From fb798d08d060555d36ba52bcd4c22a346a57e0ad Mon Sep 17 00:00:00 2001 From: Casey Davenport Date: Sat, 28 Mar 2026 23:27:14 -0700 Subject: [PATCH 1/2] Add probe timing overrides to container override types MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add ReadinessProbe and LivenessProbe fields of type ProbeOverride to all container override structs in the Installation API. This lets users tune probe PeriodSeconds, TimeoutSeconds, FailureThreshold, and InitialDelaySeconds through the standard deployment override mechanism without changing the probe handler (which the operator controls). The ProbeOverride type is intentionally minimal — it only exposes timing parameters since the operator must control what the probes actually check. Also adds a probes.ApplyOverride() helper in pkg/render/common/probes/ for render functions to apply overrides when constructing probes. --- api/v1/apiserver_types.go | 12 +- api/v1/benchmarker_types.go | 12 +- api/v1/calico_kubecontrollers_types.go | 12 +- api/v1/calico_node_types.go | 12 +- api/v1/calico_node_windows_types.go | 12 +- api/v1/compliance_controller_types.go | 12 +- api/v1/compliance_reporter_types.go | 12 +- api/v1/compliance_server_types.go | 12 +- api/v1/csi_node_driver.go | 12 +- api/v1/dashboards_job_types.go | 12 +- api/v1/dex_deployment_types.go | 12 +- api/v1/eckoperator_types.go | 12 +- api/v1/egressgateway_types.go | 12 +- api/v1/eks_logforwarder_types.go | 12 +- api/v1/elasticsearchmetric_types.go | 12 +- api/v1/esgateway_deployment_types.go | 12 +- api/v1/fluentd_daemonset_types.go | 12 +- api/v1/gatewayapi_types.go | 32 +- api/v1/guardian_deployment_types.go | 12 +- api/v1/intrusiondetection_types.go | 12 +- api/v1/kibana_types.go | 12 +- api/v1/l7_logcollector_types.go | 12 +- api/v1/linseed_deployment_types.go | 12 +- api/v1/manager_types.go | 12 +- api/v1/monitor_types.go | 12 +- api/v1/packetcaptureapi_types.go | 12 +- api/v1/policyrecommendation_types.go | 12 +- api/v1/probe_types.go | 37 + api/v1/snapshotter_deployment_types.go | 12 +- api/v1/typha_deployment_types.go | 12 +- api/v1/windows_upgrade_types.go | 12 +- api/v1/zz_generated.deepcopy.go | 355 +++++++++ .../operator.tigera.io_apiservers.yaml | 58 ++ .../operator.tigera.io_applicationlayers.yaml | 58 ++ .../operator.tigera.io_authentications.yaml | 58 ++ .../operator.tigera.io_compliances.yaml | 288 ++++++++ .../operator.tigera.io_egressgateways.yaml | 56 ++ .../operator.tigera.io_gatewayapis.yaml | 174 +++++ .../operator.tigera.io_installations.yaml | 696 ++++++++++++++++++ ...perator.tigera.io_intrusiondetections.yaml | 58 ++ .../operator.tigera.io_logcollectors.yaml | 116 +++ .../operator.tigera.io_logstorages.yaml | 290 ++++++++ ...igera.io_managementclusterconnections.yaml | 58 ++ .../operator/operator.tigera.io_managers.yaml | 58 ++ .../operator/operator.tigera.io_monitors.yaml | 56 ++ .../operator.tigera.io_packetcaptureapis.yaml | 58 ++ ...rator.tigera.io_policyrecommendations.yaml | 58 ++ .../operator/operator.tigera.io_tenants.yaml | 174 +++++ pkg/render/common/probes/probes.go | 43 ++ 49 files changed, 3099 insertions(+), 30 deletions(-) create mode 100644 api/v1/probe_types.go create mode 100644 pkg/render/common/probes/probes.go diff --git a/api/v1/apiserver_types.go b/api/v1/apiserver_types.go index fc3489bfe8..f567b405ba 100644 --- a/api/v1/apiserver_types.go +++ b/api/v1/apiserver_types.go @@ -1,4 +1,4 @@ -// Copyright (c) 2020-2025 Tigera, Inc. All rights reserved. +// Copyright (c) 2020-2026 Tigera, Inc. All rights reserved. /* @@ -89,6 +89,16 @@ type APIServerDeploymentContainer struct { // If used in conjunction with the deprecated ComponentResources, then this value takes precedence. // +optional Resources *v1.ResourceRequirements `json:"resources,omitempty"` + + // ReadinessProbe allows customization of the readiness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + ReadinessProbe *ProbeOverride `json:"readinessProbe,omitempty"` + + // LivenessProbe allows customization of the liveness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + LivenessProbe *ProbeOverride `json:"livenessProbe,omitempty"` } // APIServerDeploymentInitContainer is an API server Deployment init container. diff --git a/api/v1/benchmarker_types.go b/api/v1/benchmarker_types.go index 3e4ab80e10..087a9b11e9 100644 --- a/api/v1/benchmarker_types.go +++ b/api/v1/benchmarker_types.go @@ -1,4 +1,4 @@ -// Copyright (c) 2024 Tigera, Inc. All rights reserved. +// Copyright (c) 2024-2026 Tigera, Inc. All rights reserved. /* Licensed under the Apache License, Version 2.0 (the "License"); @@ -71,6 +71,16 @@ type ComplianceBenchmarkerDaemonSetContainer struct { // If omitted, the Compliance Benchmarker DaemonSet will use its default value for this container's resources. // +optional Resources *v1.ResourceRequirements `json:"resources,omitempty"` + + // ReadinessProbe allows customization of the readiness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + ReadinessProbe *ProbeOverride `json:"readinessProbe,omitempty"` + + // LivenessProbe allows customization of the liveness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + LivenessProbe *ProbeOverride `json:"livenessProbe,omitempty"` } // ComplianceBenchmarkerDaemonSetInitContainer is a Compliance Benchmarker DaemonSet init container. diff --git a/api/v1/calico_kubecontrollers_types.go b/api/v1/calico_kubecontrollers_types.go index 6251ed6179..75b9a8efd3 100644 --- a/api/v1/calico_kubecontrollers_types.go +++ b/api/v1/calico_kubecontrollers_types.go @@ -1,4 +1,4 @@ -// Copyright (c) 2022-2024 Tigera, Inc. All rights reserved. +// Copyright (c) 2022-2026 Tigera, Inc. All rights reserved. /* Licensed under the Apache License, Version 2.0 (the "License"); @@ -33,6 +33,16 @@ type CalicoKubeControllersDeploymentContainer struct { // If used in conjunction with the deprecated ComponentResources, then this value takes precedence. // +optional Resources *v1.ResourceRequirements `json:"resources,omitempty"` + + // ReadinessProbe allows customization of the readiness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + ReadinessProbe *ProbeOverride `json:"readinessProbe,omitempty"` + + // LivenessProbe allows customization of the liveness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + LivenessProbe *ProbeOverride `json:"livenessProbe,omitempty"` } // CalicoKubeControllersDeploymentPodSpec is the calico-kube-controller Deployment's PodSpec. diff --git a/api/v1/calico_node_types.go b/api/v1/calico_node_types.go index bd49f8b986..49f9f0cd8c 100644 --- a/api/v1/calico_node_types.go +++ b/api/v1/calico_node_types.go @@ -1,4 +1,4 @@ -// Copyright (c) 2022-2024 Tigera, Inc. All rights reserved. +// Copyright (c) 2022-2026 Tigera, Inc. All rights reserved. /* Licensed under the Apache License, Version 2.0 (the "License"); @@ -33,6 +33,16 @@ type CalicoNodeDaemonSetContainer struct { // If used in conjunction with the deprecated ComponentResources, then this value takes precedence. // +optional Resources *v1.ResourceRequirements `json:"resources,omitempty"` + + // ReadinessProbe allows customization of the readiness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + ReadinessProbe *ProbeOverride `json:"readinessProbe,omitempty"` + + // LivenessProbe allows customization of the liveness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + LivenessProbe *ProbeOverride `json:"livenessProbe,omitempty"` } // CalicoNodeDaemonSetInitContainer is a calico-node DaemonSet init container. diff --git a/api/v1/calico_node_windows_types.go b/api/v1/calico_node_windows_types.go index 27150d24da..acf1d8282f 100644 --- a/api/v1/calico_node_windows_types.go +++ b/api/v1/calico_node_windows_types.go @@ -1,4 +1,4 @@ -// Copyright (c) 2023-2024 Tigera, Inc. All rights reserved. +// Copyright (c) 2023-2026 Tigera, Inc. All rights reserved. /* Licensed under the Apache License, Version 2.0 (the "License"); @@ -33,6 +33,16 @@ type CalicoNodeWindowsDaemonSetContainer struct { // If used in conjunction with the deprecated ComponentResources, then this value takes precedence. // +optional Resources *v1.ResourceRequirements `json:"resources,omitempty"` + + // ReadinessProbe allows customization of the readiness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + ReadinessProbe *ProbeOverride `json:"readinessProbe,omitempty"` + + // LivenessProbe allows customization of the liveness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + LivenessProbe *ProbeOverride `json:"livenessProbe,omitempty"` } // CalicoNodeWindowsDaemonSetInitContainer is a calico-node-windows DaemonSet init container. diff --git a/api/v1/compliance_controller_types.go b/api/v1/compliance_controller_types.go index be98b4fd6e..9736a5e2d3 100644 --- a/api/v1/compliance_controller_types.go +++ b/api/v1/compliance_controller_types.go @@ -1,4 +1,4 @@ -// Copyright (c) 2024 Tigera, Inc. All rights reserved. +// Copyright (c) 2024-2026 Tigera, Inc. All rights reserved. /* Licensed under the Apache License, Version 2.0 (the "License"); @@ -71,6 +71,16 @@ type ComplianceControllerDeploymentContainer struct { // If omitted, the compliance controller Deployment will use its default value for this container's resources. // +optional Resources *v1.ResourceRequirements `json:"resources,omitempty"` + + // ReadinessProbe allows customization of the readiness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + ReadinessProbe *ProbeOverride `json:"readinessProbe,omitempty"` + + // LivenessProbe allows customization of the liveness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + LivenessProbe *ProbeOverride `json:"livenessProbe,omitempty"` } // ComplianceControllerDeploymentInitContainer is a compliance controller Deployment init container. diff --git a/api/v1/compliance_reporter_types.go b/api/v1/compliance_reporter_types.go index 8d9dbf9939..9c37e8f12d 100644 --- a/api/v1/compliance_reporter_types.go +++ b/api/v1/compliance_reporter_types.go @@ -1,4 +1,4 @@ -// Copyright (c) 2024 Tigera, Inc. All rights reserved. +// Copyright (c) 2024-2026 Tigera, Inc. All rights reserved. /* Licensed under the Apache License, Version 2.0 (the "License"); @@ -63,6 +63,16 @@ type ComplianceReporterPodTemplateContainer struct { // If omitted, the ComplianceServer Deployment will use its default value for this container's resources. // +optional Resources *v1.ResourceRequirements `json:"resources,omitempty"` + + // ReadinessProbe allows customization of the readiness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + ReadinessProbe *ProbeOverride `json:"readinessProbe,omitempty"` + + // LivenessProbe allows customization of the liveness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + LivenessProbe *ProbeOverride `json:"livenessProbe,omitempty"` } // ComplianceReporterPodTemplateInitContainer is a ComplianceServer Deployment init container. diff --git a/api/v1/compliance_server_types.go b/api/v1/compliance_server_types.go index e9a7d1d82f..52341575b6 100644 --- a/api/v1/compliance_server_types.go +++ b/api/v1/compliance_server_types.go @@ -1,4 +1,4 @@ -// Copyright (c) 2024 Tigera, Inc. All rights reserved. +// Copyright (c) 2024-2026 Tigera, Inc. All rights reserved. /* Licensed under the Apache License, Version 2.0 (the "License"); @@ -71,6 +71,16 @@ type ComplianceServerDeploymentContainer struct { // If omitted, the ComplianceServer Deployment will use its default value for this container's resources. // +optional Resources *v1.ResourceRequirements `json:"resources,omitempty"` + + // ReadinessProbe allows customization of the readiness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + ReadinessProbe *ProbeOverride `json:"readinessProbe,omitempty"` + + // LivenessProbe allows customization of the liveness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + LivenessProbe *ProbeOverride `json:"livenessProbe,omitempty"` } // ComplianceServerDeploymentInitContainer is a ComplianceServer Deployment init container. diff --git a/api/v1/csi_node_driver.go b/api/v1/csi_node_driver.go index e737986e61..872c172ba8 100644 --- a/api/v1/csi_node_driver.go +++ b/api/v1/csi_node_driver.go @@ -1,5 +1,5 @@ /* -Copyright (c) 2022-2024 Tigera, Inc. All rights reserved. +Copyright (c) 2022-2026 Tigera, Inc. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -32,6 +32,16 @@ type CSINodeDriverDaemonSetContainer struct { // If omitted, the csi-node-driver DaemonSet will use its default value for this container's resources. // +optional Resources *v1.ResourceRequirements `json:"resources,omitempty"` + + // ReadinessProbe allows customization of the readiness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + ReadinessProbe *ProbeOverride `json:"readinessProbe,omitempty"` + + // LivenessProbe allows customization of the liveness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + LivenessProbe *ProbeOverride `json:"livenessProbe,omitempty"` } // CSINodeDriverDaemonSetPodSpec is the csi-node-driver DaemonSet's PodSpec. diff --git a/api/v1/dashboards_job_types.go b/api/v1/dashboards_job_types.go index e9827031c0..0f2e8c524a 100644 --- a/api/v1/dashboards_job_types.go +++ b/api/v1/dashboards_job_types.go @@ -1,4 +1,4 @@ -// Copyright (c) 2024 Tigera, Inc. All rights reserved. +// Copyright (c) 2024-2026 Tigera, Inc. All rights reserved. /* Licensed under the Apache License, Version 2.0 (the "License"); @@ -66,4 +66,14 @@ type DashboardsJobContainer struct { // If omitted, the Dashboard Job will use its default value for this container's resources. // +optional Resources *v1.ResourceRequirements `json:"resources,omitempty"` + + // ReadinessProbe allows customization of the readiness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + ReadinessProbe *ProbeOverride `json:"readinessProbe,omitempty"` + + // LivenessProbe allows customization of the liveness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + LivenessProbe *ProbeOverride `json:"livenessProbe,omitempty"` } diff --git a/api/v1/dex_deployment_types.go b/api/v1/dex_deployment_types.go index f70d83f85e..ca8cf94357 100644 --- a/api/v1/dex_deployment_types.go +++ b/api/v1/dex_deployment_types.go @@ -1,4 +1,4 @@ -// Copyright (c) 2024 Tigera, Inc. All rights reserved. +// Copyright (c) 2024-2026 Tigera, Inc. All rights reserved. /* Licensed under the Apache License, Version 2.0 (the "License"); @@ -71,6 +71,16 @@ type DexDeploymentContainer struct { // If omitted, the Dex Deployment will use its default value for this container's resources. // +optional Resources *v1.ResourceRequirements `json:"resources,omitempty"` + + // ReadinessProbe allows customization of the readiness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + ReadinessProbe *ProbeOverride `json:"readinessProbe,omitempty"` + + // LivenessProbe allows customization of the liveness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + LivenessProbe *ProbeOverride `json:"livenessProbe,omitempty"` } // DexDeploymentInitContainer is a Dex Deployment init container. diff --git a/api/v1/eckoperator_types.go b/api/v1/eckoperator_types.go index 0226124ecc..f299bb88f8 100644 --- a/api/v1/eckoperator_types.go +++ b/api/v1/eckoperator_types.go @@ -1,4 +1,4 @@ -// Copyright (c) 2024 Tigera, Inc. All rights reserved. +// Copyright (c) 2024-2026 Tigera, Inc. All rights reserved. /* Licensed under the Apache License, Version 2.0 (the "License"); @@ -71,6 +71,16 @@ type ECKOperatorStatefulSetContainer struct { // If omitted, the ECKOperator StatefulSet will use its default value for this container's resources. // +optional Resources *v1.ResourceRequirements `json:"resources,omitempty"` + + // ReadinessProbe allows customization of the readiness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + ReadinessProbe *ProbeOverride `json:"readinessProbe,omitempty"` + + // LivenessProbe allows customization of the liveness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + LivenessProbe *ProbeOverride `json:"livenessProbe,omitempty"` } // ECKOperatorStatefulSetInitContainer is a ECKOperator StatefulSet init container. diff --git a/api/v1/egressgateway_types.go b/api/v1/egressgateway_types.go index 129f238784..0eeba71890 100644 --- a/api/v1/egressgateway_types.go +++ b/api/v1/egressgateway_types.go @@ -1,4 +1,4 @@ -// Copyright (c) 2023-2025 Tigera, Inc. All rights reserved. +// Copyright (c) 2023-2026 Tigera, Inc. All rights reserved. /* Licensed under the Apache License, Version 2.0 (the "License"); @@ -34,6 +34,16 @@ type EGWDeploymentContainer struct { // If used in conjunction with the deprecated ComponentResources, then this value takes precedence. // +optional Resources *v1.ResourceRequirements `json:"resources,omitempty"` + + // ReadinessProbe allows customization of the readiness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + ReadinessProbe *ProbeOverride `json:"readinessProbe,omitempty"` + + // LivenessProbe allows customization of the liveness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + LivenessProbe *ProbeOverride `json:"livenessProbe,omitempty"` } // EGWDeploymentInitContainer is a Egress Gateway Deployment init container. diff --git a/api/v1/eks_logforwarder_types.go b/api/v1/eks_logforwarder_types.go index cc0dfcf743..3d7fa2baec 100644 --- a/api/v1/eks_logforwarder_types.go +++ b/api/v1/eks_logforwarder_types.go @@ -1,4 +1,4 @@ -// Copyright (c) 2024 Tigera, Inc. All rights reserved. +// Copyright (c) 2024-2026 Tigera, Inc. All rights reserved. /* Licensed under the Apache License, Version 2.0 (the "License"); @@ -71,6 +71,16 @@ type EKSLogForwarderDeploymentContainer struct { // If omitted, the EKSLogForwarder Deployment will use its default value for this container's resources. // +optional Resources *v1.ResourceRequirements `json:"resources,omitempty"` + + // ReadinessProbe allows customization of the readiness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + ReadinessProbe *ProbeOverride `json:"readinessProbe,omitempty"` + + // LivenessProbe allows customization of the liveness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + LivenessProbe *ProbeOverride `json:"livenessProbe,omitempty"` } // EKSLogForwarderDeploymentInitContainer is a EKSLogForwarder Deployment init container. diff --git a/api/v1/elasticsearchmetric_types.go b/api/v1/elasticsearchmetric_types.go index 455da163b7..7e4081120c 100644 --- a/api/v1/elasticsearchmetric_types.go +++ b/api/v1/elasticsearchmetric_types.go @@ -1,4 +1,4 @@ -// Copyright (c) 2024 Tigera, Inc. All rights reserved. +// Copyright (c) 2024-2026 Tigera, Inc. All rights reserved. /* Licensed under the Apache License, Version 2.0 (the "License"); @@ -71,6 +71,16 @@ type ElasticsearchMetricsDeploymentContainer struct { // If omitted, the ElasticsearchMetrics Deployment will use its default value for this container's resources. // +optional Resources *v1.ResourceRequirements `json:"resources,omitempty"` + + // ReadinessProbe allows customization of the readiness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + ReadinessProbe *ProbeOverride `json:"readinessProbe,omitempty"` + + // LivenessProbe allows customization of the liveness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + LivenessProbe *ProbeOverride `json:"livenessProbe,omitempty"` } // ElasticsearchMetricsDeploymentInitContainer is a ElasticsearchMetricsDeployment init container. diff --git a/api/v1/esgateway_deployment_types.go b/api/v1/esgateway_deployment_types.go index 117c86de65..ab228fd931 100644 --- a/api/v1/esgateway_deployment_types.go +++ b/api/v1/esgateway_deployment_types.go @@ -1,4 +1,4 @@ -// Copyright (c) 2023-2024 Tigera, Inc. All rights reserved. +// Copyright (c) 2023-2026 Tigera, Inc. All rights reserved. /* Licensed under the Apache License, Version 2.0 (the "License"); @@ -71,6 +71,16 @@ type ESGatewayDeploymentContainer struct { // If omitted, the es-gateway Deployment will use its default value for this container's resources. // +optional Resources *v1.ResourceRequirements `json:"resources,omitempty"` + + // ReadinessProbe allows customization of the readiness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + ReadinessProbe *ProbeOverride `json:"readinessProbe,omitempty"` + + // LivenessProbe allows customization of the liveness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + LivenessProbe *ProbeOverride `json:"livenessProbe,omitempty"` } // ESGatewayDeploymentInitContainer is a es-gateway Deployment init container. diff --git a/api/v1/fluentd_daemonset_types.go b/api/v1/fluentd_daemonset_types.go index 7c1394ef62..1db6e847be 100644 --- a/api/v1/fluentd_daemonset_types.go +++ b/api/v1/fluentd_daemonset_types.go @@ -1,4 +1,4 @@ -// Copyright (c) 2024 Tigera, Inc. All rights reserved. +// Copyright (c) 2024-2026 Tigera, Inc. All rights reserved. /* Licensed under the Apache License, Version 2.0 (the "License"); @@ -71,6 +71,16 @@ type FluentdDaemonSetContainer struct { // If omitted, the Fluentd DaemonSet will use its default value for this container's resources. // +optional Resources *v1.ResourceRequirements `json:"resources,omitempty"` + + // ReadinessProbe allows customization of the readiness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + ReadinessProbe *ProbeOverride `json:"readinessProbe,omitempty"` + + // LivenessProbe allows customization of the liveness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + LivenessProbe *ProbeOverride `json:"livenessProbe,omitempty"` } // FluentdDaemonSetInitContainer is a Fluentd DaemonSet init container. diff --git a/api/v1/gatewayapi_types.go b/api/v1/gatewayapi_types.go index ddeec5cdac..a510a90885 100644 --- a/api/v1/gatewayapi_types.go +++ b/api/v1/gatewayapi_types.go @@ -1,4 +1,4 @@ -// Copyright (c) 2024-2025 Tigera, Inc. All rights reserved. +// Copyright (c) 2024-2026 Tigera, Inc. All rights reserved. /* Licensed under the Apache License, Version 2.0 (the "License"); @@ -153,6 +153,16 @@ type GatewayControllerDeploymentContainer struct { // +optional Resources *v1.ResourceRequirements `json:"resources,omitempty"` + + // ReadinessProbe allows customization of the readiness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + ReadinessProbe *ProbeOverride `json:"readinessProbe,omitempty"` + + // LivenessProbe allows customization of the liveness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + LivenessProbe *ProbeOverride `json:"livenessProbe,omitempty"` } // GatewayCertgenJob allows customization of the gateway certgen job. @@ -228,6 +238,16 @@ type GatewayCertgenJobContainer struct { // +optional Resources *v1.ResourceRequirements `json:"resources,omitempty"` + + // ReadinessProbe allows customization of the readiness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + ReadinessProbe *ProbeOverride `json:"readinessProbe,omitempty"` + + // LivenessProbe allows customization of the liveness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + LivenessProbe *ProbeOverride `json:"livenessProbe,omitempty"` } // GatewayDeployment allows customization of gateway deployments. @@ -313,6 +333,16 @@ type GatewayDeploymentContainer struct { // +optional Resources *v1.ResourceRequirements `json:"resources,omitempty"` + + // ReadinessProbe allows customization of the readiness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + ReadinessProbe *ProbeOverride `json:"readinessProbe,omitempty"` + + // LivenessProbe allows customization of the liveness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + LivenessProbe *ProbeOverride `json:"livenessProbe,omitempty"` } // GatewayDeploymentStrategy allows customization of the deployment strategy for gateway diff --git a/api/v1/guardian_deployment_types.go b/api/v1/guardian_deployment_types.go index c819f65382..7628b7f5bb 100644 --- a/api/v1/guardian_deployment_types.go +++ b/api/v1/guardian_deployment_types.go @@ -1,4 +1,4 @@ -// Copyright (c) 2024 Tigera, Inc. All rights reserved. +// Copyright (c) 2024-2026 Tigera, Inc. All rights reserved. /* Licensed under the Apache License, Version 2.0 (the "License"); @@ -71,6 +71,16 @@ type GuardianDeploymentContainer struct { // If omitted, the guardian Deployment will use its default value for this container's resources. // +optional Resources *v1.ResourceRequirements `json:"resources,omitempty"` + + // ReadinessProbe allows customization