diff --git a/config/crd/projectcalico.org_alertexceptions.yaml b/config/crd/projectcalico.org_alertexceptions.yaml index 53bc7fda..5274cfd2 100644 --- a/config/crd/projectcalico.org_alertexceptions.yaml +++ b/config/crd/projectcalico.org_alertexceptions.yaml @@ -17,23 +17,49 @@ spec: - name: v3 schema: openAPIV3Schema: + description: AlertException defines exceptions for alert events. properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: + description: + AlertExceptionSpec contains the specification for an alert + exception resource. properties: description: + description: The description is displayed by the UI. type: string endTime: + description: |- + EndTime defines the end time at which this alert exception will expire. + If omitted the alert exception filtering will continue indefinitely. format: date-time type: string selector: + description: + Selector defines a query string for alert events to be + excluded from UI search results. type: string startTime: + description: |- + StartTime defines the start time from which this alert exception will take effect. + If the value is in the past, matched alerts will be filtered immediately. + If the value is changed to a future time, alert exceptions will restart at that time. format: date-time type: string required: 
@@ -42,6 +68,7 @@ spec: - startTime type: object status: + description: AlertExceptionStatus contains the status of an alert exception. type: object required: - metadata diff --git a/config/crd/projectcalico.org_bfdconfigurations.yaml b/config/crd/projectcalico.org_bfdconfigurations.yaml index 63ff04ee..fb762954 100644 --- a/config/crd/projectcalico.org_bfdconfigurations.yaml +++ b/config/crd/projectcalico.org_bfdconfigurations.yaml 
@@ -19,29 +19,66 @@ spec: openAPIV3Schema: properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: + description: + BFDConfigurationSpec contains the specification for a BFDConfiguration + resource. properties: interfaces: items: + description: + BFDInterface contains per-interface parameters for + BFD failure detection. properties: idleSendInterval: default: 1m + description: + IdleSendInterval is the interval between transmitted + BFD packets when the BFD peer is idle. Must be a whole number + of milliseconds greater than 0. type: string matchPattern: + description: |- + MatchPattern is a pattern to match one or more interfaces. + Supports exact interface names, match on interface prefixes (e.g., β€œeth*”), + or β€œ*” to select all interfaces on the selected node(s). type: string minimumRecvInterval: default: 10ms + description: + MinimumRecvInterval is the minimum interval between + received BFD packets. Must be a whole number of milliseconds + greater than 0. type: string minimumSendInterval: default: 100ms + description: + MinimumSendInterval is the minimum interval between + transmitted BFD packets. Must be a whole number of milliseconds + greater than 0. 
type: string multiplier: default: 5 + description: + Multiplier is the number of intervals that must + pass without receiving a BFD packet before the peer is considered + down. type: integer required: - matchPattern diff --git a/config/crd/projectcalico.org_bgpconfigurations.yaml b/config/crd/projectcalico.org_bgpconfigurations.yaml index b7a900d2..3b18633e 100644 --- a/config/crd/projectcalico.org_bgpconfigurations.yaml +++ b/config/crd/projectcalico.org_bgpconfigurations.yaml 
@@ -22,28 +22,59 @@ spec: openAPIV3Schema: properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: + description: BGPConfigurationSpec contains the values of the BGP configuration. properties: asNumber: + description: + "ASNumber is the default AS number used by a node. [Default: + 64512]" format: int32 type: integer bindMode: + description: |- + BindMode indicates whether to listen for BGP connections on all addresses (None) + or only on the node's canonical IP address Node.Spec.BGP.IPvXAddress (NodeIP). + Default behaviour is to listen for BGP connections on all addresses. enum: - None - NodeIP type: string communities: + description: + Communities is a list of BGP community values and their + arbitrary names for tagging routes. items: + description: + Community contains standard or large community value + and its name. properties: name: + description: Name given to community value. maxLength: 253 type: string value: + description: |- + Value must be of format `aa:nn` or `aa:nn:mm`. + For standard community use `aa:nn` format, where `aa` and `nn` are 16 bit number. + For large community use `aa:nn:mm` format, where `aa`, `nn` and `mm` are 32 bit number. + Where, `aa` is an AS Number, `nn` and `mm` are per-AS identifier. maxLength: 40 pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$ type: string 
@@ -55,44 +86,92 @@ spec: extensions: additionalProperties: type: string + description: + Extensions is a mapping of keys to values that can be + used in custom BGP templates type: object ignoredInterfaces: + description: + IgnoredInterfaces indicates the network interfaces that + needs to be excluded when reading device routes. items: type: string type: array x-kubernetes-list-type: set ipv4NormalRoutePriority: + description: |- + IPv4NormalRoutePriority is the normal route priority (metric) that Felix uses for IPv4 + workload routes. This must match the value configured in FelixConfiguration. BIRD uses + this to identify elevated-priority routes during live migration and to override local + workload routes with higher-priority BGP-learned routes. [Default: 1024] maximum: 2147483646 minimum: 1 type: integer ipv6NormalRoutePriority: + description: |- + IPv6NormalRoutePriority is the normal route priority (metric) that Felix uses for IPv6 + workload routes. This must match the value configured in FelixConfiguration. BIRD uses + this to identify elevated-priority routes during live migration and to override local + workload routes with higher-priority BGP-learned routes. [Default: 1024] maximum: 2147483646 minimum: 1 type: integer listenPort: + description: + ListenPort is the port where BGP protocol should listen. + Defaults to 179 maximum: 65535 minimum: 1 type: integer localWorkloadPeeringIPV4: + description: |- + The virtual IPv4 address of the node with which its local workload is expected to peer. + It is recommended to use a link-local address. type: string localWorkloadPeeringIPV6: + description: |- + The virtual IPv6 address of the node with which its local workload is expected to peer. + It is recommended to use a link-local address. type: string logSeverityScreen: default: Info + description: + "LogSeverityScreen is the log severity above which logs + are sent to the stdout. 
[Default: Info]" pattern: ^(?i)(Trace|Debug|Info|Warning|Error|Fatal)?$ type: string nodeMeshMaxRestartTime: + description: |- + Time to allow for software restart for node-to-mesh peerings. When specified, this is configured + as the graceful restart timeout. When not specified, the BIRD default of 120s is used. + This field can only be set on the default BGPConfiguration instance and requires that NodeMesh is enabled type: string nodeMeshPassword: + description: |- + Optional BGP password for full node-to-mesh peerings. + This field can only be set on the default BGPConfiguration instance and requires that NodeMesh is enabled properties: secretKeyRef: + description: Selects a key of a secret in the node pod's namespace. properties: key: + description: + The key of the secret to select from. Must be + a valid secret key. type: string name: default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string optional: + description: + Specify whether the Secret or its key must be + defined type: boolean required: - key 
@@ -100,14 +179,29 @@ spec: x-kubernetes-map-type: atomic type: object nodeToNodeMeshEnabled: + description: + "NodeToNodeMeshEnabled sets whether full node to node + BGP mesh is enabled. [Default: true]" type: boolean prefixAdvertisements: + description: + PrefixAdvertisements contains per-prefix advertisement + configuration. items: + description: + PrefixAdvertisement configures advertisement properties + for the specified CIDR. properties: cidr: + description: CIDR for which properties should be advertised. format: cidr type: string communities: + description: |- + Communities can be list of either community names already defined in `Specs.Communities` or community value of format `aa:nn` or `aa:nn:mm`. + For standard community use `aa:nn` format, where `aa` and `nn` are 16 bit number. + For large community use `aa:nn:mm` format, where `aa`, `nn` and `mm` are 32 bit number. + Where,`aa` is an AS Number, `nn` and `mm` are per-AS identifier. items: type: string maxItems: 50 @@ -119,12 +213,23 @@ spec: type: array x-kubernetes-list-type: set programClusterRoutes: + description: |- + ProgramClusterRoutes controls how a cluster node gets a route to a workload on another node, + when that workload's IP comes from an IP Pool with vxlanMode: Never. When ProgramClusterRoutes is Enabled, + confd and BIRD program that route. When ProgramClusterRoutes is Disabled, it is expected that Felix will program that route. + Felix always programs such routes for IP Pools with vxlanMode: Always or vxlanMode: CrossSubnet. [Default: Enabled] enum: - Enabled - Disabled type: string serviceClusterIPs: + description: |- + ServiceClusterIPs are the CIDR blocks from which service cluster IPs are allocated. + If specified, Calico will advertise these blocks, as well as any cluster IPs within them. items: + description: + ServiceClusterIPBlock represents a single allowed ClusterIP + CIDR block. properties: cidr: format: cidr 
@@ -134,7 +239,13 @@ spec: type: array x-kubernetes-list-type: set serviceExternalIPs: + description: |- + ServiceExternalIPs are the CIDR blocks for Kubernetes Service External IPs. + Kubernetes Service ExternalIPs will only be advertised if they are within one of these blocks. items: + description: + ServiceExternalIPBlock represents a single allowed + External IP CIDR block. properties: cidr: format: cidr @@ -145,12 +256,23 @@ spec: x-kubernetes-list-type: set serviceLoadBalancerAggregation: default: Enabled + description: |- + ServiceLoadBalancerAggregation controls how LoadBalancer service IPs are advertised. + When set to "Disabled", individual /32 routes are advertised for each service instead of + the full CIDR range. This is useful for anycast failover mechanisms where failed service + routes need to be withdrawn. [Default: Enabled] enum: - Enabled - Disabled type: string serviceLoadBalancerIPs: + description: |- + ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes Service LoadBalancer IPs. + Kubernetes Service status.LoadBalancer.Ingress IPs will only be advertised if they are within one of these blocks. items: + description: + ServiceLoadBalancerIPBlock represents a single allowed + LoadBalancer IP CIDR block. properties: cidr: format: cidr diff --git a/config/crd/projectcalico.org_bgpfilters.yaml b/config/crd/projectcalico.org_bgpfilters.yaml index 0a1cfbee..f734bf8a 100644 --- a/config/crd/projectcalico.org_bgpfilters.yaml +++ b/config/crd/projectcalico.org_bgpfilters.yaml 
@@ -19,15 +19,35 @@ spec: openAPIV3Schema: properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: + description: + BGPFilterSpec contains the IPv4 and IPv6 filter rules of + the BGP Filter. properties: exportV4: + description: + The ordered set of IPv4 BGPFilter rules acting on exporting + routes to a peer. items: + description: |- + BGPFilterRuleV4 defines a BGP filter rule consisting of match criteria, a terminal action, + and optional operations to apply to matching routes. properties: action: enum: 
@@ -35,19 +55,40 @@ spec: - Reject type: string asPathPrefix: + description: |- + If non-empty, this filter rule will only apply to routes whose AS path begins with the + specified sequence of AS numbers. items: format: int32 type: integer type: array x-kubernetes-list-type: atomic cidr: + description: |- + If non-empty, this filter rule will only apply when the route being exported or imported + "matches" the given CIDR - where the definition of "matches" is according to + MatchOperator and PrefixLength. CIDR should be in conventional CIDR notation, + /. format: cidr maxLength: 18 type: string communities: + description: |- + If set, this filter rule will only apply to routes that carry the specified BGP + community. On import, this matches communities set by the remote peer. On export, + this matches communities already present on the route, whether received from a BGP + peer (e.g. on a route reflector re-advertising to an eBGP peer) or added locally + by an import filter or an earlier export rule's AddCommunity operation. properties: values: + description: + Values is a list of BGP community values to + match against. Exactly one value must be specified. items: + description: |- + BGPCommunityValue is a BGP community string in `aa:nn` (standard) or `aa:nn:mm` (large) format. + For standard communities, each component must be a 16-bit value (0-65535). + For large communities, each component must be a 32-bit value (0-4294967295). 
maxLength: 32 pattern: ^(([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]):([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])|([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]))$ type: string @@ -60,9 +101,17 @@ spec: type: object x-kubernetes-map-type: atomic interface: + description: |- + If non-empty, this filter rule will only apply to routes with an outgoing interface that + matches Interface. maxLength: 15 type: string matchOperator: + description: |- + MatchOperator defines how the route's prefix is compared against CIDR. "Equal" requires + an exact prefix match, "In" requires the route to be contained within the CIDR (or equal), + "NotEqual" and "NotIn" are their negations. Only meaningful when CIDR is also specified. + Required when CIDR is set. enum: - Equal - NotEqual 
@@ -70,13 +119,24 @@ spec: - NotIn type: string operations: + description: |- + Operations is an ordered list of route modifications to apply to matching routes before + accepting them. Only valid when Action is "Accept"; specifying operations with "Reject" + is rejected by validation. Each entry must set exactly one operation field. items: + description: |- + BGPFilterOperation is a discriminated union representing a single route modification. + Exactly one field must be set. maxProperties: 1 minProperties: 1 properties: addCommunity: + description: + AddCommunity adds the specified BGP community + to the route. properties: value: + description: Value is the BGP community to add. maxLength: 32 pattern: ^(([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]):([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])|([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]))$ type: string @@ -85,8 +145,15 @@ spec: type: object x-kubernetes-map-type: atomic prependASPath: + description: + PrependASPath prepends the specified AS numbers + to the route's AS path. properties: prefix: + description: |- + Prefix is the sequence of AS numbers to prepend to the route's AS path. + The resulting path starts with these AS numbers in the order listed; + e.g. [65000, 65001] produces the path "65000 65001 ". items: format: int32 type: integer 
@@ -99,8 +166,14 @@ spec: type: object x-kubernetes-map-type: atomic setPriority: + description: |- + SetPriority sets the route's priority (metric), in the same units as the + ...RoutePriority fields in FelixConfiguration. properties: value: + description: |- + Value is the priority to set, in the same units as FelixConfiguration's + ...RoutePriority fields. maximum: 2147483646 minimum: 1 type: integer @@ -115,11 +188,21 @@ spec: type: array x-kubernetes-list-type: atomic peerType: + description: |- + If non-empty, this filter rule will only apply to routes being imported from or exported + to a BGP peer of the specified type. If empty, the rule applies to all peers. enum: - eBGP - iBGP type: string prefixLength: + description: |- + PrefixLength further constrains the CIDR match by restricting the range of allowed + prefix lengths. For example, CIDR "10.0.0.0/8" with MatchOperator "In" and + PrefixLength {min: 16, max: 24} matches any route within 10.0.0.0/8 whose prefix + length is between /16 and /24. Requires CIDR to be set; if CIDR is omitted, + PrefixLength is ignored. If PrefixLength is nil and CIDR is set, the CIDR's own + prefix length is used as the minimum and /32 (for V4) as the maximum. properties: max: format: int32 @@ -134,10 +217,18 @@ spec: type: object x-kubernetes-map-type: atomic priority: + description: |- + If set, this filter rule will only apply to routes with the given priority, in the + same units as the ...RoutePriority fields in FelixConfiguration. maximum: 2147483646 minimum: 1 type: integer source: + description: |- + If set to "RemotePeers": for export rules, this filter rule will only apply to routes + learned from BGP peers (i.e. re-advertised routes), not locally originated routes. + For import rules, this field is redundant because imported routes are by definition + from BGP peers. enum: - RemotePeers type: string 
@@ -163,7 +254,13 @@ spec: type: array x-kubernetes-list-type: atomic exportV6: + description: + The ordered set of IPv6 BGPFilter rules acting on exporting + routes to a peer. items: + description: |- + BGPFilterRuleV6 defines a BGP filter rule consisting of match criteria, a terminal action, + and optional operations to apply to matching routes. properties: action: enum: 
@@ -171,19 +268,40 @@ spec: - Reject type: string asPathPrefix: + description: |- + If non-empty, this filter rule will only apply to routes whose AS path begins with the + specified sequence of AS numbers. items: format: int32 type: integer type: array x-kubernetes-list-type: atomic cidr: + description: |- + If non-empty, this filter rule will only apply when the route being exported or imported + "matches" the given CIDR - where the definition of "matches" is according to + MatchOperator and PrefixLength. CIDR should be in conventional CIDR notation, + /. format: cidr maxLength: 43 type: string communities: + description: |- + If set, this filter rule will only apply to routes that carry the specified BGP + community. On import, this matches communities set by the remote peer. On export, + this matches communities already present on the route, whether received from a BGP + peer (e.g. on a route reflector re-advertising to an eBGP peer) or added locally + by an import filter or an earlier export rule's AddCommunity operation. properties: values: + description: + Values is a list of BGP community values to + match against. Exactly one value must be specified. items: + description: |- + BGPCommunityValue is a BGP community string in `aa:nn` (standard) or `aa:nn:mm` (large) format. + For standard communities, each component must be a 16-bit value (0-65535). + For large communities, each component must be a 32-bit value (0-4294967295). 
maxLength: 32 pattern: ^(([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]):([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])|([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]))$ type: string @@ -196,9 +314,17 @@ spec: type: object x-kubernetes-map-type: atomic interface: + description: |- + If non-empty, this filter rule will only apply to routes with an outgoing interface that + matches Interface. maxLength: 15 type: string matchOperator: + description: |- + MatchOperator defines how the route's prefix is compared against CIDR. "Equal" requires + an exact prefix match, "In" requires the route to be contained within the CIDR (or equal), + "NotEqual" and "NotIn" are their negations. Only meaningful when CIDR is also specified. + Required when CIDR is set. enum: - Equal - NotEqual 
@@ -206,13 +332,24 @@ spec: - NotIn type: string operations: + description: |- + Operations is an ordered list of route modifications to apply to matching routes before + accepting them. Only valid when Action is "Accept"; specifying operations with "Reject" + is rejected by validation. Each entry must set exactly one operation field. items: + description: |- + BGPFilterOperation is a discriminated union representing a single route modification. + Exactly one field must be set. maxProperties: 1 minProperties: 1 properties: addCommunity: + description: + AddCommunity adds the specified BGP community + to the route. properties: value: + description: Value is the BGP community to add. maxLength: 32 pattern: ^(([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]):([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])|([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]))$ type: string @@ -221,8 +358,15 @@ spec: type: object x-kubernetes-map-type: atomic prependASPath: + description: + PrependASPath prepends the specified AS numbers + to the route's AS path. properties: prefix: + description: |- + Prefix is the sequence of AS numbers to prepend to the route's AS path. + The resulting path starts with these AS numbers in the order listed; + e.g. [65000, 65001] produces the path "65000 65001 ". items: format: int32 type: integer 
@@ -235,8 +379,14 @@ spec: type: object x-kubernetes-map-type: atomic setPriority: + description: |- + SetPriority sets the route's priority (metric), in the same units as the + ...RoutePriority fields in FelixConfiguration. properties: value: + description: |- + Value is the priority to set, in the same units as FelixConfiguration's + ...RoutePriority fields. maximum: 2147483646 minimum: 1 type: integer @@ -251,11 +401,21 @@ spec: type: array x-kubernetes-list-type: atomic peerType: + description: |- + If non-empty, this filter rule will only apply to routes being imported from or exported + to a BGP peer of the specified type. If empty, the rule applies to all peers. enum: - eBGP - iBGP type: string prefixLength: + description: |- + PrefixLength further constrains the CIDR match by restricting the range of allowed + prefix lengths. For example, CIDR "fd00::/8" with MatchOperator "In" and + PrefixLength {min: 48, max: 64} matches any route within fd00::/8 whose prefix + length is between /48 and /64. Requires CIDR to be set; if CIDR is omitted, + PrefixLength is ignored. If PrefixLength is nil and CIDR is set, the CIDR's own + prefix length is used as the minimum and /128 (for V6) as the maximum. properties: max: format: int32 @@ -270,10 +430,18 @@ spec: type: object x-kubernetes-map-type: atomic priority: + description: |- + If set, this filter rule will only apply to routes with the given priority, in the + same units as the ...RoutePriority fields in FelixConfiguration. maximum: 2147483646 minimum: 1 type: integer source: + description: |- + If set to "RemotePeers": for export rules, this filter rule will only apply to routes + learned from BGP peers (i.e. re-advertised routes), not locally originated routes. + For import rules, this field is redundant because imported routes are by definition + from BGP peers. enum: - RemotePeers type: string 
@@ -299,7 +467,13 @@ spec: type: array x-kubernetes-list-type: atomic importV4: + description: + The ordered set of IPv4 BGPFilter rules acting on importing + routes from a peer. items: + description: |- + BGPFilterRuleV4 defines a BGP filter rule consisting of match criteria, a terminal action, + and optional operations to apply to matching routes. properties: action: enum: 
@@ -307,19 +481,40 @@ spec: - Reject type: string asPathPrefix: + description: |- + If non-empty, this filter rule will only apply to routes whose AS path begins with the + specified sequence of AS numbers. items: format: int32 type: integer type: array x-kubernetes-list-type: atomic cidr: + description: |- + If non-empty, this filter rule will only apply when the route being exported or imported + "matches" the given CIDR - where the definition of "matches" is according to + MatchOperator and PrefixLength. CIDR should be in conventional CIDR notation, + /. format: cidr maxLength: 18 type: string communities: + description: |- + If set, this filter rule will only apply to routes that carry the specified BGP + community. On import, this matches communities set by the remote peer. On export, + this matches communities already present on the route, whether received from a BGP + peer (e.g. on a route reflector re-advertising to an eBGP peer) or added locally + by an import filter or an earlier export rule's AddCommunity operation. properties: values: + description: + Values is a list of BGP community values to + match against. Exactly one value must be specified. items: + description: |- + BGPCommunityValue is a BGP community string in `aa:nn` (standard) or `aa:nn:mm` (large) format. + For standard communities, each component must be a 16-bit value (0-65535). + For large communities, each component must be a 32-bit value (0-4294967295). 
maxLength: 32 pattern: ^(([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]):([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])|([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]))$ type: string @@ -332,9 +527,17 @@ spec: type: object x-kubernetes-map-type: atomic interface: + description: |- + If non-empty, this filter rule will only apply to routes with an outgoing interface that + matches Interface. maxLength: 15 type: string matchOperator: + description: |- + MatchOperator defines how the route's prefix is compared against CIDR. "Equal" requires + an exact prefix match, "In" requires the route to be contained within the CIDR (or equal), + "NotEqual" and "NotIn" are their negations. Only meaningful when CIDR is also specified. + Required when CIDR is set. enum: - Equal - NotEqual 
@@ -342,13 +545,24 @@ spec: - NotIn type: string operations: + description: |- + Operations is an ordered list of route modifications to apply to matching routes before + accepting them. Only valid when Action is "Accept"; specifying operations with "Reject" + is rejected by validation. Each entry must set exactly one operation field. items: + description: |- + BGPFilterOperation is a discriminated union representing a single route modification. + Exactly one field must be set. maxProperties: 1 minProperties: 1 properties: addCommunity: + description: + AddCommunity adds the specified BGP community + to the route. properties: value: + description: Value is the BGP community to add. maxLength: 32 pattern: ^(([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]):([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])|([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]))$ type: string @@ -357,8 +571,15 @@ spec: type: object x-kubernetes-map-type: atomic prependASPath: + description: + PrependASPath prepends the specified AS numbers + to the route's AS path. properties: prefix: + description: |- + Prefix is the sequence of AS numbers to prepend to the route's AS path. + The resulting path starts with these AS numbers in the order listed; + e.g. [65000, 65001] produces the path "65000 65001 ". items: format: int32 type: integer 
@@ -371,8 +592,14 @@ spec: type: object x-kubernetes-map-type: atomic setPriority: + description: |- + SetPriority sets the route's priority (metric), in the same units as the + ...RoutePriority fields in FelixConfiguration. properties: value: + description: |- + Value is the priority to set, in the same units as FelixConfiguration's + ...RoutePriority fields. maximum: 2147483646 minimum: 1 type: integer @@ -387,11 +614,21 @@ spec: type: array x-kubernetes-list-type: atomic peerType: + description: |- + If non-empty, this filter rule will only apply to routes being imported from or exported + to a BGP peer of the specified type. If empty, the rule applies to all peers. enum: - eBGP - iBGP type: string prefixLength: + description: |- + PrefixLength further constrains the CIDR match by restricting the range of allowed + prefix lengths. For example, CIDR "10.0.0.0/8" with MatchOperator "In" and + PrefixLength {min: 16, max: 24} matches any route within 10.0.0.0/8 whose prefix + length is between /16 and /24. Requires CIDR to be set; if CIDR is omitted, + PrefixLength is ignored. If PrefixLength is nil and CIDR is set, the CIDR's own + prefix length is used as the minimum and /32 (for V4) as the maximum. properties: max: format: int32 @@ -406,10 +643,18 @@ spec: type: object x-kubernetes-map-type: atomic priority: + description: |- + If set, this filter rule will only apply to routes with the given priority, in the + same units as the ...RoutePriority fields in FelixConfiguration. maximum: 2147483646 minimum: 1 type: integer source: + description: |- + If set to "RemotePeers": for export rules, this filter rule will only apply to routes + learned from BGP peers (i.e. re-advertised routes), not locally originated routes. + For import rules, this field is redundant because imported routes are by definition + from BGP peers. enum: - RemotePeers type: string 
@@ -435,7 +680,13 @@ spec: type: array x-kubernetes-list-type: atomic importV6: + description: + The ordered set of IPv6 BGPFilter rules acting on importing + routes from a peer. items: + description: |- + BGPFilterRuleV6 defines a BGP filter rule consisting of match criteria, a terminal action, + and optional operations to apply to matching routes. properties: action: enum: 
@@ -443,19 +694,40 @@ spec: - Reject type: string asPathPrefix: + description: |- + If non-empty, this filter rule will only apply to routes whose AS path begins with the + specified sequence of AS numbers. items: format: int32 type: integer type: array x-kubernetes-list-type: atomic cidr: + description: |- + If non-empty, this filter rule will only apply when the route being exported or imported + "matches" the given CIDR - where the definition of "matches" is according to + MatchOperator and PrefixLength. CIDR should be in conventional CIDR notation, + /. format: cidr maxLength: 43 type: string communities: + description: |- + If set, this filter rule will only apply to routes that carry the specified BGP + community. On import, this matches communities set by the remote peer. On export, + this matches communities already present on the route, whether received from a BGP + peer (e.g. on a route reflector re-advertising to an eBGP peer) or added locally + by an import filter or an earlier export rule's AddCommunity operation. properties: values: + description: + Values is a list of BGP community values to + match against. Exactly one value must be specified. items: + description: |- + BGPCommunityValue is a BGP community string in `aa:nn` (standard) or `aa:nn:mm` (large) format. + For standard communities, each component must be a 16-bit value (0-65535). + For large communities, each component must be a 32-bit value (0-4294967295). 
maxLength: 32 pattern: ^(([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]):([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])|([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]))$ type: string @@ -468,9 +740,17 @@ spec: type: object x-kubernetes-map-type: atomic interface: + description: |- + If non-empty, this filter rule will only apply to routes with an outgoing interface that + matches Interface. maxLength: 15 type: string matchOperator: + description: |- + MatchOperator defines how the route's prefix is compared against CIDR. "Equal" requires + an exact prefix match, "In" requires the route to be contained within the CIDR (or equal), + "NotEqual" and "NotIn" are their negations. Only meaningful when CIDR is also specified. + Required when CIDR is set. enum: - Equal - NotEqual 
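Review bot: The new `cidr` description in the hunk ending here reads "CIDR should be in conventional CIDR notation, /." — the address and prefix-length placeholders are missing, so the generated sentence is unreadable. Angle-bracketed placeholders in the Go doc comment are presumably being swallowed as markup somewhere between the source comment and this rendering; the safe fix is to spell the format out in plain words in the source comment, e.g. `CIDR should be in conventional CIDR notation, address/prefix-length (for example "fd00::/8").`, so it survives generation. The same wording presumably appears in the IPv4 rule's `cidr` description earlier in this file and should be fixed there too. Since `config/crd` is generated from the Go types, the change belongs in the type's doc comment, not in this YAML.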
@@ -478,13 +758,24 @@ spec: - NotIn type: string operations: + description: |- + Operations is an ordered list of route modifications to apply to matching routes before + accepting them. Only valid when Action is "Accept"; specifying operations with "Reject" + is rejected by validation. Each entry must set exactly one operation field. items: + description: |- + BGPFilterOperation is a discriminated union representing a single route modification. + Exactly one field must be set. maxProperties: 1 minProperties: 1 properties: addCommunity: + description: + AddCommunity adds the specified BGP community + to the route. properties: value: + description: Value is the BGP community to add. maxLength: 32 pattern: ^(([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]):([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])|([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]))$ type: string @@ -493,8 +784,15 @@ spec: type: object x-kubernetes-map-type: atomic prependASPath: + description: + PrependASPath prepends the specified AS numbers + to the route's AS path. properties: prefix: + description: |- + Prefix is the sequence of AS numbers to prepend to the route's AS path. + The resulting path starts with these AS numbers in the order listed; + e.g. [65000, 65001] produces the path "65000 65001 ". items: format: int32 type: integer 
@@ -507,8 +805,14 @@ spec: type: object x-kubernetes-map-type: atomic setPriority: + description: |- + SetPriority sets the route's priority (metric), in the same units as the + ...RoutePriority fields in FelixConfiguration. properties: value: + description: |- + Value is the priority to set, in the same units as FelixConfiguration's + ...RoutePriority fields. maximum: 2147483646 minimum: 1 type: integer @@ -523,11 +827,21 @@ spec: type: array x-kubernetes-list-type: atomic peerType: + description: |- + If non-empty, this filter rule will only apply to routes being imported from or exported + to a BGP peer of the specified type. If empty, the rule applies to all peers. enum: - eBGP - iBGP type: string prefixLength: + description: |- + PrefixLength further constrains the CIDR match by restricting the range of allowed + prefix lengths. For example, CIDR "fd00::/8" with MatchOperator "In" and + PrefixLength {min: 48, max: 64} matches any route within fd00::/8 whose prefix + length is between /48 and /64. Requires CIDR to be set; if CIDR is omitted, + PrefixLength is ignored. If PrefixLength is nil and CIDR is set, the CIDR's own + prefix length is used as the minimum and /128 (for V6) as the maximum. properties: max: format: int32 @@ -542,10 +856,18 @@ spec: type: object x-kubernetes-map-type: atomic priority: + description: |- + If set, this filter rule will only apply to routes with the given priority, in the + same units as the ...RoutePriority fields in FelixConfiguration. maximum: 2147483646 minimum: 1 type: integer source: + description: |- + If set to "RemotePeers": for export rules, this filter rule will only apply to routes + learned from BGP peers (i.e. re-advertised routes), not locally originated routes. + For import rules, this field is redundant because imported routes are by definition + from BGP peers. enum: - RemotePeers type: string 
diff --git a/config/crd/projectcalico.org_bgppeers.yaml b/config/crd/projectcalico.org_bgppeers.yaml
index 88a84606..2f699313 100644
--- a/config/crd/projectcalico.org_bgppeers.yaml
+++ b/config/crd/projectcalico.org_bgppeers.yaml
@@ -50,68 +50,151 @@ spec: openAPIV3Schema: properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: + description: BGPPeerSpec contains the specification for a BGPPeer resource. properties: asNumber: + description: The AS Number of the peer. format: int32 type: integer birdGatewayMode: + description: |- + Specifies the BIRD "gateway" mode, i.e. method for computing the immediate next hop for + each received route, for peerings generated by this BGPPeer resource. Default value + "Recursive" means "gateway recursive". "DirectIfDirectlyConnected" means to configure + "gateway direct" when the peer is directly connected. type: string extensions: additionalProperties: type: string + description: + Extensions is a mapping of keys to values that can be + used in custom BGP templates type: object externalNetwork: + description: Name of the external network to which this peer belongs. type: string failureDetectionMode: + description: |- + Specifies whether and how to detect loss of connectivity on the peerings generated by + this BGPPeer resource. Default value "None" means nothing beyond BGP's own (slow) hold + timer. "BFDIfDirectlyConnected" means to use BFD when the peer is directly connected. type: string filters: + description: The ordered set of BGPFilters applied on this BGP peer. 
items: type: string type: array x-kubernetes-list-type: atomic keepOriginalNextHop: + description: |- + Option to keep the original nexthop field when routes are sent to a BGP Peer. + Setting "true" configures the selected BGP Peers node to use the "next hop keep;" + instead of "next hop self;"(default) in the specific branch of the Node on "bird.cfg". + Note: that this field is deprecated. Users should use the NextHopMode field to control + the next hop attribute for a BGP peer. type: boolean keepaliveTime: + description: |- + KeepaliveTime specifies the delay in seconds between sending consecutive Keepalive messages. + When specified, this configures the BGP keepalive timer for the peerings generated by this BGPPeer resource. + If not specified, BIRD uses its default keepalive time (one third of the hold time). type: string localASNumber: + description: |- + The optional Local AS Number to use when peering with this remote peer. + If not specified, the AS Number defined in default BGPConfiguration will be used. format: int32 type: integer localWorkloadSelector: + description: |- + Selector for the local workload that the node should peer with. When this is set, the peerSelector and peerIP fields must be empty, + and the ASNumber must not be empty. maxLength: 1024 type: string maxRestartTime: + description: |- + Time to allow for software restart. When specified, this is configured as the graceful + restart timeout when RestartMode is "GracefulRestart", and as the LLGR stale time when + RestartMode is "LongLivedGracefulRestart". When not specified, the BIRD defaults are + used, which are 120s for "GracefulRestart" and 3600s for "LongLivedGracefulRestart". type: string nextHopMode: + description: |- + NextHopMode defines the method of calculating the next hop attribute for received routes. + This replaces and expands the deprecated KeepOriginalNextHop field. + Users should use this setting to control the next hop attribute for a BGP peer. 
+ When this is set, the value of the KeepOriginalNextHop field is ignored. + if neither keepOriginalNextHop or nextHopMode is specified, BGP's default behaviour is used. + Set it to β€œAuto” to apply BGP’s default behaviour. + Set it to "Self" to configure "next hop self;" in "bird.cfg". + Set it to "Keep" to configure "next hop keep;" in "bird.cfg". enum: - Auto - Self - Keep type: string node: + description: |- + The node name identifying the Calico node instance that is targeted by this peer. + If this is not set, and no nodeSelector is specified, then this BGP peer selects all + nodes in the cluster. maxLength: 253 type: string nodeSelector: + description: |- + Selector for the nodes that should have this peering. When this is set, the Node + field must be empty. maxLength: 1024 type: string numAllowedLocalASNumbers: + description: |- + Maximum number of local AS numbers that are allowed in the AS path for received routes. + This removes BGP loop prevention and should only be used if absolutely necessary. format: int32 type: integer password: + description: + Optional BGP password for the peerings generated by this + BGPPeer resource. properties: secretKeyRef: + description: Selects a key of a secret in the node pod's namespace. properties: key: + description: + The key of the secret to select from. Must be + a valid secret key. type: string name: default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string optional: + description: + Specify whether the Secret or its key must be + defined type: boolean required: - key 
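Review bot: The `nextHopMode` description is inconsistent in its quoting and wording: "Auto" is written with typographic quotes (rendered here as `β€œAuto”`) while "Self" and "Keep" use straight quotes, the sentence `if neither keepOriginalNextHop or nextHopMode is specified` starts lowercase and should read "neither … nor", and it mixes camelCase field names with the PascalCase `KeepOriginalNextHop` used two lines earlier. Suggested lines: `If neither KeepOriginalNextHop nor NextHopMode is specified, BGP's default behaviour is used.` and `Set it to "Auto" to apply BGP's default behaviour.`. The `keepOriginalNextHop` description in the same hunk has a stray colon in `Note: that this field is deprecated`; `Note that this field is deprecated.` reads correctly. As this file is generated, the edits belong in the Go doc comments.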
@@ -119,15 +202,34 @@ spec: x-kubernetes-map-type: atomic type: object peerIP: + description: |- + The IP address of the peer followed by an optional port number to peer with. + If port number is given, format should be `[]:port` or `:` for IPv4. + If optional port number is not set, and this peer IP and ASNumber belongs to a calico/node + with ListenPort set in BGPConfiguration, then we use that port to peer. maxLength: 64 type: string peerSelector: + description: |- + Selector for the remote nodes to peer with. When this is set, the PeerIP and + ASNumber fields must be empty. For each peering between the local node and + selected remote nodes, we configure an IPv4 peering if both ends have + NodeBGPSpec.IPv4Address specified, and an IPv6 peering if both ends have + NodeBGPSpec.IPv6Address specified. The remote AS number comes from the remote + node's NodeBGPSpec.ASNumber, or the global default if that is not set. maxLength: 1024 type: string reachableBy: + description: |- + Add an exact, i.e. /32, static route toward peer IP in order to prevent route flapping. + ReachableBy contains the address of the gateway which peer can be reached by. maxLength: 64 type: string restartMode: + description: |- + Specifies restart behaviour to configure on the peerings generated by this BGPPeer + resource. Default value "GracefulRestart" means traditional graceful restart. + "LongLivedGracefulRestart" means LLGR according to draft-uttaro-idr-bgp-persistence-05. type: string reversePeering: allOf: 
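Review bot: The `peerIP` description has lost its format placeholders: `format should be \`[]:port\` or \`:\` for IPv4` no longer says what goes inside the brackets or before the colon. As with the `cidr` descriptions in the BGPFilter CRD, angle-bracketed placeholders in the Go comment appear to be dropped in generation or rendering, so the source comment should use bracket-free wording, e.g. `If a port is given, use "[ipv6-address]:port" for IPv6 or "ipv4-address:port" for IPv4.` (illustrative). Without this the operator cannot tell from the CRD that IPv6 literals must be bracketed.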
@@ -137,13 +239,26 @@ spec: - enum: - Auto - Manual + description: |- + ReversePeering, for peerings between Calico nodes controls whether + the reverse peering from nodes selected by peerSelector is generated + automatically. If set to Manual, a separate BGPPeer must be created + for the reverse peering. [Default: Auto] type: string sourceAddress: + description: |- + Specifies whether and how to configure a source address for the peerings generated by + this BGPPeer resource. Default value "UseNodeIP" means to configure the node IP as the + source address. "None" means not to configure a source address. enum: - UseNodeIP - None type: string ttlSecurity: + description: |- + TTLSecurity enables the generalized TTL security mechanism (GTSM) which protects against spoofed packets by + ignoring received packets with a smaller than expected TTL value. The provided value is the number of hops + (edges) between the peers. type: integer type: object x-kubernetes-validations: diff --git a/config/crd/projectcalico.org_blockaffinities.yaml b/config/crd/projectcalico.org_blockaffinities.yaml index bb16b6bf..d9567958 100644 --- a/config/crd/projectcalico.org_blockaffinities.yaml +++ b/config/crd/projectcalico.org_blockaffinities.yaml 
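Review bot: The new `ttlSecurity` description defines the value as the number of hops between peers for GTSM, but the schema line below it stays `type: integer` with no `minimum`/`maximum`, so zero or negative hop counts pass CRD validation and are only caught, if at all, by Calico's own validator. Other numeric fields in this change already carry bounds (e.g. the `setPriority` value in the BGPFilter CRD has `minimum: 1` / `maximum: 2147483646`), so adding the corresponding kubebuilder validation markers to the Go field would make the generated schema emit at least `minimum: 1`; the appropriate upper bound depends on the Go field's type and the TTL arithmetic the daemon performs, which I cannot confirm from this diff. Rejecting nonsensical values at admission time is preferable to configuring a GTSM hop count that silently disables the protection the description promises.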
@@ -33,24 +33,48 @@ spec: name: v3 schema: openAPIV3Schema: + description: BlockAffinity maintains a block affinity's state properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: + description: + BlockAffinitySpec contains the specification for a BlockAffinity + resource. properties: cidr: + description: The CIDR range this block affinity references. format: cidr type: string deleted: default: false + description: |- + Deleted indicates whether or not this block affinity is disabled and is + used as part of race-condition prevention. When set to true, clients + should treat this block as if it does not exist. type: boolean node: + description: The node that this block affinity is assigned to. type: string state: + description: + The state of the block affinity with regard to any referenced + IPAM blocks. enum: - "" - confirmed @@ -58,6 +82,7 @@ spec: - pendingDeletion type: string type: + description: The type of affinity. type: string required: - cidr diff --git a/config/crd/projectcalico.org_caliconodestatuses.yaml b/config/crd/projectcalico.org_caliconodestatuses.yaml index 9664ff15..d52d68e9 100644 --- a/config/crd/projectcalico.org_caliconodestatuses.yaml +++ b/config/crd/projectcalico.org_caliconodestatuses.yaml 
@@ -28,14 +28,31 @@ spec: openAPIV3Schema: properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: + description: + CalicoNodeStatusSpec contains the specification for a CalicoNodeStatus + resource. properties: classes: + description: |- + Classes declares the types of information to monitor for this calico/node, + and allows for selective status reporting about certain subsets of information. items: enum: - Agent 
@@ -45,66 +62,110 @@ spec: type: array x-kubernetes-list-type: set node: + description: + The node name identifies the Calico node instance for + node status. type: string updatePeriodSeconds: + description: |- + UpdatePeriodSeconds is the period at which CalicoNodeStatus should be updated. + Set to 0 to disable CalicoNodeStatus refresh. Maximum update period is one day. format: int32 type: integer type: object status: + description: |- + CalicoNodeStatusStatus defines the observed state of CalicoNodeStatus. + No validation needed for status since it is updated by Calico. properties: agent: + description: Agent holds agent status on the node. properties: birdV4: + description: BIRDV4 represents the latest observed status of bird4. properties: lastBootTime: + description: + LastBootTime holds the value of lastBootTime + from bird.ctl output. type: string lastReconfigurationTime: + description: + LastReconfigurationTime holds the value of lastReconfigTime + from bird.ctl output. type: string routerID: + description: Router ID used by bird. type: string state: + description: The state of the BGP Daemon. enum: - Ready - NotReady type: string version: + description: Version of the BGP daemon type: string type: object birdV6: + description: BIRDV6 represents the latest observed status of bird6. properties: lastBootTime: + description: + LastBootTime holds the value of lastBootTime + from bird.ctl output. type: string lastReconfigurationTime: + description: + LastReconfigurationTime holds the value of lastReconfigTime + from bird.ctl output. type: string routerID: + description: Router ID used by bird. type: string state: + description: The state of the BGP Daemon. enum: - Ready - NotReady type: string version: + description: Version of the BGP daemon type: string type: object type: object bgp: + description: BGP holds node BGP status. properties: numberEstablishedV4: + description: The total number of IPv4 established bgp sessions. 
type: integer numberEstablishedV6: + description: The total number of IPv6 established bgp sessions. type: integer numberNotEstablishedV4: + description: The total number of IPv4 non-established bgp sessions. type: integer numberNotEstablishedV6: + description: The total number of IPv6 non-established bgp sessions. type: integer peersV4: + description: PeersV4 represents IPv4 BGP peers status on the node. items: + description: + CalicoNodePeer contains the status of BGP peers + on the node. properties: peerIP: + description: + IP address of the peer whose condition we are + reporting. type: string since: + description: Since the state or reason last changed. type: string state: + description: State is the BGP session state. enum: - Idle - Connect @@ -115,6 +176,9 @@ spec: - Close type: string type: + description: |- + Type indicates whether this peer is configured via the node-to-node mesh, + or via an explicit global or per-node BGPPeer object. enum: - NodeMesh - NodePeer @@ -124,13 +188,22 @@ spec: type: array x-kubernetes-list-type: atomic peersV6: + description: PeersV6 represents IPv6 BGP peers status on the node. items: + description: + CalicoNodePeer contains the status of BGP peers + on the node. properties: peerIP: + description: + IP address of the peer whose condition we are + reporting. type: string since: + description: Since the state or reason last changed. type: string state: + description: State is the BGP session state. enum: - Idle - Connect @@ -141,6 +214,9 @@ spec: - Close type: string type: + description: |- + Type indicates whether this peer is configured via the node-to-node mesh, + or via an explicit global or per-node BGPPeer object. enum: - NodeMesh - NodePeer 
@@ -156,25 +232,47 @@ spec: - numberNotEstablishedV6 type: object lastUpdated: + description: |- + LastUpdated is a timestamp representing the server time when CalicoNodeStatus object + last updated. It is represented in RFC3339 form and is in UTC. format: date-time nullable: true type: string routes: + description: + Routes reports routes known to the Calico BGP daemon + on the node. properties: routesV4: + description: RoutesV4 represents IPv4 routes on the node. items: + description: + CalicoNodeRoute contains the status of BGP routes + on the node. properties: destination: + description: Destination of the route. type: string gateway: + description: Gateway for the destination. type: string interface: + description: Interface for the destination type: string learnedFrom: + description: + LearnedFrom contains information regarding + where this route originated. properties: peerIP: + description: + If sourceType is NodeMesh or BGPPeer, IP + address of the router that sent us this route. type: string sourceType: + description: + Type of the source where a route is learned + from. enum: - Kernel - Static @@ -184,6 +282,9 @@ spec: type: string type: object type: + description: + Type indicates if the route is being used for + forwarding or not. enum: - FIB - RIB 
@@ -192,19 +293,35 @@ spec: type: array x-kubernetes-list-type: atomic routesV6: + description: RoutesV6 represents IPv6 routes on the node. items: + description: + CalicoNodeRoute contains the status of BGP routes + on the node. properties: destination: + description: Destination of the route. type: string gateway: + description: Gateway for the destination. type: string interface: + description: Interface for the destination type: string learnedFrom: + description: + LearnedFrom contains information regarding + where this route originated. properties: peerIP: + description: + If sourceType is NodeMesh or BGPPeer, IP + address of the router that sent us this route. type: string sourceType: + description: + Type of the source where a route is learned + from. enum: - Kernel - Static @@ -214,6 +331,9 @@ spec: type: string type: object type: + description: + Type indicates if the route is being used for + forwarding or not. enum: - FIB - RIB diff --git a/config/crd/projectcalico.org_clusterinformations.yaml b/config/crd/projectcalico.org_clusterinformations.yaml index c2230655..2e470629 100644 --- a/config/crd/projectcalico.org_clusterinformations.yaml +++ b/config/crd/projectcalico.org_clusterinformations.yaml 
@@ -35,26 +35,59 @@ spec: openAPIV3Schema: properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: + description: |- + ClusterInformationSpec contains the values of describing the cluster. + This resource is managed automatically by Calico components and should not be modified manually. properties: calicoEnterpriseVersion: + description: + CalicoEnterpriseVersion is the version of Calico Enterprise + that the cluster is running type: string calicoVersion: + description: + CalicoVersion is the version of Calico running on the + cluster, set automatically by calico/node. type: string clusterGUID: + description: + ClusterGUID is the unique identifier for this cluster, + generated automatically at install time. type: string clusterType: + description: |- + ClusterType describes the type of the cluster, e.g., "k8s,bgp,kubeadm". + Set automatically based on the detected environment. type: string cnxVersion: + description: |- + CNXVersion is the version of Calico Enterprise that the cluster is running + Deprecated: Use CalicoEnterpriseVersion instead. type: string datastoreReady: + description: |- + DatastoreReady is used during significant datastore migrations to signal to components + such as Felix that it should wait before accessing the datastore. 
 type: boolean
 variant:
+ description: Variant declares which variant of Calico is active.
 type: string
 type: object
 required:
diff --git a/config/crd/projectcalico.org_clusterinformations.yaml b/config/crd/projectcalico.org_clusterinformations.yaml
index c2230655..2e470629 100644
--- a/config/crd/projectcalico.org_clusterinformations.yaml
+++ b/config/crd/projectcalico.org_clusterinformations.yaml
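Review bot: The `cnxVersion` description in the hunk ending here runs `...that the cluster is running` straight into `Deprecated: Use CalicoEnterpriseVersion instead.` with no sentence break, and in the Go source a `Deprecated:` notice should be its own paragraph so tooling recognises it. Proposed source comment: `CNXVersion is the version of Calico Enterprise that the cluster is running.` followed by a blank comment line and `Deprecated: Use CalicoEnterpriseVersion instead.`, which also yields a readable generated description. The `spec` description's note that this resource "should not be modified manually" is useful; consider stating the same on `clusterGUID`, since its value is relied on as a cluster identifier and is generated at install time.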
@@ -19,17 +19,49 @@ spec: openAPIV3Schema: properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: + description: Specification of the DeepPacketInspection. properties: selector: + description: + "The selector is an expression used to pick out the endpoints + for which deep packet inspection should\nbe performed on. The selector + will only match endpoints in the same namespace as the\nDeepPacketInspection + resource.\n\nSelector expressions follow this syntax:\n\n\tlabel + == \"string_literal\" -> comparison, e.g. my_label == \"foo bar\"\n\tlabel + != \"string_literal\" -> not equal; also matches if label is + not present\n\tlabel in { \"a\", \"b\", \"c\", ... } -> true if + the value of label X is one of \"a\", \"b\", \"c\"\n\tlabel not + in { \"a\", \"b\", \"c\", ... } -> true if the value of label + X is not one of \"a\", \"b\", \"c\"\n\thas(label_name) -> True + if that label is present\n\t! expr -> negation of expr\n\texpr && + expr -> Short-circuit and\n\texpr || expr -> Short-circuit or\n\t( + expr ) -> parens for grouping\n\tall() or the empty selector -> + matches all endpoints.\n\nLabel names are allowed to contain alphanumerics, + -, _ and /. 
String literals are more permissive\nbut they do not + support escape characters.\n\nExamples (with made-up labels):\n\n\ttype + == \"webserver\" && deployment == \"prod\"\n\ttype in {\"frontend\", + \"backend\"}\n\tdeployment != \"dev\"\n\t! has(label_name)" type: string type: object status: + description: Status of the DeepPacketInspection. properties: nodes: items: @@ -37,24 +69,37 @@ spec: active: properties: lastUpdated: + description: + Timestamp of when the active status was last + updated. format: date-time type: string success: + description: + Success indicates if deep packet inspection + is running on all workloads matching the selector. type: boolean type: object errorConditions: items: properties: lastUpdated: + description: + Timestamp of when this error message was + added. format: date-time type: string message: + description: Message from deep packet inspection error. type: string type: object maxItems: 10 type: array x-kubernetes-list-type: atomic node: + description: + Node identifies with a physical node from the cluster + via its hostname. type: string type: object type: array diff --git a/config/crd/projectcalico.org_egressgatewaypolicies.yaml b/config/crd/projectcalico.org_egressgatewaypolicies.yaml index 3f7936a0..91668355 100644 --- a/config/crd/projectcalico.org_egressgatewaypolicies.yaml +++ b/config/crd/projectcalico.org_egressgatewaypolicies.yaml 
@@ -19,34 +19,74 @@ spec: openAPIV3Schema: properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: + description: + EgressGatewayPolicySpec contains the egress policy rules + for each destination network properties: rules: + description: + The ordered set of Egress Gateway Policies to define + how traffic exit a cluster items: + description: + EgressGatewayRule defines an Egress Gateway to reach + a destination network properties: description: + description: The description of the EgressGatewayPolicy rule. type: string destination: + description: |- + The destination network that can be reached via egress gateway. + If no destination is set, the default route, 0.0.0.0/0, is used instead. properties: cidr: + description: The destination network CIDR. type: string type: object gateway: + description: |- + Gateway specifies the egress gateway that should be used for the specified destination. + If no gateway is set then the destination is routed normally rather than via an egress gateway. properties: maxNextHops: + description: |- + MaxNextHops specifies the maximum number of egress gateway replicas from the selected + deployment that a pod should depend on. type: integer namespaceSelector: + description: + NamespaceSelector selects one or more namespaces + containing an egress gateway deployment. 
type: string selector: + description: |- + Selector is an expression used to pick out the egress gateway that the destination can + be reached via. type: string type: object gatewayPreference: default: None + description: |- + GatewayPreference specifies which egress gateways to use. If set to PreferNodeLocal, egress gateways in the same node as + the client will be used if available. Otherwise all the active egress gateways will be used. enum: - None - PreferNodeLocal diff --git a/config/crd/projectcalico.org_externalnetworks.yaml b/config/crd/projectcalico.org_externalnetworks.yaml index 91c913d6..6ddc032b 100644 --- a/config/crd/projectcalico.org_externalnetworks.yaml +++ b/config/crd/projectcalico.org_externalnetworks.yaml 
@@ -19,14 +19,33 @@ spec: openAPIV3Schema: properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: + description: + ExternalNetworkSpec contains the specification for a external + network resource. properties: routeTableIndex: + description: |- + The index of a linux kernel routing table that should be used for the routes associated with the external network. + The value should be unique for each external network. + The value should not be in the range of `RouteTableRanges` field in FelixConfiguration. + The kernel routing table index should not be used by other processes on the node. format: int32 type: integer required: diff --git a/config/crd/projectcalico.org_felixconfigurations.yaml b/config/crd/projectcalico.org_felixconfigurations.yaml index 0a7dbc37..8bbded9a 100644 --- a/config/crd/projectcalico.org_felixconfigurations.yaml +++ b/config/crd/projectcalico.org_felixconfigurations.yaml 
@@ -19,119 +19,298 @@ spec: openAPIV3Schema: properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: + description: FelixConfigurationSpec contains the values of the Felix configuration. properties: allowIPIPPacketsFromWorkloads: + description: |- + AllowIPIPPacketsFromWorkloads controls whether Felix will add a rule to drop IPIP encapsulated traffic + from workloads. [Default: false] type: boolean allowVXLANPacketsFromWorkloads: + description: |- + AllowVXLANPacketsFromWorkloads controls whether Felix will add a rule to drop VXLAN encapsulated traffic + from workloads. [Default: false] type: boolean awsRequestTimeout: + description: + "AWSRequestTimeout is the timeout on AWS API requests. + [Default: 30s]" pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string awsSecondaryIPRoutingRulePriority: + description: |- + AWSSecondaryIPRoutingRulePriority controls the priority that Felix will use for routing rules when programming + them for AWS Secondary IP support. [Default: 101] type: integer awsSecondaryIPSupport: + description: |- + AWSSecondaryIPSupport controls whether Felix will try to provision AWS secondary ENIs for + workloads that have IPs from IP pools that are configured with an AWS subnet ID. 
If the field is set to + "EnabledENIPerWorkload" then each workload with an AWS-backed IP will be assigned its own secondary ENI. + If set to "Enabled" then each workload with an AWS-backed IP pool will be allocated a secondary IP address + on a secondary ENI; this mode requires additional IP pools to be provisioned for the host to claim IPs for + the primary IP of the secondary ENIs. Accepted value must be one of "Enabled", "EnabledENIPerWorkload" or + "Disabled". [Default: Disabled] pattern: ^(?i)(Enabled|EnabledENIPerWorkload|Disabled)?$ type: string awsSrcDstCheck: + description: |- + AWSSrcDstCheck controls whether Felix will try to change the "source/dest check" setting on the EC2 instance + on which it is running. A value of "Disable" will try to disable the source/dest check. Disabling the check + allows for sending workload traffic without encapsulation within the same AWS subnet. + [Default: DoNothing] enum: - DoNothing - Enable - Disable type: string bpfAttachType: + description: |- + BPFAttachType controls how are the BPF programs at the network interfaces attached. + By default `TCX` is used where available to enable easier coexistence with 3rd party programs. + `TC` can force the legacy method of attaching via a qdisc. `TCX` falls back to `TC` if `TCX` is not available. + [Default: TCX] enum: - TC - TCX type: string bpfCTLBLogFilter: + description: |- + BPFCTLBLogFilter specifies, what is logged by connect time load balancer when BPFLogLevel is + debug. Currently has to be specified as 'all' when BPFLogFilters is set + to see CTLB logs. + [Default: unset - means logs are emitted when BPFLogLevel id debug and BPFLogFilters not set.] type: string bpfConnectTimeLoadBalancing: + description: |- + BPFConnectTimeLoadBalancing when in BPF mode, controls whether Felix installs the connect-time load + balancer. 
The connect-time load balancer is required for the host to be able to reach Kubernetes services + and it improves the performance of pod-to-service connections.When set to TCP, connect time load balancing + is available only for services with TCP ports. [Default: TCP] enum: - TCP - Enabled - Disabled type: string bpfConnectTimeLoadBalancingEnabled: + description: |- + BPFConnectTimeLoadBalancingEnabled when in BPF mode, controls whether Felix installs the connection-time load + balancer. The connect-time load balancer is required for the host to be able to reach Kubernetes services + and it improves the performance of pod-to-service connections. The only reason to disable it is for debugging + purposes. + + Deprecated: Use BPFConnectTimeLoadBalancing [Default: true] type: boolean bpfConntrackLogLevel: + description: |- + BPFConntrackLogLevel controls the log level of the BPF conntrack cleanup program, which runs periodically + to clean up expired BPF conntrack entries. + [Default: Off]. enum: - "Off" - Debug type: string bpfConntrackMode: + description: |- + BPFConntrackCleanupMode controls how BPF conntrack entries are cleaned up. `Auto` will use a BPF program if supported, + falling back to userspace if not. `Userspace` will always use the userspace cleanup code. `BPFProgram` will + always use the BPF program (failing if not supported). + + /To be deprecated in future versions as conntrack map type changed to + lru_hash and userspace cleanup is the only mode that is supported. + [Default: Userspace] enum: - Auto - Userspace - BPFProgram type: string bpfConntrackTimeouts: + description: |- + BPFConntrackTimers overrides the default values for the specified conntrack timer if + set. Each value can be either a duration or `Auto` to pick the value from + a Linux conntrack timeout. + + Configurable timers are: CreationGracePeriod, TCPSynSent, + TCPEstablished, TCPFinsSeen, TCPResetSeen, UDPTimeout, GenericTimeout, + ICMPTimeout. 
+ + Unset values are replaced by the default values with a warning log for + incorrect values. properties: creationGracePeriod: + description: |- + CreationGracePeriod gives a generic grace period to new connections + before they are considered for cleanup [Default: 10s]. pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ type: string genericTimeout: + description: |- + GenericTimeout controls how long it takes before considering this + entry for cleanup after the connection became idle. If set to 'Auto', the + value from nf_conntrack_generic_timeout is used. If nil, Calico uses its + own default value. [Default: 10m]. pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ type: string icmpTimeout: + description: |- + ICMPTimeout controls how long it takes before considering this + entry for cleanup after the connection became idle. If set to 'Auto', the + value from nf_conntrack_icmp_timeout is used. If nil, Calico uses its + own default value. [Default: 5s]. pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ type: string tcpEstablished: + description: |- + TCPEstablished controls how long it takes before considering this entry for + cleanup after the connection became idle. If set to 'Auto', the + value from nf_conntrack_tcp_timeout_established is used. If nil, Calico uses + its own default value. [Default: 1h]. pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ type: string tcpFinsSeen: + description: |- + TCPFinsSeen controls how long it takes before considering this entry for + cleanup after the connection was closed gracefully. If set to 'Auto', the + value from nf_conntrack_tcp_timeout_time_wait is used. If nil, Calico uses + its own default value. [Default: Auto]. pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ type: string tcpResetSeen: + description: |- + TCPResetSeen controls how long it takes before considering this entry for + cleanup after the connection was aborted. If nil, Calico uses its own + default value. [Default: 40s]. 
pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ type: string tcpSynSent: + description: |- + TCPSynSent controls how long it takes before considering this entry for + cleanup after the last SYN without a response. If set to 'Auto', the + value from nf_conntrack_tcp_timeout_syn_sent is used. If nil, Calico uses + its own default value. [Default: 20s]. pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ type: string udpTimeout: + description: |- + UDPTimeout controls how long it takes before considering this entry for + cleanup after the connection became idle. If nil, Calico uses its own + default value. [Default: 60s]. pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ type: string type: object bpfDNSPolicyMode: + description: |- + BPFDNSPolicyMode specifies how DNS policy programming will be handled. + Inline - BPF parses DNS response inline with DNS response packet + processing. This guarantees the DNS rules reflect any change immediately. + NoDelay - Felix does not introduce any delay to the packets. DNS rules may not have been programmed by the time + the first packet traverses the policy rules. Client applications need to handle reconnection attempts if initial + connection attempts fail. This may be problematic for some applications or for very low DNS TTLs. + [Default: DelayDeniedPacket] type: string bpfDSROptoutCIDRs: + description: |- + BPFDSROptoutCIDRs is a list of CIDRs which are excluded from DSR. That is, clients + in those CIDRs will access service node ports as if BPFExternalServiceMode was set to + Tunnel. items: type: string type: array bpfDataIfacePattern: + description: |- + BPFDataIfacePattern is a regular expression that controls which interfaces Felix should attach BPF programs to + in order to catch traffic to/from the network. This needs to match the interfaces that Calico workload traffic + flows over as well as any interfaces that handle incoming traffic to nodeports and services from outside the + cluster. 
It should not match the workload interfaces (usually named cali...) or any other special device managed + by Calico itself (e.g., tunnels). type: string bpfDisableGROForIfaces: + description: |- + BPFDisableGROForIfaces is a regular expression that controls which interfaces Felix should disable the + Generic Receive Offload [GRO] option. It should not match the workload interfaces (usually named cali...). type: string bpfDisableUnprivileged: + description: |- + BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled sysctl to disable + unprivileged use of BPF. This ensures that unprivileged users cannot access Calico's BPF maps and + cannot insert their own BPF programs to interfere with Calico's. [Default: true] type: boolean bpfEnabled: + description: + "BPFEnabled, if enabled Felix will use the BPF dataplane. + [Default: false]" type: boolean bpfEnforceRPF: + description: |- + BPFEnforceRPF enforce strict RPF on all host interfaces with BPF programs regardless of + what is the per-interfaces or global setting. Possible values are Disabled, Strict + or Loose. [Default: Loose] pattern: ^(?i)(Disabled|Strict|Loose)?$ type: string bpfExcludeCIDRsFromNAT: + description: |- + BPFExcludeCIDRsFromNAT is a list of CIDRs that are to be excluded from NAT + resolution so that host can handle them. A typical usecase is node local + DNS cache. items: type: string type: array bpfExportBufferSizeMB: + description: |- + BPFExportBufferSizeMB in BPF mode, controls the buffer size used for sending BPF events to felix. + [Default: 1] type: integer bpfExtToServiceConnmark: + description: |- + BPFExtToServiceConnmark in BPF mode, controls a 32bit mark that is set on connections from an + external client to a local service. This mark allows us to control how packets of that + connection are routed within the host and how is routing interpreted by RPF check. 
[Default: 0] type: integer bpfExternalServiceMode: + description: |- + BPFExternalServiceMode in BPF mode, controls how connections from outside the cluster to services (node ports + and cluster IPs) are forwarded to remote workloads. If set to "Tunnel" then both request and response traffic + is tunneled to the remote node. If set to "DSR", the request traffic is tunneled but the response traffic + is sent directly from the remote node. In "DSR" mode, the remote node appears to use the IP of the ingress + node; this requires a permissive L2 network. [Default: Tunnel] pattern: ^(?i)(Tunnel|DSR)?$ type: string bpfForceTrackPacketsFromIfaces: + description: |- + BPFForceTrackPacketsFromIfaces in BPF mode, forces traffic from these interfaces + to skip Calico's iptables NOTRACK rule, allowing traffic from those interfaces to be + tracked by Linux conntrack. Should only be used for interfaces that are not used for + the Calico fabric. For example, a docker bridge device for non-Calico-networked + containers. [Default: docker+] items: type: string type: array bpfHostConntrackBypass: + description: |- + BPFHostConntrackBypass Controls whether to bypass Linux conntrack in BPF mode for + workloads and services. [Default: true - bypass Linux conntrack] type: boolean bpfHostNetworkedNATWithoutCTLB: + description: |- + BPFHostNetworkedNATWithoutCTLB when in BPF mode, controls whether Felix does a NAT without CTLB. This along with BPFConnectTimeLoadBalancing + determines the CTLB behavior. [Default: Enabled] type: string bpfJITHardening: allOf: 
@@ -141,160 +320,409 @@ spec: - enum: - Auto - Strict + description: |- + BPFJITHardening controls BPF JIT hardening. When set to "Auto", Felix will set JIT hardening to 1 + if it detects the current value is 2 (strict mode that hurts performance). When set to "Strict", + Felix will not modify the JIT hardening setting. [Default: Auto] type: string bpfKubeProxyHealthzPort: + description: |- + BPFKubeProxyHealthzPort, in BPF mode, controls the port that Felix's embedded kube-proxy health check server binds to. + The health check server is used by external load balancers to determine if this node should receive traffic. + Set to 0 to disable the health check server. [Default: 10256] type: integer bpfKubeProxyIptablesCleanupEnabled: + description: |- + BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF mode, Felix will proactively clean up the upstream + Kubernetes kube-proxy's iptables chains. Should only be enabled if kube-proxy is not running. [Default: true] type: boolean bpfKubeProxyMinSyncPeriod: + description: |- + BPFKubeProxyMinSyncPeriod, in BPF mode, controls the minimum time between updates to the dataplane for Felix's + embedded kube-proxy. Lower values give reduced set-up latency. Higher values reduce Felix CPU usage by + batching up more work. [Default: 1s] pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string bpfL3IfacePattern: + description: |- + BPFL3IfacePattern is a regular expression that allows to list tunnel devices like wireguard or vxlan (i.e., L3 devices) + in addition to BPFDataIfacePattern. That is, tunnel interfaces not created by Calico, that Calico workload traffic flows + over as well as any interfaces that handle incoming traffic to nodeports and services from outside the cluster. 
type: string bpfLogFilters: additionalProperties: type: string + description: |- + BPFLogFilters is a map of key=values where the value is + a pcap filter expression and the key is an interface name with 'all' + denoting all interfaces, 'weps' all workload endpoints and 'heps' all host + endpoints. + + When specified as an env var, it accepts a comma-separated list of + key=values. + [Default: unset - means all debug logs are emitted] type: object bpfLogLevel: + description: |- + BPFLogLevel controls the log level of the BPF programs when in BPF dataplane mode. One of "Off", "Info", or + "Debug". The logs are emitted to the BPF trace pipe, accessible with the command `tc exec bpf debug`. + [Default: Off]. pattern: ^(?i)(Off|Info|Debug)?$ type: string bpfMaglevMaxEndpointsPerService: + description: |- + BPFMaglevMaxEndpointsPerService is the maximum number of endpoints + expected to be part of a single Maglev-enabled service. + + Influences the size of the per-service Maglev lookup-tables generated by Felix + and thus the amount of memory reserved. + + [Default: 100] type: integer bpfMaglevMaxServices: + description: |- + BPFMaglevMaxServices is the maximum number of expected Maglev-enabled + services that Felix will allocate lookup-tables for. + + [Default: 100] type: integer bpfMapSizeConntrack: + description: |- + BPFMapSizeConntrack sets the size for the conntrack map. This map must be large enough to hold + an entry for each active connection. Warning: changing the size of the conntrack map can cause disruption. type: integer bpfMapSizeConntrackCleanupQueue: + description: |- + BPFMapSizeConntrackCleanupQueue sets the size for the map used to hold NAT conntrack entries that are queued + for cleanup. This should be big enough to hold all the NAT entries that expire within one cleanup interval. 
minimum: 1 type: integer bpfMapSizeConntrackScaling: + description: |- + BPFMapSizeConntrackScaling controls whether and how we scale the conntrack map size depending + on its usage. 'Disabled' make the size stay at the default or whatever is set by + BPFMapSizeConntrack*. 'DoubleIfFull' doubles the size when the map is pretty much full even + after cleanups. [Default: DoubleIfFull] pattern: ^(?i)(Disabled|DoubleIfFull)?$ type: string bpfMapSizeIPSets: + description: |- + BPFMapSizeIPSets sets the size for ipsets map. The IP sets map must be large enough to hold an entry + for each endpoint matched by every selector in the source/destination matches in network policy. Selectors + such as "all()" can result in large numbers of entries (one entry per endpoint in that case). type: integer bpfMapSizeIfState: + description: |- + BPFMapSizeIfState sets the size for ifstate map. The ifstate map must be large enough to hold an entry + for each device (host + workloads) on a host. type: integer bpfMapSizeNATAffinity: + description: |- + BPFMapSizeNATAffinity sets the size of the BPF map that stores the affinity of a connection (for services that + enable that feature. type: integer bpfMapSizeNATBackend: + description: |- + BPFMapSizeNATBackend sets the size for NAT back end map. + This is the total number of endpoints. This is mostly + more than the size of the number of services. type: integer bpfMapSizeNATFrontend: + description: |- + BPFMapSizeNATFrontend sets the size for NAT front end map. + FrontendMap should be large enough to hold an entry for each nodeport, + external IP and each port in each service. type: integer bpfMapSizePerCpuConntrack: + description: |- + BPFMapSizePerCPUConntrack determines the size of conntrack map based on the number of CPUs. If set to a + non-zero value, overrides BPFMapSizeConntrack with `BPFMapSizePerCPUConntrack * (Number of CPUs)`. + This map must be large enough to hold an entry for each active connection. 
Warning: changing the size of the + conntrack map can cause disruption. type: integer bpfMapSizeRoute: + description: |- + BPFMapSizeRoute sets the size for the routes map. The routes map should be large enough + to hold one entry per workload and a handful of entries per host (enough to cover its own IPs and + tunnel IPs). type: integer bpfPSNATPorts: anyOf: - type: integer - type: string + description: |- + BPFPSNATPorts sets the range from which we randomly pick a port if there is a source port + collision. This should be within the ephemeral range as defined by RFC 6056 (1024–65535) and + preferably outside the ephemeral ranges used by common operating systems. Linux uses + 32768–60999, while others mostly use the IANA defined range 49152–65535. It is not necessarily + a problem if this range overlaps with the operating systems. Both ends of the range are + inclusive. [Default: 20000:29999] pattern: ^.* x-kubernetes-int-or-string: true bpfPolicyDebugEnabled: + description: |- + BPFPolicyDebugEnabled when true, Felix records detailed information + about the BPF policy programs, which can be examined with the calico-bpf command-line tool. type: boolean bpfProfiling: + description: |- + BPFProfiling controls profiling of BPF programs. At the monent, it can be + Disabled or Enabled. [Default: Disabled] enum: - Enabled - Disabled type: string bpfRedirectToPeer: + description: |- + BPFRedirectToPeer controls whether traffic may be forwarded directly to the peer side of a workload’s device. + Note that the legacy "L2Only" option is now deprecated and if set it is treated like "Enabled". + Setting this option to "Enabled" allows direct redirection (including from L3 host devices such as IPIP tunnels or WireGuard), + which can improve redirection performance but causes the redirected packets to bypass the host‑side ingress path. + As a result, packet‑capture tools on the host side of the workload device (for example, tcpdump) will not see that traffic. 
[Default: Disabled] enum: - Enabled - Disabled type: string captureDir: + description: + "CaptureDir controls directory to store file capture. + [Default: /var/log/calico/pcap]" minLength: 1 type: string captureMaxFiles: + description: + "CaptureMaxFiles controls number of rotated capture file + to keep. [Default: 2]" minimum: 1 type: integer captureMaxSizeBytes: + description: + "CaptureMaxSizeBytes controls the max size of a file + capture. [Default: 10000000]" minimum: 1 type: integer captureRotationSeconds: + description: + "CaptureRotationSeconds controls the time rotation of + a packet capture. [Default: 3600]" minimum: 1 type: integer cgroupV2Path: + description: + CgroupV2Path overrides the default location where to + find the cgroup hierarchy. type: string chainInsertMode: + description: |- + ChainInsertMode controls whether Felix hooks the kernel's top-level iptables chains by inserting a rule + at the top of the chain or by appending a rule at the bottom. insert is the safe default since it prevents + Calico's rules from being bypassed. If you switch to append mode, be sure that the other rules in the chains + signal acceptance by falling through to the Calico rules, otherwise the Calico policy will be bypassed. + [Default: insert] pattern: ^(?i)(Insert|Append)?$ type: string dataplaneDriver: + description: |- + DataplaneDriver filename of the external dataplane driver to use. Only used if UseInternalDataplaneDriver + is set to false. type: string dataplaneWatchdogTimeout: + description: |- + DataplaneWatchdogTimeout is the readiness/liveness timeout used for Felix's (internal) dataplane driver. + Deprecated: replaced by the generic HealthTimeoutOverrides. type: string debugDisableLogDropping: + description: |- + DebugDisableLogDropping disables the dropping of log messages when the log buffer is full. This can + significantly impact performance if log write-out is a bottleneck. 
[Default: false] type: boolean debugHost: + description: |- + DebugHost is the host IP or hostname to bind the debug port to. Only used + if DebugPort is set. [Default:localhost] type: string debugMemoryProfilePath: + description: + DebugMemoryProfilePath is the path to write the memory + profile to when triggered by signal. type: string debugPort: + description: |- + DebugPort if set, enables Felix's debug HTTP port, which allows memory and CPU profiles + to be retrieved. The debug port is not secure, it should not be exposed to the internet. type: integer debugSimulateCalcGraphHangAfter: + description: |- + DebugSimulateCalcGraphHangAfter is used to simulate a hang in the calculation graph after the specified duration. + This is useful in tests of the watchdog system only! pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string debugSimulateDataplaneApplyDelay: + description: |- + DebugSimulateDataplaneApplyDelay adds an artificial delay to every dataplane operation. This is useful for + simulating a heavily loaded system for test purposes only. pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string debugSimulateDataplaneHangAfter: + description: |- + DebugSimulateDataplaneHangAfter is used to simulate a hang in the dataplane after the specified duration. + This is useful in tests of the watchdog system only! pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string defaultEndpointToHostAction: + description: |- + DefaultEndpointToHostAction controls what happens to traffic that goes from a workload endpoint to the host + itself (after the endpoint's egress policy is applied). By default, Calico blocks traffic from workload + endpoints to the host itself with an iptables "DROP" action. If you want to allow some or all traffic from + endpoint to host, set this parameter to RETURN or ACCEPT. 
Use RETURN if you have your own rules in the iptables + "INPUT" chain; Calico will insert its rules at the top of that chain, then "RETURN" packets to the "INPUT" chain + once it has completed processing workload endpoint egress policy. Use ACCEPT to unconditionally accept packets + from workloads after processing workload endpoint egress policy. [Default: Drop] pattern: ^(?i)(Drop|Accept|Return)?$ type: string deletedMetricsRetentionSecs: + description: + DeletedMetricsRetentionSecs controls how long metrics + are retianed after the flow is gone. type: integer deviceRouteProtocol: + description: |- + DeviceRouteProtocol controls the protocol to set on routes programmed by Felix. The protocol is an 8-bit label + used to identify the owner of the route. type: integer deviceRouteSourceAddress: + description: |- + DeviceRouteSourceAddress IPv4 address to set as the source hint for routes programmed by Felix. When not set + the source address for local traffic from host to workload will be determined by the kernel. maxLength: 45 type: string deviceRouteSourceAddressIPv6: + description: |- + DeviceRouteSourceAddressIPv6 IPv6 address to set as the source hint for routes programmed by Felix. When not set + the source address for local traffic from host to workload will be determined by the kernel. maxLength: 45 type: string disableConntrackInvalidCheck: + description: |- + DisableConntrackInvalidCheck disables the check for invalid connections in conntrack. While the conntrack + invalid check helps to detect malicious traffic, it can also cause issues with certain multi-NIC scenarios. type: boolean dnsCacheEpoch: + description: |- + An arbitrary number that can be changed, at runtime, to tell Felix to discard all its + learnt DNS information. [Default: 0]. type: integer dnsCacheFile: + description: |- + The name of the file that Felix uses to preserve learnt DNS information when restarting. [Default: + "/var/run/calico/felix-dns-cache.txt"]. 
type: string dnsCacheSaveInterval: + description: |- + The periodic interval at which Felix saves learnt DNS information to the cache file. [Default: + 60s]. pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string dnsExtraTTL: + description: |- + Extra time to keep IPs and alias names that are learnt from DNS, in addition to each name + or IP's advertised TTL. [Default: 0s]. pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string dnsLogsFileAggregationKind: + description: |- + DNSLogsFileAggregationKind is used to choose the type of aggregation for DNS log entries. + [Default: 1 - client name prefix aggregation]. + Accepted values are 0 and 1. + 0 - No aggregation. + 1 - Aggregate over clients with the same name prefix. enum: - 0 - 1 type: integer dnsLogsFileDirectory: + description: |- + DNSLogsFileDirectory sets the directory where DNS log files are stored. + [Default: /var/log/calico/dnslogs] type: string dnsLogsFileEnabled: + description: |- + DNSLogsFileEnabled controls logging DNS logs to a file. If false no DNS logging to file will occur. + [Default: false] type: boolean dnsLogsFileIncludeLabels: + description: |- + DNSLogsFileIncludeLabels is used to configure if endpoint labels are included in a DNS log entry written to file. + [Default: true] type: boolean dnsLogsFileMaxFileSizeMB: + description: |- + DNSLogsFileMaxFileSizeMB sets the max size in MB of DNS log files before rotation. + [Default: 100] type: integer dnsLogsFileMaxFiles: + description: |- + DNSLogsFileMaxFiles sets the number of DNS log files to keep. + [Default: 5] type: integer dnsLogsFilePerNodeLimit: + description: |- + Limit on the number of DNS logs that can be emitted within each flush interval. When + this limit has been reached, Felix counts the number of unloggable DNS responses within + the flush interval, and emits a WARNING log with that count at the same time as it + flushes the buffered DNS logs. 
[Default: 0, meaning no limit] type: integer dnsLogsFlushInterval: + description: |- + DNSLogsFlushInterval configures the interval at which Felix exports DNS logs. + [Default: 300s] pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string dnsLogsLatency: + description: |- + DNSLogsLatency indicates to include measurements of DNS request/response latency in each DNS log. + [Default: true] type: boolean dnsPacketsNfqueueID: + description: |- + DNSPacketsNfqueueID is the NFQUEUE ID to use for capturing DNS packets to ensure programming IPSets occurs before + the response is released. Used when DNSPolicyMode is DelayDNSResponse. [Default: 101] type: integer dnsPacketsNfqueueMaxHoldDuration: + description: |- + DNSPacketsNfqueueMaxHoldDuration is the max length of time to hold on to a DNS response while waiting for the + the dataplane to be programmed. Used when DNSPolicyMode is DelayDNSResponse. + [Default: 3s] pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string dnsPacketsNfqueueSize: + description: |- + DNSPacketsNfqueueSize is the size of the NFQUEUE for captured DNS packets. This is the maximum number of DNS + packets that may be queued awaiting programming in the dataplane. Used when DNSPolicyMode is DelayDNSResponse. + [Default: 100] type: integer dnsPolicyMode: + description: |- + DNSPolicyMode specifies how DNS policy programming will be handled. + DelayDeniedPacket - Felix delays any denied packet that traversed a policy that included egress domain matches, + but did not match. The packet is released after a fixed time, or after the destination IP address was programmed. + DelayDNSResponse - Felix delays any DNS response until related IPSets are programmed. This introduces some + latency to all DNS packets (even when no IPSet programming is required), but it ensures policy hit statistics + are accurate. This is the recommended setting when you are making use of staged policies or policy rule hit + statistics. 
+ NoDelay - Felix does not introduce any delay to the packets. DNS rules may not have been programmed by the time + the first packet traverses the policy rules. Client applications need to handle reconnection attempts if initial + connection attempts fail. This may be problematic for some applications or for very low DNS TTLs. + + Inline - Parses DNS response inline with DNS response packet processing within IPTables. + This guarantees the DNS rules reflect any change immediately. + This mode works for iptables only and matches the same mode for BPFDNSPolicyMode. + This setting is ignored on Windows and "NoDelay" is always used. + + This setting is ignored by eBPF and BPFDNSPolicyMode is used instead. + + This field has no effect in NFTables mode. Please use NFTablesDNSPolicyMode instead. + [Default: Inline] enum: - NoDelay - DelayDeniedPacket 
@@ -302,50 +730,129 @@ spec: - Inline type: string dnsPolicyNfqueueID: + description: |- + DNSPolicyNfqueueID is the NFQUEUE ID to use for DNS Policy re-evaluation when the domains IP hasn't been programmed + to ipsets yet. Used when DNSPolicyMode is DelayDeniedPacket. [Default: 100] type: integer dnsPolicyNfqueueSize: + description: |- + DNSPolicyNfqueueID is the size of the NFQUEUE for DNS policy re-evaluation. This is the maximum number of denied + packets that may be queued up pending re-evaluation. + Used when DNSPolicyMode is DelayDeniedPacket. [Default: 100] type: integer dnsTrustedServers: + description: |- + The DNS servers that Felix should trust. Each entry here must be `[:]` - indicating an + explicit DNS server IP - or `k8s-service:[/][:port]` - indicating a Kubernetes DNS + service. `` defaults to the first service port, or 53 for an IP, and `` to + `kube-system`. An IPv6 address with a port must use the square brackets convention, for example + `[fd00:83a6::12]:5353`.Note that Felix (calico-node) will need RBAC permission to read the details of + each service specified by a `k8s-service:...` form. [Default: "k8s-service:kube-dns"]. items: type: string type: array dropActionOverride: + description: |- + DropActionOverride overrides the Drop action in Felix, optionally changing the behavior to Accept, and optionally adding Log. + Possible values are Drop, LogAndDrop, Accept, LogAndAccept. [Default: Drop] pattern: ^(?i)(Drop|LogAndDrop|Accept|LogAndAccept)?$ type: string egressGatewayPollFailureCount: + description: |- + EgressGatewayPollFailureCount is the minimum number of poll failures before a remote Egress Gateway is considered + to have failed. type: integer egressGatewayPollInterval: + description: |- + EgressGatewayPollInterval is the interval at which Felix will poll remote egress gateways to check their + health. Only Egress Gateways with a named "health" port will be polled in this way. 
Egress Gateways that + fail the health check will be taken our of use as if they have been deleted. pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string egressIPHostIfacePattern: + description: |- + EgressIPHostIfacePattern is a comma-separated list of interface names which might send and receive egress traffic + across the cluster boundary, after it has left an Egress Gateway pod. Felix will ensure `src_valid_mark` sysctl flags + are set correctly for matching interfaces. + To target multiple interfaces with a single string, the list supports regular expressions. + For regular expressions, wrap the value with `/`. + Example: `/^bond/,eth0` will match all interfaces that begin with `bond` and also the interface `eth0`. [Default: ""] type: string egressIPRoutingRulePriority: + description: + "EgressIPRoutingRulePriority controls the priority value + to use for the egress IP routing rule. [Default: 100]" type: integer egressIPSupport: + description: |- + EgressIPSupport defines three different support modes for egress IP function. [Default: Disabled] + - Disabled: Egress IP function is disabled. + - EnabledPerNamespace: Egress IP function is enabled and can be configured on a per-namespace basis; + per-pod egress annotations are ignored. + - EnabledPerNamespaceOrPerPod: Egress IP function is enabled and can be configured per-namespace or per-pod, + with per-pod egress annotations overriding namespace annotations. pattern: ^(?i)(Disabled|EnabledPerNamespace|EnabledPerNamespaceOrPerPod)?$ type: string egressIPVXLANPort: + description: + "EgressIPVXLANPort is the port number of vxlan tunnel + device for egress traffic. [Default: 4790]" type: integer egressIPVXLANVNI: + description: + "EgressIPVXLANVNI is the VNI ID of vxlan tunnel device + for egress traffic. [Default: 4097]" type: integer endpointReportingDelay: + description: |- + EndpointReportingDelay is the delay before Felix reports endpoint status to the datastore. 
This is only used + by the OpenStack integration. [Default: 1s] pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string endpointReportingEnabled: + description: |- + EndpointReportingEnabled controls whether Felix reports endpoint status to the datastore. This is only used + by the OpenStack integration. [Default: false] type: boolean endpointStatusPathPrefix: + description: |- + EndpointStatusPathPrefix is the path to the directory where endpoint status will be written. Endpoint status + file reporting is disabled if field is left empty. + + Chosen directory should match the directory used by the CNI plugin for PodStartupDelay. + [Default: /var/run/calico] type: string externalNetworkRoutingRulePriority: + description: + "ExternalNetworkRoutingRulePriority controls the priority + value to use for the external network routing rule. [Default: 102]" type: integer externalNetworkSupport: + description: |- + ExternalNetworkSupport defines two different support modes for external network function. [Default: Disabled] + - Disabled: External network function is disabled. + - Enabled: External network function is enabled. pattern: ^(?i)(Disabled|Enabled)?$ type: string externalNodesList: + description: |- + ExternalNodesCIDRList is a list of CIDR's of external, non-Calico nodes from which VXLAN/IPIP overlay traffic + will be allowed. By default, external tunneled traffic is blocked to reduce attack surface. items: type: string type: array failsafeInboundHostPorts: + description: |- + FailsafeInboundHostPorts is a list of ProtoPort struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will + allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally + cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, + it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. 
To disable all inbound host ports, + use the value "[]". The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. + [Default: tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667 ] items: + description: + ProtoPort is combination of protocol, port, and CIDR. + Protocol and port must be specified. properties: net: type: string @@ -358,7 +865,18 @@ spec: type: object type: array failsafeOutboundHostPorts: + description: |- + FailsafeOutboundHostPorts is a list of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix + will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally + cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults + to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, + use the value "[]". The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd + as well as allowing DHCP, DNS, BGP and the Kubernetes API. + [Default: udp:53, udp:67, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667 ] items: + description: + ProtoPort is combination of protocol, port, and CIDR. + Protocol and port must be specified. properties: net: type: string 
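Review bot: The new `dropActionOverride` description says the Drop action can be changed to `Accept`/`LogAndAccept` but never spells out the consequence: every Deny in every policy becomes an allow on each node that consumes this FelixConfiguration, so the field is effectively a cluster-wide enforcement bypass, and a user reaching for `LogAndDrop` is one word away from it. Add a sentence such as `Accept and LogAndAccept cause traffic that policy would otherwise drop to be allowed on every node using this configuration; LogAndDrop adds logging without changing enforcement.` Separately, two descriptions open with the wrong identifier — `dnsPolicyNfqueueSize` starts `DNSPolicyNfqueueID is the size of the NFQUEUE` and `externalNodesList` starts `ExternalNodesCIDRList is a list of CIDR's` — and `egressGatewayPollInterval` reads `taken our of use` for `taken out of use`. If this CRD is generated by controller-gen, as the TypeMeta boilerplate suggests, these texts come from the Go type comments and should be corrected there so the next regeneration does not undo the fix.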
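Review bot: The new `failsafeOutboundHostPorts` description says `If a CIDR is not specified, it will allow traffic from all addresses`, which is copied from the inbound field; for a rule that allows `outgoing traffic from host endpoints to` the listed ports, the `net` CIDR presumably constrains the destination, so the sentence should read `If a CIDR is not specified, it will allow traffic to all addresses.` Worth stating the direction explicitly, since these entries bypass policy and a reader deciding whether to set `net` needs to know which side it filters. The `ProtoPort` item description added here (`Protocol and port must be specified`) also contradicts the field description two lines above it, which says the protocol defaults to `tcp` when omitted; one of the two should be corrected. If this file is generated from Go type comments, fix it at the source.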
@@ -371,41 +889,101 @@ spec: type: object type: array featureDetectOverride: + description: |- + FeatureDetectOverride is used to override feature detection based on auto-detected platform + capabilities. Values are specified in a comma separated list with no spaces, example; + "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". A value of "true" or "false" will + force enable/disable feature, empty or omitted values fall back to auto-detection. pattern: ^([a-zA-Z0-9-_]+=(true|false|),)*([a-zA-Z0-9-_]+=(true|false|))?$ type: string featureGates: + description: |- + FeatureGates is used to enable or disable tech-preview Calico features. + Values are specified in a comma separated list with no spaces, example; + "BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false". This is + used to enable features that are not fully production ready. pattern: ^([a-zA-Z0-9-_]+=([^=]+),)*([a-zA-Z0-9-_]+=([^=]+))?$ type: string floatingIPs: + description: |- + FloatingIPs configures whether or not Felix will program non-OpenStack floating IP addresses. (OpenStack-derived + floating IPs are always programmed, regardless of this setting.) enum: - Enabled - Disabled type: string flowLogsAggregationThresholdBytes: + description: |- + FlowLogsAggregationThresholdBytes is used specify how far behind the external pipeline that reads flow logs can be. Default is 8192 bytes. + This parameter only takes effect when FlowLogsDynamicAggregationEnabled is set to true. type: integer flowLogsCollectProcessInfo: + description: + "FlowLogsCollectProcessInfo, if enabled Felix will load + the kprobe BPF programs to collect process info. 
[Default: false]" type: boolean flowLogsCollectProcessPath: + description: |- + When FlowLogsCollectProcessPath and FlowLogsCollectProcessInfo are + both enabled, each flow log will include information about the process + that is sending or receiving the packets in that flow: the + `process_name` field will contain the full path of the process + executable, and the `process_args` field will have the arguments with + which the executable was invoked. Process information will not be + reported for connections which use raw sockets. type: boolean flowLogsCollectTcpStats: + description: + FlowLogsCollectTcpStats enables flow logs reporting TCP + socket stats type: boolean flowLogsCollectorDebugTrace: + description: |- + When FlowLogsCollectorDebugTrace is set to true, enables the logs in the collector to be + printed in their entirety. type: boolean flowLogsDestDomainsByClient: + description: |- + FlowLogsDestDomainsByClient is used to configure if the source IP is used in the mapping of top + level destination domains. [Default: true] type: boolean flowLogsDynamicAggregationEnabled: + description: + FlowLogsDynamicAggregationEnabled is used to enable/disable + dynamically changing aggregation levels. Default is true. type: boolean flowLogsEnableHostEndpoint: + description: + FlowLogsEnableHostEndpoint enables Flow logs reporting + for HostEndpoints. type: boolean flowLogsEnableNetworkSets: + description: + FlowLogsEnableNetworkSets enables Flow logs reporting + for GlobalNetworkSets. type: boolean flowLogsFileAggregationKindForAllowed: + description: |- + FlowLogsFileAggregationKindForAllowed is used to choose the type of aggregation for flow log entries created for + allowed connections. [Default: 2 - pod prefix name based aggregation]. + Accepted values are 0, 1 and 2. + 0 - No aggregation. + 1 - Source port based aggregation. + 2 - Pod prefix name based aggreagation. 
enum: - 0 - 1 - 2 type: integer flowLogsFileAggregationKindForDenied: + description: |- + FlowLogsFileAggregationKindForDenied is used to choose the type of aggregation for flow log entries created for + denied connections. [Default: 1 - source port based aggregation]. + Accepted values are 0, 1 and 2. + 0 - No aggregation. + 1 - Source port based aggregation. + 2 - Pod prefix name based aggregation. + 3 - No destination ports based aggregation. enum: - 0 - 1 
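Review bot: The new `flowLogsFileAggregationKindForDenied` description says `Accepted values are 0, 1 and 2.` while the same text lists `3 - No destination ports based aggregation.` and the `enum` immediately below (continuing into the next hunk) includes `3`; change the sentence to `Accepted values are 0, 1, 2 and 3.` so the documentation matches the schema. The sibling `flowLogsFileAggregationKindForAllowed` description has the typo `aggreagation`. Both are doc-only, but if this CRD is generated by controller-gen the fix belongs in the Go type comments, otherwise it will be regenerated away.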
@@ -413,64 +991,183 @@ spec: - 3 type: integer flowLogsFileDirectory: + description: + FlowLogsFileDirectory sets the directory where flow logs + files are stored. type: string flowLogsFileDomainsLimit: + description: |- + FlowLogsFileDomainsLimit is used to configure the number of (destination) domains to include in the flow log. + These are not included for workload or host endpoint destinations. + [Default: 5] type: integer flowLogsFileEnabled: + description: + FlowLogsFileEnabled when set to true, enables logging + flow logs to a file. If false no flow logging to file will occur. type: boolean flowLogsFileEnabledForAllowed: + description: |- + FlowLogsFileEnabledForAllowed is used to enable/disable flow logs entries created for allowed connections. Default is true. + This parameter only takes effect when FlowLogsFileReporterEnabled is set to true. type: boolean flowLogsFileEnabledForDenied: + description: |- + FlowLogsFileEnabledForDenied is used to enable/disable flow logs entries created for denied flows. Default is true. + This parameter only takes effect when FlowLogsFileReporterEnabled is set to true. type: boolean flowLogsFileIncludeLabels: + description: + FlowLogsFileIncludeLabels is used to configure if endpoint + labels are included in a Flow log entry written to file. type: boolean flowLogsFileIncludePolicies: + description: + FlowLogsFileIncludePolicies is used to configure if policy + information are included in a Flow log entry written to file. type: boolean flowLogsFileIncludeService: + description: |- + FlowLogsFileIncludeService is used to configure if the destination service is included in a Flow log entry written to file. + The service information can only be included if the flow was explicitly determined to be directed at the service (e.g. + when the pre-DNAT destination corresponds to the service ClusterIP and port). 
type: boolean flowLogsFileMaxFileSizeMB: + description: + FlowLogsFileMaxFileSizeMB sets the max size in MB of + flow logs files before rotation. type: integer flowLogsFileMaxFiles: + description: + FlowLogsFileMaxFiles sets the number of log files to + keep. type: integer flowLogsFileNatOutgoingPortLimit: + description: |- + FlowLogsFileNatOutgoingPortLimit is used to specify the maximum number of distinct post SNAT ports that will appear + in the flowLogs. Default value is 3 type: integer flowLogsFilePerFlowProcessArgsLimit: + description: |- + FlowLogsFilePerFlowProcessArgsLimit is used to specify the maximum number of distinct process args that will appear in the flowLogs. + Default value is 5 type: integer flowLogsFilePerFlowProcessLimit: + description: |- + FlowLogsFilePerFlowProcessLimit, is used to specify the maximum number of flow log entries with distinct process information + beyond which process information will be aggregated. [Default: 2] type: integer flowLogsFlushInterval: + description: + FlowLogsFlushInterval configures the interval at which + Felix exports flow logs. pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string flowLogsGoldmaneServer: + description: + FlowLogGoldmaneServer is the flow server endpoint to + which flow data should be published. type: string flowLogsLocalReporter: + description: + "FlowLogsLocalReporter configures local unix socket for + reporting flow data from each node. [Default: Disabled]" enum: - Disabled - Enabled type: string flowLogsMaxOriginalIPsIncluded: + description: + FlowLogsMaxOriginalIPsIncluded specifies the number of + unique IP addresses (if relevant) that should be included in Flow + logs. type: integer flowLogsPolicyEvaluationMode: + description: |- + FlowLogsPolicyEvaluationMode defines how policies are evaluated and reflected in flow logs. + OnNewConnection - In this mode, staged policies are only evaluated when new connections are + made in the dataplane. 
Staged/active policy changes will not be reflected in the + `pending_policies` field of flow logs for long lived connections. + Continuous - Felix evaluates active flows on a regular basis to determine the rule + traces in the flow logs. Any policy updates that impact a flow will be reflected in the + pending_policies field, offering a near-real-time view of policy changes across flows. + [Default: Continuous] type: string flowLogsPolicyScope: + description: |- + FlowLogsPolicyScope controls which policies are included in flow logs. + AllPolicies - Processes both transit policies for the local node and + endpoint policies derived from packet source/destination IPs. Provides comprehensive + visibility into all policy evaluations but increases log volume. + EndpointPolicies - Processes only policies for endpoints identified as the source + or destination of the packet (whether workload or host endpoints). + [Default: EndpointPolicies] type: string flowLogsPositionFilePath: + description: |- + FlowLogsPositionFilePath is used specify the position of the external pipeline that reads flow logs. Default is /var/log/calico/flows.log.pos. + This parameter only takes effect when FlowLogsDynamicAggregationEnabled is set to true. type: string genericXDPEnabled: + description: |- + GenericXDPEnabled enables Generic XDP so network cards that don't support XDP offload or driver + modes can use XDP. This is not recommended since it doesn't provide better performance than + iptables. [Default: false] type: boolean goGCThreshold: + description: |- + GoGCThreshold Sets the Go runtime's garbage collection threshold. I.e. the percentage that the heap is + allowed to grow before garbage collection is triggered. In general, doubling the value halves the CPU time + spent doing GC, but it also doubles peak GC memory overhead. A special value of -1 can be used + to disable GC entirely; this should only be used in conjunction with the GoMemoryLimitMB setting. 
+ + This setting is overridden by the GOGC environment variable. + + [Default: 40] type: integer goMaxProcs: + description: |- + GoMaxProcs sets the maximum number of CPUs that the Go runtime will use concurrently. A value of -1 means + "use the system default"; typically the number of real CPUs on the system. + + this setting is overridden by the GOMAXPROCS environment variable. + + [Default: -1] type: integer goMemoryLimitMB: + description: |- + GoMemoryLimitMB sets a (soft) memory limit for the Go runtime in MB. The Go runtime will try to keep its memory + usage under the limit by triggering GC as needed. To avoid thrashing, it will exceed the limit if GC starts to + take more than 50% of the process's CPU time. A value of -1 disables the memory limit. + + Note that the memory limit, if used, must be considerably less than any hard resource limit set at the container + or pod level. This is because felix is not the only process that must run in the container or pod. + + This setting is overridden by the GOMEMLIMIT environment variable. + + [Default: -1] type: integer healthEnabled: + description: |- + HealthEnabled if set to true, enables Felix's health port, which provides readiness and liveness endpoints. + [Default: false] type: boolean healthHost: + description: + "HealthHost is the host that the health server should + bind to. [Default: localhost]" type: string healthPort: + description: + "HealthPort is the TCP port that the health server should + bind to. [Default: 9099]" type: integer healthTimeoutOverrides: + description: |- + HealthTimeoutOverrides allows the internal watchdog timeouts of individual subcomponents to be + overridden. This is useful for working around "false positive" liveness timeouts that can occur + in particularly stressful workloads or if CPU is constrained. For a list of active + subcomponents, see Felix's logs. items: properties: name: 
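Review bot: The new descriptions for `flowLogsPolicyEvaluationMode` and `flowLogsPolicyScope` each document exactly two accepted values (`OnNewConnection`/`Continuous`, `AllPolicies`/`EndpointPolicies`), yet neither field carries an `enum` or `pattern`, unlike `flowLogsLocalReporter` and `dnsPolicyMode` in this same file, so a misspelled value is accepted by the apiserver and whatever Felix does with an unrecognised string is invisible to the operator. Unless Felix deliberately accepts other spellings (not visible here), add `enum: [OnNewConnection, Continuous]` and `enum: [AllPolicies, EndpointPolicies]` (or a case-insensitive `pattern` as used elsewhere in this file) so bad input fails at admission. Minor: the `flowLogsGoldmaneServer` description opens with `FlowLogGoldmaneServer`, not the field's name. If the schema is generated from Go types, the enum comes from a kubebuilder validation marker on the field rather than a YAML edit.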
@@ -484,39 +1181,91 @@ spec: type: array x-kubernetes-list-type: atomic interfaceExclude: + description: |- + InterfaceExclude A comma-separated list of interface names that should be excluded when Felix is resolving + host endpoints. The default value ensures that Felix ignores Kubernetes' internal `kube-ipvs0` device. If you + want to exclude multiple interface names using a single value, the list supports regular expressions. For + regular expressions you must wrap the value with `/`. For example having values `/^kube/,veth1` will exclude + all interfaces that begin with `kube` and also the interface `veth1`. [Default: kube-ipvs0] type: string interfacePrefix: + description: |- + InterfacePrefix is the interface name prefix that identifies workload endpoints and so distinguishes + them from host endpoint interfaces. Note: in environments other than bare metal, the orchestrators + configure this appropriately. For example our Kubernetes and Docker integrations set the 'cali' value, + and our OpenStack integration sets the 'tap' value. [Default: cali] type: string interfaceRefreshInterval: + description: |- + InterfaceRefreshInterval is the period at which Felix rescans local interfaces to verify their state. + The rescan can be disabled by setting the interval to 0. pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string ipForwarding: + description: |- + IPForwarding controls whether Felix sets the host sysctls to enable IP forwarding. IP forwarding is required + when using Calico for workload networking. This should be disabled only on hosts where Calico is used solely for + host protection. In BPF mode, due to a kernel interaction, either IPForwarding must be enabled or BPFEnforceRPF + must be disabled. [Default: Enabled] enum: - Enabled - Disabled type: string ipipEnabled: + description: |- + IPIPEnabled overrides whether Felix should configure an IPIP interface on the host. Optional as Felix + determines this based on the existing IP pools. 
[Default: nil (unset)] type: boolean ipipMTU: + description: |- + IPIPMTU controls the MTU to set on the IPIP tunnel device. Optional as Felix auto-detects the MTU based on the + MTU of the host's interfaces. [Default: 0 (auto-detect)] type: integer ipsecAllowUnsecuredTraffic: + description: |- + IPSecAllowUnsecuredTraffic controls whether non-IPsec traffic is allowed in addition to IPsec traffic. Enabling this + negates the anti-spoofing protections of IPsec but it is useful when migrating to/from IPsec. [Default: false] type: boolean ipsecESPAlgorithm: + description: + "IPSecESAlgorithm sets IPSec ESP algorithm. Default is + NIST suite B recommendation. [Default: aes128gcm16-ecp256]" type: string ipsecIKEAlgorithm: + description: + "IPSecIKEAlgorithm sets IPSec IKE algorithm. Default + is NIST suite B recommendation. [Default: aes128gcm16-prfsha256-ecp256]" type: string ipsecLogLevel: + description: |- + IPSecLogLevel controls log level for IPSec components. Set to None for no logging. + A generic log level terminology is used [None, Notice, Info, Debug, Verbose]. + [Default: Info] pattern: ^(?i)(None|Notice|Info|Debug|Verbose)?$ type: string ipsecMode: + description: |- + IPSecMode controls which mode IPSec is operating on. + Default value means IPSec is not enabled. [Default: ""] type: string ipsecPolicyRefreshInterval: + description: |- + IPSecPolicyRefreshInterval is the interval at which Felix will check the kernel’s IPsec policy tables and + repair any inconsistencies. [Default: 600s] pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string ipsetsRefreshInterval: + description: |- + IpsetsRefreshInterval controls the period at which Felix re-checks all IP sets to look for discrepancies. + Set to 0 to disable the periodic refresh. [Default: 90s] pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string iptablesBackend: + description: |- + IptablesBackend controls which backend of iptables will be used. The default is `Auto`. 
+ + Warning: changing this on a running system can leave "orphaned" rules in the "other" backend. These + should be cleaned up to avoid confusing interactions. enum: - Legacy - NFT 
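Review bot: The new `ipsecESPAlgorithm` description opens with `IPSecESAlgorithm sets IPSec ESP algorithm`, misnaming the field; it should read `IPSecESPAlgorithm sets the IPsec ESP algorithm.` More useful for an operator, the `ipsecMode` description says only that the default (empty) means IPsec is not enabled and names no enabling values, while the field has no `enum`/`pattern` either — so the one switch that turns encryption on for pod traffic is undocumented and unvalidated in the schema. If the accepted set is fixed, list it in the description and add a matching `pattern` like the `ipsecLogLevel` field beside it; I have not inferred the values here because they are not visible in this diff. Since `ipsecAllowUnsecuredTraffic` already carries a clear warning that enabling it negates IPsec's anti-spoofing protection, the same level of care for `ipsecMode` would be consistent. If this CRD is generated, make the change in the Go type comments and validation markers.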
@@ -524,50 +1273,120 @@ spec: pattern: ^(?i)(Auto|Legacy|NFT)?$ type: string iptablesFilterAllowAction: + description: |- + IptablesFilterAllowAction controls what happens to traffic that is accepted by a Felix policy chain in the + iptables filter table (which is used for "normal" policy). The default will immediately `Accept` the traffic. Use + `Return` to send the traffic back up to the system chains for further processing. pattern: ^(?i)(Accept|Return)?$ type: string iptablesFilterDenyAction: + description: |- + IptablesFilterDenyAction controls what happens to traffic that is denied by network policy. By default Calico blocks traffic + with an iptables "DROP" action. If you want to use "REJECT" action instead you can configure it in here. pattern: ^(?i)(Drop|Reject)?$ type: string iptablesLockProbeInterval: + description: |- + IptablesLockProbeInterval configures the interval between attempts to claim + the xtables lock. Shorter intervals are more responsive but use more CPU. [Default: 50ms] pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string iptablesMangleAllowAction: + description: |- + IptablesMangleAllowAction controls what happens to traffic that is accepted by a Felix policy chain in the + iptables mangle table (which is used for "pre-DNAT" policy). The default will immediately `Accept` the traffic. + Use `Return` to send the traffic back up to the system chains for further processing. pattern: ^(?i)(Accept|Return)?$ type: string iptablesMarkMask: + description: |- + IptablesMarkMask is the mask that Felix selects its IPTables Mark bits from. Should be a 32 bit hexadecimal + number with at least 8 bits set, none of which clash with any other mark bits in use on the system. + [Default: 0xffff0000] format: int32 type: integer iptablesNATOutgoingInterfaceFilter: + description: |- + This parameter can be used to limit the host interfaces on which Calico will apply SNAT to traffic leaving a + Calico IPAM pool with "NAT outgoing" enabled. 
This can be useful if you have a main data interface, where + traffic should be SNATted and a secondary device (such as the docker bridge) which is local to the host and + doesn't require SNAT. This parameter uses the iptables interface matching syntax, which allows + as a + wildcard. Most users will not need to set this. Example: if your data interfaces are eth0 and eth1 and you + want to exclude the docker bridge, you could set this to eth+ type: string iptablesPostWriteCheckInterval: + description: |- + IptablesPostWriteCheckInterval is the period after Felix has done a write + to the dataplane that it schedules an extra read back in order to check the write was not + clobbered by another process. This should only occur if another application on the system + doesn't respect the iptables lock. [Default: 1s] pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string iptablesRefreshInterval: + description: |- + IptablesRefreshInterval is the period at which Felix re-checks the IP sets + in the dataplane to ensure that no other process has accidentally broken Calico's rules. + Set to 0 to disable IP sets refresh. Note: the default for this value is lower than the + other refresh intervals as a workaround for a Linux kernel bug that was fixed in kernel + version 4.11. If you are using v4.11 or greater you may want to set this to, a higher value + to reduce Felix CPU usage. [Default: 10s] pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string ipv4ElevatedRoutePriority: + description: |- + Route Priority value for an elevated priority Calico-programmed IPv4 route. Note, higher + values mean lower priority. Elevated priority is used during VM live migration, and for + optimal behaviour IPv4ElevatedRoutePriority must be less than IPv4NormalRoutePriority + [Default: 512] type: integer ipv4NormalRoutePriority: + description: |- + Route Priority value for a normal priority Calico-programmed IPv4 route. Note, higher + values mean lower priority. 
[Default: 1024] type: integer ipv6ElevatedRoutePriority: + description: |- + Route Priority value for an elevated priority Calico-programmed IPv6 route. Note, higher + values mean lower priority. Elevated priority is used during VM live migration, and for + optimal behaviour IPv6ElevatedRoutePriority must be less than IPv6NormalRoutePriority + [Default: 512] type: integer ipv6NormalRoutePriority: + description: |- + Route Priority value for a normal priority Calico-programmed IPv6 route. Note, higher + values mean lower priority. [Default: 1024] type: integer ipv6Support: + description: + IPv6Support controls whether Felix enables support for + IPv6 (if supported by the in-use dataplane). type: boolean istioAmbientMode: + description: |- + IstioAmbientMode configures Felix to work together with Tigera's Istio distribution. + [Default: Disabled] enum: - Enabled - Disabled type: string istioDSCPMark: + description: |- + IstioDSCPMark sets the value to use when directing traffic to Istio ZTunnel, when Istio is enabled. The mark is set only on + SYN packets at the final hop to avoid interference with other protocols. This value is reserved by Calico and must not be used + with other Istio installation. [Default: 23] pattern: ^.* type: integer x-kubernetes-int-or-string: true kubeMasqueradeBit: + description: |- + KubeMasqueradeBit should be set to the same value as --iptables-masquerade-bit of kube-proxy + when TPROXY is used. The default is the same as kube-proxy default thus only needs a change + if kube-proxy is using a non-standard setting. Must be within the range of 0-31. [Default: 14] type: integer kubeNodePortRanges: + description: |- + KubeNodePortRanges holds list of port ranges used for service node ports. Only used if felix detects kube-proxy running in ipvs mode. + Felix uses these ranges to separate host and workload traffic. [Default: 30000:32767]. items: anyOf: - type: integer 
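Review bot: The new `iptablesMarkMask` description gives the default as `0xffff0000`, but the field is declared `format: int32`, and 0xffff0000 (4294901760) exceeds the int32 maximum of 2147483647; if the apiserver enforces the format range on this integer, any mask with the top bit set — including the documented default — is rejected at admission, so either the format should be `int64` (the Go field is presumably an unsigned 32-bit value) or the description should say which values are actually accepted. Please confirm against the Go type and the generator output rather than hand-editing this file. In the same hunk, `kubeMasqueradeBit` documents `Must be within the range of 0-31` without a schema constraint; adding `minimum: 0` and `maximum: 31` would make that statement enforceable, since an out-of-range bit here silently collides with other mark users in the dataplane.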
@@ -577,83 +1396,221 @@ spec: maxItems: 7 type: array l7LogsFileAggregationDestinationInfo: + description: |- + L7LogsFileAggregationDestinationInfo is used to choose the type of aggregation for the destination metadata on L7 log entries. + [Default: IncludeL7DestinationInfo - include destination metadata]. + Accepted values are IncludeL7DestinationInfo and ExcludeL7DestinationInfo. + IncludeL7DestinationInfo - Include destination metadata in the logs. + ExcludeL7DestinationInfo - Aggregate over all other fields ignoring the destination aggregated name, namespace, and type. pattern: ^(?i)(IncludeL7DestinationInfo|ExcludeL7DestinationInfo)?$ type: string l7LogsFileAggregationHTTPHeaderInfo: + description: |- + L7LogsFileAggregationHTTPHeaderInfo is used to choose the type of aggregation for HTTP header data on L7 log entries. + [Default: ExcludeL7HTTPHeaderInfo - http header info removal]. + Accepted values are IncludeL7HTTPHeaderInfo and ExcludeL7HTTPHeaderInfo. + IncludeL7HTTPHeaderInfo - Include HTTP header data in the logs. + ExcludeL7HTTPHeaderInfo - Aggregate over all other fields ignoring the user agent and log type. pattern: ^(?i)(IncludeL7HTTPHeaderInfo|ExcludeL7HTTPHeaderInfo)?$ type: string l7LogsFileAggregationHTTPMethod: + description: |- + L7LogsFileAggregationHTTPMethod is used to choose the type of aggregation for the HTTP request method on L7 log entries. + [Default: IncludeL7HTTPMethod - include the HTTP method]. + Accepted values are IncludeL7HTTPMethod and ExcludeL7HTTPMethod. + IncludeL7HTTPMethod - Include HTTP method in the logs. + ExcludeL7HTTPMethod - Aggregate over all other fields ignoring the HTTP method. pattern: ^(?i)(IncludeL7HTTPMethod|ExcludeL7HTTPMethod)?$ type: string l7LogsFileAggregationNumURLPath: + description: |- + L7LogsFileAggregationNumURLPath is used to choose the number of components in the url path to display. + This allows for the url to be truncated in case parts of the path provide no value. 
Setting this value + to negative will allow all parts of the path to be displayed. + [Default: 5]. type: integer l7LogsFileAggregationResponseCode: + description: |- + L7LogsFileAggregationResponseCode is used to choose the type of aggregation for the response code on L7 log entries. + [Default: IncludeL7ResponseCode - include the response code]. + Accepted values are IncludeL7ResponseCode and ExcludeL7ResponseCode. + IncludeL7ResponseCode - Include the response code in the logs. + ExcludeL7ResponseCode - Aggregate over all other fields ignoring the response code. pattern: ^(?i)(IncludeL7ResponseCode|ExcludeL7ResponseCode)?$ type: string l7LogsFileAggregationServiceInfo: + description: |- + L7LogsFileAggregationServiceInfo is used to choose the type of aggregation for the service data on L7 log entries. + [Default: IncludeL7ServiceInfo - include service data]. + Accepted values are IncludeL7ServiceInfo and ExcludeL7ServiceInfo. + IncludeL7ServiceInfo - Include service data in the logs. + ExcludeL7ServiceInfo - Aggregate over all other fields ignoring the service name, namespace, and port. pattern: ^(?i)(IncludeL7ServiceInfo|ExcludeL7ServiceInfo)?$ type: string l7LogsFileAggregationSourceInfo: + description: |- + L7LogsFileAggregationExcludeSourceInfo is used to choose the type of aggregation for the source metadata on L7 log entries. + [Default: IncludeL7SourceInfoNoPort - include all source metadata except for the source port]. + Accepted values are IncludeL7SourceInfo, IncludeL7SourceInfoNoPort, and ExcludeL7SourceInfo. + IncludeL7SourceInfo - Include source metadata in the logs. + IncludeL7SourceInfoNoPort - Include source metadata in the logs excluding the source port. + ExcludeL7SourceInfo - Aggregate over all other fields ignoring the source aggregated name, namespace, and type. 
pattern: ^(?i)(IncludeL7SourceInfo|IncludeL7SourceInfoNoPort|ExcludeL7SourceInfo)?$ type: string l7LogsFileAggregationTrimURL: + description: |- + L7LogsFileAggregationTrimURL is used to choose the type of aggregation for the url on L7 log entries. + [Default: IncludeL7FullURL - include the full URL up to however many path components are allowed by L7LogsFileAggregationNumURLPath]. + Accepted values: + IncludeL7FullURL - Include the full URL up to however many path components are allowed by L7LogsFileAggregationNumURLPath. + TrimURLQuery - Aggregate over all other fields ignoring the query parameters on the URL. + TrimURLQueryAndPath - Aggregate over all other fields and the base URL only. + ExcludeL7URL - Aggregate over all other fields ignoring the URL entirely. pattern: ^(?i)(IncludeL7FullURL|TrimURLQuery|TrimURLQueryAndPath|ExcludeL7URL)?$ type: string l7LogsFileAggregationURLCharLimit: + description: |- + Limit on the length of the URL collected in L7 logs. When a URL length reaches this limit + it is sliced off, and the sliced URL is sent to log storage. [Default: 250] type: integer l7LogsFileDirectory: + description: |- + L7LogsFileDirectory sets the directory where L7 log files are stored. + [Default: /var/log/calico/l7logs] type: string l7LogsFileEnabled: + description: |- + L7LogsFileEnabled controls logging L7 logs to a file. If false no L7 logging to file will occur. + [Default: true] type: boolean l7LogsFileMaxFileSizeMB: + description: |- + L7LogsFileMaxFileSizeMB sets the max size in MB of L7 log files before rotation. + [Default: 100] type: integer l7LogsFileMaxFiles: + description: |- + L7LogsFileMaxFiles sets the number of L7 log files to keep. + [Default: 5] type: integer l7LogsFilePerNodeLimit: + description: |- + Limit on the number of L7 logs that can be emitted within each flush interval. 
When + this limit has been reached, Felix counts the number of unloggable L7 responses within + the flush interval, and emits a WARNING log with that count at the same time as it + flushes the buffered L7 logs. A value of 0 means no limit. [Default: 1500] type: integer l7LogsFlushInterval: + description: |- + L7LogsFlushInterval configures the interval at which Felix exports L7 logs. + [Default: 300s] pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string liveMigrationRouteConvergenceTime: + description: |- + LiveMigrationRouteConvergenceTime is the time to keep elevated route priority after a + VM live migration completes. This allows routes to converge across the cluster before + reverting to normal priority. [Default: 30s] pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))*$ type: string logActionRateLimit: + description: |- + LogActionRateLimit sets the rate of hitting a Log action. The value must be in the format "N/unit", + where N is a number and unit is one of: second, minute, hour, or day. For example: "10/second" or "100/hour". pattern: ^[1-9]\d{0,3}/(?:second|minute|hour|day)$ type: string logActionRateLimitBurst: + description: + LogActionRateLimitBurst sets the rate limit burst of + hitting a Log action when LogActionRateLimit is enabled. maximum: 9999 minimum: 0 type: integer logDebugFilenameRegex: + description: |- + LogDebugFilenameRegex controls which source code files have their Debug log output included in the logs. + Only logs from files with names that match the given regular expression are included. The filter only applies + to Debug level logs. type: string logDropActionOverride: + description: + LogDropActionOverride specifies whether or not to include + the DropActionOverride in the logs when it is triggered. type: boolean logFilePath: + description: + "LogFilePath is the full path to the Felix log. Set to + none to disable file logging. 
[Default: /var/log/calico/felix.log]" type: string logPrefix: + description: |- + LogPrefix is the log prefix that Felix uses when rendering LOG rules. It is possible to use the following specifiers + to include extra information in the log prefix. + - %t: Tier name. + - %k: Kind (short names). + - %n: Policy or profile name. + - %p: Policy or profile name (namespace/name for namespaced kinds or just name for non namespaced kinds). + Calico includes ": " characters at the end of the generated log prefix. + Note that iptables shows up to 29 characters for the log prefix and nftables up to 127 characters. Extra characters are truncated. + [Default: calico-packet] pattern: "^([a-zA-Z0-9%: /_-])*$" type: string logSeverityFile: + description: + "LogSeverityFile is the log severity above which logs + are sent to the log file. [Default: Info]" pattern: ^(?i)(Trace|Debug|Info|Warning|Error|Fatal)?$ type: string logSeverityScreen: + description: + "LogSeverityScreen is the log severity above which logs + are sent to the stdout. [Default: Info]" pattern: ^(?i)(Trace|Debug|Info|Warning|Error|Fatal)?$ type: string logSeveritySys: + description: |- + LogSeveritySys is the log severity above which logs are sent to the syslog. Set to None for no logging to syslog. + [Default: Info] pattern: ^(?i)(Trace|Debug|Info|Warning|Error|Fatal)?$ type: string maxIpsetSize: + description: |- + MaxIpsetSize is the maximum number of IP addresses that can be stored in an IP set. Not applicable + if using the nftables backend. type: integer metadataAddr: + description: |- + MetadataAddr is the IP address or domain name of the server that can answer VM queries for + cloud-init metadata. In OpenStack, this corresponds to the machine running nova-api (or in + Ubuntu, nova-api-metadata). A value of none (case-insensitive) means that Felix should not + set up any NAT rule for the metadata path. 
[Default: 127.0.0.1] type: string metadataPort: + description: |- + MetadataPort is the port of the metadata server. This, combined with global.MetadataAddr (if + not 'None'), is used to set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort. + In most cases this should not need to be changed [Default: 8775]. type: integer mtuIfacePattern: + description: |- + MTUIfacePattern is a regular expression that controls which interfaces Felix should scan in order + to calculate the host's MTU. + This should not match workload interfaces (usually named cali...). type: string natOutgoingAddress: + description: |- + NATOutgoingAddress specifies an address to use when performing source NAT for traffic in a natOutgoing pool that + is leaving the network. By default the address used is an address on the interface the traffic is leaving on + (i.e. it uses the iptables MASQUERADE target). maxLength: 45 type: string natOutgoingExclusions: + description: |- + When a IP pool setting `natOutgoing` is true, packets sent from Calico networked containers in this IP pool to destinations will be masqueraded. + Configure which type of destinations is excluded from being masqueraded. + - IPPoolsOnly: destinations outside of this IP pool will be masqueraded. + - IPPoolsAndHostIPs: destinations outside of this IP pool and all hosts will be masqueraded. + [Default: IPPoolsOnly] enum: - IPPoolsOnly - IPPoolsAndHostIPs 
@@ -662,109 +1619,253 @@ spec: anyOf: - type: integer - type: string + description: |- + NATPortRange specifies the range of ports that is used for port mapping when doing outgoing NAT. When unset the default behavior of the + network stack is used. pattern: ^.* x-kubernetes-int-or-string: true netlinkTimeout: + description: |- + NetlinkTimeout is the timeout when talking to the kernel over the netlink protocol, used for programming + routes, rules, and other kernel objects. [Default: 10s] pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string nfNetlinkBufSize: + description: |- + NfNetlinkBufSize controls the size of NFLOG messages that the kernel will try to send to Felix. NFLOG messages + are used to report flow verdicts from the kernel. Warning: currently increasing the value may cause errors + due to a bug in the netlink library. type: string nftablesDNSPolicyMode: + description: |- + NFTablesDNSPolicyMode specifies how DNS policy programming will be handled for NFTables. + DelayDeniedPacket - Felix delays any denied packet that traversed a policy that included egress domain matches, + but did not match. The packet is released after a fixed time, or after the destination IP address was programmed. + DelayDNSResponse - Felix delays any DNS response until related IPSets are programmed. This introduces some + latency to all DNS packets (even when no IPSet programming is required), but it ensures policy hit statistics + are accurate. This is the recommended setting when you are making use of staged policies or policy rule hit + statistics. + NoDelay - Felix does not introduce any delay to the packets. DNS rules may not have been programmed by the time + the first packet traverses the policy rules. Client applications need to handle reconnection attempts if initial + connection attempts fail. This may be problematic for some applications or for very low DNS TTLs. 
+ [Default: DelayDeniedPacket] enum: - NoDelay - DelayDeniedPacket - DelayDNSResponse type: string nftablesFilterAllowAction: + description: |- + NftablesFilterAllowAction controls the nftables action that Felix uses to represent the "allow" policy verdict + in the filter table. The default is to `ACCEPT` the traffic, which is a terminal action. Alternatively, + `RETURN` can be used to return the traffic back to the top-level chain for further processing by your rules. pattern: ^(?i)(Accept|Return)?$ type: string nftablesFilterDenyAction: + description: |- + NftablesFilterDenyAction controls what happens to traffic that is denied by network policy. By default, Calico + blocks traffic with a "drop" action. If you want to use a "reject" action instead you can configure it here. pattern: ^(?i)(Drop|Reject)?$ type: string nftablesMangleAllowAction: + description: |- + NftablesMangleAllowAction controls the nftables action that Felix uses to represent the "allow" policy verdict + in the mangle table. The default is to `ACCEPT` the traffic, which is a terminal action. Alternatively, + `RETURN` can be used to return the traffic back to the top-level chain for further processing by your rules. pattern: ^(?i)(Accept|Return)?$ type: string nftablesMarkMask: + description: |- + NftablesMarkMask is the mask that Felix selects its nftables Mark bits from. Should be a 32 bit hexadecimal + number with at least 8 bits set, none of which clash with any other mark bits in use on the system. + [Default: 0xffff0000] format: int32 type: integer nftablesMode: default: Auto + description: + "NFTablesMode configures nftables support in Felix. [Default: + Auto]" enum: - Disabled - Enabled - Auto type: string nftablesRefreshInterval: + description: + "NftablesRefreshInterval controls the interval at which + Felix periodically refreshes the nftables rules. 
[Default: 90s]" type: string openstackRegion: + description: |- + OpenstackRegion is the name of the region that a particular Felix belongs to. In a multi-region + Calico/OpenStack deployment, this must be configured somehow for each Felix (here in the datamodel, + or in felix.cfg or the environment on each compute node), and must match the [calico] + openstack_region value configured in neutron.conf on each node. [Default: Empty] type: string policyActivityLogsFileDirectory: + description: |- + PolicyActivityLogsFileDirectory sets the directory where policy activity log files are stored. + [Default: /var/log/calico/policy] type: string policyActivityLogsFileEnabled: + description: |- + PolicyActivityLogsFileEnabled controls logging policy activity logs to a file. If false no policy activity logging to file will occur. + [Default: true] type: boolean policyActivityLogsFileMaxFileSizeMB: + description: |- + PolicyActivityLogsFileMaxFileSizeMB sets the max size in MB of policy activity log files before rotation. + [Default: 100] type: integer policyActivityLogsFileMaxFiles: + description: |- + PolicyActivityLogsFileMaxFiles sets the number of policy activity log files to keep. + [Default: 5] type: integer policyActivityLogsFlushInterval: + description: |- + PolicyActivityLogsFlushInterval configures the interval at which Felix exports policy activity logs. + [Default: 15s] pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string policySyncPathPrefix: + description: |- + PolicySyncPathPrefix is used to by Felix to communicate policy changes to external services, + like Application layer policy. [Default: Empty] type: string programClusterRoutes: + description: |- + ProgramClusterRoutes controls how a cluster node gets a route to a workload on another node, + when that workload's IP comes from an IP Pool with vxlanMode: Never. When ProgramClusterRoutes is Disabled, + it is expected that confd and BIRD will program that route. 
When ProgramClusterRoutes is Enabled, Felix program that route. + Felix always programs such routes for IP Pools with vxlanMode: Always or vxlanMode: CrossSubnet. [Default: Disabled] enum: - Enabled - Disabled type: string prometheusGoMetricsEnabled: + description: |- + PrometheusGoMetricsEnabled disables Go runtime metrics collection, which the Prometheus client does by default, when + set to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true] type: boolean prometheusMetricsCAFile: + description: |- + PrometheusMetricsCAFile defines the absolute path to the TLS CA certificate file used for securing the /metrics endpoint. + This certificate must be valid and accessible by the calico-node process. type: string prometheusMetricsCertFile: + description: |- + PrometheusMetricsCertFile defines the absolute path to the TLS certificate file used for securing the /metrics endpoint. + This certificate must be valid and accessible by the calico-node process. type: string prometheusMetricsClientAuth: + description: |- + PrometheusMetricsClientAuth specifies the client authentication type for the /metrics endpoint. + This determines how the server validates client certificates. Default is "RequireAndVerifyClientCert". type: string prometheusMetricsEnabled: + description: + "PrometheusMetricsEnabled enables the Prometheus metrics + server in Felix if set to true. [Default: false]" type: boolean prometheusMetricsHost: + description: + "PrometheusMetricsHost is the host that the Prometheus + metrics server should bind to. [Default: empty]" type: string prometheusMetricsKeyFile: + description: |- + PrometheusMetricsKeyFile defines the absolute path to the private key file corresponding to the TLS certificate + used for securing the /metrics endpoint. The private key must be valid and accessible by the calico-node process. 
type: string prometheusMetricsPort: + description: + "PrometheusMetricsPort is the TCP port that the Prometheus + metrics server should bind to. [Default: 9091]" type: integer prometheusProcessMetricsEnabled: + description: |- + PrometheusProcessMetricsEnabled disables process metrics collection, which the Prometheus client does by default, when + set to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true] type: boolean prometheusReporterCAFile: + description: + PrometheusReporterCAFile is the path to the TLS CA file + for the Prometheus per-flow metrics reporter. type: string prometheusReporterCertFile: + description: + PrometheusReporterCertFile is the path to the TLS certificate + file for the Prometheus per-flow metrics reporter. type: string prometheusReporterEnabled: + description: |- + PrometheusReporterEnabled controls whether the Prometheus per-flow metrics reporter is enabled. This is + used to show real-time flow metrics in the UI. type: boolean prometheusReporterKeyFile: + description: + PrometheusReporterKeyFile is the path to the TLS private + key file for the Prometheus per-flow metrics reporter. type: string prometheusReporterPort: + description: + PrometheusReporterPort is the port that the Prometheus + per-flow metrics reporter should bind to. type: integer prometheusWireGuardMetricsEnabled: + description: |- + PrometheusWireGuardMetricsEnabled disables wireguard metrics collection, which the Prometheus client does by default, when + set to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true] type: boolean removeExternalRoutes: + description: |- + RemoveExternalRoutes Controls whether Felix will remove unexpected routes to workload interfaces. Felix will + always clean up expected routes that use the configured DeviceRouteProtocol. To add your own routes, you must + use a distinct protocol (in addition to setting this field to false). 
type: boolean reportingInterval: + description: |- + ReportingInterval is the interval at which Felix reports its status into the datastore or 0 to disable. + Must be non-zero in OpenStack deployments. [Default: 30s] pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string reportingTTL: + description: + "ReportingTTL is the time-to-live setting for process-wide + status reports. [Default: 90s]" pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string requireMTUFile: + description: |- + RequireMTUFile specifies whether mtu file is required to start the felix. + Optional as to keep the same as previous behavior. [Default: false] type: boolean routeRefreshInterval: + description: |- + RouteRefreshInterval is the period at which Felix re-checks the routes + in the dataplane to ensure that no other process has accidentally broken Calico's rules. + Set to 0 to disable route refresh. [Default: 90s] pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string routeSource: + description: |- + RouteSource configures where Felix gets its routing information. + - WorkloadIPs: use workload endpoints to construct routes. + - CalicoIPAM: the default - use IPAM data to construct routes. pattern: ^(?i)(WorkloadIPs|CalicoIPAM)?$ type: string routeSyncDisabled: + description: |- + RouteSyncDisabled will disable all operations performed on the route table. Set to true to + run in network-policy mode only. type: boolean routeTableRange: + description: |- + Deprecated in favor of RouteTableRanges. + Calico programs additional Linux route tables for various purposes. + RouteTableRange specifies the indices of the route tables that Calico should use. properties: max: type: integer 
@@ -779,6 +1880,10 @@ spec: reason: FieldValueInvalid rule: self.min >= 1 && self.max >= self.min && self.max <= 250 routeTableRanges: + description: |- + Calico programs additional Linux route tables for various purposes. + RouteTableRanges specifies a set of table index ranges that Calico should use. + Deprecates`RouteTableRange`, overrides `RouteTableRange`. items: properties: max: 
@@ -798,106 +1903,256 @@ spec: rule: self.min <= self.max type: array serviceLoopPrevention: + description: |- + When service IP advertisement is enabled, prevent routing loops to service IPs that are + not in use, by dropping or rejecting packets that do not get DNAT'd by kube-proxy. + Unless set to "Disabled", in which case such routing loops continue to be allowed. + [Default: Drop] pattern: ^(?i)(Drop|Reject|Disabled)?$ type: string sidecarAccelerationEnabled: + description: + "SidecarAccelerationEnabled enables experimental sidecar + acceleration [Default: false]" type: boolean statsDumpFilePath: + description: + StatsDumpFilePath is the path to write a diagnostic flow + logs statistics dump to when triggered by signal. type: string syslogReporterAddress: + description: |- + SyslogReporterAddress is the address to dial to when writing to Syslog. For TCP and UDP networks, the address has + the form "host:port". The host must be a literal IP address, or a host name that can be resolved to IP addresses. + The port must be a literal port number or a service name. For more, see: https://pkg.go.dev/net#Dial type: string syslogReporterEnabled: + description: |- + SyslogReporterEnabled turns on the feature to write logs to Syslog. Please note that this can incur significant + disk space usage when running felix on non-cluster hosts. type: boolean syslogReporterNetwork: + description: |- + SyslogReporterNetwork is the network to dial to when writing to Syslog. Known networks are "tcp", "tcp4" + (IPv4-only), "tcp6" (IPv6-only), "udp", "udp4" (IPv4-only), "udp6" (IPv6-only), "ip", "ip4" (IPv4-only), "ip6" + (IPv6-only), "unix", "unixgram" and "unixpacket". For more, see: https://pkg.go.dev/net#Dial type: string tproxyMode: + description: |- + TPROXYMode sets whether traffic is directed through a transparent proxy + for further processing or not and how is the proxying done. 
+ [Default: Disabled] pattern: ^(?i)(Disabled|Enabled|EnabledAllServices)?$ type: string tproxyPort: + description: |- + TPROXYPort sets to which port proxied traffic should be redirected. + [Default: 16001] type: integer tproxyUpstreamConnMark: + description: |- + TPROXYUpstreamConnMark tells Felix which mark is used by the proxy for its upstream + connections so that Felix can program the dataplane correctly. [Default: 0x17] format: int32 type: integer usageReportingEnabled: + description: + UsageReportingEnabled is unused in Calico Enterprise, + usage reporting is permanently disabled. type: boolean usageReportingInitialDelay: + description: + "UsageReportingInitialDelay is unused in Calico Enterprise, + usage reporting is permanently disabled. [Default: 300s]" pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string usageReportingInterval: + description: + "UsageReportingInterval is unused in Calico Enterprise, + usage reporting is permanently disabled. [Default: 86400s]" pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string useInternalDataplaneDriver: + description: |- + UseInternalDataplaneDriver, if true, Felix will use its internal dataplane programming logic. If false, it + will launch an external dataplane driver and communicate with it over protobuf. type: boolean vxlanEnabled: + description: |- + VXLANEnabled overrides whether Felix should create the VXLAN tunnel device for IPv4 VXLAN networking. + Optional as Felix determines this based on the existing IP pools. [Default: nil (unset)] type: boolean vxlanMTU: + description: |- + VXLANMTU is the MTU to set on the IPv4 VXLAN tunnel device. Optional as Felix auto-detects the MTU based on the + MTU of the host's interfaces. [Default: 0 (auto-detect)] type: integer vxlanMTUV6: + description: |- + VXLANMTUV6 is the MTU to set on the IPv6 VXLAN tunnel device. Optional as Felix auto-detects the MTU based on the + MTU of the host's interfaces. 
[Default: 0 (auto-detect)] type: integer vxlanPort: + description: + "VXLANPort is the UDP port number to use for VXLAN traffic. + [Default: 4789]" type: integer vxlanVNI: + description: |- + VXLANVNI is the VXLAN VNI to use for VXLAN traffic. You may need to change this if the default value is + in use on your system. [Default: 4096] type: integer wafEventLogsFileDirectory: + description: |- + WAFEventLogsFileDirectory sets the directory where WAFEvent log files are stored. + [Default: /var/log/calico/waf] type: string wafEventLogsFileEnabled: + description: |- + WAFEventLogsFileEnabled controls logging WAFEvent logs to a file. If false no WAFEvent logging to file will occur. + [Default: false] type: boolean wafEventLogsFileMaxFileSizeMB: + description: |- + WAFEventLogsFileMaxFileSizeMB sets the max size in MB of WAFEvent log files before rotation. + [Default: 100] type: integer wafEventLogsFileMaxFiles: + description: |- + WAFEventLogsFileMaxFiles sets the number of WAFEvent log files to keep. + [Default: 5] type: integer wafEventLogsFlushInterval: + description: |- + WAFEventLogsFlushInterval configures the interval at which Felix exports WAFEvent logs. + [Default: 15s] pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string windowsDnsCacheFile: + description: |- + The name of the file that Felix uses to preserve learnt DNS information when restarting. [Default: + "c:\\TigeraCalico\\felix-dns-cache.txt"]. type: string windowsDnsExtraTTL: + description: |- + Extra time to keep IPs and alias names that are learnt from DNS, in addition to each name + or IP's advertised TTL. The default value is 120s which is same as the default value of + ServicePointManager.DnsRefreshTimeout on .net framework. [Default: 120s]. pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string windowsFlowLogsFileDirectory: + description: + 'WindowsFlowLogsFileDirectory sets the directory where + flow logs files are stored on Windows nodes. [Default: "c:\\TigeraCalico\\flowlogs"].' 
type: string windowsFlowLogsPositionFilePath: + description: |- + WindowsFlowLogsPositionFilePath is used to specify the position of the external pipeline that reads flow logs on Windows nodes. + [Default: "c:\\TigeraCalico\\flowlogs\\flows.log.pos"]. + This parameter only takes effect when FlowLogsDynamicAggregationEnabled is set to true. type: string windowsManageFirewallRules: + description: + "WindowsManageFirewallRules configures whether or not + Felix will program Windows Firewall rules (to allow inbound access + to its own metrics ports). [Default: Disabled]" enum: - Enabled - Disabled type: string windowsNetworkName: + description: |- + WindowsNetworkName specifies which Windows HNS networks Felix should operate on. The default is to match + networks that start with "calico". Supports regular expression syntax. type: string windowsStatsDumpFilePath: + description: + 'WindowsStatsDumpFilePath is used to specify the path + of the stats dump file on Windows nodes. [Default: "c:\\TigeraCalico\\stats\\dump"]' type: string wireguardEnabled: + description: + "WireguardEnabled controls whether Wireguard is enabled + for IPv4 (encapsulating IPv4 traffic over an IPv4 underlay network). + [Default: false]" type: boolean wireguardEnabledV6: + description: + "WireguardEnabledV6 controls whether Wireguard is enabled + for IPv6 (encapsulating IPv6 traffic over an IPv6 underlay network). + [Default: false]" type: boolean wireguardHostEncryptionEnabled: + description: + "WireguardHostEncryptionEnabled controls whether Wireguard + host-to-host encryption is enabled. [Default: false]" type: boolean wireguardInterfaceName: + description: + "WireguardInterfaceName specifies the name to use for + the IPv4 Wireguard interface. [Default: wireguard.cali]" type: string wireguardInterfaceNameV6: + description: + "WireguardInterfaceNameV6 specifies the name to use for + the IPv6 Wireguard interface. 
[Default: wg-v6.cali]" type: string wireguardKeepAlive: + description: + "WireguardPersistentKeepAlive controls Wireguard PersistentKeepalive + option. Set 0 to disable. [Default: 0]" pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string wireguardListeningPort: + description: + "WireguardListeningPort controls the listening port used + by IPv4 Wireguard. [Default: 51820]" type: integer wireguardListeningPortV6: + description: + "WireguardListeningPortV6 controls the listening port + used by IPv6 Wireguard. [Default: 51821]" type: integer wireguardMTU: + description: + "WireguardMTU controls the MTU on the IPv4 Wireguard + interface. See Configuring MTU [Default: 1440]" type: integer wireguardMTUV6: + description: + "WireguardMTUV6 controls the MTU on the IPv6 Wireguard + interface. See Configuring MTU [Default: 1420]" type: integer wireguardRoutingRulePriority: + description: + "WireguardRoutingRulePriority controls the priority value + to use for the Wireguard routing rule. [Default: 99]" type: integer wireguardThreadingEnabled: + description: |- + WireguardThreadingEnabled controls whether Wireguard has Threaded NAPI enabled. [Default: false] + This increases the maximum number of packets a Wireguard interface can process. + Consider threaded NAPI only if you have high packets per second workloads that are causing dropping packets due to a saturated `softirq` CPU core. + There is a [known issue](https://lore.kernel.org/netdev/CALrw=nEoT2emQ0OAYCjM1d_6Xe_kNLSZ6dhjb5FxrLFYh4kozA@mail.gmail.com/T/) with this setting + that may cause NAPI to get stuck holding the global `rtnl_mutex` when a peer is removed. + Workaround: Make sure your Linux kernel [includes this patch](https://github.com/torvalds/linux/commit/56364c910691f6d10ba88c964c9041b9ab777bd6) to unwedge NAPI. 
type: boolean workloadSourceSpoofing: + description: |- + WorkloadSourceSpoofing controls whether pods can use the allowedSourcePrefixes annotation to send traffic with a source IP + address that is not theirs. This is disabled by default. When set to "Any", pods can request any prefix. pattern: ^(?i)(Disabled|Any)?$ type: string xdpEnabled: + description: + "XDPEnabled enables XDP acceleration for suitable untracked + incoming deny rules. [Default: true]" type: boolean xdpRefreshInterval: + description: |- + XDPRefreshInterval is the period at which Felix re-checks all XDP state to ensure that no + other process has accidentally broken Calico's BPF maps or attached programs. Set to 0 to + disable XDP refresh. [Default: 90s] pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string type: object diff --git a/config/crd/projectcalico.org_globalalerts.yaml b/config/crd/projectcalico.org_globalalerts.yaml index dc26527c..5e9b436c 100644 --- a/config/crd/projectcalico.org_globalalerts.yaml +++ b/config/crd/projectcalico.org_globalalerts.yaml 
@@ -19,45 +19,93 @@ spec: openAPIV3Schema: properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: properties: aggregateBy: + description: |- + An optional list of fields to aggregate results. + Only used if Type is RuleBased. items: type: string type: array x-kubernetes-list-type: atomic condition: + description: |- + Compare the value of the metric to the threshold using this condition. + Only used if Type is RuleBased. type: string dataSet: + description: |- + DataSet determines which dataset type the Query will use. + Required and used only if Type is RuleBased. type: string description: + description: Human-readable description of the template. type: string detector: + description: |- + Parameters for configuring an AnomalyDetection run. + Only used if Type is AnomalyDetection. properties: name: + description: Name specifies the AnomalyDetection Detector to run. type: string required: - name type: object field: + description: |- + Which field to aggregate results by if using a metric other than count. + Only used if Type is RuleBased. type: string lookback: + description: |- + How much data to gather at once. + If Type is RuleBased, it must exceed audit log flush interval, dnsLogsFlushInterval, or flowLogsFlushInterval as appropriate. 
type: string metric: + description: |- + A metric to apply to aggregated results. count is the number of log entries matching the aggregation pattern. + Others are applied only to numeric fields in the logs. + Only used if Type is RuleBased. type: string period: + description: |- + If Type is RuleBased, it is how often the query defined will run. + If Type is AnomalyDetection it is how often the detector will be run. type: string query: + description: + Which data to include from the source data set. Written + in a domain-specific query language. Only used if Type is RuleBased. type: string severity: + description: Severity of the alert for display in Manager. type: integer substitutions: + description: |- + An optional list of values to replace variable names in query. + Only used if Type is RuleBased. items: + description: + GlobalAlertSubstitution substitutes for the variables + in the set operators of a Query. properties: name: type: string @@ -72,10 +120,19 @@ spec: type: array x-kubernetes-list-type: atomic summary: + description: + Template for the description field in generated events, + description is used if this is omitted. type: string threshold: + description: |- + A numeric value to compare the value of the metric against. + Only used if Type is RuleBased. type: number type: + description: |- + Type will dictate how the fields of the GlobalAlert will be utilized. + Each Type will have different usages and defaults for the fields. [Default: RuleBased] type: string required: - description diff --git a/config/crd/projectcalico.org_globalalerttemplates.yaml b/config/crd/projectcalico.org_globalalerttemplates.yaml index 185cac20..5ae5cec5 100644 --- a/config/crd/projectcalico.org_globalalerttemplates.yaml +++ b/config/crd/projectcalico.org_globalalerttemplates.yaml 
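Review bot: `lookback` and `period` in this hunk are described as durations ("How much data to gather at once", "how often the query defined will run") yet remain bare `type: string` with no format or pattern, unlike the felixconfiguration duration fields earlier in this diff, which carry `pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$`. Reusing that pattern here (via the kubebuilder Pattern marker on the Go fields, since this file looks generated) would reject malformed values at admission instead of wherever the alert controller parses them. The new `lookback` text also never says what form the value takes; a phrase such as `Expressed as a duration string, e.g. 10m.` would help, if that is indeed the accepted form, which I cannot confirm from this hunk. The same two fields recur in the globalalerttemplates hunk that follows.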
@@ -19,45 +19,93 @@ spec: openAPIV3Schema: properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: properties: aggregateBy: + description: |- + An optional list of fields to aggregate results. + Only used if Type is RuleBased. items: type: string type: array x-kubernetes-list-type: atomic condition: + description: |- + Compare the value of the metric to the threshold using this condition. + Only used if Type is RuleBased. type: string dataSet: + description: |- + DataSet determines which dataset type the Query will use. + Required and used only if Type is RuleBased. type: string description: + description: Human-readable description of the template. type: string detector: + description: |- + Parameters for configuring an AnomalyDetection run. + Only used if Type is AnomalyDetection. properties: name: + description: Name specifies the AnomalyDetection Detector to run. type: string required: - name type: object field: + description: |- + Which field to aggregate results by if using a metric other than count. + Only used if Type is RuleBased. type: string lookback: + description: |- + How much data to gather at once. + If Type is RuleBased, it must exceed audit log flush interval, dnsLogsFlushInterval, or flowLogsFlushInterval as appropriate. 
type: string metric: + description: |- + A metric to apply to aggregated results. count is the number of log entries matching the aggregation pattern. + Others are applied only to numeric fields in the logs. + Only used if Type is RuleBased. type: string period: + description: |- + If Type is RuleBased, it is how often the query defined will run. + If Type is AnomalyDetection it is how often the detector will be run. type: string query: + description: + Which data to include from the source data set. Written + in a domain-specific query language. Only used if Type is RuleBased. type: string severity: + description: Severity of the alert for display in Manager. type: integer substitutions: + description: |- + An optional list of values to replace variable names in query. + Only used if Type is RuleBased. items: + description: + GlobalAlertSubstitution substitutes for the variables + in the set operators of a Query. properties: name: type: string @@ -72,10 +120,19 @@ spec: type: array x-kubernetes-list-type: atomic summary: + description: + Template for the description field in generated events, + description is used if this is omitted. type: string threshold: + description: |- + A numeric value to compare the value of the metric against. + Only used if Type is RuleBased. type: number type: + description: |- + Type will dictate how the fields of the GlobalAlert will be utilized. + Each Type will have different usages and defaults for the fields. [Default: RuleBased] type: string required: - description diff --git a/config/crd/projectcalico.org_globalnetworkpolicies.yaml b/config/crd/projectcalico.org_globalnetworkpolicies.yaml index 3147a5ae..b62610e3 100644 --- a/config/crd/projectcalico.org_globalnetworkpolicies.yaml +++ b/config/crd/projectcalico.org_globalnetworkpolicies.yaml 
@@ -32,19 +32,49 @@ spec: openAPIV3Schema: properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: properties: applyOnForward: + description: |- + ApplyOnForward indicates to apply the rules in this policy on forward traffic. + Must be set to true when DoNotTrack or PreDNAT is true. type: boolean doNotTrack: + description: |- + DoNotTrack indicates whether packets matched by the rules in this policy should go through + the data plane's connection tracking, such as Linux conntrack. If True, the rules in + this policy are applied before any data plane connection tracking, and packets allowed by + this policy are marked as not to be tracked. Requires ApplyOnForward to be true. type: boolean egress: + description: |- + The ordered set of egress rules. Each rule contains a set of packet match criteria and + a corresponding action to apply. Limited to 1024 rules per policy. items: + description: |- + A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy + and security Profiles reference rules - separated out as a list of rules for both + ingress and egress packet matching. + + Each positive match criteria has a negated version, prefixed with "Not". All the match + criteria within a rule must be satisfied for a packet to match. 
A single rule can contain + the positive and negative version of a match and both must be satisfied for the rule to match. properties: action: enum: 
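Review bot: The new `doNotTrack` description states an invariant ("Requires ApplyOnForward to be true") that the schema does not enforce: both fields are plain booleans with no `x-kubernetes-validations` entry, while this same CRD already uses CEL rules for other cross-field constraints (the services/nets and ICMP code/type rules). If that check lives only in Calico's own validator, an object stored directly through this CRD with `doNotTrack: true` and `applyOnForward` unset would quietly not behave as the description promises. Since the file appears generated from Go markers, the fix belongs on the spec type as an XValidation marker, yielding something like `rule: "!(has(self.doNotTrack) && self.doNotTrack) || (has(self.applyOnForward) && self.applyOnForward)"` with a message naming the requirement. The `applyOnForward` text mentions PreDNAT too, which is outside this hunk.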
@@ -54,28 +84,59 @@ spec: - Pass type: string destination: + description: + Destination contains the match criteria that apply + to destination entity. properties: domains: + description: |- + Domains is an optional field, valid for egress Allow rules only, that restricts the rule + to apply only to traffic to one of the specified domains. If this field is specified, + Action must be Allow, and Nets and Selector must both be left empty. items: type: string type: array x-kubernetes-list-type: atomic namespaceSelector: + description: |- + NamespaceSelector is an optional field that contains a selector expression. Only traffic + that originates from (or terminates at) endpoints within the selected namespaces will be + matched. When both NamespaceSelector and another selector are defined on the same rule, then only + workload endpoints that are matched by both selectors will be selected by the rule. + + For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting + only workload endpoints in the same namespace as the NetworkPolicy. + + For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting + only GlobalNetworkSet or HostEndpoint. + + For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces. maxLength: 1024 type: string nets: + description: |- + Nets is an optional field that restricts the rule to only apply to traffic that + originates from (or terminates at) IP addresses in any of the given subnets. items: type: string maxItems: 256 type: array x-kubernetes-list-type: set notNets: + description: + NotNets is the negated version of the Nets + field. items: type: string maxItems: 256 type: array x-kubernetes-list-type: set notPorts: + description: |- + NotPorts is the negated version of the Ports field. 
+ Since only some protocols have ports, if any ports are specified it requires the + Protocol match in the Rule to be set to "TCP", "UDP", or "SCTP". items: anyOf: - type: integer @@ -86,9 +147,19 @@ spec: type: array x-kubernetes-list-type: atomic notSelector: + description: |- + NotSelector is the negated version of the Selector field. See Selector field for + subtleties with negated selectors. maxLength: 1024 type: string ports: + description: |- + Ports is an optional field that restricts the rule to only apply to traffic that has a + source (destination) port that matches one of these ranges/values. This value is a + list of integers or strings that represent ranges of ports. + + Since only some protocols have ports, if any ports are specified it requires the + Protocol match in the Rule to be set to "TCP", "UDP", or "SCTP". items: anyOf: - type: integer 
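Review bot: The `domains` description in this hunk documents a constraint the schema does not check: "Action must be Allow, and Nets and Selector must both be left empty", but `domains` is an unconstrained string array and no CEL rule ties it to `action`, `nets` or `selector`, whereas the services/nets exclusion elsewhere in this CRD is enforced with `x-kubernetes-validations`. A rule on the Rule object such as `rule: "!has(self.destination) || !has(self.destination.domains) || size(self.destination.domains) == 0 || (self.action == 'Allow' && !has(self.destination.nets) && !has(self.destination.selector))"` would reject these at admission; if Calico's validator already does so, a sentence saying so would stop readers expecting the schema to. The wording is presumably shared with the source entity type, since the same "valid for egress Allow rules only" text appears under `source.domains` later in this diff, where it reads oddly.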
@@ -99,24 +170,66 @@ spec: type: array x-kubernetes-list-type: atomic selector: + description: + "Selector is an optional field that contains + a selector expression (see Policy for\nsample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching\nthe selector will be matched.\n\nNote that: + in addition to the negated version of the Selector (see + NotSelector below), the\nselector expression syntax itself + supports negation. The two types of negation are subtly\ndifferent. + One negates the set of matched endpoints, the other negates + the whole match:\n\n\tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled\n\tendpoints + that do not have the label \"my_label\".\n\n\tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled\n\tendpoints that do have the label + \"my_label\".\n\nThe effect is that the latter will accept + packets from non-Calico sources whereas the\nformer is + limited to packets from Calico-controlled endpoints." maxLength: 1024 type: string serviceAccounts: + description: |- + ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or + terminates at) a pod running as a matching service account. properties: names: + description: |- + Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates + at) a pod running as a service account whose name is in the list. items: type: string type: array x-kubernetes-list-type: set selector: + description: |- + Selector is an optional field that restricts the rule to only apply to traffic that originates from + (or terminates at) a pod running as a service account that matches the given label selector. + If both Names and Selector are specified then they are AND'ed. type: string type: object services: + description: |- + Services is an optional field that contains options for matching Kubernetes Services. 
+ If specified, only traffic that originates from or terminates at endpoints within the selected + service(s) will be matched, and only to/from each endpoint's port. + + Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, + NotNets or ServiceAccounts. + + Ports and NotPorts can only be specified with Services on ingress rules. properties: name: + description: + Name specifies the name of a Kubernetes + Service to match. maxLength: 253 type: string namespace: + description: |- + Namespace specifies the namespace of the given Service. If left empty, the rule + will match within this policy's namespace. maxLength: 253 type: string type: object @@ -156,9 +269,19 @@ spec: "!has(self.services) || (!has(self.nets) || size(self.nets) == 0) && (!has(self.notNets) || size(self.notNets) == 0)" http: + description: + HTTP contains match criteria that apply to HTTP + requests. properties: headers: + description: |- + Headers is an optional field that restricts the rule to apply to HTTP headers. + Multiple headers criteria are AND'd together. + Criteria within a single headers rule ar OR'd together. items: + description: + HTTPHeaderCriteria structure defines optional + HTTP headers criterion for ALP. properties: header: type: string 
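Review bot: The `selector` description is emitted as a single double-quoted scalar full of literal `\n`/`\t` escapes, unlike every neighbouring description which is a readable `|-` block, so the selector/notSelector negation subtlety, the one security-relevant caveat in this hunk, is the hardest text in the file to read. That form is presumably what the YAML emitter falls back to when the source Go doc comment indents its two examples with tabs; replacing those tabs with spaces in the Go comment should let it render as a `|-` block like its siblings. This is worth doing because the point it makes (that `NotSelector = "has(my_label)"` also admits traffic from non-Calico sources) is exactly what a policy author is likely to get wrong.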
@@ -177,13 +300,29 @@ spec: type: array x-kubernetes-list-type: atomic methods: + description: |- + Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed + HTTP Methods (e.g. GET, PUT, etc.) + Multiple methods are OR'd together. items: type: string maxItems: 20 type: array x-kubernetes-list-type: atomic paths: + description: |- + Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed + HTTP Paths. + Multiple paths are OR'd together. + e.g: + - exact: /foo + - prefix: /bar + NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it. items: + description: |- + HTTPPath specifies an HTTP path to match. It may be either of the form: + exact: : which matches the path exactly or + prefix: : which matches the path prefix properties: exact: maxLength: 1024 @@ -197,12 +336,23 @@ spec: x-kubernetes-list-type: atomic type: object icmp: + description: |- + ICMP is an optional field that restricts the rule to apply to a specific type and + code of ICMP traffic. This should only be specified if the Protocol field is set to + "ICMP" or "ICMPv6". properties: code: + description: |- + Match on a specific ICMP code. If specified, the Type value must also be specified. + This is a technical limitation imposed by the kernel's iptables firewall, which + Calico uses to enforce the rule. maximum: 255 minimum: 0 type: integer type: + description: |- + Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request + (i.e. pings). maximum: 254 minimum: 0 type: integer 
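Review bot: The new `headers` description has a typo, "Criteria within a single headers rule ar OR'd together", which should read `Criteria within a single headers rule are OR'd together.`; as this file appears generated from Go doc comments, the fix belongs on the Headers field comment so it survives regeneration. The same text recurs verbatim in the ingress rule copy later in this diff. The `header` property on the hunk's last line still has no description even though the surrounding fields gained one.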
@@ -212,24 +362,41 @@ spec: reason: FieldValueInvalid rule: "!has(self.code) || has(self.type)" ipVersion: + description: |- + IPVersion is an optional field that restricts the rule to only match a specific IP + version. enum: - 4 - 6 type: integer metadata: + description: + Metadata contains additional information for this + rule properties: annotations: additionalProperties: type: string + description: + Annotations is a set of key value pairs that + give extra information about the rule type: object type: object notICMP: + description: NotICMP is the negated version of the ICMP field. properties: code: + description: |- + Match on a specific ICMP code. If specified, the Type value must also be specified. + This is a technical limitation imposed by the kernel's iptables firewall, which + Calico uses to enforce the rule. maximum: 255 minimum: 0 type: integer type: + description: |- + Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request + (i.e. pings). maximum: 254 minimum: 0 type: integer 
@@ -242,37 +409,78 @@ spec: anyOf: - type: integer - type: string + description: + NotProtocol is the negated version of the Protocol + field. pattern: ^.* x-kubernetes-int-or-string: true protocol: anyOf: - type: integer - type: string + description: |- + Protocol is an optional field that restricts the rule to only apply to traffic of + a specific IP protocol. Required if any of the EntityRules contain Ports + (because ports only apply to certain protocols). + + Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite" + or an integer in the range 1-255. pattern: ^.* x-kubernetes-int-or-string: true source: + description: + Source contains the match criteria that apply to + source entity. properties: domains: + description: |- + Domains is an optional field, valid for egress Allow rules only, that restricts the rule + to apply only to traffic to one of the specified domains. If this field is specified, + Action must be Allow, and Nets and Selector must both be left empty. items: type: string type: array x-kubernetes-list-type: atomic namespaceSelector: + description: |- + NamespaceSelector is an optional field that contains a selector expression. Only traffic + that originates from (or terminates at) endpoints within the selected namespaces will be + matched. When both NamespaceSelector and another selector are defined on the same rule, then only + workload endpoints that are matched by both selectors will be selected by the rule. + + For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting + only workload endpoints in the same namespace as the NetworkPolicy. + + For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting + only GlobalNetworkSet or HostEndpoint. + + For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces. 
maxLength: 1024 type: string nets: + description: |- + Nets is an optional field that restricts the rule to only apply to traffic that + originates from (or terminates at) IP addresses in any of the given subnets. items: type: string maxItems: 256 type: array x-kubernetes-list-type: set notNets: + description: + NotNets is the negated version of the Nets + field. items: type: string maxItems: 256 type: array x-kubernetes-list-type: set notPorts: + description: |- + NotPorts is the negated version of the Ports field. + Since only some protocols have ports, if any ports are specified it requires the + Protocol match in the Rule to be set to "TCP", "UDP", or "SCTP". items: anyOf: - type: integer @@ -283,9 +491,19 @@ spec: type: array x-kubernetes-list-type: atomic notSelector: + description: |- + NotSelector is the negated version of the Selector field. See Selector field for + subtleties with negated selectors. maxLength: 1024 type: string ports: + description: |- + Ports is an optional field that restricts the rule to only apply to traffic that has a + source (destination) port that matches one of these ranges/values. This value is a + list of integers or strings that represent ranges of ports. + + Since only some protocols have ports, if any ports are specified it requires the + Protocol match in the Rule to be set to "TCP", "UDP", or "SCTP". items: anyOf: - type: integer 
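Review bot: The new `protocol` description promises a closed set ("TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite" or an integer 1-255), but the schema beside it keeps `pattern: ^.*`, which accepts any string, and gives the integer form no bounds, so the documentation is stricter than what the API server will store. If the check is meant to be schema-enforced, `pattern: ^(TCP|UDP|ICMP|ICMPv6|SCTP|UDPLite)$` together with `minimum: 1` and `maximum: 255` at the same level (or a CEL rule covering both forms) would make it so; if validation is deliberately left to Calico's validator, saying that in the description avoids readers assuming the schema rejects typos. The same `^.*` pattern sits on `notProtocol` in this hunk.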
@@ -296,24 +514,66 @@ spec: type: array x-kubernetes-list-type: atomic selector: + description: + "Selector is an optional field that contains + a selector expression (see Policy for\nsample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching\nthe selector will be matched.\n\nNote that: + in addition to the negated version of the Selector (see + NotSelector below), the\nselector expression syntax itself + supports negation. The two types of negation are subtly\ndifferent. + One negates the set of matched endpoints, the other negates + the whole match:\n\n\tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled\n\tendpoints + that do not have the label \"my_label\".\n\n\tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled\n\tendpoints that do have the label + \"my_label\".\n\nThe effect is that the latter will accept + packets from non-Calico sources whereas the\nformer is + limited to packets from Calico-controlled endpoints." maxLength: 1024 type: string serviceAccounts: + description: |- + ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or + terminates at) a pod running as a matching service account. properties: names: + description: |- + Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates + at) a pod running as a service account whose name is in the list. items: type: string type: array x-kubernetes-list-type: set selector: + description: |- + Selector is an optional field that restricts the rule to only apply to traffic that originates from + (or terminates at) a pod running as a service account that matches the given label selector. + If both Names and Selector are specified then they are AND'ed. type: string type: object services: + description: |- + Services is an optional field that contains options for matching Kubernetes Services. 
+ If specified, only traffic that originates from or terminates at endpoints within the selected + service(s) will be matched, and only to/from each endpoint's port. + + Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, + NotNets or ServiceAccounts. + + Ports and NotPorts can only be specified with Services on ingress rules. properties: name: + description: + Name specifies the name of a Kubernetes + Service to match. maxLength: 253 type: string namespace: + description: |- + Namespace specifies the namespace of the given Service. If left empty, the rule + will match within this policy's namespace. maxLength: 253 type: string type: object @@ -403,7 +663,18 @@ spec: type: array x-kubernetes-list-type: atomic ingress: + description: |- + The ordered set of ingress rules. Each rule contains a set of packet match criteria and + a corresponding action to apply. Limited to 1024 rules per policy. items: + description: |- + A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy + and security Profiles reference rules - separated out as a list of rules for both + ingress and egress packet matching. + + Each positive match criteria has a negated version, prefixed with "Not". All the match + criteria within a rule must be satisfied for a packet to match. A single rule can contain + the positive and negative version of a match and both must be satisfied for the rule to match. properties: action: enum: 
@@ -413,28 +684,59 @@ spec: - Pass type: string destination: + description: + Destination contains the match criteria that apply + to destination entity. properties: domains: + description: |- + Domains is an optional field, valid for egress Allow rules only, that restricts the rule + to apply only to traffic to one of the specified domains. If this field is specified, + Action must be Allow, and Nets and Selector must both be left empty. items: type: string type: array x-kubernetes-list-type: atomic namespaceSelector: + description: |- + NamespaceSelector is an optional field that contains a selector expression. Only traffic + that originates from (or terminates at) endpoints within the selected namespaces will be + matched. When both NamespaceSelector and another selector are defined on the same rule, then only + workload endpoints that are matched by both selectors will be selected by the rule. + + For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting + only workload endpoints in the same namespace as the NetworkPolicy. + + For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting + only GlobalNetworkSet or HostEndpoint. + + For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces. maxLength: 1024 type: string nets: + description: |- + Nets is an optional field that restricts the rule to only apply to traffic that + originates from (or terminates at) IP addresses in any of the given subnets. items: type: string maxItems: 256 type: array x-kubernetes-list-type: set notNets: + description: + NotNets is the negated version of the Nets + field. items: type: string maxItems: 256 type: array x-kubernetes-list-type: set notPorts: + description: |- + NotPorts is the negated version of the Ports field. 
+ Since only some protocols have ports, if any ports are specified it requires the + Protocol match in the Rule to be set to "TCP", "UDP", or "SCTP". items: anyOf: - type: integer @@ -445,9 +747,19 @@ spec: type: array x-kubernetes-list-type: atomic notSelector: + description: |- + NotSelector is the negated version of the Selector field. See Selector field for + subtleties with negated selectors. maxLength: 1024 type: string ports: + description: |- + Ports is an optional field that restricts the rule to only apply to traffic that has a + source (destination) port that matches one of these ranges/values. This value is a + list of integers or strings that represent ranges of ports. + + Since only some protocols have ports, if any ports are specified it requires the + Protocol match in the Rule to be set to "TCP", "UDP", or "SCTP". items: anyOf: - type: integer 
@@ -458,24 +770,66 @@ spec: type: array x-kubernetes-list-type: atomic selector: + description: + "Selector is an optional field that contains + a selector expression (see Policy for\nsample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching\nthe selector will be matched.\n\nNote that: + in addition to the negated version of the Selector (see + NotSelector below), the\nselector expression syntax itself + supports negation. The two types of negation are subtly\ndifferent. + One negates the set of matched endpoints, the other negates + the whole match:\n\n\tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled\n\tendpoints + that do not have the label \"my_label\".\n\n\tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled\n\tendpoints that do have the label + \"my_label\".\n\nThe effect is that the latter will accept + packets from non-Calico sources whereas the\nformer is + limited to packets from Calico-controlled endpoints." maxLength: 1024 type: string serviceAccounts: + description: |- + ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or + terminates at) a pod running as a matching service account. properties: names: + description: |- + Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates + at) a pod running as a service account whose name is in the list. items: type: string type: array x-kubernetes-list-type: set selector: + description: |- + Selector is an optional field that restricts the rule to only apply to traffic that originates from + (or terminates at) a pod running as a service account that matches the given label selector. + If both Names and Selector are specified then they are AND'ed. type: string type: object services: + description: |- + Services is an optional field that contains options for matching Kubernetes Services. 
+ If specified, only traffic that originates from or terminates at endpoints within the selected + service(s) will be matched, and only to/from each endpoint's port. + + Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, + NotNets or ServiceAccounts. + + Ports and NotPorts can only be specified with Services on ingress rules. properties: name: + description: + Name specifies the name of a Kubernetes + Service to match. maxLength: 253 type: string namespace: + description: |- + Namespace specifies the namespace of the given Service. If left empty, the rule + will match within this policy's namespace. maxLength: 253 type: string type: object @@ -515,9 +869,19 @@ spec: "!has(self.services) || (!has(self.nets) || size(self.nets) == 0) && (!has(self.notNets) || size(self.notNets) == 0)" http: + description: + HTTP contains match criteria that apply to HTTP + requests. properties: headers: + description: |- + Headers is an optional field that restricts the rule to apply to HTTP headers. + Multiple headers criteria are AND'd together. + Criteria within a single headers rule ar OR'd together. items: + description: + HTTPHeaderCriteria structure defines optional + HTTP headers criterion for ALP. properties: header: type: string 
@@ -536,13 +900,29 @@ spec: type: array x-kubernetes-list-type: atomic methods: + description: |- + Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed + HTTP Methods (e.g. GET, PUT, etc.) + Multiple methods are OR'd together. items: type: string maxItems: 20 type: array x-kubernetes-list-type: atomic paths: + description: |- + Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed + HTTP Paths. + Multiple paths are OR'd together. + e.g: + - exact: /foo + - prefix: /bar + NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it. items: + description: |- + HTTPPath specifies an HTTP path to match. It may be either of the form: + exact: : which matches the path exactly or + prefix: : which matches the path prefix properties: exact: maxLength: 1024 @@ -556,12 +936,23 @@ spec: x-kubernetes-list-type: atomic type: object icmp: + description: |- + ICMP is an optional field that restricts the rule to apply to a specific type and + code of ICMP traffic. This should only be specified if the Protocol field is set to + "ICMP" or "ICMPv6". properties: code: + description: |- + Match on a specific ICMP code. If specified, the Type value must also be specified. + This is a technical limitation imposed by the kernel's iptables firewall, which + Calico uses to enforce the rule. maximum: 255 minimum: 0 type: integer type: + description: |- + Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request + (i.e. pings). maximum: 254 minimum: 0 type: integer 
@@ -571,24 +962,41 @@ spec: reason: FieldValueInvalid rule: "!has(self.code) || has(self.type)" ipVersion: + description: |- + IPVersion is an optional field that restricts the rule to only match a specific IP + version. enum: - 4 - 6 type: integer metadata: + description: + Metadata contains additional information for this + rule properties: annotations: additionalProperties: type: string + description: + Annotations is a set of key value pairs that + give extra information about the rule type: object type: object notICMP: + description: NotICMP is the negated version of the ICMP field. properties: code: + description: |- + Match on a specific ICMP code. If specified, the Type value must also be specified. + This is a technical limitation imposed by the kernel's iptables firewall, which + Calico uses to enforce the rule. maximum: 255 minimum: 0 type: integer type: + description: |- + Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request + (i.e. pings). maximum: 254 minimum: 0 type: integer 
@@ -601,37 +1009,78 @@ spec: anyOf: - type: integer - type: string + description: + NotProtocol is the negated version of the Protocol + field. pattern: ^.* x-kubernetes-int-or-string: true protocol: anyOf: - type: integer - type: string + description: |- + Protocol is an optional field that restricts the rule to only apply to traffic of + a specific IP protocol. Required if any of the EntityRules contain Ports + (because ports only apply to certain protocols). + + Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite" + or an integer in the range 1-255. pattern: ^.* x-kubernetes-int-or-string: true source: + description: + Source contains the match criteria that apply to + source entity. properties: domains: + description: |- + Domains is an optional field, valid for egress Allow rules only, that restricts the rule + to apply only to traffic to one of the specified domains. If this field is specified, + Action must be Allow, and Nets and Selector must both be left empty. items: type: string type: array x-kubernetes-list-type: atomic namespaceSelector: + description: |- + NamespaceSelector is an optional field that contains a selector expression. Only traffic + that originates from (or terminates at) endpoints within the selected namespaces will be + matched. When both NamespaceSelector and another selector are defined on the same rule, then only + workload endpoints that are matched by both selectors will be selected by the rule. + + For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting + only workload endpoints in the same namespace as the NetworkPolicy. + + For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting + only GlobalNetworkSet or HostEndpoint. + + For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces. 
maxLength: 1024 type: string nets: + description: |- + Nets is an optional field that restricts the rule to only apply to traffic that + originates from (or terminates at) IP addresses in any of the given subnets. items: type: string maxItems: 256 type: array x-kubernetes-list-type: set notNets: + description: + NotNets is the negated version of the Nets + field. items: type: string maxItems: 256 type: array x-kubernetes-list-type: set notPorts: + description: |- + NotPorts is the negated version of the Ports field. + Since only some protocols have ports, if any ports are specified it requires the + Protocol match in the Rule to be set to "TCP", "UDP", or "SCTP". items: anyOf: - type: integer @@ -642,9 +1091,19 @@ spec: type: array x-kubernetes-list-type: atomic notSelector: + description: |- + NotSelector is the negated version of the Selector field. See Selector field for + subtleties with negated selectors. maxLength: 1024 type: string ports: + description: |- + Ports is an optional field that restricts the rule to only apply to traffic that has a + source (destination) port that matches one of these ranges/values. This value is a + list of integers or strings that represent ranges of ports. + + Since only some protocols have ports, if any ports are specified it requires the + Protocol match in the Rule to be set to "TCP", "UDP", or "SCTP". items: anyOf: - type: integer 
@@ -655,24 +1114,66 @@ spec: type: array x-kubernetes-list-type: atomic selector: + description: + "Selector is an optional field that contains + a selector expression (see Policy for\nsample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching\nthe selector will be matched.\n\nNote that: + in addition to the negated version of the Selector (see + NotSelector below), the\nselector expression syntax itself + supports negation. The two types of negation are subtly\ndifferent. + One negates the set of matched endpoints, the other negates + the whole match:\n\n\tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled\n\tendpoints + that do not have the label \"my_label\".\n\n\tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled\n\tendpoints that do have the label + \"my_label\".\n\nThe effect is that the latter will accept + packets from non-Calico sources whereas the\nformer is + limited to packets from Calico-controlled endpoints." maxLength: 1024 type: string serviceAccounts: + description: |- + ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or + terminates at) a pod running as a matching service account. properties: names: + description: |- + Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates + at) a pod running as a service account whose name is in the list. items: type: string type: array x-kubernetes-list-type: set selector: + description: |- + Selector is an optional field that restricts the rule to only apply to traffic that originates from + (or terminates at) a pod running as a service account that matches the given label selector. + If both Names and Selector are specified then they are AND'ed. type: string type: object services: + description: |- + Services is an optional field that contains options for matching Kubernetes Services. 
+ If specified, only traffic that originates from or terminates at endpoints within the selected + service(s) will be matched, and only to/from each endpoint's port. + + Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, + NotNets or ServiceAccounts. + + Ports and NotPorts can only be specified with Services on ingress rules. properties: name: + description: + Name specifies the name of a Kubernetes + Service to match. maxLength: 253 type: string namespace: + description: |- + Namespace specifies the namespace of the given Service. If left empty, the rule + will match within this policy's namespace. maxLength: 253 type: string type: object 
@@ -762,11 +1263,31 @@ spec: type: array x-kubernetes-list-type: atomic namespaceSelector: + description: + NamespaceSelector is an optional field for an expression + used to select a pod based on namespaces. maxLength: 1024 type: string order: + description: |- + Order is an optional field that specifies the order in which the policy is applied. + Policies with higher "order" are applied after those with lower + order within the same tier. If the order is omitted, it may be considered to be "infinite" - i.e. the + policy will be applied last. Policies with identical order will be applied in + alphanumerical order based on the Policy "Name" within the tier. type: number performanceHints: + description: |- + PerformanceHints contains a list of hints to Calico's policy engine to + help process the policy more efficiently. Hints never change the + enforcement behaviour of the policy. + + Currently, the only available hint is "AssumeNeededOnEveryNode". When + that hint is set on a policy, Felix will act as if the policy matches + a local endpoint even if it does not. This is useful for "preloading" + any large static policies that are known to be used on every node. + If the policy is _not_ used on a particular node then the work + done to preload the policy (and to maintain it) is wasted. items: enum: - AssumeNeededOnEveryNode 
@@ -774,18 +1295,66 @@ spec: type: array x-kubernetes-list-type: set preDNAT: + description: |- + PreDNAT indicates to apply the rules in this policy before any DNAT. + Requires ApplyOnForward to be true. Cannot be used with DoNotTrack, and the + policy must not contain egress rules. type: boolean selector: + description: + "The selector is an expression used to pick out the endpoints + that the policy should\nbe applied to.\n\nSelector expressions follow + this syntax:\n\n\tlabel == \"string_literal\" -> comparison, e.g. + my_label == \"foo bar\"\n\tlabel != \"string_literal\" -> not + equal; also matches if label is not present\n\tlabel in { \"a\", + \"b\", \"c\", ... } -> true if the value of label X is one of + \"a\", \"b\", \"c\"\n\tlabel not in { \"a\", \"b\", \"c\", ... } + \ -> true if the value of label X is not one of \"a\", \"b\", \"c\"\n\thas(label_name) + \ -> True if that label is present\n\t! expr -> negation of expr\n\texpr + && expr -> Short-circuit and\n\texpr || expr -> Short-circuit + or\n\t( expr ) -> parens for grouping\n\tall() or the empty selector + -> matches all endpoints.\n\nLabel names are allowed to contain + alphanumerics, -, _ and /. String literals are more permissive\nbut + they do not support escape characters.\n\nExamples (with made-up + labels):\n\n\ttype == \"webserver\" && deployment == \"prod\"\n\ttype + in {\"frontend\", \"backend\"}\n\tdeployment != \"dev\"\n\t! has(label_name)" maxLength: 1024 type: string serviceAccountSelector: + description: + ServiceAccountSelector is an optional field for an expression + used to select a pod based on service accounts. maxLength: 1024 type: string tier: default: default + description: |- + The name of the tier that this policy belongs to. If this is omitted, the default + tier (name is "default") is assumed. 
The specified tier must exist in order to create + security policies within the tier, the "default" tier is created automatically if it + does not exist, this means for deployments requiring only a single Tier, the tier name + may be omitted on all policy management requests. type: string types: + description: |- + Types indicates whether this policy applies to ingress, or to egress, or to both. When + not explicitly specified (and so the value on creation is empty or nil), Calico defaults + Types according to what Ingress and Egress rules are present in the policy. The + default is: + + - [ PolicyTypeIngress ], if there are no Egress rules (including the case where there are + also no Ingress rules) + + - [ PolicyTypeEgress ], if there are Egress rules but no Ingress rules + + - [ PolicyTypeIngress, PolicyTypeEgress ], if there are both Ingress and Egress rules. + + When the policy is read back again, Types will always be one of these values, never empty + or nil. items: + description: + PolicyType enumerates the possible values of the PolicySpec + Types field. enum: - Ingress - Egress diff --git a/config/crd/projectcalico.org_globalnetworksets.yaml b/config/crd/projectcalico.org_globalnetworksets.yaml index 4d5a7507..b43344cd 100644 --- a/config/crd/projectcalico.org_globalnetworksets.yaml +++ b/config/crd/projectcalico.org_globalnetworksets.yaml 
@@ -23,21 +23,47 @@ spec: name: v3 schema: openAPIV3Schema: + description: |- + GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs and domain names that share + labels to allow rules to refer to them via selectors. The labels of GlobalNetworkSet are not + namespaced. properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: + description: + GlobalNetworkSetSpec contains the specification for a NetworkSet + resource. properties: allowedEgressDomains: + description: |- + The list of domain names that belong to this set and are honored in egress allow rules + only. Domain names specified here only work to allow egress traffic from the cluster to + external destinations. They don't work to _deny_ traffic to destinations specified by + domain name, or to allow ingress traffic from _sources_ specified by domain name. items: type: string type: array x-kubernetes-list-type: atomic nets: + description: |- + The list of IP networks that belong to this set. Each entry must be in CIDR notation, + e.g. "192.168.1.0/24". To include a single IP address, use a /32 (IPv4) or /128 (IPv6) mask. items: type: string type: array diff --git a/config/crd/projectcalico.org_globalreports.yaml b/config/crd/projectcalico.org_globalreports.yaml index a4acfa10..7522f100 100644 --- a/config/crd/projectcalico.org_globalreports.yaml 
+++ b/config/crd/projectcalico.org_globalreports.yaml 
@@ -17,39 +17,90 @@ spec: - name: v3 schema: openAPIV3Schema: + description: + GlobalReport contains the configuration for a non-namespaced + Report. properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: + description: ReportSpec contains the values of the GlobalReport. properties: cis: + description: + This field contain all the parameters for configuring + a CIS benchmark report. properties: highThreshold: + description: |- + Interpretted as a percentage to indicate at what levels of passing tests a node should be considered + HIGH, MED, and LOW. + - If >= HighThreshold flag as high + - Otherwise, if > MedThreshold flag as med + - Otherwise flag as low. type: integer includeUnscoredTests: + description: + Specifies if the report should also show results + for scored/not-scored tests. type: boolean medThreshold: type: integer numFailedTests: + description: + Configure the number of top failed tests to show + up on the report. type: integer resultsFilters: + description: |- + Benchmark results filters. The first matching set of filters is applied to each set of benchmark results. + If there are no matching filters, the full set of benchmark results will be included in the report. items: + description: + CISBenchmarkFilter provides filters for a set of + benchmarks that match particular selection criteria. 
properties: benchmarkSelection: + description: + BenchmarkSelection specifies which benchmarks + this filter applies to. If not specified, applies to all. properties: kubernetesVersion: + description: |- + KubernetesVersion is used select nodes that are running a specific version of kubelet. The full version need not + be fully specified down to the patch level, in which case the significant parts of the version are matched. + e.g. "1.0" will match versions "1.0.1" and "1.0.2" + If not specified, matches all versions. type: string type: object exclude: + description: + Exclude is an array of test indices to exclude + from the report. items: type: string type: array x-kubernetes-list-type: atomic include: + description: |- + Include is an array of test indices to show in the report. + Is additive if IncludeUnscoredTests is true. + Takes precedence over Exclude. items: type: string type: array 
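Review bot: Two wording defects land in the new `cis` descriptions: "Interpretted as a percentage" should be `Interpreted as a percentage`, and "This field contain all the parameters" should be `This field contains all the parameters`. The `highThreshold` description also documents both thresholds while `medThreshold` gets none; a one-line description on `medThreshold`, such as `The percentage of passing tests at or above which a node is flagged MED (see highThreshold).`, would keep the generated docs self-contained. These strings look generated from the Go doc comments, so the edits belong there.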
@@ -59,70 +110,144 @@ spec: x-kubernetes-list-type: atomic type: object endpoints: + description: |- + Endpoints is used to specify which endpoints are in-scope and stored in the generated report data. + Only used if endpoints data and/or audit logs are gathered in the report. If omitted, treated as everything + in-scope. properties: namespaces: + description: + Namespace match restricts endpoint selection to those + in the selected namespaces. properties: names: + description: + Names is an optional field that specifies a set + of resources by name. items: type: string type: array x-kubernetes-list-type: atomic selector: + description: |- + Selector is an optional field that selects a set of resources by label. + If both Names and Selector are specified then they are AND'ed. type: string type: object selector: + description: |- + Selector, selects endpoints by endpoint labels. If omitted, all endpoints are included in the report + data. type: string serviceAccounts: + description: + ServiceAccount match restricts endpoint selection + to those in the selected service accounts. properties: names: + description: + Names is an optional field that specifies a set + of resources by name. items: type: string type: array x-kubernetes-list-type: atomic selector: + description: |- + Selector is an optional field that selects a set of resources by label. + If both Names and Selector are specified then they are AND'ed. type: string type: object type: object jobNodeSelector: additionalProperties: type: string + description: + The node selector used to specify which nodes the report + job may be scheduled on. type: object reportType: + description: The name of the report type. type: string schedule: + description: |- + The report schedule specified in cron format. This specifies both the start and end times of each report, + where the end time of one report becomes the start time of the next report. 
+ Separate jobs are created to generate a report, and the job generates the report data from archived audit + and traffic data. To ensure this data is actually archived, the jobs to generate each report starts at a + configurable time *after* the end time of the report that is being generated. The default job start delay is + 30m, but is configurable through the compliance-controller environments. + The cron format has minute accuracy, but only up to two values may be configured for the minute column which + means you may only have at most two reports for each hour period. type: string suspend: + description: |- + This flag tells the controller to suspend subsequent jobs for generating reports, it does not apply to already + started jobs. If jobs are resumed then the controller will start creating jobs for any reports that were missed + while the job was suspended. type: boolean required: - reportType type: object status: + description: + ReportStatus contains the status of the automated report + generation. properties: activeReportJobs: + description: The set of active report jobs. items: + description: ReportJob contains properties: end: + description: The end time of the report. format: date-time type: string job: + description: A reference to the report creation job if known. properties: apiVersion: + description: API version of the referent. type: string fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. 
type: string kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic start: + description: The start time of the report. format: date-time type: string required: 
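Review bot: The `activeReportJobs` items description is an unfinished sentence, `description: ReportJob contains`, which will surface verbatim in `kubectl explain` and in any generated API reference. It should state what the object holds, for example `ReportJob contains the time range of a report and a reference to the job that generates it.`, taken from whatever the Go doc comment on the `ReportJob` type is meant to say. The `lastFailedReportJobs` and `lastSuccessfulReportJobs` items in the later hunks use a complete `CompletedReportJob` description, so only this one is truncated.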
@@ -133,33 +258,65 @@ spec: type: array x-kubernetes-list-type: atomic lastFailedReportJobs: + description: The configured report jobs that have failed. items: + description: + CompletedReportJob augments the ReportJob with completion + details. properties: end: + description: The end time of the report. format: date-time type: string job: + description: A reference to the report creation job if known. properties: apiVersion: + description: API version of the referent. type: string fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. type: string kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: + description: |- + UID of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic jobCompletionTime: + description: The time the report job completed. format: date-time type: string start: + description: The start time of the report. format: date-time type: string required: 
@@ -170,29 +327,57 @@ spec: type: array x-kubernetes-list-type: atomic lastScheduledReportJob: + description: The last scheduled report job. properties: end: + description: The end time of the report. format: date-time type: string job: + description: A reference to the report creation job if known. properties: apiVersion: + description: API version of the referent. type: string fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. type: string kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic start: + description: The start time of the report. 
format: date-time type: string required: 
@@ -201,33 +386,65 @@ spec: - start type: object lastSuccessfulReportJobs: + description: The configured report jobs that have completed successfully. items: + description: + CompletedReportJob augments the ReportJob with completion + details. properties: end: + description: The end time of the report. format: date-time type: string job: + description: A reference to the report creation job if known. properties: apiVersion: + description: API version of the referent. type: string fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. type: string kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: + description: |- + UID of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic jobCompletionTime: + description: The time the report job completed. format: date-time type: string start: + description: The start time of the report. format: date-time type: string required: diff --git a/config/crd/projectcalico.org_globalreporttypes.yaml b/config/crd/projectcalico.org_globalreporttypes.yaml index c5926563..e4bcefbf 100644 --- a/config/crd/projectcalico.org_globalreporttypes.yaml +++ b/config/crd/projectcalico.org_globalreporttypes.yaml 
@@ -17,59 +17,130 @@ spec: - name: v3 schema: openAPIV3Schema: + description: + GlobalReportType contains the configuration for a non-namespaced + report type. properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: + description: + ReportTypeSpec contains the various templates, and configuration + used to render a specific type of report. properties: auditEventsSelection: + description: |- + What audit log data should be included in the report. If not specified, the report will contain no audit log + data. The selection may be further filtered by the Report. properties: resources: + description: |- + Resources lists the resources that will be included in the audit logs in the ReportData. Blank fields in the + listed ResourceID structs are treated as wildcards. items: + description: |- + AuditResource is used to filter Audit events in the Report configuration. + + An empty field value indicates a wildcard. For example, if Resource is set to "networkpolicies" and all other + fields are blank then this filter would include all NetworkPolicy resources across all namespaces, and would include + both Calico and Kubernetes resource types. properties: apiGroup: + description: + APIGroup is the name of the API group that + contains the referred object (e.g. projectcalico.org). 
type: string apiVersion: + description: + APIVersion is the version of the API group + that contains the referred object (e.g. v3). type: string name: + description: The resource name. type: string namespace: + description: The resource namespace. type: string resource: + description: + The resource type. The format is the lowercase + plural as used in audit event selection and RBAC configuration. type: string type: object type: array x-kubernetes-list-type: atomic type: object downloadTemplates: + description: The set of templates used to render the report for downloads. items: + description: + ReportTemplate defines a template used to render a + report into downloadable or UI compatible format. properties: description: + description: A user-facing description of the template. type: string name: + description: |- + The name of this template. This should be unique across all template names within a ReportType. This will be used + by the UI as the suffix of the downloadable file name. type: string template: + description: + The base-64 encoded go template used to render + the report data. type: string type: object type: array x-kubernetes-list-type: atomic includeCISBenchmarkData: + description: + Whether to include the full cis benchmark test results + in the report. type: boolean includeEndpointData: + description: |- + Whether to include endpoint data in the report. The actual endpoints included may be filtered by the Report, + but will otherwise contain the full set of endpoints. type: boolean includeEndpointFlowLogData: + description: + Whether to include endpoint-to-endpoint flow log data + in the report. type: boolean uiSummaryTemplate: + description: |- + The summary template, explicitly used by the UI to render a summary version of the report. This should render + to json containing a sets of widgets that the UI can use to render the summary. The rendered data is returned + on the list query of the reports. 
properties: description: + description: A user-facing description of the template. type: string name: + description: |- + The name of this template. This should be unique across all template names within a ReportType. This will be used + by the UI as the suffix of the downloadable file name. type: string template: + description: + The base-64 encoded go template used to render the + report data. type: string type: object type: object diff --git a/config/crd/projectcalico.org_globalthreatfeeds.yaml b/config/crd/projectcalico.org_globalthreatfeeds.yaml index 5ec29952..3227b2b5 100644 --- a/config/crd/projectcalico.org_globalthreatfeeds.yaml +++ b/config/crd/projectcalico.org_globalthreatfeeds.yaml 
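Review bot: The new `uiSummaryTemplate` description has a number-agreement slip, "render to json containing a sets of widgets", which should read `render to json containing a set of widgets`. As elsewhere in this change the string is generated, so fix the Go doc comment and regenerate.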
@@ -17,26 +17,49 @@ spec: - name: v3 schema: openAPIV3Schema: + description: |- + GlobalThreatFeed is a source of intel for possible threats to the cluster. This + object configures how Tigera components communicate with the feed and update + detection jobs or policy based on the intel. properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: + description: + GlobalThreatFeedSpec contains the specification of a GlobalThreatFeed + resource. properties: content: default: IPSet + description: Content describes the kind of data the data feed provides. enum: - IPSet - DomainNameSet type: string description: + description: Human-readable description of the template. maxLength: 256 type: string feedType: default: Custom + description: + Distinguishes between Builtin Global Threat Feeds and + Custom feed types. enum: - Builtin - Custom @@ -50,6 +73,9 @@ spec: type: object mode: default: Enabled + description: + Determines whether the Global Threat Feed is Enabled + or Disabled. enum: - Enabled - Disabled 
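Review bot: The description added on `spec.description` in the GlobalThreatFeedSpec hunk reads "Human-readable description of the template.", but this resource is a threat feed, not a template, so the wording looks copied from a template type and will confuse anyone reading `kubectl explain`. Suggest `description: Human-readable description of the threat feed.`. These CRDs appear to be generated (a later file in this diff carries a controller-gen TODO), so the fix belongs in the Go doc comment on the `Description` field followed by a regenerate, otherwise the next generate will revert a hand edit.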
@@ -95,26 +121,52 @@ spec: valueFrom: properties: configMapKeyRef: + description: Selects a key of a ConfigMap. properties: key: + description: The key to select. type: string name: default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string optional: + description: + Specify whether the ConfigMap or + its key must be defined type: boolean required: - key type: object x-kubernetes-map-type: atomic secretKeyRef: + description: + Selects a key of a secret in the pod's + namespace properties: key: + description: + The key of the secret to select + from. Must be a valid secret key. type: string name: default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string optional: + description: + Specify whether the Secret or its + key must be defined type: boolean required: - key diff --git a/config/crd/projectcalico.org_hostendpoints.yaml b/config/crd/projectcalico.org_hostendpoints.yaml index 28368929..3f553682 100644 --- a/config/crd/projectcalico.org_hostendpoints.yaml +++ b/config/crd/projectcalico.org_hostendpoints.yaml 
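Review bot: The description added on `secretKeyRef` says the key is selected from "a secret in the pod's namespace", which is the core/v1 SecretKeySelector wording and does not say which namespace applies when the referent is resolved by a controller on behalf of a GlobalThreatFeed rather than by a pod. Because this is where feed credentials are sourced, an operator needs to know exactly which namespace the Secret must live in, so it is not placed in one that other tenants can write to. If the Go type embeds `corev1.EnvVarSource` the inherited text cannot be changed in place; consider a note on the enclosing `valueFrom` field such as `Secret and ConfigMap referents are resolved in the namespace of the component that fetches the feed, not in a pod namespace.` with the exact namespace filled in. The resource's scope is not visible in this chunk, so verify the namespace claim before documenting it.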
@@ -33,25 +33,67 @@ spec: openAPIV3Schema: properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: + description: + HostEndpointSpec contains the specification for a HostEndpoint + resource. properties: expectedIPs: + description: + "The expected IP addresses (IPv4 and IPv6) of the endpoint.\nIf + \"InterfaceName\" is not present, Calico will look for an interface + matching any\nof the IPs in the list and apply policy to that.\nNote:\n\tWhen + using the selector match criteria in an ingress or egress security + Policy\n\tor Profile, Calico converts the selector into a set of + IP addresses. For host\n\tendpoints, the ExpectedIPs field is used + for that purpose. (If only the interface\n\tname is specified, Calico + does not learn the IPs of the interface for use in match\n\tcriteria.)" items: type: string type: array x-kubernetes-list-type: set interfaceName: + description: |- + Either "*", or the name of a specific Linux interface to apply policy to; or empty. "*" + indicates that this HostEndpoint governs all traffic to, from or through the default + network namespace of the host named by the "Node" field; entering and leaving that + namespace via any interface, including those from/to non-host-networked local workloads. 
+ + If InterfaceName is not "*", this HostEndpoint only governs traffic that enters or leaves + the host through the specific interface named by InterfaceName, or - when InterfaceName + is empty - through the specific interface that has one of the IPs in ExpectedIPs. + Therefore, when InterfaceName is empty, at least one expected IP must be specified. Only + external interfaces (such as "eth0") are supported here; it isn't possible for a + HostEndpoint to protect traffic through a specific local workload interface. + + Note: Only some kinds of policy are implemented for "*" HostEndpoints; initially just + pre-DNAT policy. Please check Calico documentation for the latest position. maxLength: 15 type: string node: + description: The node name identifying the Calico node instance. maxLength: 253 type: string ports: + description: + Ports contains the endpoint's named ports, which may + be referenced in security policy rules. items: properties: name: @@ -74,6 +116,10 @@ spec: type: array x-kubernetes-list-type: atomic profiles: + description: |- + A list of identifiers of security Profile objects that apply to this endpoint. Each + profile is applied in the order that they appear in this list. Profile rules are applied + after the selector-based security policy. items: type: string type: array diff --git a/config/crd/projectcalico.org_ipamblocks.yaml b/config/crd/projectcalico.org_ipamblocks.yaml index 414b24ce..d4bf6eb7 100644 --- a/config/crd/projectcalico.org_ipamblocks.yaml +++ b/config/crd/projectcalico.org_ipamblocks.yaml 
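Review bot: The new `interfaceName` description states that when InterfaceName is empty "at least one expected IP must be specified", but nothing in the schema enforces it: `expectedIPs` has no `minItems` and there is no cross-field rule, so an object with both empty is accepted at admission. Other CRDs in this diff already use `x-kubernetes-validations` (the `self == oldSelf` rules on IPPool), so a CEL rule under `spec` is consistent here: `- rule: '(has(self.interfaceName) && self.interfaceName != "") || (has(self.expectedIPs) && size(self.expectedIPs) > 0)'` with `message: expectedIPs must be non-empty when interfaceName is empty`. If libcalico's validator already rejects this combination, the rule still surfaces the check in `kubectl` errors instead of a later reconcile failure.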
@@ -32,20 +32,42 @@ spec: openAPIV3Schema: properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: + description: |- + IPAMBlockSpec contains the specification for an IPAMBlock resource. + This resource is managed internally by Calico IPAM and should not be modified manually. properties: affinity: + description: |- + Affinity of the block, if this block has one. If set, it will be of the form + "host:" or "virtual:". If not set, this block is not affine to a host. pattern: ^(host|virtual):[a-zA-Z0-9\.\-_]+$ type: string affinityClaimTime: + description: Time at which affinity was claimed. format: date-time type: string allocations: + description: |- + Array of allocations in-use within this block. nil entries mean the allocation is free. + For non-nil entries at index i, the index is the ordinal of the allocation within this block + and the value is the index of the associated attributes in the Attributes array. items: type: integer # TODO: This nullable is manually added in. We should update controller-gen 
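Review bot: The new `affinity` description says the value "will be of the form "host:" or "virtual:"" while the existing `pattern` (`^(host|virtual):[a-zA-Z0-9\.\-_]+$`) requires a non-empty name after the colon, so as rendered the description reads as if the bare prefix were valid. If an angle-bracket placeholder such as `<hostname>` was dropped when the Go comment was rendered, use a wording that survives escaping: `If set, it will be of the form "host:NAME" or "virtual:NAME", where NAME matches [a-zA-Z0-9._-]+.`.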
@@ -54,38 +76,74 @@ spec: type: array x-kubernetes-list-type: atomic attributes: + description: |- + Attributes is an array of arbitrary metadata associated with allocations in the block. To find + attributes for a given allocation, use the value of the allocation's entry in the Allocations array + as the index of the element in this array. items: + description: + AllocationAttribute holds metadata associated with + a single IP allocation within a block. properties: alternateOwnerAttrs: additionalProperties: type: string + description: + AlternateOwnerAttrs stores attributes of a secondary + owner, used during IP address migration. type: object handle_id: + description: + HandleID is the ID of the IPAM handle that owns + this allocation. type: string secondary: additionalProperties: type: string + description: + ActiveOwnerAttrs stores attributes of the primary + owner of this allocation (e.g., pod name, namespace). type: object type: object type: array x-kubernetes-list-type: atomic cidr: + description: The block's CIDR. format: cidr type: string deleted: + description: |- + Deleted is an internal boolean used to workaround a limitation in the Kubernetes API whereby + deletion will not return a conflict error if the block has been updated. It should not be set manually. type: boolean sequenceNumber: default: 0 + description: |- + We store a sequence number that is updated each time the block is written. + Each allocation will also store the sequence number of the block at the time of its creation. + When releasing an IP, passing the sequence number associated with the allocation allows us + to protect against a race condition and ensure the IP hasn't been released and re-allocated + since the release request. format: int64 type: integer sequenceNumberForAllocation: additionalProperties: format: int64 type: integer + description: |- + Map of allocated ordinal within the block to sequence number of the block at + the time of allocation. 
Kubernetes does not allow numerical keys for maps, so + the key is cast to a string. type: object strictAffinity: + description: + StrictAffinity on the IPAMBlock is deprecated and no + longer used by the code. Use IPAMConfig StrictAffinity instead. type: boolean unallocated: + description: + Unallocated is an ordered list of allocations which are + free in the block. items: type: integer type: array diff --git a/config/crd/projectcalico.org_ipamconfigurations.yaml b/config/crd/projectcalico.org_ipamconfigurations.yaml index 9be7e3a9..e8505eff 100644 --- a/config/crd/projectcalico.org_ipamconfigurations.yaml +++ b/config/crd/projectcalico.org_ipamconfigurations.yaml 
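Review bot: In the `attributes` items of the IPAMBlock hunk, the description added on the `secondary` key says "ActiveOwnerAttrs stores attributes of the primary owner", which matches neither the YAML key (`secondary`) nor the sibling `handle_id` text that calls the handle the owner, so a reader cannot tell whether `secondary` is the active owner or the alternate one. The name `ActiveOwnerAttrs` suggests the Go field was renamed while the JSON tag kept the legacy key; if so, say that explicitly, e.g. `ActiveOwnerAttrs stores attributes of the current (active) owner of this allocation (e.g., pod name, namespace). Serialized under the legacy key "secondary"; AlternateOwnerAttrs holds the migration target's attributes.`. The Go type is not in this chunk, so confirm the intended meaning before changing the comment.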
@@ -33,31 +33,65 @@ spec: name: v3 schema: openAPIV3Schema: + description: + IPAMConfiguration contains information about a block for IP address + assignment. properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: + description: + IPAMConfigurationSpec contains the specification for an IPAMConfiguration + resource. properties: autoAllocateBlocks: default: true + description: Whether or not to auto allocate blocks to hosts. type: boolean kubeVirtVMAddressPersistence: + description: |- + KubeVirtVMAddressPersistence controls whether KubeVirt VirtualMachine workloads + maintain persistent IP addresses across VM lifecycle events (reboot, migration, pod eviction). + When Enabled, Calico automatically ensures that KubeVirt VMs retain their IP addresses + when their underlying pods are recreated during VM operations. + When Disabled, VMs receive new IP addresses whenever their pods are recreated, + and creating a live migration target pod is not supported because the migration + target pod requires the same IP as the source pod, which is only possible with + address persistence. + Defaults to Enabled if not specified. enum: - Enabled - Disabled type: string maxBlocksPerHost: default: 0 + description: |- + MaxBlocksPerHost, if non-zero, is the max number of blocks that can be + affine to each host. 
format: int32 maximum: 1000000 minimum: 0 type: integer strictAffinity: default: false + description: + When StrictAffinity is true, borrowing IP addresses is + not allowed. type: boolean required: - autoAllocateBlocks diff --git a/config/crd/projectcalico.org_ipamhandles.yaml b/config/crd/projectcalico.org_ipamhandles.yaml index 8b4f60b9..b1b75eae 100644 --- a/config/crd/projectcalico.org_ipamhandles.yaml +++ b/config/crd/projectcalico.org_ipamhandles.yaml @@ -24,20 +24,43 @@ spec: openAPIV3Schema: properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: + description: |- + IPAMHandleSpec contains the specification for an IPAMHandle resource. + This resource is managed internally by Calico IPAM and should not be modified manually. properties: block: additionalProperties: type: integer + description: + Block maps block CIDRs to the number of allocations from + that block held by this handle. type: object deleted: + description: + Deleted is an internal flag used to prevent races during + handle cleanup. Should not be set manually. type: boolean handleID: + description: + HandleID is the unique identifier for this allocation + handle. type: string required: - block diff --git a/config/crd/projectcalico.org_ippools.yaml b/config/crd/projectcalico.org_ippools.yaml index 8d6d8c1b..285389ad 100644 
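Review bot: The new `kubeVirtVMAddressPersistence` description says "Defaults to Enabled if not specified", yet unlike its siblings (`autoAllocateBlocks: default: true`, `maxBlocksPerHost: default: 0`, `strictAffinity: default: false`) the field carries no `default:` in the schema, so stored objects will have the field absent and anything reading the resource directly sees no default. Either add `default: Enabled` via the Go marker (`// +kubebuilder:default=Enabled`) so the API server materializes it, or reword the comment to say the default is applied by Calico IPAM at runtime rather than by the API.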
--- a/config/crd/projectcalico.org_ippools.yaml +++ b/config/crd/projectcalico.org_ippools.yaml @@ -44,15 +44,36 @@ spec: openAPIV3Schema: properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: + description: IPPoolSpec contains the specification for an IPPool resource. properties: allowedUses: + description: |- + AllowedUses controls what the IP pool will be used for. If not specified or empty, defaults to + ["Tunnel", "Workload"] for back-compatibility. Valid values: "Tunnel", "Workload", "LoadBalancer". items: + description: |- + IPPoolAllowedUse defines the allowed uses for an IP pool. + It can be one of "Workload", "Tunnel", or "LoadBalancer". + - "Workload" means the pool is used for workload IP addresses. + - "Tunnel" means the pool is used for tunnel IP addresses. + - "LoadBalancer" means the pool is used for load balancer IP addresses. enum: - Workload - Tunnel 
@@ -63,13 +84,27 @@ spec: x-kubernetes-list-type: set assignmentMode: default: Automatic + description: + Determines the mode how IP addresses should be assigned + from this pool enum: - Automatic - Manual type: string awsSubnetID: + description: |- + AWSSubnetID if specified Calico will attempt to ensure that IPs chosen from this IP pool are routed + to the corresponding node by adding one or more secondary ENIs to the node and explicitly assigning + the IP to one of the secondary ENIs. Important: since subnets cannot cross availability zones, + it's important to use Kubernetes node selectors to avoid scheduling pods to one availability zone + using an IP pool that is backed by a subnet that belongs to another availability zone. If AWSSubnetID + is specified, then the CIDR of the IP pool must be contained within the specified AWS subnet. type: string blockSize: + description: |- + The block size to use for IP address assignments from this pool. Defaults to 26 for IPv4 and 122 for IPv6. + The block size must be between 0 and 32 for IPv4 and between 0 and 128 for IPv6. It must also be smaller than + or equal to the size of the pool CIDR. maximum: 128 minimum: 0 type: integer @@ -80,6 +115,7 @@ spec: reason: FieldValueInvalid rule: self == oldSelf cidr: + description: The pool CIDR. format: cidr maxLength: 48 type: string 
@@ -90,25 +126,44 @@ spec: reason: FieldValueInvalid rule: self == oldSelf disableBGPExport: + description: + "Disable exporting routes from this IP Pool's CIDR over + BGP. [Default: false]" type: boolean disabled: + description: + When disabled is true, Calico IPAM will not assign addresses + from this pool. type: boolean ipipMode: + description: |- + Contains configuration for IPIP tunneling for this pool. + For IPv6 pools, IPIP tunneling must be disabled. enum: - Never - Always - CrossSubnet type: string namespaceSelector: + description: |- + Allows IPPool to allocate for a specific namespace by label selector. + If specified, both namespaceSelector and nodeSelector must match for the pool to be used. maxLength: 1024 type: string natOutgoing: + description: |- + When natOutgoing is true, packets sent from Calico networked containers in + this pool to destinations outside of this pool will be masqueraded. type: boolean nodeSelector: default: all() + description: + Allows IPPool to allocate for a specific node by label + selector. maxLength: 1024 type: string vxlanMode: + description: Contains configuration for VXLAN tunneling for this pool. enum: - Never - Always 
@@ -171,29 +226,50 @@ spec: properties: conditions: items: + description: + Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ type: string status: + description: status of the condition, one of True, False, Unknown. enum: - "True" - "False" - Unknown type: string type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/config/crd/projectcalico.org_ipreservations.yaml b/config/crd/projectcalico.org_ipreservations.yaml index 19f44a1e..dc522cdd 100644 
--- a/config/crd/projectcalico.org_ipreservations.yaml +++ b/config/crd/projectcalico.org_ipreservations.yaml @@ -17,16 +17,39 @@ spec: - name: v3 schema: openAPIV3Schema: + description: |- + IPReservation allows certain IP addresses to be reserved (i.e. prevented from being allocated) by Calico + IPAM. Reservations only block new allocations, they do not cause existing IP allocations to be released. + The current implementation is only suitable for reserving small numbers of IP addresses relative to the + size of the IP pool. If large portions of an IP pool are reserved, Calico IPAM may hunt for a long time + to find a non-reserved IP. properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: + description: + IPReservationSpec contains the specification for an IPReservation + resource. properties: reservedCIDRs: + description: |- + ReservedCIDRs is a list of CIDRs that Calico IPAM will exclude from new allocations. + Each entry must be in CIDR notation (e.g., "10.0.0.0/24" or "10.0.0.1/32" for a single IP). format: cidr items: type: string diff --git a/config/crd/projectcalico.org_kubecontrollersconfigurations.yaml b/config/crd/projectcalico.org_kubecontrollersconfigurations.yaml index 0e3d2069..cf04e946 100644 --- a/config/crd/projectcalico.org_kubecontrollersconfigurations.yaml 
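Review bot: The new `reservedCIDRs` description promises that each entry "must be in CIDR notation", but in the schema `format: cidr` sits on the array itself (a sibling of `items`), where OpenAPI ignores it; each element is only `type: string`, so a malformed entry is accepted at admission. The format belongs on the element schema: `items:` / `  format: cidr` / `  type: string`. Since the CRD is generated, set it from the Go field with an items-level format marker (e.g. `// +kubebuilder:validation:items:Format=cidr`, if the controller-gen version in use supports it) rather than hand-editing the YAML. This is pre-existing, but the new text makes the mismatch visible.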
+++ b/config/crd/projectcalico.org_kubecontrollersconfigurations.yaml 
@@ -22,117 +22,229 @@ spec: openAPIV3Schema: properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: + description: + KubeControllersConfigurationSpec contains the values of the + Kubernetes controllers configuration. properties: controllers: + description: + Controllers enables and configures individual Kubernetes + controllers properties: federatedServices: + description: + FederatedServices enables and configures the federatedservices + controller. Disabled by default. properties: reconcilerPeriod: + description: + "ReconcilerPeriod is the period to perform reconciliation. + [Default: 5m]" type: string type: object loadBalancer: + description: + LoadBalancer enables and configures the LoadBalancer + controller. Enabled by default, set to nil to disable. properties: assignIPs: default: AllServices + description: + AssignIPs controls which LoadBalancer Service + gets IP assigned from Calico IPAM. enum: - AllServices - RequestedServicesOnly type: string type: object migration: + description: Migration enables and configures migration controllers. properties: policyNameMigrator: default: Enabled + description: |- + PolicyNameMigrator enables or disables the Policy Name Migrator, which migrates + old-style Calico backend policy names to use v3 style names. 
enum: - Disabled - Enabled type: string type: object namespace: + description: + Namespace enables and configures the namespace controller. + Enabled by default, set to nil to disable. properties: reconcilerPeriod: + description: + "ReconcilerPeriod is the period to perform reconciliation + with the Calico datastore. [Default: 5m]" type: string type: object node: + description: + Node enables and configures the node controller. + Enabled by default, set to nil to disable. properties: hostEndpoint: + description: + HostEndpoint controls syncing nodes to host endpoints. + Disabled by default, set to nil to disable. properties: autoCreate: + description: |- + AutoCreate enables automatic creation of host endpoints for every node. [Default: Disabled] + Valid values are: "Enabled", "Disabled". enum: - Enabled - Disabled type: string createDefaultHostEndpoint: + description: |- + DefaultHostEndpointMode controls whether a default host endpoint is created for each node. + Valid values are: "Enabled", "Disabled". type: string templates: + description: + Templates contains definition for creating + AutoHostEndpoints items: properties: generateName: + description: + GenerateName is appended to the end + of the generated AutoHostEndpoint name maxLength: 253 type: string interfaceCIDRs: + description: |- + InterfaceCIDRs contains a list of CIDRs used for matching nodeIPs to the AutoHostEndpoint. + If specified, only addresses within these CIDRs will be included in the expected IPs. + At least one of InterfaceCIDRs and InterfacePattern must be specified. items: type: string type: array x-kubernetes-list-type: set interfacePattern: + description: |- + InterfacePattern contains a regex string to match Node interface names. If specified, a HostEndpoint will be created for each matching interface on each selected node. + At least one of InterfaceCIDRs and InterfacePattern must be specified. 
type: string labels: additionalProperties: type: string + description: + Labels adds the specified labels to + the generated AutoHostEndpoint, labels from node + with the same name will be overwritten by values + from the template label type: object nodeSelector: + description: + NodeSelector allows the AutoHostEndpoint + to be created only for specific nodes type: string type: object type: array x-kubernetes-list-type: atomic type: object leakGracePeriod: + description: |- + LeakGracePeriod is the period used by the controller to determine if an IP address has been leaked. + Set to 0 to disable IP garbage collection. [Default: 15m] type: string reconcilerPeriod: + description: + "ReconcilerPeriod is the period to perform reconciliation + with the Calico datastore. [Default: 5m]" type: string syncLabels: + description: |- + SyncLabels controls whether to copy Kubernetes node labels to Calico nodes. [Default: Enabled] + Valid values are: "Enabled", "Disabled". enum: - Enabled - Disabled type: string type: object policy: + description: + Policy enables and configures the policy controller. + Enabled by default, set to nil to disable. properties: reconcilerPeriod: + description: + "ReconcilerPeriod is the period to perform reconciliation + with the Calico datastore. [Default: 5m]" type: string type: object serviceAccount: + description: + ServiceAccount enables and configures the service + account controller. Enabled by default, set to nil to disable. properties: reconcilerPeriod: + description: + "ReconcilerPeriod is the period to perform reconciliation + with the Calico datastore. [Default: 5m]" type: string type: object workloadEndpoint: + description: + WorkloadEndpoint enables and configures the workload + endpoint controller. Enabled by default, set to nil to disable. properties: reconcilerPeriod: + description: + "ReconcilerPeriod is the period to perform reconciliation + with the Calico datastore. 
[Default: 5m]" type: string type: object type: object debugProfilePort: + description: |- + DebugProfilePort configures the port to serve memory and cpu profiles on. If not specified, profiling + is disabled. + Valid values are: 0-65535. format: int32 maximum: 65535 minimum: 0 type: integer etcdV3CompactionPeriod: + description: + "EtcdV3CompactionPeriod is the period between etcdv3 + compaction requests. Set to 0 to disable. [Default: 10m]" type: string healthChecks: default: Enabled + description: |- + HealthChecks enables or disables support for health checks [Default: Enabled] + Valid values are: "Enabled", "Disabled". enum: - Enabled - Disabled type: string logSeverityScreen: + description: |- + LogSeverityScreen is the log severity above which logs are sent to the stdout. [Default: Info] + Valid values are: "None", "Debug", "Info", "Warning", "Error", "Fatal", "Panic". enum: - None - Debug @@ -143,6 +255,9 @@ spec: - Panic type: string prometheusMetricsPort: + description: |- + PrometheusMetricsPort is the TCP port that the Prometheus metrics server should bind to. Set to 0 to disable. [Default: 9094] + Valid values are: 0-65535. maximum: 65535 minimum: 0 type: integer 
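Review bot: In the node controller's `hostEndpoint` block, the description added on `createDefaultHostEndpoint` starts with "DefaultHostEndpointMode controls ..." and lists "Enabled", "Disabled" as the valid values, but the field has no `enum`, unlike the adjacent `autoCreate`, so any string is accepted and whatever the controller does with an unexpected value (default-on or default-off host endpoint creation) is invisible at admission. Add the same constraint, `enum:` / `- Enabled` / `- Disabled`, via the Go marker (`// +kubebuilder:validation:Enum=Enabled;Disabled`), and start the comment with the field's own name, e.g. `CreateDefaultHostEndpoint controls whether a default host endpoint is created for each node.`. The same text appears again under `status.runningConfig` in the last hunk, which runs past this chunk, so regenerating from the Go type fixes both.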
@@ -150,117 +265,230 @@ spec: - controllers type: object status: + description: |- + KubeControllersConfigurationStatus represents the status of the configuration. It's useful for admins to + be able to see the actual config that was applied, which can be modified by environment variables on the + kube-controllers process. properties: environmentVars: additionalProperties: type: string + description: |- + EnvironmentVars contains the environment variables on the kube-controllers that influenced + the RunningConfig. type: object runningConfig: + description: |- + RunningConfig contains the effective config that is running in the kube-controllers pod, after + merging the API resource with any environment variables. properties: controllers: + description: + Controllers enables and configures individual Kubernetes + controllers properties: federatedServices: + description: + FederatedServices enables and configures the + federatedservices controller. Disabled by default. properties: reconcilerPeriod: + description: + "ReconcilerPeriod is the period to perform + reconciliation. [Default: 5m]" type: string type: object loadBalancer: + description: + LoadBalancer enables and configures the LoadBalancer + controller. Enabled by default, set to nil to disable. properties: assignIPs: default: AllServices + description: + AssignIPs controls which LoadBalancer Service + gets IP assigned from Calico IPAM. enum: - AllServices - RequestedServicesOnly type: string type: object migration: + description: Migration enables and configures migration controllers. properties: policyNameMigrator: default: Enabled + description: |- + PolicyNameMigrator enables or disables the Policy Name Migrator, which migrates + old-style Calico backend policy names to use v3 style names. enum: - Disabled - Enabled type: string type: object namespace: + description: + Namespace enables and configures the namespace + controller. Enabled by default, set to nil to disable. 
properties: reconcilerPeriod: + description: + "ReconcilerPeriod is the period to perform + reconciliation with the Calico datastore. [Default: + 5m]" type: string type: object node: + description: + Node enables and configures the node controller. + Enabled by default, set to nil to disable. properties: hostEndpoint: + description: + HostEndpoint controls syncing nodes to host + endpoints. Disabled by default, set to nil to disable. properties: autoCreate: + description: |- + AutoCreate enables automatic creation of host endpoints for every node. [Default: Disabled] + Valid values are: "Enabled", "Disabled". enum: - Enabled - Disabled type: string createDefaultHostEndpoint: + description: |- + DefaultHostEndpointMode controls whether a default host endpoint is created for each node. + Valid values are: "Enabled", "Disabled". type: string templates: + description: + Templates contains definition for creating + AutoHostEndpoints items: properties: generateName: + description: + GenerateName is appended to the + end of the generated AutoHostEndpoint name maxLength: 253 type: string interfaceCIDRs: + description: |- + InterfaceCIDRs contains a list of CIDRs used for matching nodeIPs to the AutoHostEndpoint. + If specified, only addresses within these CIDRs will be included in the expected IPs. + At least one of InterfaceCIDRs and InterfacePattern must be specified. items: type: string type: array x-kubernetes-list-type: set interfacePattern: + description: |- + InterfacePattern contains a regex string to match Node interface names. If specified, a HostEndpoint will be created for each matching interface on each selected node. + At least one of InterfaceCIDRs and InterfacePattern must be specified. 
type: string labels: additionalProperties: type: string + description: + Labels adds the specified labels + to the generated AutoHostEndpoint, labels + from node with the same name will be overwritten + by values from the template label type: object nodeSelector: + description: + NodeSelector allows the AutoHostEndpoint + to be created only for specific nodes type: string type: object type: array x-kubernetes-list-type: atomic type: object leakGracePeriod: + description: |- + LeakGracePeriod is the period used by the controller to determine if an IP address has been leaked. + Set to 0 to disable IP garbage collection. [Default: 15m] type: string reconcilerPeriod: + description: + "ReconcilerPeriod is the period to perform + reconciliation with the Calico datastore. [Default: + 5m]" type: string syncLabels: + description: |- + SyncLabels controls whether to copy Kubernetes node labels to Calico nodes. [Default: Enabled] + Valid values are: "Enabled", "Disabled". enum: - Enabled - Disabled type: string type: object policy: + description: + Policy enables and configures the policy controller. + Enabled by default, set to nil to disable. properties: reconcilerPeriod: + description: + "ReconcilerPeriod is the period to perform + reconciliation with the Calico datastore. [Default: + 5m]" type: string type: object serviceAccount: + description: + ServiceAccount enables and configures the service + account controller. Enabled by default, set to nil to disable. properties: reconcilerPeriod: + description: + "ReconcilerPeriod is the period to perform + reconciliation with the Calico datastore. [Default: + 5m]" type: string type: object workloadEndpoint: + description: + WorkloadEndpoint enables and configures the workload + endpoint controller. Enabled by default, set to nil to disable. properties: reconcilerPeriod: + description: + "ReconcilerPeriod is the period to perform + reconciliation with the Calico datastore. 
[Default: + 5m]" type: string type: object type: object debugProfilePort: + description: |- + DebugProfilePort configures the port to serve memory and cpu profiles on. If not specified, profiling + is disabled. + Valid values are: 0-65535. format: int32 maximum: 65535 minimum: 0 type: integer etcdV3CompactionPeriod: + description: + "EtcdV3CompactionPeriod is the period between etcdv3 + compaction requests. Set to 0 to disable. [Default: 10m]" type: string healthChecks: default: Enabled + description: |- + HealthChecks enables or disables support for health checks [Default: Enabled] + Valid values are: "Enabled", "Disabled". enum: - Enabled - Disabled type: string logSeverityScreen: + description: |- + LogSeverityScreen is the log severity above which logs are sent to the stdout. [Default: Info] + Valid values are: "None", "Debug", "Info", "Warning", "Error", "Fatal", "Panic". enum: - None - Debug @@ -271,6 +499,9 @@ spec: - Panic type: string prometheusMetricsPort: + description: |- + PrometheusMetricsPort is the TCP port that the Prometheus metrics server should bind to. Set to 0 to disable. [Default: 9094] + Valid values are: 0-65535. maximum: 65535 minimum: 0 type: integer diff --git a/config/crd/projectcalico.org_licensekeys.yaml b/config/crd/projectcalico.org_licensekeys.yaml index 5904820e..d976e115 100644 --- a/config/crd/projectcalico.org_licensekeys.yaml +++ b/config/crd/projectcalico.org_licensekeys.yaml 
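Review bot: Under status.runningConfig.controllers.node.hostEndpoint, the new description for `createDefaultHostEndpoint` promises `Valid values are: "Enabled", "Disabled"` but the field keeps a bare `type: string` with no `enum`, unlike the sibling `autoCreate`, so the API server will accept any value and the stated constraint lives only in the text; the description also opens with `DefaultHostEndpointMode`, which is not the field's name. If these descriptions are generated from the Go types, the fix belongs there: make the comment start with `CreateDefaultHostEndpoint` and give the field the same enum validation `autoCreate` carries so the schema enforces what the description says. In the same hunk the `hostEndpoint` description `Disabled by default, set to nil to disable.` contradicts itself; either the wording used for the other controllers, `Enabled by default, set to nil to disable.`, or simply `Disabled by default.` reads cleanly. The spec-side copy of this schema starts before this hunk and presumably carries the same text.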
@@ -33,49 +33,92 @@ spec: name: v3 schema: openAPIV3Schema: + description: + LicenseKey contains the Calico Enterprise license key for the + cluster. properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: + description: LicenseKeySpec contains the license key itself. properties: certificate: + description: Certificate is used to validate the token. type: string token: + description: Token is the JWT containing the license claims type: string required: - token type: object status: + description: LicenseKeyStatus contains the license key information. properties: conditions: + description: + Conditions is a list of conditions related to the license + key. This can be used to indicate if the license is valid, expired, + etc. items: + description: + Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. 
maxLength: 32768 type: string observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ type: string status: + description: status of the condition, one of True, False, Unknown. enum: - "True" - "False" - Unknown type: string type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -91,19 +134,28 @@ spec: - type x-kubernetes-list-type: map expiry: + description: Expiry is the expiry date of License format: date-time nullable: true type: string features: + description: List of features that are available via the applied license items: type: string type: array x-kubernetes-list-type: atomic gracePeriod: + description: + GracePeriod is how long after expiry the license remains + functional (e.g. "90d") type: string maxnodes: + description: Maximum Number of Allowed Nodes type: integer package: + description: + License package defines type of Calico license that is + being enforced enum: - CloudCommunity - CloudStarter diff --git a/config/crd/projectcalico.org_managedclusters.yaml b/config/crd/projectcalico.org_managedclusters.yaml index fb1ddc84..b415f75d 100644 
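Review bot: In the second hunk on this line (`@@ -91,19 +134,28 @@`), the new status descriptions for `features`, `maxnodes` and `package` do not follow the `Name is ...` form used everywhere else in this commit (`List of features that are available via the applied license`, `Maximum Number of Allowed Nodes`, `License package defines type of Calico license that is being enforced`), which makes generated reference docs inconsistent. Suggested wording: `Features is the list of features available under the applied license.`, `MaxNodes is the maximum number of nodes the license allows.`, `Package is the Calico license package being enforced.`; `Expiry is the expiry date of License` also wants an article and a period. The `gracePeriod` example `(e.g. "90d")` documents a format the schema does not constrain (plain `type: string`), so a sentence on the accepted format, or a `pattern`, would make the expectation explicit to whoever writes the value.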
--- a/config/crd/projectcalico.org_managedclusters.yaml +++ b/config/crd/projectcalico.org_managedclusters.yaml @@ -17,27 +17,55 @@ spec: - name: v3 schema: openAPIV3Schema: + description: |- + ManagedCluster represents a cluster that is being managed by the multi-cluster + management plane. This object configures how Tigera multi-cluster management + components communicate with the corresponding cluster. properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: + description: + ManagedClusterSpec contains the specification of a ManagedCluster + resource. properties: certificate: + description: + The certificate used to authenticate the managed cluster + to the management cluster. format: byte type: string installationManifest: + description: |- + Field to store dynamically generated manifest for installing component into + the actual application cluster corresponding to this Managed Cluster type: string operatorNamespace: + description: |- + The namespace of the managed cluster's operator. This value is used in + the generation of the InstallationManifest. type: string type: object status: properties: conditions: items: + description: Condition contains various status information properties: message: type: string 
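Review bot: The new `spec` descriptions for `certificate`, `installationManifest` and `operatorNamespace` start with `The certificate ...`, `Field to store ...` and `The namespace ...` rather than with the field name, which is the style every other CRD in this commit uses (`Token is ...`, `Selector is ...`). For `certificate` the description also omits what the value is: `format: byte` means the API server expects base64-encoded bytes, so `Certificate is the base64-encoded certificate used to authenticate the managed cluster to the management cluster.` tells the reader both the role and the encoding. The `status.conditions.items` description `Condition contains various status information` adds nothing beyond the field name; the LicenseKey CRD in this same commit carries per-field condition descriptions that could be mirrored here. The rest of the condition schema continues outside the hunk.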
diff --git a/config/crd/projectcalico.org_networkpolicies.yaml b/config/crd/projectcalico.org_networkpolicies.yaml index c3d4aa1c..e6600678 100644 --- a/config/crd/projectcalico.org_networkpolicies.yaml +++ b/config/crd/projectcalico.org_networkpolicies.yaml @@ -29,15 +29,37 @@ spec: openAPIV3Schema: properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: properties: egress: + description: |- + The ordered set of egress rules. Each rule contains a set of packet match criteria and + a corresponding action to apply. Limited to 1024 rules per policy. items: + description: |- + A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy + and security Profiles reference rules - separated out as a list of rules for both + ingress and egress packet matching. + + Each positive match criteria has a negated version, prefixed with "Not". All the match + criteria within a rule must be satisfied for a packet to match. A single rule can contain + the positive and negative version of a match and both must be satisfied for the rule to match. properties: action: enum: 
@@ -47,28 +69,59 @@ spec: - Pass type: string destination: + description: + Destination contains the match criteria that apply + to destination entity. properties: domains: + description: |- + Domains is an optional field, valid for egress Allow rules only, that restricts the rule + to apply only to traffic to one of the specified domains. If this field is specified, + Action must be Allow, and Nets and Selector must both be left empty. items: type: string type: array x-kubernetes-list-type: atomic namespaceSelector: + description: |- + NamespaceSelector is an optional field that contains a selector expression. Only traffic + that originates from (or terminates at) endpoints within the selected namespaces will be + matched. When both NamespaceSelector and another selector are defined on the same rule, then only + workload endpoints that are matched by both selectors will be selected by the rule. + + For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting + only workload endpoints in the same namespace as the NetworkPolicy. + + For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting + only GlobalNetworkSet or HostEndpoint. + + For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces. maxLength: 1024 type: string nets: + description: |- + Nets is an optional field that restricts the rule to only apply to traffic that + originates from (or terminates at) IP addresses in any of the given subnets. items: type: string maxItems: 256 type: array x-kubernetes-list-type: set notNets: + description: + NotNets is the negated version of the Nets + field. items: type: string maxItems: 256 type: array x-kubernetes-list-type: set notPorts: + description: |- + NotPorts is the negated version of the Ports field. 
+ Since only some protocols have ports, if any ports are specified it requires the + Protocol match in the Rule to be set to "TCP", "UDP", or "SCTP". items: anyOf: - type: integer @@ -79,9 +132,19 @@ spec: type: array x-kubernetes-list-type: atomic notSelector: + description: |- + NotSelector is the negated version of the Selector field. See Selector field for + subtleties with negated selectors. maxLength: 1024 type: string ports: + description: |- + Ports is an optional field that restricts the rule to only apply to traffic that has a + source (destination) port that matches one of these ranges/values. This value is a + list of integers or strings that represent ranges of ports. + + Since only some protocols have ports, if any ports are specified it requires the + Protocol match in the Rule to be set to "TCP", "UDP", or "SCTP". items: anyOf: - type: integer 
@@ -92,24 +155,66 @@ spec: type: array x-kubernetes-list-type: atomic selector: + description: + "Selector is an optional field that contains + a selector expression (see Policy for\nsample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching\nthe selector will be matched.\n\nNote that: + in addition to the negated version of the Selector (see + NotSelector below), the\nselector expression syntax itself + supports negation. The two types of negation are subtly\ndifferent. + One negates the set of matched endpoints, the other negates + the whole match:\n\n\tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled\n\tendpoints + that do not have the label \"my_label\".\n\n\tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled\n\tendpoints that do have the label + \"my_label\".\n\nThe effect is that the latter will accept + packets from non-Calico sources whereas the\nformer is + limited to packets from Calico-controlled endpoints." maxLength: 1024 type: string serviceAccounts: + description: |- + ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or + terminates at) a pod running as a matching service account. properties: names: + description: |- + Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates + at) a pod running as a service account whose name is in the list. items: type: string type: array x-kubernetes-list-type: set selector: + description: |- + Selector is an optional field that restricts the rule to only apply to traffic that originates from + (or terminates at) a pod running as a service account that matches the given label selector. + If both Names and Selector are specified then they are AND'ed. type: string type: object services: + description: |- + Services is an optional field that contains options for matching Kubernetes Services. 
+ If specified, only traffic that originates from or terminates at endpoints within the selected + service(s) will be matched, and only to/from each endpoint's port. + + Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, + NotNets or ServiceAccounts. + + Ports and NotPorts can only be specified with Services on ingress rules. properties: name: + description: + Name specifies the name of a Kubernetes + Service to match. maxLength: 253 type: string namespace: + description: |- + Namespace specifies the namespace of the given Service. If left empty, the rule + will match within this policy's namespace. maxLength: 253 type: string type: object @@ -149,9 +254,19 @@ spec: "!has(self.services) || (!has(self.nets) || size(self.nets) == 0) && (!has(self.notNets) || size(self.notNets) == 0)" http: + description: + HTTP contains match criteria that apply to HTTP + requests. properties: headers: + description: |- + Headers is an optional field that restricts the rule to apply to HTTP headers. + Multiple headers criteria are AND'd together. + Criteria within a single headers rule ar OR'd together. items: + description: + HTTPHeaderCriteria structure defines optional + HTTP headers criterion for ALP. properties: header: type: string 
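Review bot: In the last hunk on this line (`@@ -149,9 +254,19 @@`), the `headers` description has a typo: `Criteria within a single headers rule ar OR'd together` should read `Criteria within a single headers rule are OR'd together`. These descriptions appear to be generated from the Go type comments, so the fix belongs in the `Headers` field comment with the CRD regenerated rather than edited by hand. The `HTTPHeaderCriteria` item description `defines optional HTTP headers criterion for ALP` uses an unexpanded acronym; spelling it out once (`application layer policy (ALP)`, if that is what it stands for here) would help readers of the reference docs. The `header` property schema continues outside the hunk.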
@@ -170,13 +285,29 @@ spec: type: array x-kubernetes-list-type: atomic methods: + description: |- + Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed + HTTP Methods (e.g. GET, PUT, etc.) + Multiple methods are OR'd together. items: type: string maxItems: 20 type: array x-kubernetes-list-type: atomic paths: + description: |- + Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed + HTTP Paths. + Multiple paths are OR'd together. + e.g: + - exact: /foo + - prefix: /bar + NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it. items: + description: |- + HTTPPath specifies an HTTP path to match. It may be either of the form: + exact: : which matches the path exactly or + prefix: : which matches the path prefix properties: exact: maxLength: 1024 @@ -190,12 +321,23 @@ spec: x-kubernetes-list-type: atomic type: object icmp: + description: |- + ICMP is an optional field that restricts the rule to apply to a specific type and + code of ICMP traffic. This should only be specified if the Protocol field is set to + "ICMP" or "ICMPv6". properties: code: + description: |- + Match on a specific ICMP code. If specified, the Type value must also be specified. + This is a technical limitation imposed by the kernel's iptables firewall, which + Calico uses to enforce the rule. maximum: 255 minimum: 0 type: integer type: + description: |- + Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request + (i.e. pings). maximum: 254 minimum: 0 type: integer 
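Review bot: The `HTTPPath` item description in the first hunk reads `exact: : which matches the path exactly or prefix: : which matches the path prefix`, where a placeholder between the two colons appears to have been lost (likely an angle-bracketed token dropped from the Go comment); as rendered it is hard to parse. Suggested text: `HTTPPath specifies an HTTP path to match. It may be either of the form exact: PATH, which matches the path exactly, or prefix: PATH, which matches the path prefix.` In the `paths` description `e.g:` should be `e.g.:`, and the NOTE states an either/or constraint that the `items` schema itself does not express, so it is right to say the validator is what enforces it. The remainder of the `exact`/`prefix` schema lies outside the hunk.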
@@ -205,24 +347,41 @@ spec: reason: FieldValueInvalid rule: "!has(self.code) || has(self.type)" ipVersion: + description: |- + IPVersion is an optional field that restricts the rule to only match a specific IP + version. enum: - 4 - 6 type: integer metadata: + description: + Metadata contains additional information for this + rule properties: annotations: additionalProperties: type: string + description: + Annotations is a set of key value pairs that + give extra information about the rule type: object type: object notICMP: + description: NotICMP is the negated version of the ICMP field. properties: code: + description: |- + Match on a specific ICMP code. If specified, the Type value must also be specified. + This is a technical limitation imposed by the kernel's iptables firewall, which + Calico uses to enforce the rule. maximum: 255 minimum: 0 type: integer type: + description: |- + Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request + (i.e. pings). maximum: 254 minimum: 0 type: integer 
@@ -235,37 +394,78 @@ spec: anyOf: - type: integer - type: string + description: + NotProtocol is the negated version of the Protocol + field. pattern: ^.* x-kubernetes-int-or-string: true protocol: anyOf: - type: integer - type: string + description: |- + Protocol is an optional field that restricts the rule to only apply to traffic of + a specific IP protocol. Required if any of the EntityRules contain Ports + (because ports only apply to certain protocols). + + Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite" + or an integer in the range 1-255. pattern: ^.* x-kubernetes-int-or-string: true source: + description: + Source contains the match criteria that apply to + source entity. properties: domains: + description: |- + Domains is an optional field, valid for egress Allow rules only, that restricts the rule + to apply only to traffic to one of the specified domains. If this field is specified, + Action must be Allow, and Nets and Selector must both be left empty. items: type: string type: array x-kubernetes-list-type: atomic namespaceSelector: + description: |- + NamespaceSelector is an optional field that contains a selector expression. Only traffic + that originates from (or terminates at) endpoints within the selected namespaces will be + matched. When both NamespaceSelector and another selector are defined on the same rule, then only + workload endpoints that are matched by both selectors will be selected by the rule. + + For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting + only workload endpoints in the same namespace as the NetworkPolicy. + + For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting + only GlobalNetworkSet or HostEndpoint. + + For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces. 
maxLength: 1024 type: string nets: + description: |- + Nets is an optional field that restricts the rule to only apply to traffic that + originates from (or terminates at) IP addresses in any of the given subnets. items: type: string maxItems: 256 type: array x-kubernetes-list-type: set notNets: + description: + NotNets is the negated version of the Nets + field. items: type: string maxItems: 256 type: array x-kubernetes-list-type: set notPorts: + description: |- + NotPorts is the negated version of the Ports field. + Since only some protocols have ports, if any ports are specified it requires the + Protocol match in the Rule to be set to "TCP", "UDP", or "SCTP". items: anyOf: - type: integer @@ -276,9 +476,19 @@ spec: type: array x-kubernetes-list-type: atomic notSelector: + description: |- + NotSelector is the negated version of the Selector field. See Selector field for + subtleties with negated selectors. maxLength: 1024 type: string ports: + description: |- + Ports is an optional field that restricts the rule to only apply to traffic that has a + source (destination) port that matches one of these ranges/values. This value is a + list of integers or strings that represent ranges of ports. + + Since only some protocols have ports, if any ports are specified it requires the + Protocol match in the Rule to be set to "TCP", "UDP", or "SCTP". items: anyOf: - type: integer 
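Review bot: In the `@@ -235,37 +394,78 @@` hunk (starting on the previous line), the `protocol` description states `Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite" or an integer in the range 1-255`, yet the schema beside it keeps `pattern: ^.*` with no enum or range, so the constraint is documented but not enforced at admission and must rely on Calico's own validation. Readers treat the CRD description as the contract, so either tighten the schema or add a sentence such as `Values outside this set are rejected by the Calico validator rather than by the API server.`, whichever matches the real behaviour. The `domains` description under `source` repeats the `destination` text (`restricts the rule to apply only to traffic to one of the specified domains`), which reads as a destination match; if Domains has no meaning in Source, the shared comment could say `Only valid in the Destination of an egress Allow rule.`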
@@ -289,24 +499,66 @@ spec: type: array x-kubernetes-list-type: atomic selector: + description: + "Selector is an optional field that contains + a selector expression (see Policy for\nsample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching\nthe selector will be matched.\n\nNote that: + in addition to the negated version of the Selector (see + NotSelector below), the\nselector expression syntax itself + supports negation. The two types of negation are subtly\ndifferent. + One negates the set of matched endpoints, the other negates + the whole match:\n\n\tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled\n\tendpoints + that do not have the label \"my_label\".\n\n\tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled\n\tendpoints that do have the label + \"my_label\".\n\nThe effect is that the latter will accept + packets from non-Calico sources whereas the\nformer is + limited to packets from Calico-controlled endpoints." maxLength: 1024 type: string serviceAccounts: + description: |- + ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or + terminates at) a pod running as a matching service account. properties: names: + description: |- + Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates + at) a pod running as a service account whose name is in the list. items: type: string type: array x-kubernetes-list-type: set selector: + description: |- + Selector is an optional field that restricts the rule to only apply to traffic that originates from + (or terminates at) a pod running as a service account that matches the given label selector. + If both Names and Selector are specified then they are AND'ed. type: string type: object services: + description: |- + Services is an optional field that contains options for matching Kubernetes Services. 
+ If specified, only traffic that originates from or terminates at endpoints within the selected + service(s) will be matched, and only to/from each endpoint's port. + + Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, + NotNets or ServiceAccounts. + + Ports and NotPorts can only be specified with Services on ingress rules. properties: name: + description: + Name specifies the name of a Kubernetes + Service to match. maxLength: 253 type: string namespace: + description: |- + Namespace specifies the namespace of the given Service. If left empty, the rule + will match within this policy's namespace. maxLength: 253 type: string type: object @@ -396,7 +648,18 @@ spec: type: array x-kubernetes-list-type: atomic ingress: + description: |- + The ordered set of ingress rules. Each rule contains a set of packet match criteria and + a corresponding action to apply. Limited to 1024 rules per policy. items: + description: |- + A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy + and security Profiles reference rules - separated out as a list of rules for both + ingress and egress packet matching. + + Each positive match criteria has a negated version, prefixed with "Not". All the match + criteria within a rule must be satisfied for a packet to match. A single rule can contain + the positive and negative version of a match and both must be satisfied for the rule to match. properties: action: enum: 
@@ -406,28 +669,59 @@ spec: - Pass type: string destination: + description: + Destination contains the match criteria that apply + to destination entity. properties: domains: + description: |- + Domains is an optional field, valid for egress Allow rules only, that restricts the rule + to apply only to traffic to one of the specified domains. If this field is specified, + Action must be Allow, and Nets and Selector must both be left empty. items: type: string type: array x-kubernetes-list-type: atomic namespaceSelector: + description: |- + NamespaceSelector is an optional field that contains a selector expression. Only traffic + that originates from (or terminates at) endpoints within the selected namespaces will be + matched. When both NamespaceSelector and another selector are defined on the same rule, then only + workload endpoints that are matched by both selectors will be selected by the rule. + + For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting + only workload endpoints in the same namespace as the NetworkPolicy. + + For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting + only GlobalNetworkSet or HostEndpoint. + + For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces. maxLength: 1024 type: string nets: + description: |- + Nets is an optional field that restricts the rule to only apply to traffic that + originates from (or terminates at) IP addresses in any of the given subnets. items: type: string maxItems: 256 type: array x-kubernetes-list-type: set notNets: + description: + NotNets is the negated version of the Nets + field. items: type: string maxItems: 256 type: array x-kubernetes-list-type: set notPorts: + description: |- + NotPorts is the negated version of the Ports field. 
+ Since only some protocols have ports, if any ports are specified it requires the + Protocol match in the Rule to be set to "TCP", "UDP", or "SCTP". items: anyOf: - type: integer @@ -438,9 +732,19 @@ spec: type: array x-kubernetes-list-type: atomic notSelector: + description: |- + NotSelector is the negated version of the Selector field. See Selector field for + subtleties with negated selectors. maxLength: 1024 type: string ports: + description: |- + Ports is an optional field that restricts the rule to only apply to traffic that has a + source (destination) port that matches one of these ranges/values. This value is a + list of integers or strings that represent ranges of ports. + + Since only some protocols have ports, if any ports are specified it requires the + Protocol match in the Rule to be set to "TCP", "UDP", or "SCTP". items: anyOf: - type: integer 
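Review bot: The Nets description added under destination (`Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.`) leaves the accepted entry format unstated, while the NetworkSet `nets` description in this same diff spells out CIDR notation and the /32 and /128 forms for a single address; since the schema here only declares `type: string` with no pattern, the description is the only place a user learns the syntax. I would align it: `Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets. Each entry must be in CIDR notation, e.g. "192.168.1.0/24"; use a /32 (IPv4) or /128 (IPv6) mask for a single address.` The same text is repeated for the source entity later in this diff, and if this CRD is generated from the Go API types the doc comment on the shared rule type is where the fix belongs. The destination block continues past the end of this hunk.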
@@ -451,24 +755,66 @@ spec: type: array x-kubernetes-list-type: atomic selector: + description: + "Selector is an optional field that contains + a selector expression (see Policy for\nsample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching\nthe selector will be matched.\n\nNote that: + in addition to the negated version of the Selector (see + NotSelector below), the\nselector expression syntax itself + supports negation. The two types of negation are subtly\ndifferent. + One negates the set of matched endpoints, the other negates + the whole match:\n\n\tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled\n\tendpoints + that do not have the label \"my_label\".\n\n\tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled\n\tendpoints that do have the label + \"my_label\".\n\nThe effect is that the latter will accept + packets from non-Calico sources whereas the\nformer is + limited to packets from Calico-controlled endpoints." maxLength: 1024 type: string serviceAccounts: + description: |- + ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or + terminates at) a pod running as a matching service account. properties: names: + description: |- + Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates + at) a pod running as a service account whose name is in the list. items: type: string type: array x-kubernetes-list-type: set selector: + description: |- + Selector is an optional field that restricts the rule to only apply to traffic that originates from + (or terminates at) a pod running as a service account that matches the given label selector. + If both Names and Selector are specified then they are AND'ed. type: string type: object services: + description: |- + Services is an optional field that contains options for matching Kubernetes Services. 
+ If specified, only traffic that originates from or terminates at endpoints within the selected + service(s) will be matched, and only to/from each endpoint's port. + + Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, + NotNets or ServiceAccounts. + + Ports and NotPorts can only be specified with Services on ingress rules. properties: name: + description: + Name specifies the name of a Kubernetes + Service to match. maxLength: 253 type: string namespace: + description: |- + Namespace specifies the namespace of the given Service. If left empty, the rule + will match within this policy's namespace. maxLength: 253 type: string type: object @@ -508,9 +854,19 @@ spec: "!has(self.services) || (!has(self.nets) || size(self.nets) == 0) && (!has(self.notNets) || size(self.notNets) == 0)" http: + description: + HTTP contains match criteria that apply to HTTP + requests. properties: headers: + description: |- + Headers is an optional field that restricts the rule to apply to HTTP headers. + Multiple headers criteria are AND'd together. + Criteria within a single headers rule ar OR'd together. items: + description: + HTTPHeaderCriteria structure defines optional + HTTP headers criterion for ALP. properties: header: type: string 
@@ -529,13 +885,29 @@ spec: type: array x-kubernetes-list-type: atomic methods: + description: |- + Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed + HTTP Methods (e.g. GET, PUT, etc.) + Multiple methods are OR'd together. items: type: string maxItems: 20 type: array x-kubernetes-list-type: atomic paths: + description: |- + Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed + HTTP Paths. + Multiple paths are OR'd together. + e.g: + - exact: /foo + - prefix: /bar + NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it. items: + description: |- + HTTPPath specifies an HTTP path to match. It may be either of the form: + exact: : which matches the path exactly or + prefix: : which matches the path prefix properties: exact: maxLength: 1024 @@ -549,12 +921,23 @@ spec: x-kubernetes-list-type: atomic type: object icmp: + description: |- + ICMP is an optional field that restricts the rule to apply to a specific type and + code of ICMP traffic. This should only be specified if the Protocol field is set to + "ICMP" or "ICMPv6". properties: code: + description: |- + Match on a specific ICMP code. If specified, the Type value must also be specified. + This is a technical limitation imposed by the kernel's iptables firewall, which + Calico uses to enforce the rule. maximum: 255 minimum: 0 type: integer type: + description: |- + Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request + (i.e. pings). maximum: 254 minimum: 0 type: integer 
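Review bot: Typo in the new Headers description in the http block: `Criteria within a single headers rule ar OR'd together.` should read `Criteria within a single headers rule are OR'd together.` The `header` field of HTTPHeaderCriteria directly below still has no description, so the AND-across-entries / OR-within-entry contract the parent text promises is not restated per field; a short one such as `Header is the name of the HTTP header this criterion applies to.` would make it explicit. The http block continues past this hunk.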
@@ -564,24 +947,41 @@ spec: reason: FieldValueInvalid rule: "!has(self.code) || has(self.type)" ipVersion: + description: |- + IPVersion is an optional field that restricts the rule to only match a specific IP + version. enum: - 4 - 6 type: integer metadata: + description: + Metadata contains additional information for this + rule properties: annotations: additionalProperties: type: string + description: + Annotations is a set of key value pairs that + give extra information about the rule type: object type: object notICMP: + description: NotICMP is the negated version of the ICMP field. properties: code: + description: |- + Match on a specific ICMP code. If specified, the Type value must also be specified. + This is a technical limitation imposed by the kernel's iptables firewall, which + Calico uses to enforce the rule. maximum: 255 minimum: 0 type: integer type: + description: |- + Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request + (i.e. pings). maximum: 254 minimum: 0 type: integer 
@@ -594,37 +994,78 @@ spec: anyOf: - type: integer - type: string + description: + NotProtocol is the negated version of the Protocol + field. pattern: ^.* x-kubernetes-int-or-string: true protocol: anyOf: - type: integer - type: string + description: |- + Protocol is an optional field that restricts the rule to only apply to traffic of + a specific IP protocol. Required if any of the EntityRules contain Ports + (because ports only apply to certain protocols). + + Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite" + or an integer in the range 1-255. pattern: ^.* x-kubernetes-int-or-string: true source: + description: + Source contains the match criteria that apply to + source entity. properties: domains: + description: |- + Domains is an optional field, valid for egress Allow rules only, that restricts the rule + to apply only to traffic to one of the specified domains. If this field is specified, + Action must be Allow, and Nets and Selector must both be left empty. items: type: string type: array x-kubernetes-list-type: atomic namespaceSelector: + description: |- + NamespaceSelector is an optional field that contains a selector expression. Only traffic + that originates from (or terminates at) endpoints within the selected namespaces will be + matched. When both NamespaceSelector and another selector are defined on the same rule, then only + workload endpoints that are matched by both selectors will be selected by the rule. + + For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting + only workload endpoints in the same namespace as the NetworkPolicy. + + For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting + only GlobalNetworkSet or HostEndpoint. + + For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces. 
maxLength: 1024 type: string nets: + description: |- + Nets is an optional field that restricts the rule to only apply to traffic that + originates from (or terminates at) IP addresses in any of the given subnets. items: type: string maxItems: 256 type: array x-kubernetes-list-type: set notNets: + description: + NotNets is the negated version of the Nets + field. items: type: string maxItems: 256 type: array x-kubernetes-list-type: set notPorts: + description: |- + NotPorts is the negated version of the Ports field. + Since only some protocols have ports, if any ports are specified it requires the + Protocol match in the Rule to be set to "TCP", "UDP", or "SCTP". items: anyOf: - type: integer @@ -635,9 +1076,19 @@ spec: type: array x-kubernetes-list-type: atomic notSelector: + description: |- + NotSelector is the negated version of the Selector field. See Selector field for + subtleties with negated selectors. maxLength: 1024 type: string ports: + description: |- + Ports is an optional field that restricts the rule to only apply to traffic that has a + source (destination) port that matches one of these ranges/values. This value is a + list of integers or strings that represent ranges of ports. + + Since only some protocols have ports, if any ports are specified it requires the + Protocol match in the Rule to be set to "TCP", "UDP", or "SCTP". items: anyOf: - type: integer 
@@ -648,24 +1099,66 @@ spec: type: array x-kubernetes-list-type: atomic selector: + description: + "Selector is an optional field that contains + a selector expression (see Policy for\nsample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching\nthe selector will be matched.\n\nNote that: + in addition to the negated version of the Selector (see + NotSelector below), the\nselector expression syntax itself + supports negation. The two types of negation are subtly\ndifferent. + One negates the set of matched endpoints, the other negates + the whole match:\n\n\tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled\n\tendpoints + that do not have the label \"my_label\".\n\n\tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled\n\tendpoints that do have the label + \"my_label\".\n\nThe effect is that the latter will accept + packets from non-Calico sources whereas the\nformer is + limited to packets from Calico-controlled endpoints." maxLength: 1024 type: string serviceAccounts: + description: |- + ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or + terminates at) a pod running as a matching service account. properties: names: + description: |- + Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates + at) a pod running as a service account whose name is in the list. items: type: string type: array x-kubernetes-list-type: set selector: + description: |- + Selector is an optional field that restricts the rule to only apply to traffic that originates from + (or terminates at) a pod running as a service account that matches the given label selector. + If both Names and Selector are specified then they are AND'ed. type: string type: object services: + description: |- + Services is an optional field that contains options for matching Kubernetes Services. 
+ If specified, only traffic that originates from or terminates at endpoints within the selected + service(s) will be matched, and only to/from each endpoint's port. + + Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, + NotNets or ServiceAccounts. + + Ports and NotPorts can only be specified with Services on ingress rules. properties: name: + description: + Name specifies the name of a Kubernetes + Service to match. maxLength: 253 type: string namespace: + description: |- + Namespace specifies the namespace of the given Service. If left empty, the rule + will match within this policy's namespace. maxLength: 253 type: string type: object @@ -755,8 +1248,25 @@ spec: type: array x-kubernetes-list-type: atomic order: + description: |- + Order is an optional field that specifies the order in which the policy is applied. + Policies with higher "order" are applied after those with lower + order within the same tier. If the order is omitted, it may be considered to be "infinite" - i.e. the + policy will be applied last. Policies with identical order will be applied in + alphanumerical order based on the Policy "Name" within the tier. type: number performanceHints: + description: |- + PerformanceHints contains a list of hints to Calico's policy engine to + help process the policy more efficiently. Hints never change the + enforcement behaviour of the policy. + + Currently, the only available hint is "AssumeNeededOnEveryNode". When + that hint is set on a policy, Felix will act as if the policy matches + a local endpoint even if it does not. This is useful for "preloading" + any large static policies that are known to be used on every node. + If the policy is _not_ used on a particular node then the work + done to preload the policy (and to maintain it) is wasted. items: enum: - AssumeNeededOnEveryNode 
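Review bot: The Domains description copied under `source` describes destination-only semantics (`valid for egress Allow rules only ... traffic to one of the specified domains`), so a reader of the source entity cannot tell whether `source.domains` is rejected, ignored, or matched, and the schema accepts it (`items: type: string`, no validation rule visible in this hunk). I would state the intended handling explicitly, for example `Domains is only meaningful on the destination entity of an egress Allow rule; on a source entity it is rejected by validation.` if that is what the validator does, otherwise the matching wording — this needs confirming against the Calico validator, which is not visible here. Likewise the new Protocol text promises one of the named strings or an integer in 1-255, but the schema pattern `^.*` enforces nothing, so the description should say that this constraint is checked server-side rather than by the CRD schema. The Rule block this hunk belongs to starts before the hunk.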
@@ -764,16 +1274,60 @@ spec: type: array x-kubernetes-list-type: set selector: + description: + "The selector is an expression used to pick out the endpoints + that the policy should\nbe applied to.\n\nSelector expressions follow + this syntax:\n\n\tlabel == \"string_literal\" -> comparison, e.g. + my_label == \"foo bar\"\n\tlabel != \"string_literal\" -> not + equal; also matches if label is not present\n\tlabel in { \"a\", + \"b\", \"c\", ... } -> true if the value of label X is one of + \"a\", \"b\", \"c\"\n\tlabel not in { \"a\", \"b\", \"c\", ... } + \ -> true if the value of label X is not one of \"a\", \"b\", \"c\"\n\thas(label_name) + \ -> True if that label is present\n\t! expr -> negation of expr\n\texpr + && expr -> Short-circuit and\n\texpr || expr -> Short-circuit + or\n\t( expr ) -> parens for grouping\n\tall() or the empty selector + -> matches all endpoints.\n\nLabel names are allowed to contain + alphanumerics, -, _ and /. String literals are more permissive\nbut + they do not support escape characters.\n\nExamples (with made-up + labels):\n\n\ttype == \"webserver\" && deployment == \"prod\"\n\ttype + in {\"frontend\", \"backend\"}\n\tdeployment != \"dev\"\n\t! has(label_name)" maxLength: 1024 type: string serviceAccountSelector: + description: + ServiceAccountSelector is an optional field for an expression + used to select a pod based on service accounts. maxLength: 1024 type: string tier: default: default + description: |- + The name of the tier that this policy belongs to. If this is omitted, the default + tier (name is "default") is assumed. The specified tier must exist in order to create + security policies within the tier, the "default" tier is created automatically if it + does not exist, this means for deployments requiring only a single Tier, the tier name + may be omitted on all policy management requests. type: string types: + description: |- + Types indicates whether this policy applies to ingress, or to egress, or to both. 
When + not explicitly specified (and so the value on creation is empty or nil), Calico defaults + Types according to what Ingress and Egress are present in the policy. The + default is: + + - [ PolicyTypeIngress ], if there are no Egress rules (including the case where there are + also no Ingress rules) + + - [ PolicyTypeEgress ], if there are Egress rules but no Ingress rules + + - [ PolicyTypeIngress, PolicyTypeEgress ], if there are both Ingress and Egress rules. + + When the policy is read back again, Types will always be one of these values, never empty + or nil. items: + description: + PolicyType enumerates the possible values of the PolicySpec + Types field. enum: - Ingress - Egress diff --git a/config/crd/projectcalico.org_networksets.yaml b/config/crd/projectcalico.org_networksets.yaml index 014fa382..f5935ce0 100644 --- a/config/crd/projectcalico.org_networksets.yaml +++ b/config/crd/projectcalico.org_networksets.yaml 
@@ -19,19 +19,41 @@ spec: openAPIV3Schema: properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: + description: + NetworkSetSpec contains the specification for a NetworkSet + resource. properties: allowedEgressDomains: + description: |- + The list of domain names that belong to this set and are honored in egress allow rules + only. Domain names specified here only work to allow egress traffic from the cluster to + external destinations. They don't work to _deny_ traffic to destinations specified by + domain name, or to allow ingress traffic from _sources_ specified by domain name. items: type: string type: array x-kubernetes-list-type: atomic nets: + description: |- + The list of IP networks that belong to this set. Each entry must be in CIDR notation, + e.g. "192.168.1.0/24". To include a single IP address, use a /32 (IPv4) or /128 (IPv6) mask. items: type: string type: array diff --git a/config/crd/projectcalico.org_packetcaptures.yaml b/config/crd/projectcalico.org_packetcaptures.yaml index 988627ec..0db8466c 100644 --- a/config/crd/projectcalico.org_packetcaptures.yaml +++ b/config/crd/projectcalico.org_packetcaptures.yaml 
@@ -17,22 +17,49 @@ spec: - name: v3 schema: openAPIV3Schema: + description: PacketCapture contains the configuration for any packet capture. properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: + description: Specification of the PacketCapture. properties: endTime: + description: |- + Defines the end time at which this PacketCapture will stop capturing packets. + If omitted the capture will continue indefinitely. + If the value is changed to the past, capture will stop immediately. format: date-time type: string filters: + description: |- + The ordered set of filters applied to traffic captured from an interface. Each rule contains a set of + packet match criteria. items: + description: + A PacketCaptureRule encapsulates a set of match criteria + for traffic captured from an interface. properties: ports: + description: |- + Ports is an optional field that defines a filter for all traffic that has a + source or destination port that matches one of these ranges/values. This value is a + list of integers or strings that represent ranges of ports. items: anyOf: - type: integer 
@@ -45,6 +72,12 @@ spec: anyOf: - type: integer - type: string + description: |- + Protocol is an optional field that defines a filter for all traffic for + a specific IP protocol. + + Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite" + or an integer in the range 1-255. pattern: ^.* x-kubernetes-int-or-string: true type: object 
@@ -52,26 +85,67 @@ spec: x-kubernetes-list-type: atomic selector: default: all() + description: + "The selector is an expression used to pick out the endpoints + that the policy should\nbe applied to. The selector will only match + endpoints in the same namespace as the\nPacketCapture resource.\n\nSelector + expressions follow this syntax:\n\n\tlabel == \"string_literal\" + \ -> comparison, e.g. my_label == \"foo bar\"\n\tlabel != \"string_literal\" + \ -> not equal; also matches if label is not present\n\tlabel + in { \"a\", \"b\", \"c\", ... } -> true if the value of label + X is one of \"a\", \"b\", \"c\"\n\tlabel not in { \"a\", \"b\", + \"c\", ... } -> true if the value of label X is not one of \"a\", + \"b\", \"c\"\n\thas(label_name) -> True if that label is present\n\t! + expr -> negation of expr\n\texpr && expr -> Short-circuit and\n\texpr + || expr -> Short-circuit or\n\t( expr ) -> parens for grouping\n\tall() + -> matches all endpoints.\n\tan empty selector will default to all\n\nLabel + names are allowed to contain alphanumerics, -, _ and /. String literals + are more permissive\nbut they do not support escape characters.\n\nExamples + (with made-up labels):\n\n\ttype == \"webserver\" && deployment + == \"prod\"\n\ttype in {\"frontend\", \"backend\"}\n\tdeployment + != \"dev\"\n\t! has(label_name)" type: string startTime: + description: |- + Defines the start time from which this PacketCapture will capture packets. + If omitted or the value is in the past, the capture will start immediately. + If the value is changed to a future time, capture will stop immediately and restart at that time format: date-time type: string type: object status: + description: Status of the PacketCapture properties: files: items: + description: |- + PacketCaptureFile describes files generated by a PacketCapture. It describes the location of the packet capture files + that is identified via a node, its directory and the file names generated. 
properties: directory: + description: + Directory represents the path inside the calico-node + container for the the generated files type: string fileNames: + description: |- + FileNames represents the name of the generated file for a PacketCapture ordered alphanumerically. + The active packet capture file will be identified using the following schema: + "{workload endpoint name}_{host network interface}.pcap" . + Rotated capture files name will contain an index matching the rotation timestamp. items: type: string type: array x-kubernetes-list-type: atomic node: + description: + Node identifies with a physical node from the cluster + via its hostname type: string state: + description: + PacketCaptureState represents the state of the + PacketCapture enum: - Capturing - Finished diff --git a/config/crd/projectcalico.org_policyrecommendationscopes.yaml b/config/crd/projectcalico.org_policyrecommendationscopes.yaml index 58791de2..cbe38ad4 100644 --- a/config/crd/projectcalico.org_policyrecommendationscopes.yaml +++ b/config/crd/projectcalico.org_policyrecommendationscopes.yaml 
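Review bot: The new selector description in PacketCapture is copied from the policy types and says it picks out endpoints `that the policy should be applied to`, but this resource is a packet capture, and the text does not call out the consequence of the `default: all()` directly above it: omitting the selector records traffic from every endpoint in the namespace. I would replace the opening sentence with `The selector is an expression used to pick out the endpoints whose traffic this PacketCapture will record. If omitted it defaults to all(), which captures every endpoint in the PacketCapture's namespace; scope it as narrowly as possible, since the resulting .pcap files contain the captured packets.` The Directory description under status also has a doubled word, `for the the generated files`.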
@@ -19,62 +19,119 @@ spec: openAPIV3Schema: properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: properties: hostEndpointSpec: + description: + The host endpoint spec contains host endpoint relative + recommendation vars. properties: recommendationStatus: + description: Recommendation status. One of Enabled, Disabled. enum: - Enabled - Disabled type: string selector: + description: |- + The selector is an expression used to pick out the host endpoints that the policy + recommendation engine should create policies for. The syntax is the same as the + NetworkPolicy.projectcalico.org resource selectors. maxLength: 4096 type: string tierName: + description: |- + The name of the policy recommendation tier for host endpoint isolated policies. + [Default: "hostendpoint-isolation"] maxLength: 253 type: string required: - selector type: object initialLookback: + description: |- + How far back to look in flow logs when first creating a recommended policy. + [Default: 24h] type: string interval: + description: |- + How frequently to run the recommendation engine to create and refine recommended policies. + [Default: 150s] type: string maxRules: + description: |- + The maximum number of rules that are permitted in the ingress or egress set. 
For egress rules, + any egress domain rules will be simplified by contracting all domains into a single egress + domain NetworkSet. If the number of rules exceeds this limit, the recommendation engine will + treat this as an error condition. + [Default: 20] type: integer namespaceSpec: + description: + The namespace spec contains the namespace relative recommendation + vars. properties: intraNamespacePassThroughTraffic: + description: |- + Pass intra-namespace traffic. + [Default: false] type: boolean recStatus: + description: Recommendation status. One of Enabled, Disabled. enum: - Enabled - Disabled type: string selector: + description: |- + The namespace selector is an expression used to pick out the namespaces that the policy + recommendation engine should create policies for. The syntax is the same as the + NetworkPolicy.projectcalico.org resource selectors. maxLength: 4096 type: string tierName: + description: |- + The name of the policy recommendation tier for namespace-isolated policies. + [Default: "namespace-isolation"] maxLength: 253 type: string required: - selector type: object policiesLearningCutOff: + description: |- + The number of staged policies that are actively learning at any one time, after which the + policy recommendation engine will stop adding new recommendations. + [Default: 20] type: integer stabilizationPeriod: + description: |- + StabilizationPeriod is the amount of time a recommended policy should remain unchanged to be + deemed stable and ready to be enforced. + [Default: 10m] type: string type: object status: properties: conditions: items: + description: Condition contains various status information properties: message: type: string diff --git a/config/crd/projectcalico.org_remoteclusterconfigurations.yaml b/config/crd/projectcalico.org_remoteclusterconfigurations.yaml index 8897fea6..6198011d 100644 --- a/config/crd/projectcalico.org_remoteclusterconfigurations.yaml 
+++ b/config/crd/projectcalico.org_remoteclusterconfigurations.yaml 
@@ -17,34 +17,82 @@ spec: - name: v3 schema: openAPIV3Schema: + description: + RemoteClusterConfiguration contains the configuration for remote + clusters. properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: + description: + RemoteClusterConfigurationSpec contains the values of describing + the cluster. properties: clusterAccessSecret: + description: |- + Specifies a Secret to read for the RemoteClusterconfiguration. + If defined all datastore configuration in this struct will be cleared + and overwritten with the appropriate fields in the Secret. properties: apiVersion: + description: API version of the referent. type: string fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. type: string kind: + description: |- + Kind of the referent. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic datastoreType: + description: + Indicates the datastore to use. If unspecified, defaults + to etcdv3. enum: - etcdv3 - kubernetes 
@@ -52,43 +100,92 @@ spec: etcdCACert: type: string etcdCACertFile: + description: + Path to the etcd Certificate Authority file. Valid if + DatastoreType is etcdv3. type: string etcdCert: type: string etcdCertFile: + description: + Path to the etcd client certificate. Valid if DatastoreType + is etcdv3. type: string etcdEndpoints: + description: + "A comma separated list of etcd endpoints. Valid if DatastoreType + is etcdv3. [Default: ]" type: string etcdKey: + description: + These config file parameters are to support inline certificates, + keys and CA / Trusted certificate. type: string etcdKeyFile: + description: + Path to the etcd key file. Valid if DatastoreType is + etcdv3. type: string etcdPassword: + description: + Password for the given user name. Valid if DatastoreType + is etcdv3. type: string etcdUsername: + description: User name for RBAC. Valid if DatastoreType is etcdv3. type: string k8sAPIEndpoint: + description: + Location of the Kubernetes API. Not required if using + kubeconfig. Valid if DatastoreType is kubernetes. type: string k8sAPIToken: + description: + Token to be used for accessing the Kubernetes API. Valid + if DatastoreType is kubernetes. type: string k8sCAFile: + description: + Location of a CA for accessing the Kubernetes API. Valid + if DatastoreType is kubernetes. type: string k8sCertFile: + description: + Location of a client certificate for accessing the Kubernetes + API. Valid if DatastoreType is kubernetes. type: string k8sInsecureSkipTLSVerify: type: boolean k8sKeyFile: + description: + Location of a client key for accessing the Kubernetes + API. Valid if DatastoreType is kubernetes. type: string kubeconfig: + description: + When using the Kubernetes datastore, the location of + a kubeconfig file. Valid if DatastoreType is kubernetes. type: string kubeconfigInline: + description: |- + This is an alternative to Kubeconfig and if specified overrides Kubeconfig. 
+ This contains the contents that would normally be in the file pointed at by Kubeconfig. type: string syncOptions: default: overlayRoutingMode: Disabled + description: |- + Configuration options that do not relate to the underlying datastore connection. These fields relate to the + syncing of resources once the connection is established. These fields can be set independent of the other + connection-oriented fields, e.g. they can be set when ClusterAccessSecret is non-nil. properties: overlayRoutingMode: default: Disabled + description: |- + Determines whether overlay routing will be established between federated clusters. If unspecified during create or + update of RemoteClusterConfiguration, this field will default based on the encapsulation mode of the local cluster + at the time of RemoteClusterConfiguration application: "Enabled" if VXLAN, "Disabled" otherwise. If upgrading from + a version that predates this field, this field will default to "Disabled". type: string type: object type: object diff --git a/config/crd/projectcalico.org_securityeventwebhooks.yaml b/config/crd/projectcalico.org_securityeventwebhooks.yaml index d26bd037..7226756f 100644 --- a/config/crd/projectcalico.org_securityeventwebhooks.yaml +++ b/config/crd/projectcalico.org_securityeventwebhooks.yaml 
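Review bot: `k8sInsecureSkipTLSVerify` is left without a description in this hunk although it is the field that disables certificate verification of the remote API server, and `etcdCACert` and `etcdCert` are likewise still undocumented. The description attached to `etcdKey` (`These config file parameters are to support inline certificates, keys and CA / Trusted certificate.`) looks like a group comment for the inline-cert fields that the generator attributed to the first field below it rather than a description of the key itself. Since the file is generated, the fix is in the Go type's doc comments; for the boolean something like `When true, TLS certificate verification of the Kubernetes API server is skipped. Valid if DatastoreType is kubernetes. Prefer configuring K8sCAFile instead.` would make the risk visible in the schema. The descriptions for `etcdPassword`, `k8sAPIToken` and `kubeconfigInline` could also point readers at `clusterAccessSecret`, which the previous hunk documents as overriding these inline values.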
@@ -19,14 +19,28 @@ spec: openAPIV3Schema: properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: properties: config: + description: + contains the SecurityEventWebhook's configuration associated + with the intended Consumer items: properties: name: 
@@ -36,26 +50,50 @@ spec: valueFrom: properties: configMapKeyRef: + description: Selects a key from a ConfigMap. properties: key: + description: The key to select. type: string name: default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string optional: + description: + Specify whether the ConfigMap or its key + must be defined type: boolean required: - key type: object x-kubernetes-map-type: atomic secretKeyRef: + description: SecretKeySelector selects a key of a Secret. properties: key: + description: + The key of the secret to select from. Must + be a valid secret key. type: string name: default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string optional: + description: + Specify whether the Secret or its key must + be defined type: boolean required: - key @@ -68,10 +106,19 @@ spec: type: array x-kubernetes-list-type: atomic consumer: + description: + "indicates the SecurityEventWebhook intended consumer, + one of: Slack, Jira, Generic, AlertManager" type: string query: + description: + defines the SecurityEventWebhook query to be executed + against fields of SecurityEvents type: string state: + description: + "defines the webhook desired state, one of: Enabled, + Disabled, Test or Debug" type: string required: - config 
@@ -81,29 +128,50 @@ spec: type: object status: items: + description: + Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ type: string status: + description: status of the condition, one of True, False, Unknown. enum: - "True" - "False" - Unknown type: string type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/config/crd/projectcalico.org_stagedglobalnetworkpolicies.yaml b/config/crd/projectcalico.org_stagedglobalnetworkpolicies.yaml index b20c600b..4df3ca59 100644 
--- a/config/crd/projectcalico.org_stagedglobalnetworkpolicies.yaml +++ b/config/crd/projectcalico.org_stagedglobalnetworkpolicies.yaml 
@@ -26,21 +26,52 @@ spec: name: v3 schema: openAPIV3Schema: + description: StagedGlobalNetworkPolicy is a staged GlobalNetworkPolicy. properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: properties: applyOnForward: + description: + ApplyOnForward indicates to apply the rules in this policy + on forward traffic. type: boolean doNotTrack: + description: |- + DoNotTrack indicates whether packets matched by the rules in this policy should go through + the data plane's connection tracking, such as Linux conntrack. If True, the rules in + this policy are applied before any data plane connection tracking, and packets allowed by + this policy are marked as not to be tracked. type: boolean egress: + description: |- + The ordered set of egress rules. Each rule contains a set of packet match criteria and + a corresponding action to apply. Limited to 1024 rules per policy. items: + description: |- + A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy + and security Profiles reference rules - separated out as a list of rules for both + ingress and egress packet matching. + + Each positive match criteria has a negated version, prefixed with "Not". All the match + criteria within a rule must be satisfied for a packet to match. 
A single rule can contain + the positive and negative version of a match and both must be satisfied for the rule to match. properties: action: enum: 
@@ -50,28 +81,59 @@ spec: - Pass type: string destination: + description: + Destination contains the match criteria that apply + to destination entity. properties: domains: + description: |- + Domains is an optional field, valid for egress Allow rules only, that restricts the rule + to apply only to traffic to one of the specified domains. If this field is specified, + Action must be Allow, and Nets and Selector must both be left empty. items: type: string type: array x-kubernetes-list-type: atomic namespaceSelector: + description: |- + NamespaceSelector is an optional field that contains a selector expression. Only traffic + that originates from (or terminates at) endpoints within the selected namespaces will be + matched. When both NamespaceSelector and another selector are defined on the same rule, then only + workload endpoints that are matched by both selectors will be selected by the rule. + + For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting + only workload endpoints in the same namespace as the NetworkPolicy. + + For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting + only GlobalNetworkSet or HostEndpoint. + + For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces. maxLength: 1024 type: string nets: + description: |- + Nets is an optional field that restricts the rule to only apply to traffic that + originates from (or terminates at) IP addresses in any of the given subnets. items: type: string maxItems: 256 type: array x-kubernetes-list-type: set notNets: + description: + NotNets is the negated version of the Nets + field. items: type: string maxItems: 256 type: array x-kubernetes-list-type: set notPorts: + description: |- + NotPorts is the negated version of the Ports field. 
+ Since only some protocols have ports, if any ports are specified it requires the + Protocol match in the Rule to be set to "TCP", "UDP", or "SCTP". items: anyOf: - type: integer @@ -82,9 +144,19 @@ spec: type: array x-kubernetes-list-type: atomic notSelector: + description: |- + NotSelector is the negated version of the Selector field. See Selector field for + subtleties with negated selectors. maxLength: 1024 type: string ports: + description: |- + Ports is an optional field that restricts the rule to only apply to traffic that has a + source (destination) port that matches one of these ranges/values. This value is a + list of integers or strings that represent ranges of ports. + + Since only some protocols have ports, if any ports are specified it requires the + Protocol match in the Rule to be set to "TCP", "UDP", or "SCTP". items: anyOf: - type: integer 
@@ -95,24 +167,66 @@ spec: type: array x-kubernetes-list-type: atomic selector: + description: + "Selector is an optional field that contains + a selector expression (see Policy for\nsample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching\nthe selector will be matched.\n\nNote that: + in addition to the negated version of the Selector (see + NotSelector below), the\nselector expression syntax itself + supports negation. The two types of negation are subtly\ndifferent. + One negates the set of matched endpoints, the other negates + the whole match:\n\n\tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled\n\tendpoints + that do not have the label \"my_label\".\n\n\tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled\n\tendpoints that do have the label + \"my_label\".\n\nThe effect is that the latter will accept + packets from non-Calico sources whereas the\nformer is + limited to packets from Calico-controlled endpoints." maxLength: 1024 type: string serviceAccounts: + description: |- + ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or + terminates at) a pod running as a matching service account. properties: names: + description: |- + Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates + at) a pod running as a service account whose name is in the list. items: type: string type: array x-kubernetes-list-type: set selector: + description: |- + Selector is an optional field that restricts the rule to only apply to traffic that originates from + (or terminates at) a pod running as a service account that matches the given label selector. + If both Names and Selector are specified then they are AND'ed. type: string type: object services: + description: |- + Services is an optional field that contains options for matching Kubernetes Services. 
+ If specified, only traffic that originates from or terminates at endpoints within the selected + service(s) will be matched, and only to/from each endpoint's port. + + Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, + NotNets or ServiceAccounts. + + Ports and NotPorts can only be specified with Services on ingress rules. properties: name: + description: + Name specifies the name of a Kubernetes + Service to match. maxLength: 253 type: string namespace: + description: |- + Namespace specifies the namespace of the given Service. If left empty, the rule + will match within this policy's namespace. maxLength: 253 type: string type: object @@ -152,9 +266,19 @@ spec: "!has(self.services) || (!has(self.nets) || size(self.nets) == 0) && (!has(self.notNets) || size(self.notNets) == 0)" http: + description: + HTTP contains match criteria that apply to HTTP + requests. properties: headers: + description: |- + Headers is an optional field that restricts the rule to apply to HTTP headers. + Multiple headers criteria are AND'd together. + Criteria within a single headers rule ar OR'd together. items: + description: + HTTPHeaderCriteria structure defines optional + HTTP headers criterion for ALP. properties: header: type: string 
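Review bot: The Headers description added in the `@@ -152,9` hunk reads `Criteria within a single headers rule ar OR'd together.`; `ar` should be `are`. The identical text is emitted again for the ingress copy of the schema in the `@@ -511,9` hunk below, so correcting the Go doc comment the CRD is generated from fixes both occurrences. The item description `HTTPHeaderCriteria structure defines optional HTTP headers criterion for ALP` uses the unexpanded acronym ALP and the singular `criterion` for a list entry; spelling the acronym out in the source comment would help readers who only see the CRD.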
@@ -173,13 +297,29 @@ spec: type: array x-kubernetes-list-type: atomic methods: + description: |- + Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed + HTTP Methods (e.g. GET, PUT, etc.) + Multiple methods are OR'd together. items: type: string maxItems: 20 type: array x-kubernetes-list-type: atomic paths: + description: |- + Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed + HTTP Paths. + Multiple paths are OR'd together. + e.g: + - exact: /foo + - prefix: /bar + NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it. items: + description: |- + HTTPPath specifies an HTTP path to match. It may be either of the form: + exact: : which matches the path exactly or + prefix: : which matches the path prefix properties: exact: maxLength: 1024 @@ -193,12 +333,23 @@ spec: x-kubernetes-list-type: atomic type: object icmp: + description: |- + ICMP is an optional field that restricts the rule to apply to a specific type and + code of ICMP traffic. This should only be specified if the Protocol field is set to + "ICMP" or "ICMPv6". properties: code: + description: |- + Match on a specific ICMP code. If specified, the Type value must also be specified. + This is a technical limitation imposed by the kernel's iptables firewall, which + Calico uses to enforce the rule. maximum: 255 minimum: 0 type: integer type: + description: |- + Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request + (i.e. pings). maximum: 254 minimum: 0 type: integer 
@@ -208,24 +359,41 @@ spec: reason: FieldValueInvalid rule: "!has(self.code) || has(self.type)" ipVersion: + description: |- + IPVersion is an optional field that restricts the rule to only match a specific IP + version. enum: - 4 - 6 type: integer metadata: + description: + Metadata contains additional information for this + rule properties: annotations: additionalProperties: type: string + description: + Annotations is a set of key value pairs that + give extra information about the rule type: object type: object notICMP: + description: NotICMP is the negated version of the ICMP field. properties: code: + description: |- + Match on a specific ICMP code. If specified, the Type value must also be specified. + This is a technical limitation imposed by the kernel's iptables firewall, which + Calico uses to enforce the rule. maximum: 255 minimum: 0 type: integer type: + description: |- + Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request + (i.e. pings). maximum: 254 minimum: 0 type: integer 
@@ -238,37 +406,78 @@ spec: anyOf: - type: integer - type: string + description: + NotProtocol is the negated version of the Protocol + field. pattern: ^.* x-kubernetes-int-or-string: true protocol: anyOf: - type: integer - type: string + description: |- + Protocol is an optional field that restricts the rule to only apply to traffic of + a specific IP protocol. Required if any of the EntityRules contain Ports + (because ports only apply to certain protocols). + + Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite" + or an integer in the range 1-255. pattern: ^.* x-kubernetes-int-or-string: true source: + description: + Source contains the match criteria that apply to + source entity. properties: domains: + description: |- + Domains is an optional field, valid for egress Allow rules only, that restricts the rule + to apply only to traffic to one of the specified domains. If this field is specified, + Action must be Allow, and Nets and Selector must both be left empty. items: type: string type: array x-kubernetes-list-type: atomic namespaceSelector: + description: |- + NamespaceSelector is an optional field that contains a selector expression. Only traffic + that originates from (or terminates at) endpoints within the selected namespaces will be + matched. When both NamespaceSelector and another selector are defined on the same rule, then only + workload endpoints that are matched by both selectors will be selected by the rule. + + For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting + only workload endpoints in the same namespace as the NetworkPolicy. + + For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting + only GlobalNetworkSet or HostEndpoint. + + For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces. 
maxLength: 1024 type: string nets: + description: |- + Nets is an optional field that restricts the rule to only apply to traffic that + originates from (or terminates at) IP addresses in any of the given subnets. items: type: string maxItems: 256 type: array x-kubernetes-list-type: set notNets: + description: + NotNets is the negated version of the Nets + field. items: type: string maxItems: 256 type: array x-kubernetes-list-type: set notPorts: + description: |- + NotPorts is the negated version of the Ports field. + Since only some protocols have ports, if any ports are specified it requires the + Protocol match in the Rule to be set to "TCP", "UDP", or "SCTP". items: anyOf: - type: integer @@ -279,9 +488,19 @@ spec: type: array x-kubernetes-list-type: atomic notSelector: + description: |- + NotSelector is the negated version of the Selector field. See Selector field for + subtleties with negated selectors. maxLength: 1024 type: string ports: + description: |- + Ports is an optional field that restricts the rule to only apply to traffic that has a + source (destination) port that matches one of these ranges/values. This value is a + list of integers or strings that represent ranges of ports. + + Since only some protocols have ports, if any ports are specified it requires the + Protocol match in the Rule to be set to "TCP", "UDP", or "SCTP". items: anyOf: - type: integer 
@@ -292,24 +511,66 @@ spec: type: array x-kubernetes-list-type: atomic selector: + description: + "Selector is an optional field that contains + a selector expression (see Policy for\nsample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching\nthe selector will be matched.\n\nNote that: + in addition to the negated version of the Selector (see + NotSelector below), the\nselector expression syntax itself + supports negation. The two types of negation are subtly\ndifferent. + One negates the set of matched endpoints, the other negates + the whole match:\n\n\tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled\n\tendpoints + that do not have the label \"my_label\".\n\n\tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled\n\tendpoints that do have the label + \"my_label\".\n\nThe effect is that the latter will accept + packets from non-Calico sources whereas the\nformer is + limited to packets from Calico-controlled endpoints." maxLength: 1024 type: string serviceAccounts: + description: |- + ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or + terminates at) a pod running as a matching service account. properties: names: + description: |- + Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates + at) a pod running as a service account whose name is in the list. items: type: string type: array x-kubernetes-list-type: set selector: + description: |- + Selector is an optional field that restricts the rule to only apply to traffic that originates from + (or terminates at) a pod running as a service account that matches the given label selector. + If both Names and Selector are specified then they are AND'ed. type: string type: object services: + description: |- + Services is an optional field that contains options for matching Kubernetes Services. 
+ If specified, only traffic that originates from or terminates at endpoints within the selected + service(s) will be matched, and only to/from each endpoint's port. + + Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, + NotNets or ServiceAccounts. + + Ports and NotPorts can only be specified with Services on ingress rules. properties: name: + description: + Name specifies the name of a Kubernetes + Service to match. maxLength: 253 type: string namespace: + description: |- + Namespace specifies the namespace of the given Service. If left empty, the rule + will match within this policy's namespace. maxLength: 253 type: string type: object @@ -399,7 +660,18 @@ spec: type: array x-kubernetes-list-type: atomic ingress: + description: |- + The ordered set of ingress rules. Each rule contains a set of packet match criteria and + a corresponding action to apply. Limited to 1024 rules per policy. items: + description: |- + A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy + and security Profiles reference rules - separated out as a list of rules for both + ingress and egress packet matching. + + Each positive match criteria has a negated version, prefixed with "Not". All the match + criteria within a rule must be satisfied for a packet to match. A single rule can contain + the positive and negative version of a match and both must be satisfied for the rule to match. properties: action: enum: 
@@ -409,28 +681,59 @@ spec: - Pass type: string destination: + description: + Destination contains the match criteria that apply + to destination entity. properties: domains: + description: |- + Domains is an optional field, valid for egress Allow rules only, that restricts the rule + to apply only to traffic to one of the specified domains. If this field is specified, + Action must be Allow, and Nets and Selector must both be left empty. items: type: string type: array x-kubernetes-list-type: atomic namespaceSelector: + description: |- + NamespaceSelector is an optional field that contains a selector expression. Only traffic + that originates from (or terminates at) endpoints within the selected namespaces will be + matched. When both NamespaceSelector and another selector are defined on the same rule, then only + workload endpoints that are matched by both selectors will be selected by the rule. + + For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting + only workload endpoints in the same namespace as the NetworkPolicy. + + For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting + only GlobalNetworkSet or HostEndpoint. + + For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces. maxLength: 1024 type: string nets: + description: |- + Nets is an optional field that restricts the rule to only apply to traffic that + originates from (or terminates at) IP addresses in any of the given subnets. items: type: string maxItems: 256 type: array x-kubernetes-list-type: set notNets: + description: + NotNets is the negated version of the Nets + field. items: type: string maxItems: 256 type: array x-kubernetes-list-type: set notPorts: + description: |- + NotPorts is the negated version of the Ports field. 
+ Since only some protocols have ports, if any ports are specified it requires the + Protocol match in the Rule to be set to "TCP", "UDP", or "SCTP". items: anyOf: - type: integer @@ -441,9 +744,19 @@ spec: type: array x-kubernetes-list-type: atomic notSelector: + description: |- + NotSelector is the negated version of the Selector field. See Selector field for + subtleties with negated selectors. maxLength: 1024 type: string ports: + description: |- + Ports is an optional field that restricts the rule to only apply to traffic that has a + source (destination) port that matches one of these ranges/values. This value is a + list of integers or strings that represent ranges of ports. + + Since only some protocols have ports, if any ports are specified it requires the + Protocol match in the Rule to be set to "TCP", "UDP", or "SCTP". items: anyOf: - type: integer 
@@ -454,24 +767,66 @@ spec: type: array x-kubernetes-list-type: atomic selector: + description: + "Selector is an optional field that contains + a selector expression (see Policy for\nsample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching\nthe selector will be matched.\n\nNote that: + in addition to the negated version of the Selector (see + NotSelector below), the\nselector expression syntax itself + supports negation. The two types of negation are subtly\ndifferent. + One negates the set of matched endpoints, the other negates + the whole match:\n\n\tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled\n\tendpoints + that do not have the label \"my_label\".\n\n\tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled\n\tendpoints that do have the label + \"my_label\".\n\nThe effect is that the latter will accept + packets from non-Calico sources whereas the\nformer is + limited to packets from Calico-controlled endpoints." maxLength: 1024 type: string serviceAccounts: + description: |- + ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or + terminates at) a pod running as a matching service account. properties: names: + description: |- + Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates + at) a pod running as a service account whose name is in the list. items: type: string type: array x-kubernetes-list-type: set selector: + description: |- + Selector is an optional field that restricts the rule to only apply to traffic that originates from + (or terminates at) a pod running as a service account that matches the given label selector. + If both Names and Selector are specified then they are AND'ed. type: string type: object services: + description: |- + Services is an optional field that contains options for matching Kubernetes Services. 
+ If specified, only traffic that originates from or terminates at endpoints within the selected + service(s) will be matched, and only to/from each endpoint's port. + + Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, + NotNets or ServiceAccounts. + + Ports and NotPorts can only be specified with Services on ingress rules. properties: name: + description: + Name specifies the name of a Kubernetes + Service to match. maxLength: 253 type: string namespace: + description: |- + Namespace specifies the namespace of the given Service. If left empty, the rule + will match within this policy's namespace. maxLength: 253 type: string type: object @@ -511,9 +866,19 @@ spec: "!has(self.services) || (!has(self.nets) || size(self.nets) == 0) && (!has(self.notNets) || size(self.notNets) == 0)" http: + description: + HTTP contains match criteria that apply to HTTP + requests. properties: headers: + description: |- + Headers is an optional field that restricts the rule to apply to HTTP headers. + Multiple headers criteria are AND'd together. + Criteria within a single headers rule ar OR'd together. items: + description: + HTTPHeaderCriteria structure defines optional + HTTP headers criterion for ALP. properties: header: type: string 
@@ -532,13 +897,29 @@ spec: type: array x-kubernetes-list-type: atomic methods: + description: |- + Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed + HTTP Methods (e.g. GET, PUT, etc.) + Multiple methods are OR'd together. items: type: string maxItems: 20 type: array x-kubernetes-list-type: atomic paths: + description: |- + Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed + HTTP Paths. + Multiple paths are OR'd together. + e.g: + - exact: /foo + - prefix: /bar + NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it. items: + description: |- + HTTPPath specifies an HTTP path to match. It may be either of the form: + exact: : which matches the path exactly or + prefix: : which matches the path prefix properties: exact: maxLength: 1024 @@ -552,12 +933,23 @@ spec: x-kubernetes-list-type: atomic type: object icmp: + description: |- + ICMP is an optional field that restricts the rule to apply to a specific type and + code of ICMP traffic. This should only be specified if the Protocol field is set to + "ICMP" or "ICMPv6". properties: code: + description: |- + Match on a specific ICMP code. If specified, the Type value must also be specified. + This is a technical limitation imposed by the kernel's iptables firewall, which + Calico uses to enforce the rule. maximum: 255 minimum: 0 type: integer type: + description: |- + Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request + (i.e. pings). maximum: 254 minimum: 0 type: integer 
@@ -567,24 +959,41 @@ spec: reason: FieldValueInvalid rule: "!has(self.code) || has(self.type)" ipVersion: + description: |- + IPVersion is an optional field that restricts the rule to only match a specific IP + version. enum: - 4 - 6 type: integer metadata: + description: + Metadata contains additional information for this + rule properties: annotations: additionalProperties: type: string + description: + Annotations is a set of key value pairs that + give extra information about the rule type: object type: object notICMP: + description: NotICMP is the negated version of the ICMP field. properties: code: + description: |- + Match on a specific ICMP code. If specified, the Type value must also be specified. + This is a technical limitation imposed by the kernel's iptables firewall, which + Calico uses to enforce the rule. maximum: 255 minimum: 0 type: integer type: + description: |- + Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request + (i.e. pings). maximum: 254 minimum: 0 type: integer 
@@ -597,37 +1006,78 @@ spec: anyOf: - type: integer - type: string + description: + NotProtocol is the negated version of the Protocol + field. pattern: ^.* x-kubernetes-int-or-string: true protocol: anyOf: - type: integer - type: string + description: |- + Protocol is an optional field that restricts the rule to only apply to traffic of + a specific IP protocol. Required if any of the EntityRules contain Ports + (because ports only apply to certain protocols). + + Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite" + or an integer in the range 1-255. pattern: ^.* x-kubernetes-int-or-string: true source: + description: + Source contains the match criteria that apply to + source entity. properties: domains: + description: |- + Domains is an optional field, valid for egress Allow rules only, that restricts the rule + to apply only to traffic to one of the specified domains. If this field is specified, + Action must be Allow, and Nets and Selector must both be left empty. items: type: string type: array x-kubernetes-list-type: atomic namespaceSelector: + description: |- + NamespaceSelector is an optional field that contains a selector expression. Only traffic + that originates from (or terminates at) endpoints within the selected namespaces will be + matched. When both NamespaceSelector and another selector are defined on the same rule, then only + workload endpoints that are matched by both selectors will be selected by the rule. + + For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting + only workload endpoints in the same namespace as the NetworkPolicy. + + For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting + only GlobalNetworkSet or HostEndpoint. + + For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces. 
maxLength: 1024 type: string nets: + description: |- + Nets is an optional field that restricts the rule to only apply to traffic that + originates from (or terminates at) IP addresses in any of the given subnets. items: type: string maxItems: 256 type: array x-kubernetes-list-type: set notNets: + description: + NotNets is the negated version of the Nets + field. items: type: string maxItems: 256 type: array x-kubernetes-list-type: set notPorts: + description: |- + NotPorts is the negated version of the Ports field. + Since only some protocols have ports, if any ports are specified it requires the + Protocol match in the Rule to be set to "TCP", "UDP", or "SCTP". items: anyOf: - type: integer @@ -638,9 +1088,19 @@ spec: type: array x-kubernetes-list-type: atomic notSelector: + description: |- + NotSelector is the negated version of the Selector field. See Selector field for + subtleties with negated selectors. maxLength: 1024 type: string ports: + description: |- + Ports is an optional field that restricts the rule to only apply to traffic that has a + source (destination) port that matches one of these ranges/values. This value is a + list of integers or strings that represent ranges of ports. + + Since only some protocols have ports, if any ports are specified it requires the + Protocol match in the Rule to be set to "TCP", "UDP", or "SCTP". items: anyOf: - type: integer 
@@ -651,24 +1111,66 @@ spec: type: array x-kubernetes-list-type: atomic selector: + description: + "Selector is an optional field that contains + a selector expression (see Policy for\nsample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching\nthe selector will be matched.\n\nNote that: + in addition to the negated version of the Selector (see + NotSelector below), the\nselector expression syntax itself + supports negation. The two types of negation are subtly\ndifferent. + One negates the set of matched endpoints, the other negates + the whole match:\n\n\tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled\n\tendpoints + that do not have the label \"my_label\".\n\n\tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled\n\tendpoints that do have the label + \"my_label\".\n\nThe effect is that the latter will accept + packets from non-Calico sources whereas the\nformer is + limited to packets from Calico-controlled endpoints." maxLength: 1024 type: string serviceAccounts: + description: |- + ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or + terminates at) a pod running as a matching service account. properties: names: + description: |- + Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates + at) a pod running as a service account whose name is in the list. items: type: string type: array x-kubernetes-list-type: set selector: + description: |- + Selector is an optional field that restricts the rule to only apply to traffic that originates from + (or terminates at) a pod running as a service account that matches the given label selector. + If both Names and Selector are specified then they are AND'ed. type: string type: object services: + description: |- + Services is an optional field that contains options for matching Kubernetes Services. 
+ If specified, only traffic that originates from or terminates at endpoints within the selected + service(s) will be matched, and only to/from each endpoint's port. + + Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, + NotNets or ServiceAccounts. + + Ports and NotPorts can only be specified with Services on ingress rules. properties: name: + description: + Name specifies the name of a Kubernetes + Service to match. maxLength: 253 type: string namespace: + description: |- + Namespace specifies the namespace of the given Service. If left empty, the rule + will match within this policy's namespace. maxLength: 253 type: string type: object 
@@ -758,11 +1260,31 @@ spec: type: array x-kubernetes-list-type: atomic namespaceSelector: + description: + NamespaceSelector is an optional field for an expression + used to select a pod based on namespaces. maxLength: 1024 type: string order: + description: |- + Order is an optional field that specifies the order in which the policy is applied. + Policies with higher "order" are applied after those with lower + order within the same tier. If the order is omitted, it may be considered to be "infinite" - i.e. the + policy will be applied last. Policies with identical order will be applied in + alphanumerical order based on the Policy "Name" within the tier. type: number performanceHints: + description: |- + PerformanceHints contains a list of hints to Calico's policy engine to + help process the policy more efficiently. Hints never change the + enforcement behaviour of the policy. + + Currently, the only available hint is "AssumeNeededOnEveryNode". When + that hint is set on a policy, Felix will act as if the policy matches + a local endpoint even if it does not. This is useful for "preloading" + any large static policies that are known to be used on every node. + If the policy is _not_ used on a particular node then the work + done to preload the policy (and to maintain it) is wasted. items: enum: - AssumeNeededOnEveryNode 
@@ -770,15 +1292,41 @@ spec: type: array x-kubernetes-list-type: set preDNAT: + description: + PreDNAT indicates to apply the rules in this policy before + any DNAT. type: boolean selector: + description: + "The selector is an expression used to pick out the endpoints + that the policy should\nbe applied to.\n\nSelector expressions follow + this syntax:\n\n\tlabel == \"string_literal\" -> comparison, e.g. + my_label == \"foo bar\"\n\tlabel != \"string_literal\" -> not + equal; also matches if label is not present\n\tlabel in { \"a\", + \"b\", \"c\", ... } -> true if the value of label X is one of + \"a\", \"b\", \"c\"\n\tlabel not in { \"a\", \"b\", \"c\", ... } + \ -> true if the value of label X is not one of \"a\", \"b\", \"c\"\n\thas(label_name) + \ -> True if that label is present\n\t! expr -> negation of expr\n\texpr + && expr -> Short-circuit and\n\texpr || expr -> Short-circuit + or\n\t( expr ) -> parens for grouping\n\tall() or the empty selector + -> matches all endpoints.\n\nLabel names are allowed to contain + alphanumerics, -, _ and /. String literals are more permissive\nbut + they do not support escape characters.\n\nExamples (with made-up + labels):\n\n\ttype == \"webserver\" && deployment == \"prod\"\n\ttype + in {\"frontend\", \"backend\"}\n\tdeployment != \"dev\"\n\t! has(label_name)" maxLength: 1024 type: string serviceAccountSelector: + description: + ServiceAccountSelector is an optional field for an expression + used to select a pod based on service accounts. maxLength: 1024 type: string stagedAction: default: Set + description: + The staged action. If this is omitted, the default is + Set. enum: - Set - Delete 
@@ -787,9 +1335,33 @@ spec: type: string tier: default: default + description: |- + The name of the tier that this policy belongs to. If this is omitted, the default + tier (name is "default") is assumed. The specified tier must exist in order to create + security policies within the tier, the "default" tier is created automatically if it + does not exist, this means for deployments requiring only a single Tier, the tier name + may be omitted on all policy management requests. type: string types: + description: |- + Types indicates whether this policy applies to ingress, or to egress, or to both. When + not explicitly specified (and so the value on creation is empty or nil), Calico defaults + Types according to what Ingress and Egress rules are present in the policy. The + default is: + + - [ PolicyTypeIngress ], if there are no Egress rules (including the case where there are + also no Ingress rules) + + - [ PolicyTypeEgress ], if there are Egress rules but no Ingress rules + + - [ PolicyTypeIngress, PolicyTypeEgress ], if there are both Ingress and Egress rules. + + When the policy is read back again, Types will always be one of these values, never empty + or nil. items: + description: + PolicyType enumerates the possible values of the PolicySpec + Types field. enum: - Ingress - Egress diff --git a/config/crd/projectcalico.org_stagedkubernetesnetworkpolicies.yaml b/config/crd/projectcalico.org_stagedkubernetesnetworkpolicies.yaml index 6762260f..5381cfa7 100644 --- a/config/crd/projectcalico.org_stagedkubernetesnetworkpolicies.yaml +++ b/config/crd/projectcalico.org_stagedkubernetesnetworkpolicies.yaml 
@@ -19,42 +19,107 @@ spec: - name: v3 schema: openAPIV3Schema: + description: StagedKubernetesNetworkPolicy is a staged GlobalNetworkPolicy. properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: properties: egress: + description: |- + List of egress rules to be applied to the selected pods. Outgoing traffic is + allowed if there are no NetworkPolicies selecting the pod (and cluster policy + otherwise allows the traffic), OR if the traffic matches at least one egress rule + across all of the NetworkPolicy objects whose podSelector matches the pod. If + this field is empty then this NetworkPolicy limits all outgoing traffic (and serves + solely to ensure that the pods it selects are isolated by default). + This field is beta-level in 1.8 items: + description: |- + NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods + matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. + This type is beta-level in 1.8 properties: ports: + description: |- + ports is a list of destination ports for outgoing traffic. + Each item in this list is combined using a logical OR. If this field is + empty or missing, this rule matches all ports (traffic not restricted by port). 
+ If this field is present and contains at least one item, then this rule allows + traffic only if the traffic matches at least one port in the list. items: + description: + NetworkPolicyPort describes a port to allow traffic + on properties: endPort: + description: |- + endPort indicates that the range of ports from port to endPort if set, inclusive, + should be allowed by the policy. This field cannot be defined if the port field + is not defined or if the port field is defined as a named (string) port. + The endPort must be equal or greater than port. format: int32 type: integer port: anyOf: - type: integer - type: string + description: |- + port represents the port on the given protocol. This can either be a numerical or named + port on a pod. If this field is not provided, this matches all port names and + numbers. + If present, only traffic on the specified protocol AND port will be matched. x-kubernetes-int-or-string: true protocol: + description: |- + protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. + If not specified, this field defaults to TCP. type: string type: object type: array x-kubernetes-list-type: atomic to: + description: |- + to is a list of destinations for outgoing traffic of pods selected for this rule. + Items in this list are combined using a logical OR operation. If this field is + empty or missing, this rule matches all destinations (traffic not restricted by + destination). If this field is present and contains at least one item, this rule + allows traffic only if the traffic matches at least one item in the to list. items: + description: |- + NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of + fields are allowed properties: ipBlock: + description: |- + ipBlock defines policy on a particular IPBlock. If this field is set then + neither of the other fields can be. 
properties: cidr: + description: |- + cidr is a string representing the IPBlock + Valid examples are "192.168.1.0/24" or "2001:db8::/64" type: string except: + description: |- + except is a slice of CIDRs that should not be included within an IPBlock + Valid examples are "192.168.1.0/24" or "2001:db8::/64" + Except values will be rejected if they are outside the cidr range items: type: string type: array @@ -63,15 +128,39 @@ spec: - cidr type: object namespaceSelector: + description: |- + namespaceSelector selects namespaces using cluster-scoped labels. This field follows + standard label selector semantics; if present but empty, it selects all namespaces. + + If podSelector is also set, then the NetworkPolicyPeer as a whole selects + the pods matching podSelector in the namespaces selected by namespaceSelector. + Otherwise it selects all pods in the namespaces selected by namespaceSelector. properties: matchExpressions: + description: + matchExpressions is a list of label selector + requirements. The requirements are ANDed. items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: + description: + key is the label key that the selector + applies to. type: string operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -85,19 +174,47 @@ spec: matchLabels: additionalProperties: type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic podSelector: + description: |- + podSelector is a label selector which selects pods. This field follows standard label + selector semantics; if present but empty, it selects all pods. + + If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects + the pods matching podSelector in the Namespaces selected by NamespaceSelector. + Otherwise it selects the pods matching podSelector in the policy's own namespace. properties: matchExpressions: + description: + matchExpressions is a list of label selector + requirements. The requirements are ANDed. items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: + description: + key is the label key that the selector + applies to. type: string operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -111,6 +228,10 @@ spec: matchLabels: additionalProperties: type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -121,16 +242,46 @@ spec: type: array x-kubernetes-list-type: atomic ingress: + description: |- + List of ingress rules to be applied to the selected pods. Traffic is allowed to + a pod if there are no NetworkPolicies selecting the pod + (and cluster policy otherwise allows the traffic), OR if the traffic source is + the pod's local node, OR if the traffic matches at least one ingress rule + across all of the NetworkPolicy objects whose podSelector matches the pod. If + this field is empty then this NetworkPolicy does not allow any traffic (and serves + solely to ensure that the pods it selects are isolated by default) items: + description: |- + NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods + matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from. properties: from: + description: |- + from is a list of sources which should be able to access the pods selected for this rule. + Items in this list are combined using a logical OR operation. If this field is + empty or missing, this rule matches all sources (traffic not restricted by + source). If this field is present and contains at least one item, this rule + allows traffic only if the traffic matches at least one item in the from list. items: + description: |- + NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of + fields are allowed properties: ipBlock: + description: |- + ipBlock defines policy on a particular IPBlock. If this field is set then + neither of the other fields can be. properties: cidr: + description: |- + cidr is a string representing the IPBlock + Valid examples are "192.168.1.0/24" or "2001:db8::/64" type: string except: + description: |- + except is a slice of CIDRs that should not be included within an IPBlock + Valid examples are "192.168.1.0/24" or "2001:db8::/64" + Except values will be rejected if they are outside the cidr range items: type: string type: array 
@@ -139,15 +290,39 @@ spec: - cidr type: object namespaceSelector: + description: |- + namespaceSelector selects namespaces using cluster-scoped labels. This field follows + standard label selector semantics; if present but empty, it selects all namespaces. + + If podSelector is also set, then the NetworkPolicyPeer as a whole selects + the pods matching podSelector in the namespaces selected by namespaceSelector. + Otherwise it selects all pods in the namespaces selected by namespaceSelector. properties: matchExpressions: + description: + matchExpressions is a list of label selector + requirements. The requirements are ANDed. items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: + description: + key is the label key that the selector + applies to. type: string operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -161,19 +336,47 @@ spec: matchLabels: additionalProperties: type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic podSelector: + description: |- + podSelector is a label selector which selects pods. This field follows standard label + selector semantics; if present but empty, it selects all pods. + + If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects + the pods matching podSelector in the Namespaces selected by NamespaceSelector. + Otherwise it selects the pods matching podSelector in the policy's own namespace. properties: matchExpressions: + description: + matchExpressions is a list of label selector + requirements. The requirements are ANDed. items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: + description: + key is the label key that the selector + applies to. type: string operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -187,6 +390,10 @@ spec: matchLabels: additionalProperties: type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -194,17 +401,39 @@ spec: type: array x-kubernetes-list-type: atomic ports: + description: |- + ports is a list of ports which should be made accessible on the pods selected for + this rule. Each item in this list is combined using a logical OR. If this field is + empty or missing, this rule matches all ports (traffic not restricted by port). + If this field is present and contains at least one item, then this rule allows + traffic only if the traffic matches at least one port in the list. items: + description: + NetworkPolicyPort describes a port to allow traffic + on properties: endPort: + description: |- + endPort indicates that the range of ports from port to endPort if set, inclusive, + should be allowed by the policy. This field cannot be defined if the port field + is not defined or if the port field is defined as a named (string) port. + The endPort must be equal or greater than port. format: int32 type: integer port: anyOf: - type: integer - type: string + description: |- + port represents the port on the given protocol. This can either be a numerical or named + port on a pod. If this field is not provided, this matches all port names and + numbers. + If present, only traffic on the specified protocol AND port will be matched. x-kubernetes-int-or-string: true protocol: + description: |- + protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. + If not specified, this field defaults to TCP. type: string type: object type: array 
@@ -213,15 +442,39 @@ spec: type: array x-kubernetes-list-type: atomic podSelector: + description: |- + Selects the pods to which this NetworkPolicy object applies. The array of + ingress rules is applied to any pods selected by this field. Multiple network + policies can select the same set of pods. In this case, the ingress rules for + each are combined additively. This field is NOT optional and follows standard + label selector semantics. An empty podSelector matches all pods in this + namespace. properties: matchExpressions: + description: + matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: + description: + key is the label key that the selector applies + to. type: string operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -235,11 +488,29 @@ spec: matchLabels: additionalProperties: type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic policyTypes: + description: |- + List of rule types that the NetworkPolicy relates to. + Valid options are Ingress, Egress, or Ingress,Egress. + If this field is not specified, it will default based on the existence of Ingress or Egress rules; + policies that contain an Egress section are assumed to affect Egress, and all policies + (whether or not they contain an Ingress section) are assumed to affect Ingress. + If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. + Likewise, if you want to write a policy that specifies that no egress is allowed, + you must specify a policyTypes value that include "Egress" (since such a policy would not include + an Egress section and would otherwise default to just [ "Ingress" ]). + This field is beta-level in 1.8 items: + description: |- + PolicyType string describes the NetworkPolicy type + This type is beta-level in 1.8 type: string maxItems: 2 minItems: 1 @@ -247,6 +518,9 @@ spec: x-kubernetes-list-type: set stagedAction: default: Set + description: + The staged action. If this is omitted, the default is + Set. enum: - Set - Delete diff --git a/config/crd/projectcalico.org_stagednetworkpolicies.yaml b/config/crd/projectcalico.org_stagednetworkpolicies.yaml index c3baadbc..7147c2d0 100644 --- a/config/crd/projectcalico.org_stagednetworkpolicies.yaml +++ b/config/crd/projectcalico.org_stagednetworkpolicies.yaml 
@@ -27,17 +27,42 @@ spec: name: v3 schema: openAPIV3Schema: + description: |- + StagedNetworkPolicy is a staged NetworkPolicy. + StagedNetworkPolicy is the Namespaced-equivalent of the StagedGlobalNetworkPolicy. properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: properties: egress: + description: |- + The ordered set of egress rules. Each rule contains a set of packet match criteria and + a corresponding action to apply. Limited to 1024 rules per policy. items: + description: |- + A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy + and security Profiles reference rules - separated out as a list of rules for both + ingress and egress packet matching. + + Each positive match criteria has a negated version, prefixed with "Not". All the match + criteria within a rule must be satisfied for a packet to match. A single rule can contain + the positive and negative version of a match and both must be satisfied for the rule to match. properties: action: enum: 
@@ -47,28 +72,59 @@ spec: - Pass type: string destination: + description: + Destination contains the match criteria that apply + to destination entity. properties: domains: + description: |- + Domains is an optional field, valid for egress Allow rules only, that restricts the rule + to apply only to traffic to one of the specified domains. If this field is specified, + Action must be Allow, and Nets and Selector must both be left empty. items: type: string type: array x-kubernetes-list-type: atomic namespaceSelector: + description: |- + NamespaceSelector is an optional field that contains a selector expression. Only traffic + that originates from (or terminates at) endpoints within the selected namespaces will be + matched. When both NamespaceSelector and another selector are defined on the same rule, then only + workload endpoints that are matched by both selectors will be selected by the rule. + + For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting + only workload endpoints in the same namespace as the NetworkPolicy. + + For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting + only GlobalNetworkSet or HostEndpoint. + + For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces. maxLength: 1024 type: string nets: + description: |- + Nets is an optional field that restricts the rule to only apply to traffic that + originates from (or terminates at) IP addresses in any of the given subnets. items: type: string maxItems: 256 type: array x-kubernetes-list-type: set notNets: + description: + NotNets is the negated version of the Nets + field. items: type: string maxItems: 256 type: array x-kubernetes-list-type: set notPorts: + description: |- + NotPorts is the negated version of the Ports field. 
+ Since only some protocols have ports, if any ports are specified it requires the + Protocol match in the Rule to be set to "TCP", "UDP", or "SCTP". items: anyOf: - type: integer @@ -79,9 +135,19 @@ spec: type: array x-kubernetes-list-type: atomic notSelector: + description: |- + NotSelector is the negated version of the Selector field. See Selector field for + subtleties with negated selectors. maxLength: 1024 type: string ports: + description: |- + Ports is an optional field that restricts the rule to only apply to traffic that has a + source (destination) port that matches one of these ranges/values. This value is a + list of integers or strings that represent ranges of ports. + + Since only some protocols have ports, if any ports are specified it requires the + Protocol match in the Rule to be set to "TCP", "UDP", or "SCTP". items: anyOf: - type: integer 
@@ -92,24 +158,66 @@ spec: type: array x-kubernetes-list-type: atomic selector: + description: + "Selector is an optional field that contains + a selector expression (see Policy for\nsample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching\nthe selector will be matched.\n\nNote that: + in addition to the negated version of the Selector (see + NotSelector below), the\nselector expression syntax itself + supports negation. The two types of negation are subtly\ndifferent. + One negates the set of matched endpoints, the other negates + the whole match:\n\n\tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled\n\tendpoints + that do not have the label \"my_label\".\n\n\tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled\n\tendpoints that do have the label + \"my_label\".\n\nThe effect is that the latter will accept + packets from non-Calico sources whereas the\nformer is + limited to packets from Calico-controlled endpoints." maxLength: 1024 type: string serviceAccounts: + description: |- + ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or + terminates at) a pod running as a matching service account. properties: names: + description: |- + Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates + at) a pod running as a service account whose name is in the list. items: type: string type: array x-kubernetes-list-type: set selector: + description: |- + Selector is an optional field that restricts the rule to only apply to traffic that originates from + (or terminates at) a pod running as a service account that matches the given label selector. + If both Names and Selector are specified then they are AND'ed. type: string type: object services: + description: |- + Services is an optional field that contains options for matching Kubernetes Services. 
+ If specified, only traffic that originates from or terminates at endpoints within the selected + service(s) will be matched, and only to/from each endpoint's port. + + Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, + NotNets or ServiceAccounts. + + Ports and NotPorts can only be specified with Services on ingress rules. properties: name: + description: + Name specifies the name of a Kubernetes + Service to match. maxLength: 253 type: string namespace: + description: |- + Namespace specifies the namespace of the given Service. If left empty, the rule + will match within this policy's namespace. maxLength: 253 type: string type: object @@ -149,9 +257,19 @@ spec: "!has(self.services) || (!has(self.nets) || size(self.nets) == 0) && (!has(self.notNets) || size(self.notNets) == 0)" http: + description: + HTTP contains match criteria that apply to HTTP + requests. properties: headers: + description: |- + Headers is an optional field that restricts the rule to apply to HTTP headers. + Multiple headers criteria are AND'd together. + Criteria within a single headers rule ar OR'd together. items: + description: + HTTPHeaderCriteria structure defines optional + HTTP headers criterion for ALP. properties: header: type: string 
@@ -170,13 +288,29 @@ spec: type: array x-kubernetes-list-type: atomic methods: + description: |- + Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed + HTTP Methods (e.g. GET, PUT, etc.) + Multiple methods are OR'd together. items: type: string maxItems: 20 type: array x-kubernetes-list-type: atomic paths: + description: |- + Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed + HTTP Paths. + Multiple paths are OR'd together. + e.g: + - exact: /foo + - prefix: /bar + NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it. items: + description: |- + HTTPPath specifies an HTTP path to match. It may be either of the form: + exact: : which matches the path exactly or + prefix: : which matches the path prefix properties: exact: maxLength: 1024 @@ -190,12 +324,23 @@ spec: x-kubernetes-list-type: atomic type: object icmp: + description: |- + ICMP is an optional field that restricts the rule to apply to a specific type and + code of ICMP traffic. This should only be specified if the Protocol field is set to + "ICMP" or "ICMPv6". properties: code: + description: |- + Match on a specific ICMP code. If specified, the Type value must also be specified. + This is a technical limitation imposed by the kernel's iptables firewall, which + Calico uses to enforce the rule. maximum: 255 minimum: 0 type: integer type: + description: |- + Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request + (i.e. pings). maximum: 254 minimum: 0 type: integer 
@@ -205,24 +350,41 @@ spec: reason: FieldValueInvalid rule: "!has(self.code) || has(self.type)" ipVersion: + description: |- + IPVersion is an optional field that restricts the rule to only match a specific IP + version. enum: - 4 - 6 type: integer metadata: + description: + Metadata contains additional information for this + rule properties: annotations: additionalProperties: type: string + description: + Annotations is a set of key value pairs that + give extra information about the rule type: object type: object notICMP: + description: NotICMP is the negated version of the ICMP field. properties: code: + description: |- + Match on a specific ICMP code. If specified, the Type value must also be specified. + This is a technical limitation imposed by the kernel's iptables firewall, which + Calico uses to enforce the rule. maximum: 255 minimum: 0 type: integer type: + description: |- + Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request + (i.e. pings). maximum: 254 minimum: 0 type: integer 
@@ -235,37 +397,78 @@ spec: anyOf: - type: integer - type: string + description: + NotProtocol is the negated version of the Protocol + field. pattern: ^.* x-kubernetes-int-or-string: true protocol: anyOf: - type: integer - type: string + description: |- + Protocol is an optional field that restricts the rule to only apply to traffic of + a specific IP protocol. Required if any of the EntityRules contain Ports + (because ports only apply to certain protocols). + + Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite" + or an integer in the range 1-255. pattern: ^.* x-kubernetes-int-or-string: true source: + description: + Source contains the match criteria that apply to + source entity. properties: domains: + description: |- + Domains is an optional field, valid for egress Allow rules only, that restricts the rule + to apply only to traffic to one of the specified domains. If this field is specified, + Action must be Allow, and Nets and Selector must both be left empty. items: type: string type: array x-kubernetes-list-type: atomic namespaceSelector: + description: |- + NamespaceSelector is an optional field that contains a selector expression. Only traffic + that originates from (or terminates at) endpoints within the selected namespaces will be + matched. When both NamespaceSelector and another selector are defined on the same rule, then only + workload endpoints that are matched by both selectors will be selected by the rule. + + For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting + only workload endpoints in the same namespace as the NetworkPolicy. + + For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting + only GlobalNetworkSet or HostEndpoint. + + For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces. 
maxLength: 1024 type: string nets: + description: |- + Nets is an optional field that restricts the rule to only apply to traffic that + originates from (or terminates at) IP addresses in any of the given subnets. items: type: string maxItems: 256 type: array x-kubernetes-list-type: set notNets: + description: + NotNets is the negated version of the Nets + field. items: type: string maxItems: 256 type: array x-kubernetes-list-type: set notPorts: + description: |- + NotPorts is the negated version of the Ports field. + Since only some protocols have ports, if any ports are specified it requires the + Protocol match in the Rule to be set to "TCP", "UDP", or "SCTP". items: anyOf: - type: integer @@ -276,9 +479,19 @@ spec: type: array x-kubernetes-list-type: atomic notSelector: + description: |- + NotSelector is the negated version of the Selector field. See Selector field for + subtleties with negated selectors. maxLength: 1024 type: string ports: + description: |- + Ports is an optional field that restricts the rule to only apply to traffic that has a + source (destination) port that matches one of these ranges/values. This value is a + list of integers or strings that represent ranges of ports. + + Since only some protocols have ports, if any ports are specified it requires the + Protocol match in the Rule to be set to "TCP", "UDP", or "SCTP". items: anyOf: - type: integer 
@@ -289,24 +502,66 @@ spec: type: array x-kubernetes-list-type: atomic selector: + description: + "Selector is an optional field that contains + a selector expression (see Policy for\nsample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching\nthe selector will be matched.\n\nNote that: + in addition to the negated version of the Selector (see + NotSelector below), the\nselector expression syntax itself + supports negation. The two types of negation are subtly\ndifferent. + One negates the set of matched endpoints, the other negates + the whole match:\n\n\tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled\n\tendpoints + that do not have the label \"my_label\".\n\n\tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled\n\tendpoints that do have the label + \"my_label\".\n\nThe effect is that the latter will accept + packets from non-Calico sources whereas the\nformer is + limited to packets from Calico-controlled endpoints." maxLength: 1024 type: string serviceAccounts: + description: |- + ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or + terminates at) a pod running as a matching service account. properties: names: + description: |- + Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates + at) a pod running as a service account whose name is in the list. items: type: string type: array x-kubernetes-list-type: set selector: + description: |- + Selector is an optional field that restricts the rule to only apply to traffic that originates from + (or terminates at) a pod running as a service account that matches the given label selector. + If both Names and Selector are specified then they are AND'ed. type: string type: object services: + description: |- + Services is an optional field that contains options for matching Kubernetes Services. 
+ If specified, only traffic that originates from or terminates at endpoints within the selected + service(s) will be matched, and only to/from each endpoint's port. + + Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, + NotNets or ServiceAccounts. + + Ports and NotPorts can only be specified with Services on ingress rules. properties: name: + description: + Name specifies the name of a Kubernetes + Service to match. maxLength: 253 type: string namespace: + description: |- + Namespace specifies the namespace of the given Service. If left empty, the rule + will match within this policy's namespace. maxLength: 253 type: string type: object @@ -396,7 +651,18 @@ spec: type: array x-kubernetes-list-type: atomic ingress: + description: |- + The ordered set of ingress rules. Each rule contains a set of packet match criteria and + a corresponding action to apply. Limited to 1024 rules per policy. items: + description: |- + A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy + and security Profiles reference rules - separated out as a list of rules for both + ingress and egress packet matching. + + Each positive match criteria has a negated version, prefixed with "Not". All the match + criteria within a rule must be satisfied for a packet to match. A single rule can contain + the positive and negative version of a match and both must be satisfied for the rule to match. properties: action: enum: 
@@ -406,28 +672,59 @@ spec: - Pass type: string destination: + description: + Destination contains the match criteria that apply + to destination entity. properties: domains: + description: |- + Domains is an optional field, valid for egress Allow rules only, that restricts the rule + to apply only to traffic to one of the specified domains. If this field is specified, + Action must be Allow, and Nets and Selector must both be left empty. items: type: string type: array x-kubernetes-list-type: atomic namespaceSelector: + description: |- + NamespaceSelector is an optional field that contains a selector expression. Only traffic + that originates from (or terminates at) endpoints within the selected namespaces will be + matched. When both NamespaceSelector and another selector are defined on the same rule, then only + workload endpoints that are matched by both selectors will be selected by the rule. + + For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting + only workload endpoints in the same namespace as the NetworkPolicy. + + For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting + only GlobalNetworkSet or HostEndpoint. + + For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces. maxLength: 1024 type: string nets: + description: |- + Nets is an optional field that restricts the rule to only apply to traffic that + originates from (or terminates at) IP addresses in any of the given subnets. items: type: string maxItems: 256 type: array x-kubernetes-list-type: set notNets: + description: + NotNets is the negated version of the Nets + field. items: type: string maxItems: 256 type: array x-kubernetes-list-type: set notPorts: + description: |- + NotPorts is the negated version of the Ports field. 
+ Since only some protocols have ports, if any ports are specified it requires the + Protocol match in the Rule to be set to "TCP", "UDP", or "SCTP". items: anyOf: - type: integer @@ -438,9 +735,19 @@ spec: type: array x-kubernetes-list-type: atomic notSelector: + description: |- + NotSelector is the negated version of the Selector field. See Selector field for + subtleties with negated selectors. maxLength: 1024 type: string ports: + description: |- + Ports is an optional field that restricts the rule to only apply to traffic that has a + source (destination) port that matches one of these ranges/values. This value is a + list of integers or strings that represent ranges of ports. + + Since only some protocols have ports, if any ports are specified it requires the + Protocol match in the Rule to be set to "TCP", "UDP", or "SCTP". items: anyOf: - type: integer 
@@ -451,24 +758,66 @@ spec: type: array x-kubernetes-list-type: atomic selector: + description: + "Selector is an optional field that contains + a selector expression (see Policy for\nsample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching\nthe selector will be matched.\n\nNote that: + in addition to the negated version of the Selector (see + NotSelector below), the\nselector expression syntax itself + supports negation. The two types of negation are subtly\ndifferent. + One negates the set of matched endpoints, the other negates + the whole match:\n\n\tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled\n\tendpoints + that do not have the label \"my_label\".\n\n\tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled\n\tendpoints that do have the label + \"my_label\".\n\nThe effect is that the latter will accept + packets from non-Calico sources whereas the\nformer is + limited to packets from Calico-controlled endpoints." maxLength: 1024 type: string serviceAccounts: + description: |- + ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or + terminates at) a pod running as a matching service account. properties: names: + description: |- + Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates + at) a pod running as a service account whose name is in the list. items: type: string type: array x-kubernetes-list-type: set selector: + description: |- + Selector is an optional field that restricts the rule to only apply to traffic that originates from + (or terminates at) a pod running as a service account that matches the given label selector. + If both Names and Selector are specified then they are AND'ed. type: string type: object services: + description: |- + Services is an optional field that contains options for matching Kubernetes Services. 
+ If specified, only traffic that originates from or terminates at endpoints within the selected + service(s) will be matched, and only to/from each endpoint's port. + + Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, + NotNets or ServiceAccounts. + + Ports and NotPorts can only be specified with Services on ingress rules. properties: name: + description: + Name specifies the name of a Kubernetes + Service to match. maxLength: 253 type: string namespace: + description: |- + Namespace specifies the namespace of the given Service. If left empty, the rule + will match within this policy's namespace. maxLength: 253 type: string type: object @@ -508,9 +857,19 @@ spec: "!has(self.services) || (!has(self.nets) || size(self.nets) == 0) && (!has(self.notNets) || size(self.notNets) == 0)" http: + description: + HTTP contains match criteria that apply to HTTP + requests. properties: headers: + description: |- + Headers is an optional field that restricts the rule to apply to HTTP headers. + Multiple headers criteria are AND'd together. + Criteria within a single headers rule ar OR'd together. items: + description: + HTTPHeaderCriteria structure defines optional + HTTP headers criterion for ALP. properties: header: type: string 
@@ -529,13 +888,29 @@ spec: type: array x-kubernetes-list-type: atomic methods: + description: |- + Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed + HTTP Methods (e.g. GET, PUT, etc.) + Multiple methods are OR'd together. items: type: string maxItems: 20 type: array x-kubernetes-list-type: atomic paths: + description: |- + Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed + HTTP Paths. + Multiple paths are OR'd together. + e.g: + - exact: /foo + - prefix: /bar + NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it. items: + description: |- + HTTPPath specifies an HTTP path to match. It may be either of the form: + exact: : which matches the path exactly or + prefix: : which matches the path prefix properties: exact: maxLength: 1024 @@ -549,12 +924,23 @@ spec: x-kubernetes-list-type: atomic type: object icmp: + description: |- + ICMP is an optional field that restricts the rule to apply to a specific type and + code of ICMP traffic. This should only be specified if the Protocol field is set to + "ICMP" or "ICMPv6". properties: code: + description: |- + Match on a specific ICMP code. If specified, the Type value must also be specified. + This is a technical limitation imposed by the kernel's iptables firewall, which + Calico uses to enforce the rule. maximum: 255 minimum: 0 type: integer type: + description: |- + Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request + (i.e. pings). maximum: 254 minimum: 0 type: integer 
@@ -564,24 +950,41 @@ spec: reason: FieldValueInvalid rule: "!has(self.code) || has(self.type)" ipVersion: + description: |- + IPVersion is an optional field that restricts the rule to only match a specific IP + version. enum: - 4 - 6 type: integer metadata: + description: + Metadata contains additional information for this + rule properties: annotations: additionalProperties: type: string + description: + Annotations is a set of key value pairs that + give extra information about the rule type: object type: object notICMP: + description: NotICMP is the negated version of the ICMP field. properties: code: + description: |- + Match on a specific ICMP code. If specified, the Type value must also be specified. + This is a technical limitation imposed by the kernel's iptables firewall, which + Calico uses to enforce the rule. maximum: 255 minimum: 0 type: integer type: + description: |- + Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request + (i.e. pings). maximum: 254 minimum: 0 type: integer 
@@ -594,37 +997,78 @@ spec: anyOf: - type: integer - type: string + description: + NotProtocol is the negated version of the Protocol + field. pattern: ^.* x-kubernetes-int-or-string: true protocol: anyOf: - type: integer - type: string + description: |- + Protocol is an optional field that restricts the rule to only apply to traffic of + a specific IP protocol. Required if any of the EntityRules contain Ports + (because ports only apply to certain protocols). + + Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite" + or an integer in the range 1-255. pattern: ^.* x-kubernetes-int-or-string: true source: + description: + Source contains the match criteria that apply to + source entity. properties: domains: + description: |- + Domains is an optional field, valid for egress Allow rules only, that restricts the rule + to apply only to traffic to one of the specified domains. If this field is specified, + Action must be Allow, and Nets and Selector must both be left empty. items: type: string type: array x-kubernetes-list-type: atomic namespaceSelector: + description: |- + NamespaceSelector is an optional field that contains a selector expression. Only traffic + that originates from (or terminates at) endpoints within the selected namespaces will be + matched. When both NamespaceSelector and another selector are defined on the same rule, then only + workload endpoints that are matched by both selectors will be selected by the rule. + + For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting + only workload endpoints in the same namespace as the NetworkPolicy. + + For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting + only GlobalNetworkSet or HostEndpoint. + + For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces. 
maxLength: 1024 type: string nets: + description: |- + Nets is an optional field that restricts the rule to only apply to traffic that + originates from (or terminates at) IP addresses in any of the given subnets. items: type: string maxItems: 256 type: array x-kubernetes-list-type: set notNets: + description: + NotNets is the negated version of the Nets + field. items: type: string maxItems: 256 type: array x-kubernetes-list-type: set notPorts: + description: |- + NotPorts is the negated version of the Ports field. + Since only some protocols have ports, if any ports are specified it requires the + Protocol match in the Rule to be set to "TCP", "UDP", or "SCTP". items: anyOf: - type: integer @@ -635,9 +1079,19 @@ spec: type: array x-kubernetes-list-type: atomic notSelector: + description: |- + NotSelector is the negated version of the Selector field. See Selector field for + subtleties with negated selectors. maxLength: 1024 type: string ports: + description: |- + Ports is an optional field that restricts the rule to only apply to traffic that has a + source (destination) port that matches one of these ranges/values. This value is a + list of integers or strings that represent ranges of ports. + + Since only some protocols have ports, if any ports are specified it requires the + Protocol match in the Rule to be set to "TCP", "UDP", or "SCTP". items: anyOf: - type: integer 
@@ -648,24 +1102,66 @@ spec: type: array x-kubernetes-list-type: atomic selector: + description: + "Selector is an optional field that contains + a selector expression (see Policy for\nsample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching\nthe selector will be matched.\n\nNote that: + in addition to the negated version of the Selector (see + NotSelector below), the\nselector expression syntax itself + supports negation. The two types of negation are subtly\ndifferent. + One negates the set of matched endpoints, the other negates + the whole match:\n\n\tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled\n\tendpoints + that do not have the label \"my_label\".\n\n\tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled\n\tendpoints that do have the label + \"my_label\".\n\nThe effect is that the latter will accept + packets from non-Calico sources whereas the\nformer is + limited to packets from Calico-controlled endpoints." maxLength: 1024 type: string serviceAccounts: + description: |- + ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or + terminates at) a pod running as a matching service account. properties: names: + description: |- + Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates + at) a pod running as a service account whose name is in the list. items: type: string type: array x-kubernetes-list-type: set selector: + description: |- + Selector is an optional field that restricts the rule to only apply to traffic that originates from + (or terminates at) a pod running as a service account that matches the given label selector. + If both Names and Selector are specified then they are AND'ed. type: string type: object services: + description: |- + Services is an optional field that contains options for matching Kubernetes Services. 
+ If specified, only traffic that originates from or terminates at endpoints within the selected + service(s) will be matched, and only to/from each endpoint's port. + + Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, + NotNets or ServiceAccounts. + + Ports and NotPorts can only be specified with Services on ingress rules. properties: name: + description: + Name specifies the name of a Kubernetes + Service to match. maxLength: 253 type: string namespace: + description: |- + Namespace specifies the namespace of the given Service. If left empty, the rule + will match within this policy's namespace. maxLength: 253 type: string type: object @@ -755,8 +1251,25 @@ spec: type: array x-kubernetes-list-type: atomic order: + description: |- + Order is an optional field that specifies the order in which the policy is applied. + Policies with higher "order" are applied after those with lower + order within the same tier. If the order is omitted, it may be considered to be "infinite" - i.e. the + policy will be applied last. Policies with identical order will be applied in + alphanumerical order based on the Policy "Name" within the tier. type: number performanceHints: + description: |- + PerformanceHints contains a list of hints to Calico's policy engine to + help process the policy more efficiently. Hints never change the + enforcement behaviour of the policy. + + Currently, the only available hint is "AssumeNeededOnEveryNode". When + that hint is set on a policy, Felix will act as if the policy matches + a local endpoint even if it does not. This is useful for "preloading" + any large static policies that are known to be used on every node. + If the policy is _not_ used on a particular node then the work + done to preload the policy (and to maintain it) is wasted. items: enum: - AssumeNeededOnEveryNode 
@@ -764,13 +1277,36 @@ spec: type: array x-kubernetes-list-type: set selector: + description: + "The selector is an expression used to pick out the endpoints + that the policy should\nbe applied to.\n\nSelector expressions follow + this syntax:\n\n\tlabel == \"string_literal\" -> comparison, e.g. + my_label == \"foo bar\"\n\tlabel != \"string_literal\" -> not + equal; also matches if label is not present\n\tlabel in { \"a\", + \"b\", \"c\", ... } -> true if the value of label X is one of + \"a\", \"b\", \"c\"\n\tlabel not in { \"a\", \"b\", \"c\", ... } + \ -> true if the value of label X is not one of \"a\", \"b\", \"c\"\n\thas(label_name) + \ -> True if that label is present\n\t! expr -> negation of expr\n\texpr + && expr -> Short-circuit and\n\texpr || expr -> Short-circuit + or\n\t( expr ) -> parens for grouping\n\tall() or the empty selector + -> matches all endpoints.\n\nLabel names are allowed to contain + alphanumerics, -, _ and /. String literals are more permissive\nbut + they do not support escape characters.\n\nExamples (with made-up + labels):\n\n\ttype == \"webserver\" && deployment == \"prod\"\n\ttype + in {\"frontend\", \"backend\"}\n\tdeployment != \"dev\"\n\t! has(label_name)" maxLength: 1024 type: string serviceAccountSelector: + description: + ServiceAccountSelector is an optional field for an expression + used to select a pod based on service accounts. maxLength: 1024 type: string stagedAction: default: Set + description: + The staged action. If this is omitted, the default is + Set. enum: - Set - Delete 
@@ -779,9 +1315,33 @@ spec: type: string tier: default: default + description: |- + The name of the tier that this policy belongs to. If this is omitted, the default + tier (name is "default") is assumed. The specified tier must exist in order to create + security policies within the tier, the "default" tier is created automatically if it + does not exist, this means for deployments requiring only a single Tier, the tier name + may be omitted on all policy management requests. type: string types: + description: |- + Types indicates whether this policy applies to ingress, or to egress, or to both. When + not explicitly specified (and so the value on creation is empty or nil), Calico defaults + Types according to what Ingress and Egress are present in the policy. The + default is: + + - [ PolicyTypeIngress ], if there are no Egress rules (including the case where there are + also no Ingress rules) + + - [ PolicyTypeEgress ], if there are Egress rules but no Ingress rules + + - [ PolicyTypeIngress, PolicyTypeEgress ], if there are both Ingress and Egress rules. + + When the policy is read back again, Types will always be one of these values, never empty + or nil. items: + description: + PolicyType enumerates the possible values of the PolicySpec + Types field. enum: - Ingress - Egress diff --git a/config/crd/projectcalico.org_tiers.yaml b/config/crd/projectcalico.org_tiers.yaml index 8c6406c5..0136cb1c 100644 --- a/config/crd/projectcalico.org_tiers.yaml +++ b/config/crd/projectcalico.org_tiers.yaml 
@@ -30,14 +30,32 @@ spec: name: v3 schema: openAPIV3Schema: + description: |- + Tier contains a set of policies that are applied to packets. Multiple tiers may + be created and each tier is applied in the order specified in the tier specification. + Tier is globally-scoped (i.e. not Namespaced). properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: + description: + TierSpec contains the specification for a security policy + tier resource. properties: defaultAction: allOf: 
@@ -50,37 +68,72 @@ spec: - Pass - Deny default: Deny + description: |- + DefaultAction specifies the action applied to traffic that matches a policy in the tier + but does not match any rule within that policy. + [Default: Deny] type: string order: + description: |- + Order is an optional field that specifies the order in which the tier is applied. + Tiers with higher "order" are applied after those with lower order. If the order + is omitted, it may be considered to be "infinite" - i.e. the tier will be applied + last. Tiers with identical order will be applied in alphanumerical order based + on the Tier "Name". type: number type: object status: + description: TierStatus contains the status of a Tier resource. properties: conditions: + description: |- + Conditions represents the latest observed set of conditions for the resource. A tier with a + "Ready" condition set to "True" is operating as expected. items: + description: + Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. 
format: int64 minimum: 0 type: integer reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ type: string status: + description: status of the condition, one of True, False, Unknown. enum: - "True" - "False" - Unknown type: string type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/config/crd/projectcalico.org_uisettings.yaml b/config/crd/projectcalico.org_uisettings.yaml index f1f851db..2ca0b647 100644 --- a/config/crd/projectcalico.org_uisettings.yaml +++ b/config/crd/projectcalico.org_uisettings.yaml 
@@ -17,52 +17,102 @@ spec: - name: v3 schema: openAPIV3Schema: + description: UISettings contains UI settings. properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: + description: + UISettingsSpec contains the specification for a UISettings + resource. properties: dashboard: + description: + Dashboard data. One of View, Layer or Dashboard should + be specified. 
properties: dashboardData: + description: Array of dashboard data items: properties: layout: + description: Layout information of the dashboard card properties: height: + description: Height of the dashboard card format: int32 type: integer index: + description: Index of the dashboard type: string isInNamespaceView: + description: + Whether this dashboard is in namespace + view or not type: boolean isResizable: + description: + Whether this dashboard card should be re-sizeable + or not type: boolean isVisible: + description: + Whether this dashboard card should be visible + or not type: boolean maxHeight: + description: + Maximum limit set for the size of the dashboard + card height format: int32 type: integer maxWidth: + description: + Maximum limit set for the size of the dashboard + card width format: int32 type: integer minHeight: + description: + Minimum limit set for the size of the dashboard + card height format: int32 type: integer minWidth: + description: + Minimum limit set for the size of the dashboard + card width format: int32 type: integer width: + description: Width of the dashboard card format: int32 type: integer xPos: + description: + X coordinate of the top-left corner of + the dashboard card format: int32 type: integer yPos: + description: + Y coordinate of the top-left corner of + the dashboard card format: int32 type: integer required: 
@@ -72,33 +122,56 @@ spec: - yPos type: object selectedNamespace: + description: Namespace user selected for the dashboard type: string type: + description: Type of the dashboard type: string type: object type: array x-kubernetes-list-type: atomic type: object description: + description: This description is displayed by the UI. type: string group: + description: + The settings group. Once configured this cannot be modified. + The group must exist. type: string layer: + description: + Layer data. One of View, Layer or Dashboard should be + specified. properties: color: + description: + The color used to represent the layer when an Icon + has not been specified. type: string icon: + description: + A user-configurable icon. If not specified, the default + layer icon is used for this layer node. type: string nodes: + description: The nodes that are aggregated into a single layer. items: + description: + UIGraphNode contains details about a graph node + so that the UI can render it correctly. properties: id: + description: The node ID. type: string name: + description: The node name. type: string namespace: + description: The node namespace. type: string type: + description: The node type. type: string required: - id 
@@ -111,15 +184,35 @@ spec: - nodes type: object user: + description: |- + The user associated with these settings. This is filled in by the APIServer on a create request if the owning + group is filtered by user. Cannot be modified. type: string view: + description: + View data. One of View, Layer or Dashboard should be + specified. properties: expandPorts: + description: + Whether ports are expanded. If false, port information + is aggregated. type: boolean followConnectionDirection: + description: + Whether or not to automatically follow directly connected + nodes. type: boolean hostAggregationSelectors: + description: |- + The set of selectors used to aggregate hosts (Kubernetes nodes). Nodes are aggregated based on the supplied set + of selectors. In the case of overlapping selectors, the order specified in the slice is the order checked and so + the first selector to match is used. The nodes will be aggregated into a graph node with the name specified in + the NamedSelector. items: + description: + A Calico format label selector with an associated + name. properties: name: type: string 
@@ -132,36 +225,72 @@ spec: type: array x-kubernetes-list-type: atomic layers: + description: |- + The set of layer names that are active in this view. Note that layers may be defined, but it is not necessary + to have each layer "active". Corresponds directly to the name of the UISettings resource that contains a layer + definition. items: type: string type: array x-kubernetes-list-type: atomic layoutType: + description: |- + Layout type. Semi-arbitrary value used to specify the layout-type/algorithm. For example could specify + different layout algorithms, or click-to-grid. Mostly here for future use. type: string nodes: + description: |- + Graph node specific view data. This provides information about what is in focus, expanded, hidden, + deemphasized etc. at a per-node level. items: + description: + UIGraphNodeView contains the view configuration + for a specific graph node. properties: deemphasize: + description: |- + Whether the UI should de-emphasize the node when visible. This is just a UI directive and does not correspond to + a backend parameter. type: boolean expanded: + description: |- + This node is expanded to the next level. This node can, for example, be a layer that is expanded into its + constituent parts. type: boolean followEgress: type: boolean followIngress: + description: |- + Whether the ingress/egress connections to/from this node are included in the graph. This effectively brings + more nodes into focus. type: boolean hide: + description: + Whether the UI should hide the node. This is + just a UI directive and does not correspond to a backend + parameter. type: boolean hideUnrelated: + description: |- + Whether the UI should hide unrelated nodes. This is just a UI directive and does not correspond to a backend + parameter. type: boolean id: + description: The node ID. type: string inFocus: + description: + This node is a primary focus of the graph (i.e. + the graph contains this node and connected nodes). 
type: boolean name: + description: The node name. type: string namespace: + description: The node namespace. type: string type: + description: The node type. type: string required: - id @@ -171,7 +300,9 @@ spec: type: array x-kubernetes-list-type: atomic positions: + description: Positions of graph nodes. items: + description: UI screen position. properties: id: type: string @@ -190,6 +321,10 @@ spec: type: array x-kubernetes-list-type: atomic splitIngressEgress: + description: |- + Whether to split HostEndpoints, NetworkSets and Networks into separate ingress and egress nodes or to combine + them. In a service-centric view, splitting these makes the graph clearer. This never splits pods which represent + a true microservice which has ingress and egress connections. type: boolean type: object required: diff --git a/config/crd/projectcalico.org_uisettingsgroups.yaml b/config/crd/projectcalico.org_uisettingsgroups.yaml index 5d0dcda0..5027068e 100644 --- a/config/crd/projectcalico.org_uisettingsgroups.yaml +++ b/config/crd/projectcalico.org_uisettingsgroups.yaml 
@@ -17,18 +17,58 @@ spec: - name: v3 schema: openAPIV3Schema: + description: |- + UISettingsGroup contains the settings that dictate how many UI settings may be created for a + specific cluster/user combination. UI settings may only be persisted if there is a + corresponding UISettingsGroup resource. properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: + description: + UISettingsGroupSpec contains the specification for a UISettingsGroup + resource. properties: description: + description: |- + This description is displayed by the UI when asking where to store any UI-specific settings + such as views, layers, dashboards etc. This name should be a short description that relates + the settings to the set of clusters defined below, the set of users or groups that are able to + access to these settings (defined via RBAC) or the set of applications common to the set of + users or groups that can access these settings. 
+ Examples might be: + - "cluster" when these settings apply to the whole cluster + - "global" when these settings apply to all clusters (in an Multi-Cluster environment) + - "security team" if these settings are accessible only to the security group and therefore + applicable to the applications accessible by that team + - "storefront" if these settings are accessible to all users and groups that can access the + storefront set of applications + - "user" if these settings are accessible to only a single user type: string filterType: + description: |- + The type of filter to use when listing and watching the UISettings associated with this group. If set to None + a List/watch of UISettings in this group will return all UISettings. If set to User a list/watch of UISettings + in this group will return only UISettings created by the user making the request. + For settings groups that are specific to users and where multiple users may access the settings in this group + we recommend setting this to "User" to avoid cluttering up the UI with settings for other users. + Note this is only a filter. Full lockdown of UISettings for specific users should be handled using appropriate + RBAC. enum: - None - User diff --git a/config/crd/usage.tigera.io_licenseusagereports.yaml b/config/crd/usage.tigera.io_licenseusagereports.yaml index 8438b172..59d3c097 100644 --- a/config/crd/usage.tigera.io_licenseusagereports.yaml +++ b/config/crd/usage.tigera.io_licenseusagereports.yaml 
@@ -19,8 +19,19 @@ spec: openAPIV3Schema: properties: apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -29,6 +40,9 @@ spec: hmac: type: string reportData: + description: |- + The base64-encoded JSON data for this report. The data represents an interval of time when license usage was + monitored in the cluster, along with data that binds the report to its cluster context. type: string required: - hmac diff --git a/metadata.mk b/metadata.mk index e7022bd5..8cb10c04 100644 --- a/metadata.mk +++ b/metadata.mk @@ -3,12 +3,12 @@ ################################################################################################# # Calico toolchain versions and the calico/base image to use. -GO_BUILD_VER=1.26.1-llvm20.1.8-k8s1.35.3 -RUST_BUILD_VER=1.93.1 +GO_BUILD_VER=1.26.2-llvm20.1.8-k8s1.35.3 +RUST_BUILD_VER=1.94.1 # Calico Enterprise shipping images now builds on UBI 10. For Calico OSS to Enterprise merges, # please don't downgrade the base image back to UBI 9. -CALICO_BASE_VER=ubi10-1774386983 +CALICO_BASE_VER=ubi10-1775601218 # Version of Kubernetes to use for tests, rancher/kubectl, and kubectl binary release. K8S_VERSION=v1.35.2 diff --git a/patches/0001-Add-nullable-to-IPAM-block-allocations-field.patch b/patches/0001-Add-nullable-to-IPAM-block-allocations-field.patch index ef91c963..053cdea4 100644 
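Review bot: In the second hunk of this file, `reportData` gains a description but the sibling `hmac` field just above it stays undocumented, so a reader of the CRD cannot tell what the HMAC is computed over or that it is meant to be checked before the report is trusted. The description text here is generated from the Go type's doc comment, so the fix belongs on the Go field backing `hmac` rather than in this YAML; a comment along the lines of `// HMAC over reportData that binds the report to its cluster context; consumers should verify it before acting on the report.` would carry through on the next regeneration, adjusted to whatever the signing code actually covers, which is not visible in this diff. The rest of both hunks is generated output and needs no change.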
--- a/patches/0001-Add-nullable-to-IPAM-block-allocations-field.patch +++ b/patches/0001-Add-nullable-to-IPAM-block-allocations-field.patch @@ -11,7 +11,7 @@ diff --git a/api/config/crd/projectcalico.org_ipamblocks.yaml b/api/config/crd/p index a6159008d1..20beb8de45 100644 --- a/api/config/crd/projectcalico.org_ipamblocks.yaml +++ b/api/config/crd/projectcalico.org_ipamblocks.yaml -@@ -44,6 +44,9 @@ spec: +@@ -48,6 +48,9 @@ spec: allocations: items: type: integer @@ -19,8 +19,8 @@ index a6159008d1..20beb8de45 100644 + # to handle []*int properly itself. + nullable: true type: array + x-kubernetes-list-type: atomic attributes: - items: -- 2.34.1 diff --git a/pkg/apis/projectcalico/v3/nodestatus.go b/pkg/apis/projectcalico/v3/nodestatus.go index 07aea4b0..50ec643a 100644 --- a/pkg/apis/projectcalico/v3/nodestatus.go +++ b/pkg/apis/projectcalico/v3/nodestatus.go @@ -159,7 +159,7 @@ type CalicoNodePeer struct { PeerIP string `json:"peerIP,omitempty" validate:"omitempty,ip"` // Type indicates whether this peer is configured via the node-to-node mesh, - // or via en explicit global or per-node BGPPeer object. + // or via an explicit global or per-node BGPPeer object. Type BGPPeerType `json:"type,omitempty"` // State is the BGP session state. diff --git a/pkg/client/applyconfiguration_generated/projectcalico/v3/caliconodepeer.go b/pkg/client/applyconfiguration_generated/projectcalico/v3/caliconodepeer.go index 81987d0a..34106914 100644 --- a/pkg/client/applyconfiguration_generated/projectcalico/v3/caliconodepeer.go +++ b/pkg/client/applyconfiguration_generated/projectcalico/v3/caliconodepeer.go 
@@ -16,7 +16,7 @@ type CalicoNodePeerApplyConfiguration struct {
 // IP address of the peer whose condition we are reporting.
 PeerIP *string `json:"peerIP,omitempty"`
 // Type indicates whether this peer is configured via the node-to-node mesh,
- // or via en explicit global or per-node BGPPeer object.
+ // or via an explicit global or per-node BGPPeer object.
 Type *projectcalicov3.BGPPeerType `json:"type,omitempty"`
 // State is the BGP session state.
 State *projectcalicov3.BGPSessionState `json:"state,omitempty"`
diff --git a/pkg/openapi/generated.openapi.go b/pkg/openapi/generated.openapi.go
index 6f1158d7..7722ff22 100644
--- a/pkg/openapi/generated.openapi.go
+++ b/pkg/openapi/generated.openapi.go
@@ -3750,7 +3750,7 @@ func schema_pkg_apis_projectcalico_v3_CalicoNodePeer(ref common.ReferenceCallbac
 },
 "type": {
 SchemaProps: spec.SchemaProps{
- Description: "Type indicates whether this peer is configured via the node-to-node mesh, or via en explicit global or per-node BGPPeer object.",
+ Description: "Type indicates whether this peer is configured via the node-to-node mesh, or via an explicit global or per-node BGPPeer object.",
 Type: []string{"string"},
 Format: "",
 },