of the readiness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + ReadinessProbe *ProbeOverride `json:"readinessProbe,omitempty"` + + // LivenessProbe allows customization of the liveness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + LivenessProbe *ProbeOverride `json:"livenessProbe,omitempty"` } // GuardianDeploymentInitContainer is a guardian Deployment init container. diff --git a/api/v1/intrusiondetection_types.go b/api/v1/intrusiondetection_types.go index 3768db5c89..db0ddb524d 100644 --- a/api/v1/intrusiondetection_types.go +++ b/api/v1/intrusiondetection_types.go @@ -1,4 +1,4 @@ -// Copyright (c) 2020-2024 Tigera, Inc. All rights reserved. +// Copyright (c) 2020-2026 Tigera, Inc. All rights reserved. /* Licensed under the Apache License, Version 2.0 (the "License"); @@ -189,6 +189,16 @@ type IntrusionDetectionControllerDeploymentContainer struct { // If omitted, the IntrusionDetection Deployment will use its default value for this container's resources. // +optional Resources *corev1.ResourceRequirements `json:"resources,omitempty"` + + // ReadinessProbe allows customization of the readiness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + ReadinessProbe *ProbeOverride `json:"readinessProbe,omitempty"` + + // LivenessProbe allows customization of the liveness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + LivenessProbe *ProbeOverride `json:"livenessProbe,omitempty"` } // IntrusionDetectionControllerDeploymentInitContainer is a IntrusionDetectionController Deployment init container. diff --git a/api/v1/kibana_types.go b/api/v1/kibana_types.go index 5ad62b9d9f..0f4c36a937 100644 --- a/api/v1/kibana_types.go +++ b/api/v1/kibana_types.go @@ -1,4 +1,4 @@ -// Copyright (c) 2024 Tigera, Inc. All rights reserved. +// Copyright (c) 2024-2026 Tigera, Inc. All rights reserved. /* Licensed under the Apache License, Version 2.0 (the "License"); @@ -67,6 +67,16 @@ type KibanaContainer struct { // If omitted, the Kibana will use its default value for this container's resources. // +optional Resources *v1.ResourceRequirements `json:"resources,omitempty"` + + // ReadinessProbe allows customization of the readiness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + ReadinessProbe *ProbeOverride `json:"readinessProbe,omitempty"` + + // LivenessProbe allows customization of the liveness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + LivenessProbe *ProbeOverride `json:"livenessProbe,omitempty"` } // KibanaInitContainer is a Kibana init container. diff --git a/api/v1/l7_logcollector_types.go b/api/v1/l7_logcollector_types.go index fecff4ee86..f132aba9d7 100644 --- a/api/v1/l7_logcollector_types.go +++ b/api/v1/l7_logcollector_types.go @@ -1,4 +1,4 @@ -// Copyright (c) 2024 Tigera, Inc. All rights reserved. +// Copyright (c) 2024-2026 Tigera, Inc. All rights reserved. /* Licensed under the Apache License, Version 2.0 (the "License"); @@ -71,6 +71,16 @@ type L7LogCollectorDaemonSetContainer struct { // If omitted, the L7LogCollector DaemonSet will use its default value for this container's resources. // +optional Resources *v1.ResourceRequirements `json:"resources,omitempty"` + + // ReadinessProbe allows customization of the readiness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + ReadinessProbe *ProbeOverride `json:"readinessProbe,omitempty"` + + // LivenessProbe allows customization of the liveness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + LivenessProbe *ProbeOverride `json:"livenessProbe,omitempty"` } // L7LogCollectorDaemonSetInitContainer is a L7LogCollector DaemonSet init container. diff --git a/api/v1/linseed_deployment_types.go b/api/v1/linseed_deployment_types.go index 0c792c9f5a..0eb01b45ec 100644 --- a/api/v1/linseed_deployment_types.go +++ b/api/v1/linseed_deployment_types.go @@ -1,4 +1,4 @@ -// Copyright (c) 2023-2024 Tigera, Inc. All rights reserved. +// Copyright (c) 2023-2026 Tigera, Inc. All rights reserved. /* Licensed under the Apache License, Version 2.0 (the "License"); @@ -71,6 +71,16 @@ type LinseedDeploymentContainer struct { // If omitted, the linseed Deployment will use its default value for this container's resources. // +optional Resources *v1.ResourceRequirements `json:"resources,omitempty"` + + // ReadinessProbe allows customization of the readiness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + ReadinessProbe *ProbeOverride `json:"readinessProbe,omitempty"` + + // LivenessProbe allows customization of the liveness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + LivenessProbe *ProbeOverride `json:"livenessProbe,omitempty"` } // LinseedDeploymentInitContainer is a linseed Deployment init container. diff --git a/api/v1/manager_types.go b/api/v1/manager_types.go index c74758fc58..1377f88d90 100644 --- a/api/v1/manager_types.go +++ b/api/v1/manager_types.go @@ -1,4 +1,4 @@ -// Copyright (c) 2020-2024 Tigera, Inc. All rights reserved. +// Copyright (c) 2020-2026 Tigera, Inc. All rights reserved. /* Licensed under the Apache License, Version 2.0 (the "License"); @@ -76,6 +76,16 @@ type ManagerDeploymentContainer struct { // If omitted, the Manager Deployment will use its default value for this container's resources. // +optional Resources *v1.ResourceRequirements `json:"resources,omitempty"` + + // ReadinessProbe allows customization of the readiness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + ReadinessProbe *ProbeOverride `json:"readinessProbe,omitempty"` + + // LivenessProbe allows customization of the liveness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + LivenessProbe *ProbeOverride `json:"livenessProbe,omitempty"` } // ManagerDeploymentInitContainer is a Manager Deployment init container. diff --git a/api/v1/monitor_types.go b/api/v1/monitor_types.go index e354400eb0..74bf150656 100644 --- a/api/v1/monitor_types.go +++ b/api/v1/monitor_types.go @@ -1,4 +1,4 @@ -// Copyright (c) 2021-2024 Tigera, Inc. All rights reserved. +// Copyright (c) 2021-2026 Tigera, Inc. All rights reserved. /* Licensed under the Apache License, Version 2.0 (the "License"); @@ -166,6 +166,16 @@ type PrometheusContainer struct { // If omitted, the Prometheus will use its default value for this container's resources. // +optional Resources *corev1.ResourceRequirements `json:"resources,omitempty"` + + // ReadinessProbe allows customization of the readiness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + ReadinessProbe *ProbeOverride `json:"readinessProbe,omitempty"` + + // LivenessProbe allows customization of the liveness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + LivenessProbe *ProbeOverride `json:"livenessProbe,omitempty"` } type AlertManager struct { diff --git a/api/v1/packetcaptureapi_types.go b/api/v1/packetcaptureapi_types.go index 0ff7144bd3..31f295285a 100644 --- a/api/v1/packetcaptureapi_types.go +++ b/api/v1/packetcaptureapi_types.go @@ -1,4 +1,4 @@ -// Copyright (c) 2024 Tigera, Inc. All rights reserved. +// Copyright (c) 2024-2026 Tigera, Inc. All rights reserved. /* Licensed under the Apache License, Version 2.0 (the "License"); @@ -80,6 +80,16 @@ type PacketCaptureAPIDeploymentContainer struct { // If omitted, the PacketCaptureAPI Deployment will use its default value for this container's resources. // +optional Resources *v1.ResourceRequirements `json:"resources,omitempty"` + + // ReadinessProbe allows customization of the readiness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + ReadinessProbe *ProbeOverride `json:"readinessProbe,omitempty"` + + // LivenessProbe allows customization of the liveness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + LivenessProbe *ProbeOverride `json:"livenessProbe,omitempty"` } // PacketCaptureAPIDeploymentInitContainer is a PacketCaptureAPI Deployment init container. diff --git a/api/v1/policyrecommendation_types.go b/api/v1/policyrecommendation_types.go index b9143fa148..ad0ef51647 100644 --- a/api/v1/policyrecommendation_types.go +++ b/api/v1/policyrecommendation_types.go @@ -1,4 +1,4 @@ -// Copyright (c) 2023-2024 Tigera, Inc. All rights reserved. +// Copyright (c) 2023-2026 Tigera, Inc. All rights reserved. // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -79,6 +79,16 @@ type PolicyRecommendationDeploymentContainer struct { // If omitted, the PolicyRecommendation Deployment will use its default value for this container's resources. // +optional Resources *v1.ResourceRequirements `json:"resources,omitempty"` + + // ReadinessProbe allows customization of the readiness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + ReadinessProbe *ProbeOverride `json:"readinessProbe,omitempty"` + + // LivenessProbe allows customization of the liveness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + LivenessProbe *ProbeOverride `json:"livenessProbe,omitempty"` } // PolicyRecommendationDeploymentInitContainer is a PolicyRecommendation Deployment init container. diff --git a/api/v1/probe_types.go b/api/v1/probe_types.go new file mode 100644 index 0000000000..eb94b7b907 --- /dev/null +++ b/api/v1/probe_types.go @@ -0,0 +1,37 @@ +// Copyright (c) 2026 Tigera, Inc. All rights reserved. + +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package v1 + +// ProbeOverride allows customization of probe timing parameters without +// changing the probe handler itself (which the operator controls). +type ProbeOverride struct { + // PeriodSeconds is how often (in seconds) to perform the probe. + // +optional + PeriodSeconds *int32 `json:"periodSeconds,omitempty"` + + // TimeoutSeconds is the number of seconds after which the probe times out. + // +optional + TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty"` + + // FailureThreshold is the minimum consecutive failures for the probe + // to be considered failed after having succeeded. + // +optional + FailureThreshold *int32 `json:"failureThreshold,omitempty"` + + // InitialDelaySeconds is the number of seconds after the container + // starts before the probe is initiated. + // +optional + InitialDelaySeconds *int32 `json:"initialDelaySeconds,omitempty"` +} diff --git a/api/v1/snapshotter_deployment_types.go b/api/v1/snapshotter_deployment_types.go index 2ad5a5b416..b2dbd02fe7 100644 --- a/api/v1/snapshotter_deployment_types.go +++ b/api/v1/snapshotter_deployment_types.go @@ -1,4 +1,4 @@ -// Copyright (c) 2024 Tigera, Inc. All rights reserved. +// Copyright (c) 2024-2026 Tigera, Inc. All rights reserved. /* Licensed under the Apache License, Version 2.0 (the "License"); @@ -71,6 +71,16 @@ type ComplianceSnapshotterDeploymentContainer struct { // If omitted, the compliance snapshotter Deployment will use its default value for this container's resources. // +optional Resources *v1.ResourceRequirements `json:"resources,omitempty"` + + // ReadinessProbe allows customization of the readiness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + ReadinessProbe *ProbeOverride `json:"readinessProbe,omitempty"` + + // LivenessProbe allows customization of the liveness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + LivenessProbe *ProbeOverride `json:"livenessProbe,omitempty"` } // ComplianceSnapshotterDeploymentInitContainer is a compliance snapshotter Deployment init container. diff --git a/api/v1/typha_deployment_types.go b/api/v1/typha_deployment_types.go index 70aa447a7e..97b3c890e6 100644 --- a/api/v1/typha_deployment_types.go +++ b/api/v1/typha_deployment_types.go @@ -1,4 +1,4 @@ -// Copyright (c) 2022-2024 Tigera, Inc. All rights reserved. +// Copyright (c) 2022-2026 Tigera, Inc. All rights reserved. /* Licensed under the Apache License, Version 2.0 (the "License"); @@ -34,6 +34,16 @@ type TyphaDeploymentContainer struct { // If used in conjunction with the deprecated ComponentResources, then this value takes precedence. // +optional Resources *v1.ResourceRequirements `json:"resources,omitempty"` + + // ReadinessProbe allows customization of the readiness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + ReadinessProbe *ProbeOverride `json:"readinessProbe,omitempty"` + + // LivenessProbe allows customization of the liveness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + LivenessProbe *ProbeOverride `json:"livenessProbe,omitempty"` } // TyphaDeploymentInitContainer is a typha Deployment init container. diff --git a/api/v1/windows_upgrade_types.go b/api/v1/windows_upgrade_types.go index 723b68cc17..fc36e31fa1 100644 --- a/api/v1/windows_upgrade_types.go +++ b/api/v1/windows_upgrade_types.go @@ -1,4 +1,4 @@ -// Copyright (c) 2022-2024 Tigera, Inc. All rights reserved. +// Copyright (c) 2022-2026 Tigera, Inc. All rights reserved. /* Licensed under the Apache License, Version 2.0 (the "License"); @@ -31,6 +31,16 @@ type CalicoWindowsUpgradeDaemonSetContainer struct { // If omitted, the calico-windows-upgrade DaemonSet will use its default value for this container's resources. // +optional Resources *v1.ResourceRequirements `json:"resources,omitempty"` + + // ReadinessProbe allows customization of the readiness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + ReadinessProbe *ProbeOverride `json:"readinessProbe,omitempty"` + + // LivenessProbe allows customization of the liveness probe timing parameters. + // The probe handler is set by the operator and cannot be overridden. + // +optional + LivenessProbe *ProbeOverride `json:"livenessProbe,omitempty"` } // CalicoWindowsUpgradeDaemonSetPodSpec is the calico-windows-upgrade DaemonSet's PodSpec. diff --git a/api/v1/zz_generated.deepcopy.go b/api/v1/zz_generated.deepcopy.go index 7ed870d2f3..78fdf5a306 100644 --- a/api/v1/zz_generated.deepcopy.go +++ b/api/v1/zz_generated.deepcopy.go @@ -88,6 +88,16 @@ func (in *APIServerDeploymentContainer) DeepCopyInto(out *APIServerDeploymentCon *out = new(corev1.ResourceRequirements) (*in).DeepCopyInto(*out) } + if in.ReadinessProbe != nil { + in, out := &in.ReadinessProbe, &out.ReadinessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } + if in.LivenessProbe != nil { + in, out := &in.LivenessProbe, &out.LivenessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new APIServerDeploymentContainer. @@ -905,6 +915,16 @@ func (in *CSINodeDriverDaemonSetContainer) DeepCopyInto(out *CSINodeDriverDaemon *out = new(corev1.ResourceRequirements) (*in).DeepCopyInto(*out) } + if in.ReadinessProbe != nil { + in, out := &in.ReadinessProbe, &out.ReadinessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } + if in.LivenessProbe != nil { + in, out := &in.LivenessProbe, &out.LivenessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CSINodeDriverDaemonSetContainer. @@ -1041,6 +1061,16 @@ func (in *CalicoKubeControllersDeploymentContainer) DeepCopyInto(out *CalicoKube *out = new(corev1.ResourceRequirements) (*in).DeepCopyInto(*out) } + if in.ReadinessProbe != nil { + in, out := &in.ReadinessProbe, &out.ReadinessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } + if in.LivenessProbe != nil { + in, out := &in.LivenessProbe, &out.LivenessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CalicoKubeControllersDeploymentContainer. @@ -1254,6 +1284,16 @@ func (in *CalicoNodeDaemonSetContainer) DeepCopyInto(out *CalicoNodeDaemonSetCon *out = new(corev1.ResourceRequirements) (*in).DeepCopyInto(*out) } + if in.ReadinessProbe != nil { + in, out := &in.ReadinessProbe, &out.ReadinessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } + if in.LivenessProbe != nil { + in, out := &in.LivenessProbe, &out.LivenessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CalicoNodeDaemonSetContainer. @@ -1417,6 +1457,16 @@ func (in *CalicoNodeWindowsDaemonSetContainer) DeepCopyInto(out *CalicoNodeWindo *out = new(corev1.ResourceRequirements) (*in).DeepCopyInto(*out) } + if in.ReadinessProbe != nil { + in, out := &in.ReadinessProbe, &out.ReadinessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } + if in.LivenessProbe != nil { + in, out := &in.LivenessProbe, &out.LivenessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CalicoNodeWindowsDaemonSetContainer. @@ -1580,6 +1630,16 @@ func (in *CalicoWindowsUpgradeDaemonSetContainer) DeepCopyInto(out *CalicoWindow *out = new(corev1.ResourceRequirements) (*in).DeepCopyInto(*out) } + if in.ReadinessProbe != nil { + in, out := &in.ReadinessProbe, &out.ReadinessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } + if in.LivenessProbe != nil { + in, out := &in.LivenessProbe, &out.LivenessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CalicoWindowsUpgradeDaemonSetContainer. @@ -1781,6 +1841,16 @@ func (in *ComplianceBenchmarkerDaemonSetContainer) DeepCopyInto(out *ComplianceB *out = new(corev1.ResourceRequirements) (*in).DeepCopyInto(*out) } + if in.ReadinessProbe != nil { + in, out := &in.ReadinessProbe, &out.ReadinessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } + if in.LivenessProbe != nil { + in, out := &in.LivenessProbe, &out.LivenessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ComplianceBenchmarkerDaemonSetContainer. @@ -1910,6 +1980,16 @@ func (in *ComplianceControllerDeploymentContainer) DeepCopyInto(out *ComplianceC *out = new(corev1.ResourceRequirements) (*in).DeepCopyInto(*out) } + if in.ReadinessProbe != nil { + in, out := &in.ReadinessProbe, &out.ReadinessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } + if in.LivenessProbe != nil { + in, out := &in.LivenessProbe, &out.LivenessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ComplianceControllerDeploymentContainer. @@ -2100,6 +2180,16 @@ func (in *ComplianceReporterPodTemplateContainer) DeepCopyInto(out *ComplianceRe *out = new(corev1.ResourceRequirements) (*in).DeepCopyInto(*out) } + if in.ReadinessProbe != nil { + in, out := &in.ReadinessProbe, &out.ReadinessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } + if in.LivenessProbe != nil { + in, out := &in.LivenessProbe, &out.LivenessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ComplianceReporterPodTemplateContainer. @@ -2180,6 +2270,16 @@ func (in *ComplianceServerDeploymentContainer) DeepCopyInto(out *ComplianceServe *out = new(corev1.ResourceRequirements) (*in).DeepCopyInto(*out) } + if in.ReadinessProbe != nil { + in, out := &in.ReadinessProbe, &out.ReadinessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } + if in.LivenessProbe != nil { + in, out := &in.LivenessProbe, &out.LivenessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ComplianceServerDeploymentContainer. @@ -2309,6 +2409,16 @@ func (in *ComplianceSnapshotterDeploymentContainer) DeepCopyInto(out *Compliance *out = new(corev1.ResourceRequirements) (*in).DeepCopyInto(*out) } + if in.ReadinessProbe != nil { + in, out := &in.ReadinessProbe, &out.ReadinessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } + if in.LivenessProbe != nil { + in, out := &in.LivenessProbe, &out.LivenessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ComplianceSnapshotterDeploymentContainer. @@ -2602,6 +2712,16 @@ func (in *DashboardsJobContainer) DeepCopyInto(out *DashboardsJobContainer) { *out = new(corev1.ResourceRequirements) (*in).DeepCopyInto(*out) } + if in.ReadinessProbe != nil { + in, out := &in.ReadinessProbe, &out.ReadinessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } + if in.LivenessProbe != nil { + in, out := &in.LivenessProbe, &out.LivenessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DashboardsJobContainer. @@ -2724,6 +2844,16 @@ func (in *DexDeploymentContainer) DeepCopyInto(out *DexDeploymentContainer) { *out = new(corev1.ResourceRequirements) (*in).DeepCopyInto(*out) } + if in.ReadinessProbe != nil { + in, out := &in.ReadinessProbe, &out.ReadinessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } + if in.LivenessProbe != nil { + in, out := &in.LivenessProbe, &out.LivenessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DexDeploymentContainer. @@ -2853,6 +2983,16 @@ func (in *ECKOperatorStatefulSetContainer) DeepCopyInto(out *ECKOperatorStateful *out = new(corev1.ResourceRequirements) (*in).DeepCopyInto(*out) } + if in.ReadinessProbe != nil { + in, out := &in.ReadinessProbe, &out.ReadinessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } + if in.LivenessProbe != nil { + in, out := &in.LivenessProbe, &out.LivenessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ECKOperatorStatefulSetContainer. @@ -2962,6 +3102,16 @@ func (in *EGWDeploymentContainer) DeepCopyInto(out *EGWDeploymentContainer) { *out = new(corev1.ResourceRequirements) (*in).DeepCopyInto(*out) } + if in.ReadinessProbe != nil { + in, out := &in.ReadinessProbe, &out.ReadinessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } + if in.LivenessProbe != nil { + in, out := &in.LivenessProbe, &out.LivenessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EGWDeploymentContainer. @@ -3022,6 +3172,16 @@ func (in *EKSLogForwarderDeploymentContainer) DeepCopyInto(out *EKSLogForwarderD *out = new(corev1.ResourceRequirements) (*in).DeepCopyInto(*out) } + if in.ReadinessProbe != nil { + in, out := &in.ReadinessProbe, &out.ReadinessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } + if in.LivenessProbe != nil { + in, out := &in.LivenessProbe, &out.LivenessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EKSLogForwarderDeploymentContainer. @@ -3151,6 +3311,16 @@ func (in *ESGatewayDeploymentContainer) DeepCopyInto(out *ESGatewayDeploymentCon *out = new(corev1.ResourceRequirements) (*in).DeepCopyInto(*out) } + if in.ReadinessProbe != nil { + in, out := &in.ReadinessProbe, &out.ReadinessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } + if in.LivenessProbe != nil { + in, out := &in.LivenessProbe, &out.LivenessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ESGatewayDeploymentContainer. @@ -3585,6 +3755,16 @@ func (in *ElasticsearchMetricsDeploymentContainer) DeepCopyInto(out *Elasticsear *out = new(corev1.ResourceRequirements) (*in).DeepCopyInto(*out) } + if in.ReadinessProbe != nil { + in, out := &in.ReadinessProbe, &out.ReadinessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } + if in.LivenessProbe != nil { + in, out := &in.LivenessProbe, &out.LivenessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ElasticsearchMetricsDeploymentContainer. @@ -3800,6 +3980,16 @@ func (in *FluentdDaemonSetContainer) DeepCopyInto(out *FluentdDaemonSetContainer *out = new(corev1.ResourceRequirements) (*in).DeepCopyInto(*out) } + if in.ReadinessProbe != nil { + in, out := &in.ReadinessProbe, &out.ReadinessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } + if in.LivenessProbe != nil { + in, out := &in.LivenessProbe, &out.LivenessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FluentdDaemonSetContainer. @@ -4027,6 +4217,16 @@ func (in *GatewayCertgenJobContainer) DeepCopyInto(out *GatewayCertgenJobContain *out = new(corev1.ResourceRequirements) (*in).DeepCopyInto(*out) } + if in.ReadinessProbe != nil { + in, out := &in.ReadinessProbe, &out.ReadinessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } + if in.LivenessProbe != nil { + in, out := &in.LivenessProbe, &out.LivenessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GatewayCertgenJobContainer. @@ -4158,6 +4358,16 @@ func (in *GatewayControllerDeploymentContainer) DeepCopyInto(out *GatewayControl *out = new(corev1.ResourceRequirements) (*in).DeepCopyInto(*out) } + if in.ReadinessProbe != nil { + in, out := &in.ReadinessProbe, &out.ReadinessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } + if in.LivenessProbe != nil { + in, out := &in.LivenessProbe, &out.LivenessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GatewayControllerDeploymentContainer. @@ -4289,6 +4499,16 @@ func (in *GatewayDeploymentContainer) DeepCopyInto(out *GatewayDeploymentContain *out = new(corev1.ResourceRequirements) (*in).DeepCopyInto(*out) } + if in.ReadinessProbe != nil { + in, out := &in.ReadinessProbe, &out.ReadinessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } + if in.LivenessProbe != nil { + in, out := &in.LivenessProbe, &out.LivenessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GatewayDeploymentContainer. @@ -4467,6 +4687,16 @@ func (in *GuardianDeploymentContainer) DeepCopyInto(out *GuardianDeploymentConta *out = new(corev1.ResourceRequirements) (*in).DeepCopyInto(*out) } + if in.ReadinessProbe != nil { + in, out := &in.ReadinessProbe, &out.ReadinessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } + if in.LivenessProbe != nil { + in, out := &in.LivenessProbe, &out.LivenessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GuardianDeploymentContainer. @@ -5109,6 +5339,16 @@ func (in *IntrusionDetectionControllerDeploymentContainer) DeepCopyInto(out *Int *out = new(corev1.ResourceRequirements) (*in).DeepCopyInto(*out) } + if in.ReadinessProbe != nil { + in, out := &in.ReadinessProbe, &out.ReadinessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } + if in.LivenessProbe != nil { + in, out := &in.LivenessProbe, &out.LivenessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IntrusionDetectionControllerDeploymentContainer. @@ -5325,6 +5565,16 @@ func (in *KibanaContainer) DeepCopyInto(out *KibanaContainer) { *out = new(corev1.ResourceRequirements) (*in).DeepCopyInto(*out) } + if in.ReadinessProbe != nil { + in, out := &in.ReadinessProbe, &out.ReadinessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } + if in.LivenessProbe != nil { + in, out := &in.LivenessProbe, &out.LivenessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KibanaContainer. @@ -5454,6 +5704,16 @@ func (in *L7LogCollectorDaemonSetContainer) DeepCopyInto(out *L7LogCollectorDaem *out = new(corev1.ResourceRequirements) (*in).DeepCopyInto(*out) } + if in.ReadinessProbe != nil { + in, out := &in.ReadinessProbe, &out.ReadinessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } + if in.LivenessProbe != nil { + in, out := &in.LivenessProbe, &out.LivenessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new L7LogCollectorDaemonSetContainer. @@ -5583,6 +5843,16 @@ func (in *LinseedDeploymentContainer) DeepCopyInto(out *LinseedDeploymentContain *out = new(corev1.ResourceRequirements) (*in).DeepCopyInto(*out) } + if in.ReadinessProbe != nil { + in, out := &in.ReadinessProbe, &out.ReadinessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } + if in.LivenessProbe != nil { + in, out := &in.LivenessProbe, &out.LivenessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LinseedDeploymentContainer. @@ -6279,6 +6549,16 @@ func (in *ManagerDeploymentContainer) DeepCopyInto(out *ManagerDeploymentContain *out = new(corev1.ResourceRequirements) (*in).DeepCopyInto(*out) } + if in.ReadinessProbe != nil { + in, out := &in.ReadinessProbe, &out.ReadinessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } + if in.LivenessProbe != nil { + in, out := &in.LivenessProbe, &out.LivenessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ManagerDeploymentContainer. @@ -6841,6 +7121,16 @@ func (in *PacketCaptureAPIDeploymentContainer) DeepCopyInto(out *PacketCaptureAP *out = new(corev1.ResourceRequirements) (*in).DeepCopyInto(*out) } + if in.ReadinessProbe != nil { + in, out := &in.ReadinessProbe, &out.ReadinessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } + if in.LivenessProbe != nil { + in, out := &in.LivenessProbe, &out.LivenessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PacketCaptureAPIDeploymentContainer. @@ -7096,6 +7386,16 @@ func (in *PolicyRecommendationDeploymentContainer) DeepCopyInto(out *PolicyRecom *out = new(corev1.ResourceRequirements) (*in).DeepCopyInto(*out) } + if in.ReadinessProbe != nil { + in, out := &in.ReadinessProbe, &out.ReadinessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } + if in.LivenessProbe != nil { + in, out := &in.LivenessProbe, &out.LivenessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyRecommendationDeploymentContainer. @@ -7264,6 +7564,41 @@ func (in *PolicyRecommendationStatus) DeepCopy() *PolicyRecommendationStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ProbeOverride) DeepCopyInto(out *ProbeOverride) { + *out = *in + if in.PeriodSeconds != nil { + in, out := &in.PeriodSeconds, &out.PeriodSeconds + *out = new(int32) + **out = **in + } + if in.TimeoutSeconds != nil { + in, out := &in.TimeoutSeconds, &out.TimeoutSeconds + *out = new(int32) + **out = **in + } + if in.FailureThreshold != nil { + in, out := &in.FailureThreshold, &out.FailureThreshold + *out = new(int32) + **out = **in + } + if in.InitialDelaySeconds != nil { + in, out := &in.InitialDelaySeconds, &out.InitialDelaySeconds + *out = new(int32) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProbeOverride. +func (in *ProbeOverride) DeepCopy() *ProbeOverride { + if in == nil { + return nil + } + out := new(ProbeOverride) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Prometheus) DeepCopyInto(out *Prometheus) { *out = *in @@ -7292,6 +7627,16 @@ func (in *PrometheusContainer) DeepCopyInto(out *PrometheusContainer) { *out = new(corev1.ResourceRequirements) (*in).DeepCopyInto(*out) } + if in.ReadinessProbe != nil { + in, out := &in.ReadinessProbe, &out.ReadinessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } + if in.LivenessProbe != nil { + in, out := &in.LivenessProbe, &out.LivenessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PrometheusContainer. @@ -8008,6 +8353,16 @@ func (in *TyphaDeploymentContainer) DeepCopyInto(out *TyphaDeploymentContainer) *out = new(corev1.ResourceRequirements) (*in).DeepCopyInto(*out) } + if in.ReadinessProbe != nil { + in, out := &in.ReadinessProbe, &out.ReadinessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } + if in.LivenessProbe != nil { + in, out := &in.LivenessProbe, &out.LivenessProbe + *out = new(ProbeOverride) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TyphaDeploymentContainer. diff --git a/pkg/crds/operator/operator.tigera.io_apiservers.yaml b/pkg/crds/operator/operator.tigera.io_apiservers.yaml index 751933b0ff..d1d5497d15 100644 --- a/pkg/crds/operator/operator.tigera.io_apiservers.yaml +++ b/pkg/crds/operator/operator.tigera.io_apiservers.yaml @@ -1068,6 +1068,35 @@ spec: description: APIServerDeploymentContainer is an API server Deployment container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object name: description: |- Name is an enum which identifies the API server Deployment container by name. @@ -1077,6 +1106,35 @@ spec: - tigera-queryserver - calico-l7-admission-controller type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object resources: description: |- Resources allows customization of limits and requests for compute resources such as cpu and memory. diff --git a/pkg/crds/operator/operator.tigera.io_applicationlayers.yaml b/pkg/crds/operator/operator.tigera.io_applicationlayers.yaml index e7f99d2710..3579fa5936 100644 --- a/pkg/crds/operator/operator.tigera.io_applicationlayers.yaml +++ b/pkg/crds/operator/operator.tigera.io_applicationlayers.yaml @@ -90,6 +90,35 @@ spec: description: L7LogCollectorDaemonSetContainer is a L7LogCollector DaemonSet container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object name: description: |- Name is an enum which identifies the L7LogCollector DaemonSet container by name. @@ -99,6 +128,35 @@ spec: - envoy-proxy - dikastes type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object resources: description: |- Resources allows customization of limits and requests for compute resources such as cpu and memory. diff --git a/pkg/crds/operator/operator.tigera.io_authentications.yaml b/pkg/crds/operator/operator.tigera.io_authentications.yaml index ef8f3d2192..aef35f68ea 100644 --- a/pkg/crds/operator/operator.tigera.io_authentications.yaml +++ b/pkg/crds/operator/operator.tigera.io_authentications.yaml @@ -60,6 +60,35 @@ spec: description: DexDeploymentContainer is a Dex Deployment container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object name: description: |- Name is an enum which identifies the Dex Deployment container by name. @@ -67,6 +96,35 @@ spec: enum: - tigera-dex type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object resources: description: |- Resources allows customization of limits and requests for compute resources such as cpu and memory. diff --git a/pkg/crds/operator/operator.tigera.io_compliances.yaml b/pkg/crds/operator/operator.tigera.io_compliances.yaml index c5f2330a0b..3363a684b4 100644 --- a/pkg/crds/operator/operator.tigera.io_compliances.yaml +++ b/pkg/crds/operator/operator.tigera.io_compliances.yaml @@ -66,6 +66,35 @@ spec: description: ComplianceBenchmarkerDaemonSetContainer is a Compliance Benchmarker DaemonSet container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object name: description: |- Name is an enum which identifies the Compliance Benchmarker DaemonSet container by name. @@ -73,6 +102,35 @@ spec: enum: - compliance-benchmarker type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object resources: description: |- Resources allows customization of limits and requests for compute resources such as cpu and memory. @@ -248,6 +306,35 @@ spec: description: ComplianceControllerDeploymentContainer is a compliance controller Deployment container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object name: description: |- Name is an enum which identifies the compliance controller Deployment container by name. @@ -255,6 +342,35 @@ spec: enum: - compliance-controller type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object resources: description: |- Resources allows customization of limits and requests for compute resources such as cpu and memory. @@ -426,6 +542,34 @@ spec: description: ComplianceReporterPodTemplateContainer is a ComplianceServer Deployment container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often (in + seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number of + seconds after which the probe times out. + format: int32 + type: integer + type: object name: description: |- Name is an enum which identifies the ComplianceServer Deployment container by name. @@ -433,6 +577,34 @@ spec: enum: - reporter type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often (in + seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number of + seconds after which the probe times out. + format: int32 + type: integer + type: object resources: description: |- Resources allows customization of limits and requests for compute resources such as cpu and memory. @@ -607,6 +779,35 @@ spec: description: ComplianceServerDeploymentContainer is a ComplianceServer Deployment container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object name: description: |- Name is an enum which identifies the ComplianceServer Deployment container by name. @@ -614,6 +815,35 @@ spec: enum: - compliance-server type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object resources: description: |- Resources allows customization of limits and requests for compute resources such as cpu and memory. @@ -789,6 +1019,35 @@ spec: description: ComplianceSnapshotterDeploymentContainer is a compliance snapshotter Deployment container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object name: description: |- Name is an enum which identifies the compliance snapshotter Deployment container by name. @@ -796,6 +1055,35 @@ spec: enum: - compliance-snapshotter type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object resources: description: |- Resources allows customization of limits and requests for compute resources such as cpu and memory. diff --git a/pkg/crds/operator/operator.tigera.io_egressgateways.yaml b/pkg/crds/operator/operator.tigera.io_egressgateways.yaml index a6084a4a4d..a7b1d3d894 100644 --- a/pkg/crds/operator/operator.tigera.io_egressgateways.yaml +++ b/pkg/crds/operator/operator.tigera.io_egressgateways.yaml @@ -1163,6 +1163,34 @@ spec: description: EGWDeploymentContainer is a Egress Gateway Deployment container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often (in seconds) + to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number of seconds + after which the probe times out. + format: int32 + type: integer + type: object name: description: |- Name is an enum which identifies the EGW Deployment container by name. @@ -1170,6 +1198,34 @@ spec: enum: - calico-egw type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often (in seconds) + to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number of seconds + after which the probe times out. + format: int32 + type: integer + type: object resources: description: |- Resources allows customization of limits and requests for compute resources such as cpu and memory. diff --git a/pkg/crds/operator/operator.tigera.io_gatewayapis.yaml b/pkg/crds/operator/operator.tigera.io_gatewayapis.yaml index 7949ed52d0..52077d6d5a 100644 --- a/pkg/crds/operator/operator.tigera.io_gatewayapis.yaml +++ b/pkg/crds/operator/operator.tigera.io_gatewayapis.yaml @@ -1078,10 +1078,68 @@ spec: If GatewayCertgenJob.Spec.Template.Spec.Containers["envoy-gateway-certgen"].Resources is non-nil, it overrides the ResourceRequirements of the job's "envoy-gateway-certgen" container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object name: enum: - envoy-gateway-certgen type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object resources: description: ResourceRequirements describes the compute resource requirements. @@ -2224,10 +2282,68 @@ spec: If GatewayControllerDeployment.Spec.Template.Spec.Containers["envoy-gateway"].Resources is non-nil, it overrides the ResourceRequirements of the controller's "envoy-gateway" container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object name: enum: - envoy-gateway type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object resources: description: ResourceRequirements describes the compute resource requirements. @@ -3385,10 +3501,68 @@ spec: If GatewayDeployment.Spec.Template.Spec.Containers["envoy"].Resources is non-nil, it overrides the ResourceRequirements of the "envoy" container in each gateway deployment. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object name: enum: - envoy type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object resources: description: ResourceRequirements describes the compute resource requirements. diff --git a/pkg/crds/operator/operator.tigera.io_installations.yaml b/pkg/crds/operator/operator.tigera.io_installations.yaml index 3f71f96324..68dc4b95f4 100644 --- a/pkg/crds/operator/operator.tigera.io_installations.yaml +++ b/pkg/crds/operator/operator.tigera.io_installations.yaml @@ -1086,6 +1086,35 @@ spec: description: CalicoKubeControllersDeploymentContainer is a calico-kube-controllers Deployment container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object name: description: |- Name is an enum which identifies the calico-kube-controllers Deployment container by name. @@ -1094,6 +1123,35 @@ spec: - calico-kube-controllers - es-calico-kube-controllers type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object resources: description: |- Resources allows customization of limits and requests for compute resources such as cpu and memory. @@ -2493,6 +2551,35 @@ spec: description: CalicoNodeDaemonSetContainer is a calico-node DaemonSet container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object name: description: |- Name is an enum which identifies the calico-node DaemonSet container by name. @@ -2500,6 +2587,35 @@ spec: enum: - calico-node type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object resources: description: |- Resources allows customization of limits and requests for compute resources such as cpu and memory. @@ -3738,6 +3854,35 @@ spec: description: CalicoNodeWindowsDaemonSetContainer is a calico-node-windows DaemonSet container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object name: description: |- Name is an enum which identifies the calico-node-windows DaemonSet container by name. @@ -3745,6 +3890,35 @@ spec: enum: - calico-node-windows type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object resources: description: |- Resources allows customization of limits and requests for compute resources such as cpu and memory. @@ -4984,6 +5158,35 @@ spec: description: CalicoWindowsUpgradeDaemonSetContainer is a calico-windows-upgrade DaemonSet container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object name: description: Name is an enum which identifies the calico-windows-upgrade DaemonSet container @@ -4991,6 +5194,35 @@ spec: enum: - calico-windows-upgrade type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object resources: description: |- Resources allows customization of limits and requests for compute resources such as cpu and memory. @@ -6370,6 +6602,35 @@ spec: description: CSINodeDriverDaemonSetContainer is a csi-node-driver DaemonSet container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object name: description: |- Name is an enum which identifies the csi-node-driver DaemonSet container by name. @@ -6379,6 +6640,35 @@ spec: - csi-node-driver-registrar - csi-node-driver type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object resources: description: |- Resources allows customization of limits and requests for compute resources such as cpu and memory. @@ -7999,6 +8289,35 @@ spec: description: TyphaDeploymentContainer is a typha Deployment container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object name: description: |- Name is an enum which identifies the typha Deployment container by name. @@ -8006,6 +8325,35 @@ spec: enum: - calico-typha type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object resources: description: |- Resources allows customization of limits and requests for compute resources such as cpu and memory. @@ -9520,6 +9868,35 @@ spec: description: CalicoKubeControllersDeploymentContainer is a calico-kube-controllers Deployment container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object name: description: |- Name is an enum which identifies the calico-kube-controllers Deployment container by name. @@ -9528,6 +9905,35 @@ spec: - calico-kube-controllers - es-calico-kube-controllers type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object resources: description: |- Resources allows customization of limits and requests for compute resources such as cpu and memory. @@ -10944,6 +11350,35 @@ spec: description: CalicoNodeDaemonSetContainer is a calico-node DaemonSet container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object name: description: |- Name is an enum which identifies the calico-node DaemonSet container by name. @@ -10951,6 +11386,35 @@ spec: enum: - calico-node type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object resources: description: |- Resources allows customization of limits and requests for compute resources such as cpu and memory. @@ -12204,6 +12668,35 @@ spec: description: CalicoNodeWindowsDaemonSetContainer is a calico-node-windows DaemonSet container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object name: description: |- Name is an enum which identifies the calico-node-windows DaemonSet container by name. @@ -12211,6 +12704,35 @@ spec: enum: - calico-node-windows type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object resources: description: |- Resources allows customization of limits and requests for compute resources such as cpu and memory. @@ -13465,6 +13987,35 @@ spec: description: CalicoWindowsUpgradeDaemonSetContainer is a calico-windows-upgrade DaemonSet container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object name: description: Name is an enum which identifies the calico-windows-upgrade DaemonSet container @@ -13472,6 +14023,35 @@ spec: enum: - calico-windows-upgrade type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object resources: description: |- Resources allows customization of limits and requests for compute resources such as cpu and memory. @@ -14870,6 +15450,35 @@ spec: description: CSINodeDriverDaemonSetContainer is a csi-node-driver DaemonSet container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object name: description: |- Name is an enum which identifies the csi-node-driver DaemonSet container by name. @@ -14879,6 +15488,35 @@ spec: - csi-node-driver-registrar - csi-node-driver type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object resources: description: |- Resources allows customization of limits and requests for compute resources such as cpu and memory. @@ -16515,6 +17153,35 @@ spec: description: TyphaDeploymentContainer is a typha Deployment container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object name: description: |- Name is an enum which identifies the typha Deployment container by name. @@ -16522,6 +17189,35 @@ spec: enum: - calico-typha type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object resources: description: |- Resources allows customization of limits and requests for compute resources such as cpu and memory. diff --git a/pkg/crds/operator/operator.tigera.io_intrusiondetections.yaml b/pkg/crds/operator/operator.tigera.io_intrusiondetections.yaml index 0c4f53b5b9..3f734b1ed3 100644 --- a/pkg/crds/operator/operator.tigera.io_intrusiondetections.yaml +++ b/pkg/crds/operator/operator.tigera.io_intrusiondetections.yaml @@ -247,6 +247,35 @@ spec: description: IntrusionDetectionControllerDeploymentContainer is a IntrusionDetectionController Deployment container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object name: description: |- Name is an enum which identifies the IntrusionDetectionController Deployment container by name. @@ -255,6 +284,35 @@ spec: - controller - webhooks-processor type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object resources: description: |- Resources allows customization of limits and requests for compute resources such as cpu and memory. diff --git a/pkg/crds/operator/operator.tigera.io_logcollectors.yaml b/pkg/crds/operator/operator.tigera.io_logcollectors.yaml index c69c7692b6..061358351b 100644 --- a/pkg/crds/operator/operator.tigera.io_logcollectors.yaml +++ b/pkg/crds/operator/operator.tigera.io_logcollectors.yaml @@ -186,6 +186,35 @@ spec: description: EKSLogForwarderDeploymentContainer is a EKSLogForwarder Deployment container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object name: description: |- Name is an enum which identifies the EKSLogForwarder Deployment container by name. @@ -193,6 +222,35 @@ spec: enum: - eks-log-forwarder type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object resources: description: |- Resources allows customization of limits and requests for compute resources such as cpu and memory. @@ -365,6 +423,35 @@ spec: description: FluentdDaemonSetContainer is a Fluentd DaemonSet container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object name: description: |- Name is an enum which identifies the Fluentd DaemonSet container by name. @@ -372,6 +459,35 @@ spec: enum: - fluentd type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object resources: description: |- Resources allows customization of limits and requests for compute resources such as cpu and memory. diff --git a/pkg/crds/operator/operator.tigera.io_logstorages.yaml b/pkg/crds/operator/operator.tigera.io_logstorages.yaml index 9eeebc9b2f..2705474493 100644 --- a/pkg/crds/operator/operator.tigera.io_logstorages.yaml +++ b/pkg/crds/operator/operator.tigera.io_logstorages.yaml @@ -151,6 +151,35 @@ spec: description: ECKOperatorStatefulSetContainer is a ECKOperator StatefulSet container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object name: description: |- Name is an enum which identifies the ECKOperator StatefulSet container by name. @@ -158,6 +187,35 @@ spec: enum: - manager type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object resources: description: |- Resources allows customization of limits and requests for compute resources such as cpu and memory. @@ -331,6 +389,35 @@ spec: description: ElasticsearchMetricsDeploymentContainer is a ElasticsearchMetricsDeployment container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object name: description: |- Name is an enum which identifies the ElasticsearchMetricsDeployment container by name. @@ -338,6 +425,35 @@ spec: enum: - tigera-elasticsearch-metrics type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object resources: description: |- Resources allows customization of limits and requests for compute resources such as cpu and memory. @@ -510,6 +626,35 @@ spec: description: ESGatewayDeploymentContainer is a es-gateway Deployment container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object name: description: |- Name is an enum which identifies the es-gateway Deployment container by name. @@ -517,6 +662,35 @@ spec: enum: - tigera-secure-es-gateway type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object resources: description: |- Resources allows customization of limits and requests for compute resources such as cpu and memory. @@ -698,6 +872,35 @@ spec: items: description: KibanaContainer is a Kibana container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object name: description: |- Name is an enum which identifies the Kibana Deployment container by name. @@ -705,6 +908,35 @@ spec: enum: - kibana type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object resources: description: |- Resources allows customization of limits and requests for compute resources such as cpu and memory. @@ -878,6 +1110,35 @@ spec: description: LinseedDeploymentContainer is a linseed Deployment container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object name: description: |- Name is an enum which identifies the linseed Deployment container by name. @@ -885,6 +1146,35 @@ spec: enum: - tigera-linseed type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object resources: description: |- Resources allows customization of limits and requests for compute resources such as cpu and memory. diff --git a/pkg/crds/operator/operator.tigera.io_managementclusterconnections.yaml b/pkg/crds/operator/operator.tigera.io_managementclusterconnections.yaml index 4e085f0a0c..9d92a790be 100644 --- a/pkg/crds/operator/operator.tigera.io_managementclusterconnections.yaml +++ b/pkg/crds/operator/operator.tigera.io_managementclusterconnections.yaml @@ -63,6 +63,35 @@ spec: description: GuardianDeploymentContainer is a guardian Deployment container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object name: description: |- Name is an enum which identifies the guardian Deployment container by name. @@ -70,6 +99,35 @@ spec: enum: - tigera-guardian type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object resources: description: |- Resources allows customization of limits and requests for compute resources such as cpu and memory. diff --git a/pkg/crds/operator/operator.tigera.io_managers.yaml b/pkg/crds/operator/operator.tigera.io_managers.yaml index 16ba53461c..24f104d767 100644 --- a/pkg/crds/operator/operator.tigera.io_managers.yaml +++ b/pkg/crds/operator/operator.tigera.io_managers.yaml @@ -63,6 +63,35 @@ spec: description: ManagerDeploymentContainer is a Manager Deployment container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object name: description: |- Name is an enum which identifies the Manager Deployment container by name. @@ -73,6 +102,35 @@ spec: - tigera-es-proxy - tigera-ui-apis type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object resources: description: |- Resources allows customization of limits and requests for compute resources such as cpu and memory. diff --git a/pkg/crds/operator/operator.tigera.io_monitors.yaml b/pkg/crds/operator/operator.tigera.io_monitors.yaml index f2b7056d86..a335326d71 100644 --- a/pkg/crds/operator/operator.tigera.io_monitors.yaml +++ b/pkg/crds/operator/operator.tigera.io_monitors.yaml @@ -386,6 +386,34 @@ spec: items: description: PrometheusContainer is a Prometheus container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often (in + seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number of + seconds after which the probe times out. + format: int32 + type: integer + type: object name: description: |- Name is an enum which identifies the Prometheus Deployment container by name. @@ -393,6 +421,34 @@ spec: enum: - authn-proxy type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often (in + seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number of + seconds after which the probe times out. + format: int32 + type: integer + type: object resources: description: |- Resources allows customization of limits and requests for compute resources such as cpu and memory. diff --git a/pkg/crds/operator/operator.tigera.io_packetcaptureapis.yaml b/pkg/crds/operator/operator.tigera.io_packetcaptureapis.yaml index 3f408f977d..cbf266c250 100644 --- a/pkg/crds/operator/operator.tigera.io_packetcaptureapis.yaml +++ b/pkg/crds/operator/operator.tigera.io_packetcaptureapis.yaml @@ -64,6 +64,35 @@ spec: description: PacketCaptureAPIDeploymentContainer is a PacketCaptureAPI Deployment container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object name: description: |- Name is an enum which identifies the PacketCaptureAPI Deployment container by name. @@ -71,6 +100,35 @@ spec: enum: - tigera-packetcapture-server type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object resources: description: |- Resources allows customization of limits and requests for compute resources such as cpu and memory. diff --git a/pkg/crds/operator/operator.tigera.io_policyrecommendations.yaml b/pkg/crds/operator/operator.tigera.io_policyrecommendations.yaml index fcd34ee0ae..ab2aa1997c 100644 --- a/pkg/crds/operator/operator.tigera.io_policyrecommendations.yaml +++ b/pkg/crds/operator/operator.tigera.io_policyrecommendations.yaml @@ -67,6 +67,35 @@ spec: description: PolicyRecommendationDeploymentContainer is a PolicyRecommendation Deployment container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object name: description: |- Name is an enum which identifies the PolicyRecommendation Deployment container by name. @@ -74,6 +103,35 @@ spec: enum: - policy-recommendation-controller type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object resources: description: |- Resources allows customization of limits and requests for compute resources such as cpu and memory. diff --git a/pkg/crds/operator/operator.tigera.io_tenants.yaml b/pkg/crds/operator/operator.tigera.io_tenants.yaml index e3111f7530..6db519151c 100644 --- a/pkg/crds/operator/operator.tigera.io_tenants.yaml +++ b/pkg/crds/operator/operator.tigera.io_tenants.yaml @@ -65,6 +65,35 @@ spec: description: DashboardsJobContainer is the Dashboards job container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object name: description: |- Name is an enum which identifies the Dashboard Job container by name. @@ -72,6 +101,35 @@ spec: enum: - dashboards-installer type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object resources: description: |- Resources allows customization of limits and requests for compute resources such as cpu and memory. @@ -1184,6 +1242,35 @@ spec: description: CalicoKubeControllersDeploymentContainer is a calico-kube-controllers Deployment container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object name: description: |- Name is an enum which identifies the calico-kube-controllers Deployment container by name. @@ -1192,6 +1279,35 @@ spec: - calico-kube-controllers - es-calico-kube-controllers type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object resources: description: |- Resources allows customization of limits and requests for compute resources such as cpu and memory. @@ -1377,6 +1493,35 @@ spec: description: LinseedDeploymentContainer is a linseed Deployment container. properties: + livenessProbe: + description: |- + LivenessProbe allows customization of the liveness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object name: description: |- Name is an enum which identifies the linseed Deployment container by name. @@ -1384,6 +1529,35 @@ spec: enum: - tigera-linseed type: string + readinessProbe: + description: |- + ReadinessProbe allows customization of the readiness probe timing parameters. + The probe handler is set by the operator and cannot be overridden. + properties: + failureThreshold: + description: |- + FailureThreshold is the minimum consecutive failures for the probe + to be considered failed after having succeeded. + format: int32 + type: integer + initialDelaySeconds: + description: |- + InitialDelaySeconds is the number of seconds after the container + starts before the probe is initiated. + format: int32 + type: integer + periodSeconds: + description: PeriodSeconds is how often + (in seconds) to perform the probe. + format: int32 + type: integer + timeoutSeconds: + description: TimeoutSeconds is the number + of seconds after which the probe times + out. + format: int32 + type: integer + type: object resources: description: |- Resources allows customization of limits and requests for compute resources such as cpu and memory. diff --git a/pkg/render/common/probes/probes.go b/pkg/render/common/probes/probes.go new file mode 100644 index 0000000000..155dd4c506 --- /dev/null +++ b/pkg/render/common/probes/probes.go @@ -0,0 +1,43 @@ +// Copyright (c) 2026 Tigera, Inc. All rights reserved. + +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package probes + +import ( + corev1 "k8s.io/api/core/v1" + + operatorv1 "github.com/tigera/operator/api/v1" +) + +// ApplyOverride applies user-provided probe timing overrides to a probe. +// The probe handler is not modified — only timing parameters are overridden. +// If override is nil, the probe is returned unchanged. +func ApplyOverride(probe *corev1.Probe, override *operatorv1.ProbeOverride) *corev1.Probe { + if probe == nil || override == nil { + return probe + } + if override.PeriodSeconds != nil { + probe.PeriodSeconds = *override.PeriodSeconds + } + if override.TimeoutSeconds != nil { + probe.TimeoutSeconds = *override.TimeoutSeconds + } + if override.FailureThreshold != nil { + probe.FailureThreshold = *override.FailureThreshold + } + if override.InitialDelaySeconds != nil { + probe.InitialDelaySeconds = *override.InitialDelaySeconds + } + return probe +} From 8d4abb8e89f672c81b6d8caae5a4dedd12cfc4dc Mon Sep 17 00:00:00 2001 From: Casey Davenport Date: Sat, 28 Mar 2026 23:52:51 -0700 Subject: [PATCH 2/2] Add probe override merge logic, tests, and gen-files output Wire ProbeOverride fields into the container override merge path: - mergeContainerOverrides applies resource, readiness, and liveness probe overrides from the Installation API to rendered containers - valueToContainerOverrides extracts all override fields via reflection - Add DaemonSet test entry verifying probe period/timeout overrides - Add unit tests for probes.ApplyOverride helper - Include gen-files output (CRDs, deepcopy) --- ...d.projectcalico.org_bgpconfigurations.yaml | 309 +- .../crd.projectcalico.org_bgpfilters.yaml | 707 ++- .../crd.projectcalico.org_bgppeers.yaml | 249 +- ...crd.projectcalico.org_blockaffinities.yaml | 81 +- ....projectcalico.org_caliconodestatuses.yaml | 418 +- ...projectcalico.org_clusterinformations.yaml | 76 +- ...projectcalico.org_felixconfigurations.yaml | 2505 ++++++----- ...ojectcalico.org_globalnetworkpolicies.yaml | 1315 ++---- ...d.projectcalico.org_globalnetworksets.yaml | 60 +- .../crd.projectcalico.org_hostendpoints.yaml | 151 +- .../crd.projectcalico.org_ipamblocks.yaml | 167 +- .../crd.projectcalico.org_ipamconfigs.yaml | 77 +- .../crd.projectcalico.org_ipamhandles.yaml | 69 +- .../calico/crd.projectcalico.org_ippools.yaml | 204 +- .../crd.projectcalico.org_ipreservations.yaml | 59 +- ...ico.org_kubecontrollersconfigurations.yaml | 507 +-- ...crd.projectcalico.org_networkpolicies.yaml | 1265 ++---- .../crd.projectcalico.org_networksets.yaml | 58 +- ...alico.org_stagedglobalnetworkpolicies.yaml | 1328 ++---- ...o.org_stagedkubernetesnetworkpolicies.yaml | 697 +-- ...ojectcalico.org_stagednetworkpolicies.yaml | 1278 ++---- .../calico/crd.projectcalico.org_tiers.yaml | 94 +- ...etworking.k8s.io_adminnetworkpolicies.yaml | 1082 ----- ...g.k8s.io_baselineadminnetworkpolicies.yaml | 1057 ----- ...working.k8s.io_clusternetworkpolicies.yaml | 1184 +++++ pkg/crds/enterprise/01-crd-eck-agent.yaml | 1090 ----- pkg/crds/enterprise/01-crd-eck-apmserver.yaml | 1182 ----- .../enterprise/01-crd-eck-autoscaling.yaml | 319 -- pkg/crds/enterprise/01-crd-eck-beat.yaml | 455 -- .../01-crd-eck-elasticmapsserver.yaml | 580 --- .../enterprise/01-crd-eck-elasticsearch.yaml | 2688 ----------- .../01-crd-eck-enterprisesearch.yaml | 1126 ----- pkg/crds/enterprise/01-crd-eck-kibana.yaml | 1265 ------ pkg/crds/enterprise/01-crd-eck-logstash.yaml | 1133 ----- .../01-crd-eck-stackconfigpolicy.yaml | 359 -- ...crd.projectcalico.org_alertexceptions.yaml | 90 +- ...d.projectcalico.org_bfdconfigurations.yaml | 113 +- ...d.projectcalico.org_bgpconfigurations.yaml | 319 +- .../crd.projectcalico.org_bgpfilters.yaml | 707 ++- .../crd.projectcalico.org_bgppeers.yaml | 289 +- ...crd.projectcalico.org_blockaffinities.yaml | 81 +- ....projectcalico.org_caliconodestatuses.yaml | 418 +- ...projectcalico.org_clusterinformations.yaml | 84 +- ...ojectcalico.org_deeppacketinspections.yaml | 134 +- ...ojectcalico.org_egressgatewaypolicies.yaml | 125 +- ...rd.projectcalico.org_externalnetworks.yaml | 62 +- ...projectcalico.org_felixconfigurations.yaml | 3924 +++++++++-------- .../crd.projectcalico.org_globalalerts.yaml | 244 +- ...rojectcalico.org_globalalerttemplates.yaml | 181 +- ...ojectcalico.org_globalnetworkpolicies.yaml | 1401 +++--- ...d.projectcalico.org_globalnetworksets.yaml | 74 +- .../crd.projectcalico.org_globalreports.yaml | 556 +-- ...d.projectcalico.org_globalreporttypes.yaml | 167 +- ...d.projectcalico.org_globalthreatfeeds.yaml | 327 +- .../crd.projectcalico.org_hostendpoints.yaml | 151 +- .../crd.projectcalico.org_ipamblocks.yaml | 167 +- .../crd.projectcalico.org_ipamconfigs.yaml | 77 +- .../crd.projectcalico.org_ipamhandles.yaml | 69 +- .../crd.projectcalico.org_ippools.yaml | 215 +- .../crd.projectcalico.org_ipreservations.yaml | 59 +- ...ico.org_kubecontrollersconfigurations.yaml | 535 ++- .../crd.projectcalico.org_licensekeys.yaml | 146 +- ...crd.projectcalico.org_managedclusters.yaml | 109 +- ...crd.projectcalico.org_networkpolicies.yaml | 1351 +++--- .../crd.projectcalico.org_networksets.yaml | 72 +- .../crd.projectcalico.org_packetcaptures.yaml | 204 +- ...calico.org_policyrecommendationscopes.yaml | 156 +- ...alico.org_remoteclusterconfigurations.yaml | 238 +- ...ojectcalico.org_securityeventwebhooks.yaml | 257 +- ...alico.org_stagedglobalnetworkpolicies.yaml | 1414 +++--- ...o.org_stagedkubernetesnetworkpolicies.yaml | 697 +-- ...ojectcalico.org_stagednetworkpolicies.yaml | 1364 +++--- .../crd.projectcalico.org_tiers.yaml | 94 +- .../crd.projectcalico.org_uisettings.yaml | 473 +- ...rd.projectcalico.org_uisettingsgroups.yaml | 87 +- ...etworking.k8s.io_adminnetworkpolicies.yaml | 1953 ++++---- ...g.k8s.io_baselineadminnetworkpolicies.yaml | 1904 ++++---- .../usage.tigera.io_licenseusagereports.yaml | 65 +- pkg/render/common/components/components.go | 106 +- .../common/components/components_test.go | 36 +- pkg/render/common/probes/probes_test.go | 107 + 81 files changed, 16109 insertions(+), 30487 deletions(-) delete mode 100644 pkg/crds/calico/policy.networking.k8s.io_adminnetworkpolicies.yaml delete mode 100644 pkg/crds/calico/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml create mode 100644 pkg/crds/calico/policy.networking.k8s.io_clusternetworkpolicies.yaml delete mode 100644 pkg/crds/enterprise/01-crd-eck-agent.yaml delete mode 100644 pkg/crds/enterprise/01-crd-eck-apmserver.yaml delete mode 100644 pkg/crds/enterprise/01-crd-eck-autoscaling.yaml delete mode 100644 pkg/crds/enterprise/01-crd-eck-beat.yaml delete mode 100644 pkg/crds/enterprise/01-crd-eck-elasticmapsserver.yaml delete mode 100644 pkg/crds/enterprise/01-crd-eck-elasticsearch.yaml delete mode 100644 pkg/crds/enterprise/01-crd-eck-enterprisesearch.yaml delete mode 100644 pkg/crds/enterprise/01-crd-eck-kibana.yaml delete mode 100644 pkg/crds/enterprise/01-crd-eck-logstash.yaml delete mode 100644 pkg/crds/enterprise/01-crd-eck-stackconfigpolicy.yaml create mode 100644 pkg/render/common/probes/probes_test.go diff --git a/pkg/crds/calico/crd.projectcalico.org_bgpconfigurations.yaml b/pkg/crds/calico/crd.projectcalico.org_bgpconfigurations.yaml index 7a92d3ea82..bd5407355f 100644 --- a/pkg/crds/calico/crd.projectcalico.org_bgpconfigurations.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_bgpconfigurations.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: bgpconfigurations.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,176 +14,155 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - description: BGPConfiguration contains the configuration for any BGP routing. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: BGPConfigurationSpec contains the values of the BGP configuration. - properties: - asNumber: - description: 'ASNumber is the default AS number used by a node. [Default: - 64512]' - format: int32 - type: integer - bindMode: - description: |- - BindMode indicates whether to listen for BGP connections on all addresses (None) - or only on the node's canonical IP address Node.Spec.BGP.IPvXAddress (NodeIP). - Default behaviour is to listen for BGP connections on all addresses. - type: string - communities: - description: Communities is a list of BGP community values and their - arbitrary names for tagging routes. - items: - description: Community contains standard or large community value - and its name. + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + asNumber: + format: int32 + type: integer + bindMode: + enum: + - None + - NodeIP + type: string + communities: + items: + properties: + name: + type: string + value: + pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$ + type: string + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: set + ignoredInterfaces: + items: + type: string + type: array + x-kubernetes-list-type: set + ipv4NormalRoutePriority: + maximum: 2147483646 + minimum: 1 + type: integer + ipv6NormalRoutePriority: + maximum: 2147483646 + minimum: 1 + type: integer + listenPort: + maximum: 65535 + minimum: 1 + type: integer + localWorkloadPeeringIPV4: + type: string + localWorkloadPeeringIPV6: + type: string + logSeverityScreen: + default: Info + pattern: ^(?i)(Trace|Debug|Info|Warning|Error|Fatal)?$ + type: string + nodeMeshMaxRestartTime: + type: string + nodeMeshPassword: properties: - name: - description: Name given to community value. - type: string - value: - description: |- - Value must be of format `aa:nn` or `aa:nn:mm`. - For standard community use `aa:nn` format, where `aa` and `nn` are 16 bit number. - For large community use `aa:nn:mm` format, where `aa`, `nn` and `mm` are 32 bit number. - Where, `aa` is an AS Number, `nn` and `mm` are per-AS identifier. - pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$ - type: string + secretKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic type: object - type: array - ignoredInterfaces: - description: IgnoredInterfaces indicates the network interfaces that - needs to be excluded when reading device routes. - items: + nodeToNodeMeshEnabled: + type: boolean + prefixAdvertisements: + items: + properties: + cidr: + format: cidr + type: string + communities: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: set + programClusterRoutes: + enum: + - Enabled + - Disabled type: string - type: array - listenPort: - description: ListenPort is the port where BGP protocol should listen. - Defaults to 179 - maximum: 65535 - minimum: 1 - type: integer - logSeverityScreen: - description: 'LogSeverityScreen is the log severity above which logs - are sent to the stdout. [Default: INFO]' - type: string - nodeMeshMaxRestartTime: - description: |- - Time to allow for software restart for node-to-mesh peerings. When specified, this is configured - as the graceful restart timeout. When not specified, the BIRD default of 120s is used. - This field can only be set on the default BGPConfiguration instance and requires that NodeMesh is enabled - type: string - nodeMeshPassword: - description: |- - Optional BGP password for full node-to-mesh peerings. - This field can only be set on the default BGPConfiguration instance and requires that NodeMesh is enabled - properties: - secretKeyRef: - description: Selects a key of a secret in the node pod's namespace. + serviceClusterIPs: + items: properties: - key: - description: The key of the secret to select from. Must be - a valid secret key. + cidr: + format: cidr type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: set + serviceExternalIPs: + items: + properties: + cidr: + format: cidr type: string - optional: - description: Specify whether the Secret or its key must be - defined - type: boolean - required: - - key type: object x-kubernetes-map-type: atomic - type: object - nodeToNodeMeshEnabled: - description: 'NodeToNodeMeshEnabled sets whether full node to node - BGP mesh is enabled. [Default: true]' - type: boolean - prefixAdvertisements: - description: PrefixAdvertisements contains per-prefix advertisement - configuration. - items: - description: PrefixAdvertisement configures advertisement properties - for the specified CIDR. - properties: - cidr: - description: CIDR for which properties should be advertised. - type: string - communities: - description: |- - Communities can be list of either community names already defined in `Specs.Communities` or community value of format `aa:nn` or `aa:nn:mm`. - For standard community use `aa:nn` format, where `aa` and `nn` are 16 bit number. - For large community use `aa:nn:mm` format, where `aa`, `nn` and `mm` are 32 bit number. - Where,`aa` is an AS Number, `nn` and `mm` are per-AS identifier. - items: + type: array + x-kubernetes-list-type: set + serviceLoadBalancerAggregation: + default: Enabled + enum: + - Enabled + - Disabled + type: string + serviceLoadBalancerIPs: + items: + properties: + cidr: + format: cidr type: string - type: array - type: object - type: array - serviceClusterIPs: - description: |- - ServiceClusterIPs are the CIDR blocks from which service cluster IPs are allocated. - If specified, Calico will advertise these blocks, as well as any cluster IPs within them. - items: - description: ServiceClusterIPBlock represents a single allowed ClusterIP - CIDR block. - properties: - cidr: - type: string - type: object - type: array - serviceExternalIPs: - description: |- - ServiceExternalIPs are the CIDR blocks for Kubernetes Service External IPs. - Kubernetes Service ExternalIPs will only be advertised if they are within one of these blocks. - items: - description: ServiceExternalIPBlock represents a single allowed - External IP CIDR block. - properties: - cidr: - type: string - type: object - type: array - serviceLoadBalancerIPs: - description: |- - ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes Service LoadBalancer IPs. - Kubernetes Service status.LoadBalancer.Ingress IPs will only be advertised if they are within one of these blocks. - items: - description: ServiceLoadBalancerIPBlock represents a single allowed - LoadBalancer IP CIDR block. - properties: - cidr: - type: string - type: object - type: array - type: object - type: object - served: true - storage: true + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: set + type: object + x-kubernetes-validations: + - message: + nodeMeshPassword cannot be set when nodeToNodeMeshEnabled is + false + reason: FieldValueForbidden + rule: + "!has(self.nodeMeshPassword) || !has(self.nodeToNodeMeshEnabled) + || self.nodeToNodeMeshEnabled == true" + - message: + nodeMeshMaxRestartTime cannot be set when nodeToNodeMeshEnabled + is false + reason: FieldValueForbidden + rule: + "!has(self.nodeMeshMaxRestartTime) || !has(self.nodeToNodeMeshEnabled) + || self.nodeToNodeMeshEnabled == true" + type: object + served: true + storage: true diff --git a/pkg/crds/calico/crd.projectcalico.org_bgpfilters.yaml b/pkg/crds/calico/crd.projectcalico.org_bgpfilters.yaml index c46ca68621..193208e8db 100644 --- a/pkg/crds/calico/crd.projectcalico.org_bgpfilters.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_bgpfilters.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: bgpfilters.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,168 +14,559 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: BGPFilterSpec contains the IPv4 and IPv6 filter rules of - the BGP Filter. - properties: - exportV4: - description: The ordered set of IPv4 BGPFilter rules acting on exporting - routes to a peer. - items: - description: BGPFilterRuleV4 defines a BGP filter rule consisting - a single IPv4 CIDR block and a filter action for this CIDR. - properties: - action: - type: string - cidr: - type: string - interface: - type: string - matchOperator: - type: string - prefixLength: - properties: - max: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + exportV4: + items: + properties: + action: + enum: + - Accept + - Reject + type: string + asPathPrefix: + items: format: int32 - maximum: 32 - minimum: 0 type: integer - min: + type: array + x-kubernetes-list-type: atomic + cidr: + format: cidr + maxLength: 18 + type: string + communities: + properties: + values: + items: + maxLength: 32 + pattern: ^(([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]):([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])|([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]))$ + type: string + maxItems: 1 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - values + type: object + x-kubernetes-map-type: atomic + interface: + type: string + matchOperator: + enum: + - Equal + - NotEqual + - In + - NotIn + type: string + operations: + items: + maxProperties: 1 + minProperties: 1 + properties: + addCommunity: + properties: + value: + maxLength: 32 + pattern: ^(([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]):([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])|([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]))$ + type: string + required: + - value + type: object + x-kubernetes-map-type: atomic + prependASPath: + properties: + prefix: + items: + format: int32 + type: integer + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - prefix + type: object + x-kubernetes-map-type: atomic + setPriority: + properties: + value: + maximum: 2147483646 + minimum: 1 + type: integer + required: + - value + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + peerType: + enum: + - eBGP + - iBGP + type: string + prefixLength: + properties: + max: + format: int32 + maximum: 32 + minimum: 0 + type: integer + min: + format: int32 + maximum: 32 + minimum: 0 + type: integer + type: object + x-kubernetes-map-type: atomic + priority: + maximum: 2147483646 + minimum: 1 + type: integer + source: + enum: + - RemotePeers + type: string + required: + - action + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: cidr and matchOperator must both be set or both be empty + reason: FieldValueInvalid + rule: + (has(self.cidr) && size(self.cidr) > 0) == (has(self.matchOperator) + && size(self.matchOperator) > 0) + - message: cidr is required when prefixLength is set + reason: FieldValueInvalid + rule: + "!has(self.prefixLength) || (has(self.cidr) && size(self.cidr) + > 0)" + - message: operations may only be used with action Accept + rule: + "!has(self.operations) || size(self.operations) == 0 || + self.action == 'Accept'" + type: array + x-kubernetes-list-type: atomic + exportV6: + items: + properties: + action: + enum: + - Accept + - Reject + type: string + asPathPrefix: + items: format: int32 - maximum: 32 - minimum: 0 type: integer - type: object - source: - type: string - required: - - action - type: object - type: array - exportV6: - description: The ordered set of IPv6 BGPFilter rules acting on exporting - routes to a peer. - items: - description: BGPFilterRuleV6 defines a BGP filter rule consisting - a single IPv6 CIDR block and a filter action for this CIDR. - properties: - action: - type: string - cidr: - type: string - interface: - type: string - matchOperator: - type: string - prefixLength: - properties: - max: + type: array + x-kubernetes-list-type: atomic + cidr: + format: cidr + maxLength: 43 + type: string + communities: + properties: + values: + items: + maxLength: 32 + pattern: ^(([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]):([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])|([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]))$ + type: string + maxItems: 1 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - values + type: object + x-kubernetes-map-type: atomic + interface: + type: string + matchOperator: + enum: + - Equal + - NotEqual + - In + - NotIn + type: string + operations: + items: + maxProperties: 1 + minProperties: 1 + properties: + addCommunity: + properties: + value: + maxLength: 32 + pattern: ^(([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]):([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])|([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]))$ + type: string + required: + - value + type: object + x-kubernetes-map-type: atomic + prependASPath: + properties: + prefix: + items: + format: int32 + type: integer + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - prefix + type: object + x-kubernetes-map-type: atomic + setPriority: + properties: + value: + maximum: 2147483646 + minimum: 1 + type: integer + required: + - value + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + peerType: + enum: + - eBGP + - iBGP + type: string + prefixLength: + properties: + max: + format: int32 + maximum: 128 + minimum: 0 + type: integer + min: + format: int32 + maximum: 128 + minimum: 0 + type: integer + type: object + x-kubernetes-map-type: atomic + priority: + maximum: 2147483646 + minimum: 1 + type: integer + source: + enum: + - RemotePeers + type: string + required: + - action + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: cidr and matchOperator must both be set or both be empty + reason: FieldValueInvalid + rule: + (has(self.cidr) && size(self.cidr) > 0) == (has(self.matchOperator) + && size(self.matchOperator) > 0) + - message: cidr is required when prefixLength is set + reason: FieldValueInvalid + rule: + "!has(self.prefixLength) || (has(self.cidr) && size(self.cidr) + > 0)" + - message: operations may only be used with action Accept + rule: + "!has(self.operations) || size(self.operations) == 0 || + self.action == 'Accept'" + type: array + x-kubernetes-list-type: atomic + importV4: + items: + properties: + action: + enum: + - Accept + - Reject + type: string + asPathPrefix: + items: format: int32 - maximum: 128 - minimum: 0 type: integer - min: + type: array + x-kubernetes-list-type: atomic + cidr: + format: cidr + maxLength: 18 + type: string + communities: + properties: + values: + items: + maxLength: 32 + pattern: ^(([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]):([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])|([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]))$ + type: string + maxItems: 1 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - values + type: object + x-kubernetes-map-type: atomic + interface: + type: string + matchOperator: + enum: + - Equal + - NotEqual + - In + - NotIn + type: string + operations: + items: + maxProperties: 1 + minProperties: 1 + properties: + addCommunity: + properties: + value: + maxLength: 32 + pattern: ^(([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]):([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])|([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]))$ + type: string + required: + - value + type: object + x-kubernetes-map-type: atomic + prependASPath: + properties: + prefix: + items: + format: int32 + type: integer + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - prefix + type: object + x-kubernetes-map-type: atomic + setPriority: + properties: + value: + maximum: 2147483646 + minimum: 1 + type: integer + required: + - value + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + peerType: + enum: + - eBGP + - iBGP + type: string + prefixLength: + properties: + max: + format: int32 + maximum: 32 + minimum: 0 + type: integer + min: + format: int32 + maximum: 32 + minimum: 0 + type: integer + type: object + x-kubernetes-map-type: atomic + priority: + maximum: 2147483646 + minimum: 1 + type: integer + source: + enum: + - RemotePeers + type: string + required: + - action + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: cidr and matchOperator must both be set or both be empty + reason: FieldValueInvalid + rule: + (has(self.cidr) && size(self.cidr) > 0) == (has(self.matchOperator) + && size(self.matchOperator) > 0) + - message: cidr is required when prefixLength is set + reason: FieldValueInvalid + rule: + "!has(self.prefixLength) || (has(self.cidr) && size(self.cidr) + > 0)" + - message: operations may only be used with action Accept + rule: + "!has(self.operations) || size(self.operations) == 0 || + self.action == 'Accept'" + type: array + x-kubernetes-list-type: atomic + importV6: + items: + properties: + action: + enum: + - Accept + - Reject + type: string + asPathPrefix: + items: format: int32 - maximum: 128 - minimum: 0 type: integer - type: object - source: - type: string - required: - - action - type: object - type: array - importV4: - description: The ordered set of IPv4 BGPFilter rules acting on importing - routes from a peer. - items: - description: BGPFilterRuleV4 defines a BGP filter rule consisting - a single IPv4 CIDR block and a filter action for this CIDR. - properties: - action: - type: string - cidr: - type: string - interface: - type: string - matchOperator: - type: string - prefixLength: - properties: - max: - format: int32 - maximum: 32 - minimum: 0 - type: integer - min: - format: int32 - maximum: 32 - minimum: 0 - type: integer - type: object - source: - type: string - required: - - action - type: object - type: array - importV6: - description: The ordered set of IPv6 BGPFilter rules acting on importing - routes from a peer. - items: - description: BGPFilterRuleV6 defines a BGP filter rule consisting - a single IPv6 CIDR block and a filter action for this CIDR. - properties: - action: - type: string - cidr: - type: string - interface: - type: string - matchOperator: - type: string - prefixLength: - properties: - max: - format: int32 - maximum: 128 - minimum: 0 - type: integer - min: - format: int32 - maximum: 128 - minimum: 0 - type: integer - type: object - source: - type: string - required: - - action - type: object - type: array - type: object - type: object - served: true - storage: true + type: array + x-kubernetes-list-type: atomic + cidr: + format: cidr + maxLength: 43 + type: string + communities: + properties: + values: + items: + maxLength: 32 + pattern: ^(([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]):([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])|([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]))$ + type: string + maxItems: 1 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - values + type: object + x-kubernetes-map-type: atomic + interface: + type: string + matchOperator: + enum: + - Equal + - NotEqual + - In + - NotIn + type: string + operations: + items: + maxProperties: 1 + minProperties: 1 + properties: + addCommunity: + properties: + value: + maxLength: 32 + pattern: ^(([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]):([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])|([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]))$ + type: string + required: + - value + type: object + x-kubernetes-map-type: atomic + prependASPath: + properties: + prefix: + items: + format: int32 + type: integer + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - prefix + type: object + x-kubernetes-map-type: atomic + setPriority: + properties: + value: + maximum: 2147483646 + minimum: 1 + type: integer + required: + - value + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + peerType: + enum: + - eBGP + - iBGP + type: string + prefixLength: + properties: + max: + format: int32 + maximum: 128 + minimum: 0 + type: integer + min: + format: int32 + maximum: 128 + minimum: 0 + type: integer + type: object + x-kubernetes-map-type: atomic + priority: + maximum: 2147483646 + minimum: 1 + type: integer + source: + enum: + - RemotePeers + type: string + required: + - action + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: cidr and matchOperator must both be set or both be empty + reason: FieldValueInvalid + rule: + (has(self.cidr) && size(self.cidr) > 0) == (has(self.matchOperator) + && size(self.matchOperator) > 0) + - message: cidr is required when prefixLength is set + reason: FieldValueInvalid + rule: + "!has(self.prefixLength) || (has(self.cidr) && size(self.cidr) + > 0)" + - message: operations may only be used with action Accept + rule: + "!has(self.operations) || size(self.operations) == 0 || + self.action == 'Accept'" + type: array + x-kubernetes-list-type: atomic + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/calico/crd.projectcalico.org_bgppeers.yaml b/pkg/crds/calico/crd.projectcalico.org_bgppeers.yaml index 2bbb898195..4e79f04dcf 100644 --- a/pkg/crds/calico/crd.projectcalico.org_bgppeers.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_bgppeers.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: bgppeers.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,130 +14,125 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: BGPPeerSpec contains the specification for a BGPPeer resource. - properties: - asNumber: - description: The AS Number of the peer. - format: int32 - type: integer - filters: - description: The ordered set of BGPFilters applied on this BGP peer. - items: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + asNumber: + format: int32 + type: integer + filters: + items: + type: string + type: array + x-kubernetes-list-type: atomic + keepOriginalNextHop: + type: boolean + keepaliveTime: type: string - type: array - keepOriginalNextHop: - description: |- - Option to keep the original nexthop field when routes are sent to a BGP Peer. - Setting "true" configures the selected BGP Peers node to use the "next hop keep;" - instead of "next hop self;"(default) in the specific branch of the Node on "bird.cfg". - type: boolean - maxRestartTime: - description: |- - Time to allow for software restart. When specified, this is configured as the graceful - restart timeout. When not specified, the BIRD default of 120s is used. - type: string - node: - description: |- - The node name identifying the Calico node instance that is targeted by this peer. - If this is not set, and no nodeSelector is specified, then this BGP peer selects all - nodes in the cluster. - type: string - nodeSelector: - description: |- - Selector for the nodes that should have this peering. When this is set, the Node - field must be empty. - type: string - numAllowedLocalASNumbers: - description: |- - Maximum number of local AS numbers that are allowed in the AS path for received routes. - This removes BGP loop prevention and should only be used if absolutely necessary. - format: int32 - type: integer - password: - description: Optional BGP password for the peerings generated by this - BGPPeer resource. - properties: - secretKeyRef: - description: Selects a key of a secret in the node pod's namespace. - properties: - key: - description: The key of the secret to select from. Must be - a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must be - defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - peerIP: - description: |- - The IP address of the peer followed by an optional port number to peer with. - If port number is given, format should be `[]:port` or `:` for IPv4. - If optional port number is not set, and this peer IP and ASNumber belongs to a calico/node - with ListenPort set in BGPConfiguration, then we use that port to peer. - type: string - peerSelector: - description: |- - Selector for the remote nodes to peer with. When this is set, the PeerIP and - ASNumber fields must be empty. For each peering between the local node and - selected remote nodes, we configure an IPv4 peering if both ends have - NodeBGPSpec.IPv4Address specified, and an IPv6 peering if both ends have - NodeBGPSpec.IPv6Address specified. The remote AS number comes from the remote - node's NodeBGPSpec.ASNumber, or the global default if that is not set. - type: string - reachableBy: - description: |- - Add an exact, i.e. /32, static route toward peer IP in order to prevent route flapping. - ReachableBy contains the address of the gateway which peer can be reached by. - type: string - sourceAddress: - description: |- - Specifies whether and how to configure a source address for the peerings generated by - this BGPPeer resource. Default value "UseNodeIP" means to configure the node IP as the - source address. "None" means not to configure a source address. - type: string - ttlSecurity: - description: |- - TTLSecurity enables the generalized TTL security mechanism (GTSM) which protects against spoofed packets by - ignoring received packets with a smaller than expected TTL value. The provided value is the number of hops - (edges) between the peers. - type: integer - type: object - type: object - served: true - storage: true + localASNumber: + format: int32 + type: integer + localWorkloadSelector: + maxLength: 4096 + type: string + maxRestartTime: + type: string + nextHopMode: + enum: + - Auto + - Self + - Keep + type: string + node: + maxLength: 253 + type: string + nodeSelector: + maxLength: 4096 + type: string + numAllowedLocalASNumbers: + format: int32 + type: integer + password: + properties: + secretKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + peerIP: + maxLength: 64 + type: string + peerSelector: + maxLength: 4096 + type: string + reachableBy: + type: string + reversePeering: + allOf: + - enum: + - Auto + - Manual + - enum: + - Auto + - Manual + type: string + sourceAddress: + enum: + - UseNodeIP + - None + type: string + ttlSecurity: + type: integer + type: object + x-kubernetes-validations: + - message: node and nodeSelector cannot both be set + reason: FieldValueForbidden + rule: + (!has(self.node) || size(self.node) == 0) || (!has(self.nodeSelector) + || size(self.nodeSelector) == 0) + - message: peerIP and peerSelector cannot both be set + reason: FieldValueForbidden + rule: + (!has(self.peerIP) || size(self.peerIP) == 0) || (!has(self.peerSelector) + || size(self.peerSelector) == 0) + - message: asNumber must be empty when peerSelector is set + reason: FieldValueForbidden + rule: + (!has(self.peerSelector) || size(self.peerSelector) == 0) || !has(self.asNumber) + || self.asNumber == 0 + - message: peerIP must be empty when localWorkloadSelector is set + reason: FieldValueForbidden + rule: + (!has(self.localWorkloadSelector) || size(self.localWorkloadSelector) + == 0) || (!has(self.peerIP) || size(self.peerIP) == 0) + - message: peerSelector must be empty when localWorkloadSelector is set + reason: FieldValueForbidden + rule: + (!has(self.localWorkloadSelector) || size(self.localWorkloadSelector) + == 0) || (!has(self.peerSelector) || size(self.peerSelector) == 0) + - message: asNumber is required when localWorkloadSelector is set + reason: FieldValueInvalid + rule: + (!has(self.localWorkloadSelector) || size(self.localWorkloadSelector) + == 0) || (has(self.asNumber) && self.asNumber != 0) + type: object + served: true + storage: true diff --git a/pkg/crds/calico/crd.projectcalico.org_blockaffinities.yaml b/pkg/crds/calico/crd.projectcalico.org_blockaffinities.yaml index 717f046e3d..c18b570977 100644 --- a/pkg/crds/calico/crd.projectcalico.org_blockaffinities.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_blockaffinities.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: blockaffinities.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,51 +14,34 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: BlockAffinitySpec contains the specification for a BlockAffinity - resource. - properties: - cidr: - type: string - deleted: - description: |- - Deleted indicates that this block affinity is being deleted. - This field is a string for compatibility with older releases that - mistakenly treat this field as a string. - type: string - node: - type: string - state: - type: string - type: - type: string - required: - - cidr - - deleted - - node - - state - type: object - type: object - served: true - storage: true + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + cidr: + type: string + deleted: + type: string + node: + type: string + state: + type: string + type: + type: string + required: + - cidr + - deleted + - node + - state + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/calico/crd.projectcalico.org_caliconodestatuses.yaml b/pkg/crds/calico/crd.projectcalico.org_caliconodestatuses.yaml index e7b0ab1d2e..c0e6245b8d 100644 --- a/pkg/crds/calico/crd.projectcalico.org_caliconodestatuses.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_caliconodestatuses.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: caliconodestatuses.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,248 +14,206 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: CalicoNodeStatusSpec contains the specification for a CalicoNodeStatus - resource. - properties: - classes: - description: |- - Classes declares the types of information to monitor for this calico/node, - and allows for selective status reporting about certain subsets of information. - items: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + classes: + items: + enum: + - Agent + - BGP + - Routes + type: string + type: array + x-kubernetes-list-type: set + node: type: string - type: array - node: - description: The node name identifies the Calico node instance for - node status. - type: string - updatePeriodSeconds: - description: |- - UpdatePeriodSeconds is the period at which CalicoNodeStatus should be updated. - Set to 0 to disable CalicoNodeStatus refresh. Maximum update period is one day. - format: int32 - type: integer - type: object - status: - description: |- - CalicoNodeStatusStatus defines the observed state of CalicoNodeStatus. - No validation needed for status since it is updated by Calico. - properties: - agent: - description: Agent holds agent status on the node. - properties: - birdV4: - description: BIRDV4 represents the latest observed status of bird4. - properties: - lastBootTime: - description: LastBootTime holds the value of lastBootTime - from bird.ctl output. - type: string - lastReconfigurationTime: - description: LastReconfigurationTime holds the value of lastReconfigTime - from bird.ctl output. - type: string - routerID: - description: Router ID used by bird. - type: string - state: - description: The state of the BGP Daemon. - type: string - version: - description: Version of the BGP daemon - type: string - type: object - birdV6: - description: BIRDV6 represents the latest observed status of bird6. - properties: - lastBootTime: - description: LastBootTime holds the value of lastBootTime - from bird.ctl output. - type: string - lastReconfigurationTime: - description: LastReconfigurationTime holds the value of lastReconfigTime - from bird.ctl output. - type: string - routerID: - description: Router ID used by bird. - type: string - state: - description: The state of the BGP Daemon. - type: string - version: - description: Version of the BGP daemon - type: string - type: object - type: object - bgp: - description: BGP holds node BGP status. - properties: - numberEstablishedV4: - description: The total number of IPv4 established bgp sessions. - type: integer - numberEstablishedV6: - description: The total number of IPv6 established bgp sessions. - type: integer - numberNotEstablishedV4: - description: The total number of IPv4 non-established bgp sessions. - type: integer - numberNotEstablishedV6: - description: The total number of IPv6 non-established bgp sessions. - type: integer - peersV4: - description: PeersV4 represents IPv4 BGP peers status on the node. - items: - description: CalicoNodePeer contains the status of BGP peers - on the node. + updatePeriodSeconds: + format: int32 + type: integer + type: object + status: + properties: + agent: + properties: + birdV4: properties: - peerIP: - description: IP address of the peer whose condition we are - reporting. + lastBootTime: type: string - since: - description: Since the state or reason last changed. + lastReconfigurationTime: type: string - state: - description: State is the BGP session state. - type: string - type: - description: |- - Type indicates whether this peer is configured via the node-to-node mesh, - or via en explicit global or per-node BGPPeer object. - type: string - type: object - type: array - peersV6: - description: PeersV6 represents IPv6 BGP peers status on the node. - items: - description: CalicoNodePeer contains the status of BGP peers - on the node. - properties: - peerIP: - description: IP address of the peer whose condition we are - reporting. - type: string - since: - description: Since the state or reason last changed. + routerID: type: string state: - description: State is the BGP session state. + enum: + - Ready + - NotReady type: string - type: - description: |- - Type indicates whether this peer is configured via the node-to-node mesh, - or via en explicit global or per-node BGPPeer object. + version: type: string type: object - type: array - required: - - numberEstablishedV4 - - numberEstablishedV6 - - numberNotEstablishedV4 - - numberNotEstablishedV6 - type: object - lastUpdated: - description: |- - LastUpdated is a timestamp representing the server time when CalicoNodeStatus object - last updated. It is represented in RFC3339 form and is in UTC. - format: date-time - nullable: true - type: string - routes: - description: Routes reports routes known to the Calico BGP daemon - on the node. - properties: - routesV4: - description: RoutesV4 represents IPv4 routes on the node. - items: - description: CalicoNodeRoute contains the status of BGP routes - on the node. + birdV6: properties: - destination: - description: Destination of the route. - type: string - gateway: - description: Gateway for the destination. + lastBootTime: type: string - interface: - description: Interface for the destination + lastReconfigurationTime: type: string - learnedFrom: - description: LearnedFrom contains information regarding - where this route originated. - properties: - peerIP: - description: If sourceType is NodeMesh or BGPPeer, IP - address of the router that sent us this route. - type: string - sourceType: - description: Type of the source where a route is learned - from. - type: string - type: object - type: - description: Type indicates if the route is being used for - forwarding or not. + routerID: type: string - type: object - type: array - routesV6: - description: RoutesV6 represents IPv6 routes on the node. - items: - description: CalicoNodeRoute contains the status of BGP routes - on the node. - properties: - destination: - description: Destination of the route. - type: string - gateway: - description: Gateway for the destination. - type: string - interface: - description: Interface for the destination + state: + enum: + - Ready + - NotReady type: string - learnedFrom: - description: LearnedFrom contains information regarding - where this route originated. - properties: - peerIP: - description: If sourceType is NodeMesh or BGPPeer, IP - address of the router that sent us this route. - type: string - sourceType: - description: Type of the source where a route is learned - from. - type: string - type: object - type: - description: Type indicates if the route is being used for - forwarding or not. + version: type: string type: object - type: array - type: object - type: object - type: object - served: true - storage: true + type: object + bgp: + properties: + numberEstablishedV4: + type: integer + numberEstablishedV6: + type: integer + numberNotEstablishedV4: + type: integer + numberNotEstablishedV6: + type: integer + peersV4: + items: + properties: + peerIP: + type: string + since: + type: string + state: + enum: + - Idle + - Connect + - Active + - OpenSent + - OpenConfirm + - Established + - Close + type: string + type: + enum: + - NodeMesh + - NodePeer + - GlobalPeer + type: string + type: object + type: array + x-kubernetes-list-type: atomic + peersV6: + items: + properties: + peerIP: + type: string + since: + type: string + state: + enum: + - Idle + - Connect + - Active + - OpenSent + - OpenConfirm + - Established + - Close + type: string + type: + enum: + - NodeMesh + - NodePeer + - GlobalPeer + type: string + type: object + type: array + x-kubernetes-list-type: atomic + required: + - numberEstablishedV4 + - numberEstablishedV6 + - numberNotEstablishedV4 + - numberNotEstablishedV6 + type: object + lastUpdated: + format: date-time + nullable: true + type: string + routes: + properties: + routesV4: + items: + properties: + destination: + type: string + gateway: + type: string + interface: + type: string + learnedFrom: + properties: + peerIP: + type: string + sourceType: + enum: + - Kernel + - Static + - Direct + - NodeMesh + - BGPPeer + type: string + type: object + type: + enum: + - FIB + - RIB + type: string + type: object + type: array + x-kubernetes-list-type: atomic + routesV6: + items: + properties: + destination: + type: string + gateway: + type: string + interface: + type: string + learnedFrom: + properties: + peerIP: + type: string + sourceType: + enum: + - Kernel + - Static + - Direct + - NodeMesh + - BGPPeer + type: string + type: object + type: + enum: + - FIB + - RIB + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/calico/crd.projectcalico.org_clusterinformations.yaml b/pkg/crds/calico/crd.projectcalico.org_clusterinformations.yaml index 43c70bb102..9f802f1320 100644 --- a/pkg/crds/calico/crd.projectcalico.org_clusterinformations.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_clusterinformations.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: clusterinformations.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,51 +14,29 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - description: ClusterInformation contains the cluster specific information. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ClusterInformationSpec contains the values of describing - the cluster. - properties: - calicoVersion: - description: CalicoVersion is the version of Calico that the cluster - is running - type: string - clusterGUID: - description: ClusterGUID is the GUID of the cluster - type: string - clusterType: - description: ClusterType describes the type of the cluster - type: string - datastoreReady: - description: |- - DatastoreReady is used during significant datastore migrations to signal to components - such as Felix that it should wait before accessing the datastore. - type: boolean - variant: - description: Variant declares which variant of Calico should be active. - type: string - type: object - type: object - served: true - storage: true + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + calicoVersion: + type: string + clusterGUID: + type: string + clusterType: + type: string + datastoreReady: + type: boolean + variant: + type: string + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/calico/crd.projectcalico.org_felixconfigurations.yaml b/pkg/crds/calico/crd.projectcalico.org_felixconfigurations.yaml index d5acb94aa9..e383dd788f 100644 --- a/pkg/crds/calico/crd.projectcalico.org_felixconfigurations.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_felixconfigurations.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: felixconfigurations.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,1185 +14,1382 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - description: Felix Configuration contains the configuration for Felix. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: FelixConfigurationSpec contains the values of the Felix configuration. - properties: - allowIPIPPacketsFromWorkloads: - description: |- - AllowIPIPPacketsFromWorkloads controls whether Felix will add a rule to drop IPIP encapsulated traffic - from workloads. [Default: false] - type: boolean - allowVXLANPacketsFromWorkloads: - description: |- - AllowVXLANPacketsFromWorkloads controls whether Felix will add a rule to drop VXLAN encapsulated traffic - from workloads. [Default: false] - type: boolean - awsSrcDstCheck: - description: |- - AWSSrcDstCheck controls whether Felix will try to change the "source/dest check" setting on the EC2 instance - on which it is running. A value of "Disable" will try to disable the source/dest check. Disabling the check - allows for sending workload traffic without encapsulation within the same AWS subnet. - [Default: DoNothing] - enum: - - DoNothing - - Enable - - Disable - type: string - bpfCTLBLogFilter: - description: |- - BPFCTLBLogFilter specifies, what is logged by connect time load balancer when BPFLogLevel is - debug. Currently has to be specified as 'all' when BPFLogFilters is set - to see CTLB logs. - [Default: unset - means logs are emitted when BPFLogLevel id debug and BPFLogFilters not set.] - type: string - bpfConnectTimeLoadBalancing: - description: |- - BPFConnectTimeLoadBalancing when in BPF mode, controls whether Felix installs the connect-time load - balancer. The connect-time load balancer is required for the host to be able to reach Kubernetes services - and it improves the performance of pod-to-service connections.When set to TCP, connect time load balancing - is available only for services with TCP ports. [Default: TCP] - enum: - - TCP - - Enabled - - Disabled - type: string - bpfConnectTimeLoadBalancingEnabled: - description: |- - BPFConnectTimeLoadBalancingEnabled when in BPF mode, controls whether Felix installs the connection-time load - balancer. The connect-time load balancer is required for the host to be able to reach Kubernetes services - and it improves the performance of pod-to-service connections. The only reason to disable it is for debugging - purposes. - - Deprecated: Use BPFConnectTimeLoadBalancing [Default: true] - type: boolean - bpfConntrackLogLevel: - description: |- - BPFConntrackLogLevel controls the log level of the BPF conntrack cleanup program, which runs periodically - to clean up expired BPF conntrack entries. - [Default: Off]. - enum: - - "Off" - - Debug - type: string - bpfConntrackMode: - description: |- - BPFConntrackCleanupMode controls how BPF conntrack entries are cleaned up. `Auto` will use a BPF program if supported, - falling back to userspace if not. `Userspace` will always use the userspace cleanup code. `BPFProgram` will - always use the BPF program (failing if not supported). - [Default: Auto] - enum: - - Auto - - Userspace - - BPFProgram - type: string - bpfConntrackTimeouts: - description: |- - BPFConntrackTimers overrides the default values for the specified conntrack timer if - set. Each value can be either a duration or `Auto` to pick the value from - a Linux conntrack timeout. + - name: v1 + schema: + openAPIV3Schema: + description: Felix Configuration contains the configuration for Felix. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: FelixConfigurationSpec contains the values of the Felix configuration. + properties: + allowIPIPPacketsFromWorkloads: + description: |- + AllowIPIPPacketsFromWorkloads controls whether Felix will add a rule to drop IPIP encapsulated traffic + from workloads. [Default: false] + type: boolean + allowVXLANPacketsFromWorkloads: + description: |- + AllowVXLANPacketsFromWorkloads controls whether Felix will add a rule to drop VXLAN encapsulated traffic + from workloads. [Default: false] + type: boolean + awsSrcDstCheck: + description: |- + AWSSrcDstCheck controls whether Felix will try to change the "source/dest check" setting on the EC2 instance + on which it is running. A value of "Disable" will try to disable the source/dest check. Disabling the check + allows for sending workload traffic without encapsulation within the same AWS subnet. + [Default: DoNothing] + enum: + - DoNothing + - Enable + - Disable + type: string + bpfAttachType: + description: |- + BPFAttachType controls how are the BPF programs at the network interfaces attached. + By default `TCX` is used where available to enable easier coexistence with 3rd party programs. + `TC` can force the legacy method of attaching via a qdisc. `TCX` falls back to `TC` if `TCX` is not available. + [Default: TCX] + enum: + - TC + - TCX + type: string + bpfCTLBLogFilter: + description: |- + BPFCTLBLogFilter specifies, what is logged by connect time load balancer when BPFLogLevel is + debug. Currently has to be specified as 'all' when BPFLogFilters is set + to see CTLB logs. + [Default: unset - means logs are emitted when BPFLogLevel id debug and BPFLogFilters not set.] + type: string + bpfConnectTimeLoadBalancing: + description: |- + BPFConnectTimeLoadBalancing when in BPF mode, controls whether Felix installs the connect-time load + balancer. The connect-time load balancer is required for the host to be able to reach Kubernetes services + and it improves the performance of pod-to-service connections.When set to TCP, connect time load balancing + is available only for services with TCP ports. [Default: TCP] + enum: + - TCP + - Enabled + - Disabled + type: string + bpfConnectTimeLoadBalancingEnabled: + description: |- + BPFConnectTimeLoadBalancingEnabled when in BPF mode, controls whether Felix installs the connection-time load + balancer. The connect-time load balancer is required for the host to be able to reach Kubernetes services + and it improves the performance of pod-to-service connections. The only reason to disable it is for debugging + purposes. - Configurable timers are: CreationGracePeriod, TCPSynSent, - TCPEstablished, TCPFinsSeen, TCPResetSeen, UDPTimeout, GenericTimeout, - ICMPTimeout. + Deprecated: Use BPFConnectTimeLoadBalancing [Default: true] + type: boolean + bpfConntrackLogLevel: + description: |- + BPFConntrackLogLevel controls the log level of the BPF conntrack cleanup program, which runs periodically + to clean up expired BPF conntrack entries. + [Default: Off]. + enum: + - "Off" + - Debug + type: string + bpfConntrackMode: + description: |- + BPFConntrackCleanupMode controls how BPF conntrack entries are cleaned up. `Auto` will use a BPF program if supported, + falling back to userspace if not. `Userspace` will always use the userspace cleanup code. `BPFProgram` will + always use the BPF program (failing if not supported). - Unset values are replaced by the default values with a warning log for - incorrect values. - properties: - creationGracePeriod: - description: |2- - CreationGracePeriod gives a generic grace period to new connection - before they are considered for cleanup [Default: 10s]. - pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ - type: string - genericTimeout: - description: |- - GenericTimeout controls how long it takes before considering this - entry for cleanup after the connection became idle. If set to 'Auto', the - value from nf_conntrack_generic_timeout is used. If nil, Calico uses its - own default value. [Default: 10m]. - pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ - type: string - icmpTimeout: - description: |- - ICMPTimeout controls how long it takes before considering this - entry for cleanup after the connection became idle. If set to 'Auto', the - value from nf_conntrack_icmp_timeout is used. If nil, Calico uses its - own default value. [Default: 5s]. - pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ - type: string - tcpEstablished: - description: |- - TCPEstablished controls how long it takes before considering this entry for - cleanup after the connection became idle. If set to 'Auto', the - value from nf_conntrack_tcp_timeout_established is used. If nil, Calico uses - its own default value. [Default: 1h]. - pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ - type: string - tcpFinsSeen: - description: |- - TCPFinsSeen controls how long it takes before considering this entry for - cleanup after the connection was closed gracefully. If set to 'Auto', the - value from nf_conntrack_tcp_timeout_time_wait is used. If nil, Calico uses - its own default value. [Default: Auto]. - pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ - type: string - tcpResetSeen: - description: |- - TCPResetSeen controls how long it takes before considering this entry for - cleanup after the connection was aborted. If nil, Calico uses its own - default value. [Default: 40s]. - pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ - type: string - tcpSynSent: - description: |- - TCPSynSent controls how long it takes before considering this entry for - cleanup after the last SYN without a response. If set to 'Auto', the - value from nf_conntrack_tcp_timeout_syn_sent is used. If nil, Calico uses - its own default value. [Default: 20s]. - pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ - type: string - udpTimeout: - description: |- - UDPTimeout controls how long it takes before considering this entry for - cleanup after the connection became idle. If nil, Calico uses its own - default value. [Default: 60s]. - pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ - type: string - type: object - bpfDSROptoutCIDRs: - description: |- - BPFDSROptoutCIDRs is a list of CIDRs which are excluded from DSR. That is, clients - in those CIDRs will access service node ports as if BPFExternalServiceMode was set to - Tunnel. - items: - type: string - type: array - bpfDataIfacePattern: - description: |- - BPFDataIfacePattern is a regular expression that controls which interfaces Felix should attach BPF programs to - in order to catch traffic to/from the network. This needs to match the interfaces that Calico workload traffic - flows over as well as any interfaces that handle incoming traffic to nodeports and services from outside the - cluster. It should not match the workload interfaces (usually named cali...) or any other special device managed - by Calico itself (e.g., tunnels). - type: string - bpfDisableGROForIfaces: - description: |- - BPFDisableGROForIfaces is a regular expression that controls which interfaces Felix should disable the - Generic Receive Offload [GRO] option. It should not match the workload interfaces (usually named cali...). - type: string - bpfDisableUnprivileged: - description: |- - BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled sysctl to disable - unprivileged use of BPF. This ensures that unprivileged users cannot access Calico's BPF maps and - cannot insert their own BPF programs to interfere with Calico's. [Default: true] - type: boolean - bpfEnabled: - description: 'BPFEnabled, if enabled Felix will use the BPF dataplane. - [Default: false]' - type: boolean - bpfEnforceRPF: - description: |- - BPFEnforceRPF enforce strict RPF on all host interfaces with BPF programs regardless of - what is the per-interfaces or global setting. Possible values are Disabled, Strict - or Loose. [Default: Loose] - pattern: ^(?i)(Disabled|Strict|Loose)?$ - type: string - bpfExcludeCIDRsFromNAT: - description: |- - BPFExcludeCIDRsFromNAT is a list of CIDRs that are to be excluded from NAT - resolution so that host can handle them. A typical usecase is node local - DNS cache. - items: - type: string - type: array - bpfExportBufferSizeMB: - description: |- - BPFExportBufferSizeMB in BPF mode, controls the buffer size used for sending BPF events to felix. - [Default: 1] - type: integer - bpfExtToServiceConnmark: - description: |- - BPFExtToServiceConnmark in BPF mode, controls a 32bit mark that is set on connections from an - external client to a local service. This mark allows us to control how packets of that - connection are routed within the host and how is routing interpreted by RPF check. [Default: 0] - type: integer - bpfExternalServiceMode: - description: |- - BPFExternalServiceMode in BPF mode, controls how connections from outside the cluster to services (node ports - and cluster IPs) are forwarded to remote workloads. If set to "Tunnel" then both request and response traffic - is tunneled to the remote node. If set to "DSR", the request traffic is tunneled but the response traffic - is sent directly from the remote node. In "DSR" mode, the remote node appears to use the IP of the ingress - node; this requires a permissive L2 network. [Default: Tunnel] - pattern: ^(?i)(Tunnel|DSR)?$ - type: string - bpfForceTrackPacketsFromIfaces: - description: |- - BPFForceTrackPacketsFromIfaces in BPF mode, forces traffic from these interfaces - to skip Calico's iptables NOTRACK rule, allowing traffic from those interfaces to be - tracked by Linux conntrack. Should only be used for interfaces that are not used for - the Calico fabric. For example, a docker bridge device for non-Calico-networked - containers. [Default: docker+] - items: - type: string - type: array - bpfHostConntrackBypass: - description: |- - BPFHostConntrackBypass Controls whether to bypass Linux conntrack in BPF mode for - workloads and services. [Default: true - bypass Linux conntrack] - type: boolean - bpfHostNetworkedNATWithoutCTLB: - description: |- - BPFHostNetworkedNATWithoutCTLB when in BPF mode, controls whether Felix does a NAT without CTLB. This along with BPFConnectTimeLoadBalancing - determines the CTLB behavior. [Default: Enabled] - enum: - - Enabled - - Disabled - type: string - bpfKubeProxyEndpointSlicesEnabled: - description: |- - BPFKubeProxyEndpointSlicesEnabled is deprecated and has no effect. BPF - kube-proxy always accepts endpoint slices. This option will be removed in - the next release. - type: boolean - bpfKubeProxyIptablesCleanupEnabled: - description: |- - BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF mode, Felix will proactively clean up the upstream - Kubernetes kube-proxy's iptables chains. Should only be enabled if kube-proxy is not running. [Default: true] - type: boolean - bpfKubeProxyMinSyncPeriod: - description: |- - BPFKubeProxyMinSyncPeriod, in BPF mode, controls the minimum time between updates to the dataplane for Felix's - embedded kube-proxy. Lower values give reduced set-up latency. Higher values reduce Felix CPU usage by - batching up more work. [Default: 1s] - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - bpfL3IfacePattern: - description: |- - BPFL3IfacePattern is a regular expression that allows to list tunnel devices like wireguard or vxlan (i.e., L3 devices) - in addition to BPFDataIfacePattern. That is, tunnel interfaces not created by Calico, that Calico workload traffic flows - over as well as any interfaces that handle incoming traffic to nodeports and services from outside the cluster. - type: string - bpfLogFilters: - additionalProperties: - type: string - description: |- - BPFLogFilters is a map of key=values where the value is - a pcap filter expression and the key is an interface name with 'all' - denoting all interfaces, 'weps' all workload endpoints and 'heps' all host - endpoints. + /To be deprecated in future versions as conntrack map type changed to + lru_hash and userspace cleanup is the only mode that is supported. + [Default: Userspace] + enum: + - Auto + - Userspace + - BPFProgram + type: string + bpfConntrackTimeouts: + description: |- + BPFConntrackTimers overrides the default values for the specified conntrack timer if + set. Each value can be either a duration or `Auto` to pick the value from + a Linux conntrack timeout. - When specified as an env var, it accepts a comma-separated list of - key=values. - [Default: unset - means all debug logs are emitted] - type: object - bpfLogLevel: - description: |- - BPFLogLevel controls the log level of the BPF programs when in BPF dataplane mode. One of "Off", "Info", or - "Debug". The logs are emitted to the BPF trace pipe, accessible with the command `tc exec bpf debug`. - [Default: Off]. - pattern: ^(?i)(Off|Info|Debug)?$ - type: string - bpfMapSizeConntrack: - description: |- - BPFMapSizeConntrack sets the size for the conntrack map. This map must be large enough to hold - an entry for each active connection. Warning: changing the size of the conntrack map can cause disruption. - type: integer - bpfMapSizeConntrackCleanupQueue: - description: |- - BPFMapSizeConntrackCleanupQueue sets the size for the map used to hold NAT conntrack entries that are queued - for cleanup. This should be big enough to hold all the NAT entries that expire within one cleanup interval. - minimum: 1 - type: integer - bpfMapSizeConntrackScaling: - description: |- - BPFMapSizeConntrackScaling controls whether and how we scale the conntrack map size depending - on its usage. 'Disabled' make the size stay at the default or whatever is set by - BPFMapSizeConntrack*. 'DoubleIfFull' doubles the size when the map is pretty much full even - after cleanups. [Default: DoubleIfFull] - pattern: ^(?i)(Disabled|DoubleIfFull)?$ - type: string - bpfMapSizeIPSets: - description: |- - BPFMapSizeIPSets sets the size for ipsets map. The IP sets map must be large enough to hold an entry - for each endpoint matched by every selector in the source/destination matches in network policy. Selectors - such as "all()" can result in large numbers of entries (one entry per endpoint in that case). - type: integer - bpfMapSizeIfState: - description: |- - BPFMapSizeIfState sets the size for ifstate map. The ifstate map must be large enough to hold an entry - for each device (host + workloads) on a host. - type: integer - bpfMapSizeNATAffinity: - description: |- - BPFMapSizeNATAffinity sets the size of the BPF map that stores the affinity of a connection (for services that - enable that feature. - type: integer - bpfMapSizeNATBackend: - description: |- - BPFMapSizeNATBackend sets the size for NAT back end map. - This is the total number of endpoints. This is mostly - more than the size of the number of services. - type: integer - bpfMapSizeNATFrontend: - description: |- - BPFMapSizeNATFrontend sets the size for NAT front end map. - FrontendMap should be large enough to hold an entry for each nodeport, - external IP and each port in each service. - type: integer - bpfMapSizePerCpuConntrack: - description: |- - BPFMapSizePerCPUConntrack determines the size of conntrack map based on the number of CPUs. If set to a - non-zero value, overrides BPFMapSizeConntrack with `BPFMapSizePerCPUConntrack * (Number of CPUs)`. - This map must be large enough to hold an entry for each active connection. Warning: changing the size of the - conntrack map can cause disruption. - type: integer - bpfMapSizeRoute: - description: |- - BPFMapSizeRoute sets the size for the routes map. The routes map should be large enough - to hold one entry per workload and a handful of entries per host (enough to cover its own IPs and - tunnel IPs). - type: integer - bpfPSNATPorts: - anyOf: - - type: integer - - type: string - description: |- - BPFPSNATPorts sets the range from which we randomly pick a port if there is a source port - collision. This should be within the ephemeral range as defined by RFC 6056 (1024–65535) and - preferably outside the ephemeral ranges used by common operating systems. Linux uses - 32768–60999, while others mostly use the IANA defined range 49152–65535. It is not necessarily - a problem if this range overlaps with the operating systems. Both ends of the range are - inclusive. [Default: 20000:29999] - pattern: ^.* - x-kubernetes-int-or-string: true - bpfPolicyDebugEnabled: - description: |- - BPFPolicyDebugEnabled when true, Felix records detailed information - about the BPF policy programs, which can be examined with the calico-bpf command-line tool. - type: boolean - bpfProfiling: - description: |- - BPFProfiling controls profiling of BPF programs. At the monent, it can be - Disabled or Enabled. [Default: Disabled] - enum: - - Enabled - - Disabled - type: string - bpfRedirectToPeer: - description: |- - BPFRedirectToPeer controls which whether it is allowed to forward straight to the - peer side of the workload devices. It is allowed for any host L2 devices by default - (L2Only), but it breaks TCP dump on the host side of workload device as it bypasses - it on ingress. Value of Enabled also allows redirection from L3 host devices like - IPIP tunnel or Wireguard directly to the peer side of the workload's device. This - makes redirection faster, however, it breaks tools like tcpdump on the peer side. - Use Enabled with caution. [Default: L2Only] - enum: - - Enabled - - Disabled - - L2Only - type: string - chainInsertMode: - description: |- - ChainInsertMode controls whether Felix hooks the kernel's top-level iptables chains by inserting a rule - at the top of the chain or by appending a rule at the bottom. insert is the safe default since it prevents - Calico's rules from being bypassed. If you switch to append mode, be sure that the other rules in the chains - signal acceptance by falling through to the Calico rules, otherwise the Calico policy will be bypassed. - [Default: insert] - pattern: ^(?i)(Insert|Append)?$ - type: string - dataplaneDriver: - description: |- - DataplaneDriver filename of the external dataplane driver to use. Only used if UseInternalDataplaneDriver - is set to false. - type: string - dataplaneWatchdogTimeout: - description: |- - DataplaneWatchdogTimeout is the readiness/liveness timeout used for Felix's (internal) dataplane driver. - Deprecated: replaced by the generic HealthTimeoutOverrides. - type: string - debugDisableLogDropping: - description: |- - DebugDisableLogDropping disables the dropping of log messages when the log buffer is full. This can - significantly impact performance if log write-out is a bottleneck. [Default: false] - type: boolean - debugHost: - description: |- - DebugHost is the host IP or hostname to bind the debug port to. Only used - if DebugPort is set. [Default:localhost] - type: string - debugMemoryProfilePath: - description: DebugMemoryProfilePath is the path to write the memory - profile to when triggered by signal. - type: string - debugPort: - description: |- - DebugPort if set, enables Felix's debug HTTP port, which allows memory and CPU profiles - to be retrieved. The debug port is not secure, it should not be exposed to the internet. - type: integer - debugSimulateCalcGraphHangAfter: - description: |- - DebugSimulateCalcGraphHangAfter is used to simulate a hang in the calculation graph after the specified duration. - This is useful in tests of the watchdog system only! - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - debugSimulateDataplaneApplyDelay: - description: |- - DebugSimulateDataplaneApplyDelay adds an artificial delay to every dataplane operation. This is useful for - simulating a heavily loaded system for test purposes only. - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - debugSimulateDataplaneHangAfter: - description: |- - DebugSimulateDataplaneHangAfter is used to simulate a hang in the dataplane after the specified duration. - This is useful in tests of the watchdog system only! - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - defaultEndpointToHostAction: - description: |- - DefaultEndpointToHostAction controls what happens to traffic that goes from a workload endpoint to the host - itself (after the endpoint's egress policy is applied). By default, Calico blocks traffic from workload - endpoints to the host itself with an iptables "DROP" action. If you want to allow some or all traffic from - endpoint to host, set this parameter to RETURN or ACCEPT. Use RETURN if you have your own rules in the iptables - "INPUT" chain; Calico will insert its rules at the top of that chain, then "RETURN" packets to the "INPUT" chain - once it has completed processing workload endpoint egress policy. Use ACCEPT to unconditionally accept packets - from workloads after processing workload endpoint egress policy. [Default: Drop] - pattern: ^(?i)(Drop|Accept|Return)?$ - type: string - deviceRouteProtocol: - description: |- - DeviceRouteProtocol controls the protocol to set on routes programmed by Felix. The protocol is an 8-bit label - used to identify the owner of the route. - type: integer - deviceRouteSourceAddress: - description: |- - DeviceRouteSourceAddress IPv4 address to set as the source hint for routes programmed by Felix. When not set - the source address for local traffic from host to workload will be determined by the kernel. - type: string - deviceRouteSourceAddressIPv6: - description: |- - DeviceRouteSourceAddressIPv6 IPv6 address to set as the source hint for routes programmed by Felix. When not set - the source address for local traffic from host to workload will be determined by the kernel. - type: string - disableConntrackInvalidCheck: - description: |- - DisableConntrackInvalidCheck disables the check for invalid connections in conntrack. While the conntrack - invalid check helps to detect malicious traffic, it can also cause issues with certain multi-NIC scenarios. - type: boolean - endpointReportingDelay: - description: |- - EndpointReportingDelay is the delay before Felix reports endpoint status to the datastore. This is only used - by the OpenStack integration. [Default: 1s] - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - endpointReportingEnabled: - description: |- - EndpointReportingEnabled controls whether Felix reports endpoint status to the datastore. This is only used - by the OpenStack integration. [Default: false] - type: boolean - endpointStatusPathPrefix: - description: |- - EndpointStatusPathPrefix is the path to the directory where endpoint status will be written. Endpoint status - file reporting is disabled if field is left empty. + Configurable timers are: CreationGracePeriod, TCPSynSent, + TCPEstablished, TCPFinsSeen, TCPResetSeen, UDPTimeout, GenericTimeout, + ICMPTimeout. - Chosen directory should match the directory used by the CNI plugin for PodStartupDelay. - [Default: /var/run/calico] - type: string - externalNodesList: - description: |- - ExternalNodesCIDRList is a list of CIDR's of external, non-Calico nodes from which VXLAN/IPIP overlay traffic - will be allowed. By default, external tunneled traffic is blocked to reduce attack surface. - items: - type: string - type: array - failsafeInboundHostPorts: - description: |- - FailsafeInboundHostPorts is a list of ProtoPort struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will - allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally - cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, - it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, - use the value "[]". The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. - [Default: tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667 ] - items: - description: ProtoPort is combination of protocol, port, and CIDR. - Protocol and port must be specified. + Unset values are replaced by the default values with a warning log for + incorrect values. properties: - net: + creationGracePeriod: + description: |- + CreationGracePeriod gives a generic grace period to new connections + before they are considered for cleanup [Default: 10s]. + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ type: string - port: - type: integer - protocol: + genericTimeout: + description: |- + GenericTimeout controls how long it takes before considering this + entry for cleanup after the connection became idle. If set to 'Auto', the + value from nf_conntrack_generic_timeout is used. If nil, Calico uses its + own default value. [Default: 10m]. + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ type: string - required: - - port - type: object - type: array - failsafeOutboundHostPorts: - description: |- - FailsafeOutboundHostPorts is a list of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix - will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally - cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults - to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, - use the value "[]". The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd - as well as allowing DHCP, DNS, BGP and the Kubernetes API. - [Default: udp:53, udp:67, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667 ] - items: - description: ProtoPort is combination of protocol, port, and CIDR. - Protocol and port must be specified. - properties: - net: + icmpTimeout: + description: |- + ICMPTimeout controls how long it takes before considering this + entry for cleanup after the connection became idle. If set to 'Auto', the + value from nf_conntrack_icmp_timeout is used. If nil, Calico uses its + own default value. [Default: 5s]. + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ type: string - port: - type: integer - protocol: + tcpEstablished: + description: |- + TCPEstablished controls how long it takes before considering this entry for + cleanup after the connection became idle. If set to 'Auto', the + value from nf_conntrack_tcp_timeout_established is used. If nil, Calico uses + its own default value. [Default: 1h]. + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ type: string - required: - - port + tcpFinsSeen: + description: |- + TCPFinsSeen controls how long it takes before considering this entry for + cleanup after the connection was closed gracefully. If set to 'Auto', the + value from nf_conntrack_tcp_timeout_time_wait is used. If nil, Calico uses + its own default value. [Default: Auto]. + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ + type: string + tcpResetSeen: + description: |- + TCPResetSeen controls how long it takes before considering this entry for + cleanup after the connection was aborted. If nil, Calico uses its own + default value. [Default: 40s]. + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ + type: string + tcpSynSent: + description: |- + TCPSynSent controls how long it takes before considering this entry for + cleanup after the last SYN without a response. If set to 'Auto', the + value from nf_conntrack_tcp_timeout_syn_sent is used. If nil, Calico uses + its own default value. [Default: 20s]. + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ + type: string + udpTimeout: + description: |- + UDPTimeout controls how long it takes before considering this entry for + cleanup after the connection became idle. If nil, Calico uses its own + default value. [Default: 60s]. + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ + type: string + type: object + bpfDSROptoutCIDRs: + description: |- + BPFDSROptoutCIDRs is a list of CIDRs which are excluded from DSR. That is, clients + in those CIDRs will access service node ports as if BPFExternalServiceMode was set to + Tunnel. + items: + type: string + type: array + bpfDataIfacePattern: + description: |- + BPFDataIfacePattern is a regular expression that controls which interfaces Felix should attach BPF programs to + in order to catch traffic to/from the network. This needs to match the interfaces that Calico workload traffic + flows over as well as any interfaces that handle incoming traffic to nodeports and services from outside the + cluster. It should not match the workload interfaces (usually named cali...) or any other special device managed + by Calico itself (e.g., tunnels). + type: string + bpfDisableGROForIfaces: + description: |- + BPFDisableGROForIfaces is a regular expression that controls which interfaces Felix should disable the + Generic Receive Offload [GRO] option. It should not match the workload interfaces (usually named cali...). + type: string + bpfDisableUnprivileged: + description: |- + BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled sysctl to disable + unprivileged use of BPF. This ensures that unprivileged users cannot access Calico's BPF maps and + cannot insert their own BPF programs to interfere with Calico's. [Default: true] + type: boolean + bpfEnabled: + description: + "BPFEnabled, if enabled Felix will use the BPF dataplane. + [Default: false]" + type: boolean + bpfEnforceRPF: + description: |- + BPFEnforceRPF enforce strict RPF on all host interfaces with BPF programs regardless of + what is the per-interfaces or global setting. Possible values are Disabled, Strict + or Loose. [Default: Loose] + pattern: ^(?i)(Disabled|Strict|Loose)?$ + type: string + bpfExcludeCIDRsFromNAT: + description: |- + BPFExcludeCIDRsFromNAT is a list of CIDRs that are to be excluded from NAT + resolution so that host can handle them. A typical usecase is node local + DNS cache. + items: + type: string + type: array + bpfExportBufferSizeMB: + description: |- + BPFExportBufferSizeMB in BPF mode, controls the buffer size used for sending BPF events to felix. + [Default: 1] + type: integer + bpfExtToServiceConnmark: + description: |- + BPFExtToServiceConnmark in BPF mode, controls a 32bit mark that is set on connections from an + external client to a local service. This mark allows us to control how packets of that + connection are routed within the host and how is routing interpreted by RPF check. [Default: 0] + type: integer + bpfExternalServiceMode: + description: |- + BPFExternalServiceMode in BPF mode, controls how connections from outside the cluster to services (node ports + and cluster IPs) are forwarded to remote workloads. If set to "Tunnel" then both request and response traffic + is tunneled to the remote node. If set to "DSR", the request traffic is tunneled but the response traffic + is sent directly from the remote node. In "DSR" mode, the remote node appears to use the IP of the ingress + node; this requires a permissive L2 network. [Default: Tunnel] + pattern: ^(?i)(Tunnel|DSR)?$ + type: string + bpfForceTrackPacketsFromIfaces: + description: |- + BPFForceTrackPacketsFromIfaces in BPF mode, forces traffic from these interfaces + to skip Calico's iptables NOTRACK rule, allowing traffic from those interfaces to be + tracked by Linux conntrack. Should only be used for interfaces that are not used for + the Calico fabric. For example, a docker bridge device for non-Calico-networked + containers. [Default: docker+] + items: + type: string + type: array + bpfHostConntrackBypass: + description: |- + BPFHostConntrackBypass Controls whether to bypass Linux conntrack in BPF mode for + workloads and services. [Default: true - bypass Linux conntrack] + type: boolean + bpfHostNetworkedNATWithoutCTLB: + description: |- + BPFHostNetworkedNATWithoutCTLB when in BPF mode, controls whether Felix does a NAT without CTLB. This along with BPFConnectTimeLoadBalancing + determines the CTLB behavior. [Default: Enabled] + enum: + - Enabled + - Disabled + type: string + bpfJITHardening: + allOf: + - enum: + - Auto + - Strict + - enum: + - Auto + - Strict + description: |- + BPFJITHardening controls BPF JIT hardening. When set to "Auto", Felix will set JIT hardening to 1 + if it detects the current value is 2 (strict mode that hurts performance). When set to "Strict", + Felix will not modify the JIT hardening setting. [Default: Auto] + type: string + bpfKubeProxyHealthzPort: + description: |- + BPFKubeProxyHealthzPort, in BPF mode, controls the port that Felix's embedded kube-proxy health check server binds to. + The health check server is used by external load balancers to determine if this node should receive traffic. + Set to 0 to disable the health check server. [Default: 10256] + type: integer + bpfKubeProxyIptablesCleanupEnabled: + description: |- + BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF mode, Felix will proactively clean up the upstream + Kubernetes kube-proxy's iptables chains. Should only be enabled if kube-proxy is not running. [Default: true] + type: boolean + bpfKubeProxyMinSyncPeriod: + description: |- + BPFKubeProxyMinSyncPeriod, in BPF mode, controls the minimum time between updates to the dataplane for Felix's + embedded kube-proxy. Lower values give reduced set-up latency. Higher values reduce Felix CPU usage by + batching up more work. [Default: 1s] + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + bpfL3IfacePattern: + description: |- + BPFL3IfacePattern is a regular expression that allows to list tunnel devices like wireguard or vxlan (i.e., L3 devices) + in addition to BPFDataIfacePattern. That is, tunnel interfaces not created by Calico, that Calico workload traffic flows + over as well as any interfaces that handle incoming traffic to nodeports and services from outside the cluster. + type: string + bpfLogFilters: + additionalProperties: + type: string + description: |- + BPFLogFilters is a map of key=values where the value is + a pcap filter expression and the key is an interface name with 'all' + denoting all interfaces, 'weps' all workload endpoints and 'heps' all host + endpoints. + + When specified as an env var, it accepts a comma-separated list of + key=values. + [Default: unset - means all debug logs are emitted] type: object - type: array - featureDetectOverride: - description: |- - FeatureDetectOverride is used to override feature detection based on auto-detected platform - capabilities. Values are specified in a comma separated list with no spaces, example; - "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". A value of "true" or "false" will - force enable/disable feature, empty or omitted values fall back to auto-detection. - pattern: ^([a-zA-Z0-9-_]+=(true|false|),)*([a-zA-Z0-9-_]+=(true|false|))?$ - type: string - featureGates: - description: |- - FeatureGates is used to enable or disable tech-preview Calico features. - Values are specified in a comma separated list with no spaces, example; - "BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false". This is - used to enable features that are not fully production ready. - pattern: ^([a-zA-Z0-9-_]+=([^=]+),)*([a-zA-Z0-9-_]+=([^=]+))?$ - type: string - floatingIPs: - description: |- - FloatingIPs configures whether or not Felix will program non-OpenStack floating IP addresses. (OpenStack-derived - floating IPs are always programmed, regardless of this setting.) - enum: - - Enabled - - Disabled - type: string - flowLogsCollectorDebugTrace: - description: |- - When FlowLogsCollectorDebugTrace is set to true, enables the logs in the collector to be - printed in their entirety. - type: boolean - flowLogsFlushInterval: - description: FlowLogsFlushInterval configures the interval at which - Felix exports flow logs. - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - flowLogsGoldmaneServer: - description: FlowLogGoldmaneServer is the flow server endpoint to - which flow data should be published. - type: string - flowLogsMaxOriginalIPsIncluded: - description: FlowLogsMaxOriginalIPsIncluded specifies the number of - unique IP addresses (if relevant) that should be included in Flow - logs. - type: integer - genericXDPEnabled: - description: |- - GenericXDPEnabled enables Generic XDP so network cards that don't support XDP offload or driver - modes can use XDP. This is not recommended since it doesn't provide better performance than - iptables. [Default: false] - type: boolean - goGCThreshold: - description: |- - GoGCThreshold Sets the Go runtime's garbage collection threshold. I.e. the percentage that the heap is - allowed to grow before garbage collection is triggered. In general, doubling the value halves the CPU time - spent doing GC, but it also doubles peak GC memory overhead. A special value of -1 can be used - to disable GC entirely; this should only be used in conjunction with the GoMemoryLimitMB setting. + bpfLogLevel: + description: |- + BPFLogLevel controls the log level of the BPF programs when in BPF dataplane mode. One of "Off", "Info", or + "Debug". The logs are emitted to the BPF trace pipe, accessible with the command `tc exec bpf debug`. + [Default: Off]. + pattern: ^(?i)(Off|Info|Debug)?$ + type: string + bpfMaglevMaxEndpointsPerService: + description: |- + BPFMaglevMaxEndpointsPerService is the maximum number of endpoints + expected to be part of a single Maglev-enabled service. + + Influences the size of the per-service Maglev lookup-tables generated by Felix + and thus the amount of memory reserved. + + [Default: 100] + type: integer + bpfMaglevMaxServices: + description: |- + BPFMaglevMaxServices is the maximum number of expected Maglev-enabled + services that Felix will allocate lookup-tables for. - This setting is overridden by the GOGC environment variable. + [Default: 100] + type: integer + bpfMapSizeConntrack: + description: |- + BPFMapSizeConntrack sets the size for the conntrack map. This map must be large enough to hold + an entry for each active connection. Warning: changing the size of the conntrack map can cause disruption. + type: integer + bpfMapSizeConntrackCleanupQueue: + description: |- + BPFMapSizeConntrackCleanupQueue sets the size for the map used to hold NAT conntrack entries that are queued + for cleanup. This should be big enough to hold all the NAT entries that expire within one cleanup interval. + minimum: 1 + type: integer + bpfMapSizeConntrackScaling: + description: |- + BPFMapSizeConntrackScaling controls whether and how we scale the conntrack map size depending + on its usage. 'Disabled' make the size stay at the default or whatever is set by + BPFMapSizeConntrack*. 'DoubleIfFull' doubles the size when the map is pretty much full even + after cleanups. [Default: DoubleIfFull] + pattern: ^(?i)(Disabled|DoubleIfFull)?$ + type: string + bpfMapSizeIPSets: + description: |- + BPFMapSizeIPSets sets the size for ipsets map. The IP sets map must be large enough to hold an entry + for each endpoint matched by every selector in the source/destination matches in network policy. Selectors + such as "all()" can result in large numbers of entries (one entry per endpoint in that case). + type: integer + bpfMapSizeIfState: + description: |- + BPFMapSizeIfState sets the size for ifstate map. The ifstate map must be large enough to hold an entry + for each device (host + workloads) on a host. + type: integer + bpfMapSizeNATAffinity: + description: |- + BPFMapSizeNATAffinity sets the size of the BPF map that stores the affinity of a connection (for services that + enable that feature. + type: integer + bpfMapSizeNATBackend: + description: |- + BPFMapSizeNATBackend sets the size for NAT back end map. + This is the total number of endpoints. This is mostly + more than the size of the number of services. + type: integer + bpfMapSizeNATFrontend: + description: |- + BPFMapSizeNATFrontend sets the size for NAT front end map. + FrontendMap should be large enough to hold an entry for each nodeport, + external IP and each port in each service. + type: integer + bpfMapSizePerCpuConntrack: + description: |- + BPFMapSizePerCPUConntrack determines the size of conntrack map based on the number of CPUs. If set to a + non-zero value, overrides BPFMapSizeConntrack with `BPFMapSizePerCPUConntrack * (Number of CPUs)`. + This map must be large enough to hold an entry for each active connection. Warning: changing the size of the + conntrack map can cause disruption. + type: integer + bpfMapSizeRoute: + description: |- + BPFMapSizeRoute sets the size for the routes map. The routes map should be large enough + to hold one entry per workload and a handful of entries per host (enough to cover its own IPs and + tunnel IPs). + type: integer + bpfPSNATPorts: + anyOf: + - type: integer + - type: string + description: |- + BPFPSNATPorts sets the range from which we randomly pick a port if there is a source port + collision. This should be within the ephemeral range as defined by RFC 6056 (1024–65535) and + preferably outside the ephemeral ranges used by common operating systems. Linux uses + 32768–60999, while others mostly use the IANA defined range 49152–65535. It is not necessarily + a problem if this range overlaps with the operating systems. Both ends of the range are + inclusive. [Default: 20000:29999] + pattern: ^.* + x-kubernetes-int-or-string: true + bpfPolicyDebugEnabled: + description: |- + BPFPolicyDebugEnabled when true, Felix records detailed information + about the BPF policy programs, which can be examined with the calico-bpf command-line tool. + type: boolean + bpfProfiling: + description: |- + BPFProfiling controls profiling of BPF programs. At the monent, it can be + Disabled or Enabled. [Default: Disabled] + enum: + - Enabled + - Disabled + type: string + bpfRedirectToPeer: + description: |- + BPFRedirectToPeer controls whether traffic may be forwarded directly to the peer side of a workload’s device. + Note that the legacy "L2Only" option is now deprecated and if set it is treated like "Enabled. + Setting this option to "Enabled" allows direct redirection (including from L3 host devices such as IPIP tunnels or WireGuard), + which can improve redirection performance but causes the redirected packets to bypass the host‑side ingress path. + As a result, packet‑capture tools on the host side of the workload device (for example, tcpdump) will not see that traffic. [Default: Enabled] + enum: + - Enabled + - Disabled + type: string + cgroupV2Path: + description: + CgroupV2Path overrides the default location where to + find the cgroup hierarchy. + type: string + chainInsertMode: + description: |- + ChainInsertMode controls whether Felix hooks the kernel's top-level iptables chains by inserting a rule + at the top of the chain or by appending a rule at the bottom. insert is the safe default since it prevents + Calico's rules from being bypassed. If you switch to append mode, be sure that the other rules in the chains + signal acceptance by falling through to the Calico rules, otherwise the Calico policy will be bypassed. + [Default: insert] + pattern: ^(?i)(Insert|Append)?$ + type: string + dataplaneDriver: + description: |- + DataplaneDriver filename of the external dataplane driver to use. Only used if UseInternalDataplaneDriver + is set to false. + type: string + dataplaneWatchdogTimeout: + description: |- + DataplaneWatchdogTimeout is the readiness/liveness timeout used for Felix's (internal) dataplane driver. + Deprecated: replaced by the generic HealthTimeoutOverrides. + type: string + debugDisableLogDropping: + description: |- + DebugDisableLogDropping disables the dropping of log messages when the log buffer is full. This can + significantly impact performance if log write-out is a bottleneck. [Default: false] + type: boolean + debugHost: + description: |- + DebugHost is the host IP or hostname to bind the debug port to. Only used + if DebugPort is set. [Default:localhost] + type: string + debugMemoryProfilePath: + description: + DebugMemoryProfilePath is the path to write the memory + profile to when triggered by signal. + type: string + debugPort: + description: |- + DebugPort if set, enables Felix's debug HTTP port, which allows memory and CPU profiles + to be retrieved. The debug port is not secure, it should not be exposed to the internet. + type: integer + debugSimulateCalcGraphHangAfter: + description: |- + DebugSimulateCalcGraphHangAfter is used to simulate a hang in the calculation graph after the specified duration. + This is useful in tests of the watchdog system only! + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + debugSimulateDataplaneApplyDelay: + description: |- + DebugSimulateDataplaneApplyDelay adds an artificial delay to every dataplane operation. This is useful for + simulating a heavily loaded system for test purposes only. + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + debugSimulateDataplaneHangAfter: + description: |- + DebugSimulateDataplaneHangAfter is used to simulate a hang in the dataplane after the specified duration. + This is useful in tests of the watchdog system only! + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + defaultEndpointToHostAction: + description: |- + DefaultEndpointToHostAction controls what happens to traffic that goes from a workload endpoint to the host + itself (after the endpoint's egress policy is applied). By default, Calico blocks traffic from workload + endpoints to the host itself with an iptables "DROP" action. If you want to allow some or all traffic from + endpoint to host, set this parameter to RETURN or ACCEPT. Use RETURN if you have your own rules in the iptables + "INPUT" chain; Calico will insert its rules at the top of that chain, then "RETURN" packets to the "INPUT" chain + once it has completed processing workload endpoint egress policy. Use ACCEPT to unconditionally accept packets + from workloads after processing workload endpoint egress policy. [Default: Drop] + pattern: ^(?i)(Drop|Accept|Return)?$ + type: string + deviceRouteProtocol: + description: |- + DeviceRouteProtocol controls the protocol to set on routes programmed by Felix. The protocol is an 8-bit label + used to identify the owner of the route. + type: integer + deviceRouteSourceAddress: + description: |- + DeviceRouteSourceAddress IPv4 address to set as the source hint for routes programmed by Felix. When not set + the source address for local traffic from host to workload will be determined by the kernel. + type: string + deviceRouteSourceAddressIPv6: + description: |- + DeviceRouteSourceAddressIPv6 IPv6 address to set as the source hint for routes programmed by Felix. When not set + the source address for local traffic from host to workload will be determined by the kernel. + type: string + disableConntrackInvalidCheck: + description: |- + DisableConntrackInvalidCheck disables the check for invalid connections in conntrack. While the conntrack + invalid check helps to detect malicious traffic, it can also cause issues with certain multi-NIC scenarios. + type: boolean + endpointReportingDelay: + description: |- + EndpointReportingDelay is the delay before Felix reports endpoint status to the datastore. This is only used + by the OpenStack integration. [Default: 1s] + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + endpointReportingEnabled: + description: |- + EndpointReportingEnabled controls whether Felix reports endpoint status to the datastore. This is only used + by the OpenStack integration. [Default: false] + type: boolean + endpointStatusPathPrefix: + description: |- + EndpointStatusPathPrefix is the path to the directory where endpoint status will be written. Endpoint status + file reporting is disabled if field is left empty. + + Chosen directory should match the directory used by the CNI plugin for PodStartupDelay. + [Default: /var/run/calico] + type: string + externalNodesList: + description: |- + ExternalNodesCIDRList is a list of CIDR's of external, non-Calico nodes from which VXLAN/IPIP overlay traffic + will be allowed. By default, external tunneled traffic is blocked to reduce attack surface. + items: + type: string + type: array + failsafeInboundHostPorts: + description: |- + FailsafeInboundHostPorts is a list of ProtoPort struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will + allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally + cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, + it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, + use the value "[]". The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. + [Default: tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667 ] + items: + description: + ProtoPort is combination of protocol, port, and CIDR. + Protocol and port must be specified. + properties: + net: + type: string + port: + type: integer + protocol: + type: string + required: + - port + type: object + type: array + failsafeOutboundHostPorts: + description: |- + FailsafeOutboundHostPorts is a list of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix + will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally + cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults + to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, + use the value "[]". The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd + as well as allowing DHCP, DNS, BGP and the Kubernetes API. + [Default: udp:53, udp:67, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667 ] + items: + description: + ProtoPort is combination of protocol, port, and CIDR. + Protocol and port must be specified. + properties: + net: + type: string + port: + type: integer + protocol: + type: string + required: + - port + type: object + type: array + featureDetectOverride: + description: |- + FeatureDetectOverride is used to override feature detection based on auto-detected platform + capabilities. Values are specified in a comma separated list with no spaces, example; + "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". A value of "true" or "false" will + force enable/disable feature, empty or omitted values fall back to auto-detection. + pattern: ^([a-zA-Z0-9-_]+=(true|false|),)*([a-zA-Z0-9-_]+=(true|false|))?$ + type: string + featureGates: + description: |- + FeatureGates is used to enable or disable tech-preview Calico features. + Values are specified in a comma separated list with no spaces, example; + "BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false". This is + used to enable features that are not fully production ready. + pattern: ^([a-zA-Z0-9-_]+=([^=]+),)*([a-zA-Z0-9-_]+=([^=]+))?$ + type: string + floatingIPs: + description: |- + FloatingIPs configures whether or not Felix will program non-OpenStack floating IP addresses. (OpenStack-derived + floating IPs are always programmed, regardless of this setting.) + enum: + - Enabled + - Disabled + type: string + flowLogsCollectorDebugTrace: + description: |- + When FlowLogsCollectorDebugTrace is set to true, enables the logs in the collector to be + printed in their entirety. + type: boolean + flowLogsFlushInterval: + description: + FlowLogsFlushInterval configures the interval at which + Felix exports flow logs. + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + flowLogsGoldmaneServer: + description: + FlowLogGoldmaneServer is the flow server endpoint to + which flow data should be published. + type: string + flowLogsLocalReporter: + description: + "FlowLogsLocalReporter configures local unix socket for + reporting flow data from each node. [Default: Disabled]" + enum: + - Disabled + - Enabled + type: string + flowLogsPolicyEvaluationMode: + description: |- + Continuous - Felix evaluates active flows on a regular basis to determine the rule + traces in the flow logs. Any policy updates that impact a flow will be reflected in the + pending_policies field, offering a near-real-time view of policy changes across flows. + None - Felix stops evaluating pending traces. + [Default: Continuous] + enum: + - None + - Continuous + type: string + genericXDPEnabled: + description: |- + GenericXDPEnabled enables Generic XDP so network cards that don't support XDP offload or driver + modes can use XDP. This is not recommended since it doesn't provide better performance than + iptables. [Default: false] + type: boolean + goGCThreshold: + description: |- + GoGCThreshold Sets the Go runtime's garbage collection threshold. I.e. the percentage that the heap is + allowed to grow before garbage collection is triggered. In general, doubling the value halves the CPU time + spent doing GC, but it also doubles peak GC memory overhead. A special value of -1 can be used + to disable GC entirely; this should only be used in conjunction with the GoMemoryLimitMB setting. - [Default: 40] - type: integer - goMaxProcs: - description: |- - GoMaxProcs sets the maximum number of CPUs that the Go runtime will use concurrently. A value of -1 means - "use the system default"; typically the number of real CPUs on the system. + This setting is overridden by the GOGC environment variable. - this setting is overridden by the GOMAXPROCS environment variable. + [Default: 40] + type: integer + goMaxProcs: + description: |- + GoMaxProcs sets the maximum number of CPUs that the Go runtime will use concurrently. A value of -1 means + "use the system default"; typically the number of real CPUs on the system. - [Default: -1] - type: integer - goMemoryLimitMB: - description: |- - GoMemoryLimitMB sets a (soft) memory limit for the Go runtime in MB. The Go runtime will try to keep its memory - usage under the limit by triggering GC as needed. To avoid thrashing, it will exceed the limit if GC starts to - take more than 50% of the process's CPU time. A value of -1 disables the memory limit. + this setting is overridden by the GOMAXPROCS environment variable. - Note that the memory limit, if used, must be considerably less than any hard resource limit set at the container - or pod level. This is because felix is not the only process that must run in the container or pod. + [Default: -1] + type: integer + goMemoryLimitMB: + description: |- + GoMemoryLimitMB sets a (soft) memory limit for the Go runtime in MB. The Go runtime will try to keep its memory + usage under the limit by triggering GC as needed. To avoid thrashing, it will exceed the limit if GC starts to + take more than 50% of the process's CPU time. A value of -1 disables the memory limit. - This setting is overridden by the GOMEMLIMIT environment variable. + Note that the memory limit, if used, must be considerably less than any hard resource limit set at the container + or pod level. This is because felix is not the only process that must run in the container or pod. - [Default: -1] - type: integer - healthEnabled: - description: |- - HealthEnabled if set to true, enables Felix's health port, which provides readiness and liveness endpoints. - [Default: false] - type: boolean - healthHost: - description: 'HealthHost is the host that the health server should - bind to. [Default: localhost]' - type: string - healthPort: - description: 'HealthPort is the TCP port that the health server should - bind to. [Default: 9099]' - type: integer - healthTimeoutOverrides: - description: |- - HealthTimeoutOverrides allows the internal watchdog timeouts of individual subcomponents to be - overridden. This is useful for working around "false positive" liveness timeouts that can occur - in particularly stressful workloads or if CPU is constrained. For a list of active - subcomponents, see Felix's logs. - items: - properties: - name: - type: string - timeout: - type: string - required: - - name - - timeout - type: object - type: array - interfaceExclude: - description: |- - InterfaceExclude A comma-separated list of interface names that should be excluded when Felix is resolving - host endpoints. The default value ensures that Felix ignores Kubernetes' internal `kube-ipvs0` device. If you - want to exclude multiple interface names using a single value, the list supports regular expressions. For - regular expressions you must wrap the value with `/`. For example having values `/^kube/,veth1` will exclude - all interfaces that begin with `kube` and also the interface `veth1`. [Default: kube-ipvs0] - type: string - interfacePrefix: - description: |- - InterfacePrefix is the interface name prefix that identifies workload endpoints and so distinguishes - them from host endpoint interfaces. Note: in environments other than bare metal, the orchestrators - configure this appropriately. For example our Kubernetes and Docker integrations set the 'cali' value, - and our OpenStack integration sets the 'tap' value. [Default: cali] - type: string - interfaceRefreshInterval: - description: |- - InterfaceRefreshInterval is the period at which Felix rescans local interfaces to verify their state. - The rescan can be disabled by setting the interval to 0. - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - ipForwarding: - description: |- - IPForwarding controls whether Felix sets the host sysctls to enable IP forwarding. IP forwarding is required - when using Calico for workload networking. This should be disabled only on hosts where Calico is used solely for - host protection. In BPF mode, due to a kernel interaction, either IPForwarding must be enabled or BPFEnforceRPF - must be disabled. [Default: Enabled] - enum: - - Enabled - - Disabled - type: string - ipipEnabled: - description: |- - IPIPEnabled overrides whether Felix should configure an IPIP interface on the host. Optional as Felix - determines this based on the existing IP pools. [Default: nil (unset)] - type: boolean - ipipMTU: - description: |- - IPIPMTU controls the MTU to set on the IPIP tunnel device. Optional as Felix auto-detects the MTU based on the - MTU of the host's interfaces. [Default: 0 (auto-detect)] - type: integer - ipsetsRefreshInterval: - description: |- - IpsetsRefreshInterval controls the period at which Felix re-checks all IP sets to look for discrepancies. - Set to 0 to disable the periodic refresh. [Default: 90s] - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - iptablesBackend: - description: |- - IptablesBackend controls which backend of iptables will be used. The default is `Auto`. + This setting is overridden by the GOMEMLIMIT environment variable. - Warning: changing this on a running system can leave "orphaned" rules in the "other" backend. These - should be cleaned up to avoid confusing interactions. - pattern: ^(?i)(Auto|Legacy|NFT)?$ - type: string - iptablesFilterAllowAction: - description: |- - IptablesFilterAllowAction controls what happens to traffic that is accepted by a Felix policy chain in the - iptables filter table (which is used for "normal" policy). The default will immediately `Accept` the traffic. Use - `Return` to send the traffic back up to the system chains for further processing. - pattern: ^(?i)(Accept|Return)?$ - type: string - iptablesFilterDenyAction: - description: |- - IptablesFilterDenyAction controls what happens to traffic that is denied by network policy. By default Calico blocks traffic - with an iptables "DROP" action. If you want to use "REJECT" action instead you can configure it in here. - pattern: ^(?i)(Drop|Reject)?$ - type: string - iptablesLockFilePath: - description: |- - IptablesLockFilePath is the location of the iptables lock file. You may need to change this - if the lock file is not in its standard location (for example if you have mapped it into Felix's - container at a different path). [Default: /run/xtables.lock] - type: string - iptablesLockProbeInterval: - description: |- - IptablesLockProbeInterval when IptablesLockTimeout is enabled: the time that Felix will wait between - attempts to acquire the iptables lock if it is not available. Lower values make Felix more - responsive when the lock is contended, but use more CPU. [Default: 50ms] - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - iptablesLockTimeout: - description: |- - IptablesLockTimeout is the time that Felix itself will wait for the iptables lock (rather than delegating the - lock handling to the `iptables` command). + [Default: -1] + type: integer + healthEnabled: + description: |- + HealthEnabled if set to true, enables Felix's health port, which provides readiness and liveness endpoints. + [Default: false] + type: boolean + healthHost: + description: + "HealthHost is the host that the health server should + bind to. [Default: localhost]" + type: string + healthPort: + description: + "HealthPort is the TCP port that the health server should + bind to. [Default: 9099]" + type: integer + healthTimeoutOverrides: + description: |- + HealthTimeoutOverrides allows the internal watchdog timeouts of individual subcomponents to be + overridden. This is useful for working around "false positive" liveness timeouts that can occur + in particularly stressful workloads or if CPU is constrained. For a list of active + subcomponents, see Felix's logs. + items: + properties: + name: + type: string + timeout: + type: string + required: + - name + - timeout + type: object + type: array + x-kubernetes-list-type: atomic + interfaceExclude: + description: |- + InterfaceExclude A comma-separated list of interface names that should be excluded when Felix is resolving + host endpoints. The default value ensures that Felix ignores Kubernetes' internal `kube-ipvs0` device. If you + want to exclude multiple interface names using a single value, the list supports regular expressions. For + regular expressions you must wrap the value with `/`. For example having values `/^kube/,veth1` will exclude + all interfaces that begin with `kube` and also the interface `veth1`. [Default: kube-ipvs0] + type: string + interfacePrefix: + description: |- + InterfacePrefix is the interface name prefix that identifies workload endpoints and so distinguishes + them from host endpoint interfaces. Note: in environments other than bare metal, the orchestrators + configure this appropriately. For example our Kubernetes and Docker integrations set the 'cali' value, + and our OpenStack integration sets the 'tap' value. [Default: cali] + type: string + interfaceRefreshInterval: + description: |- + InterfaceRefreshInterval is the period at which Felix rescans local interfaces to verify their state. + The rescan can be disabled by setting the interval to 0. + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + ipForwarding: + description: |- + IPForwarding controls whether Felix sets the host sysctls to enable IP forwarding. IP forwarding is required + when using Calico for workload networking. This should be disabled only on hosts where Calico is used solely for + host protection. In BPF mode, due to a kernel interaction, either IPForwarding must be enabled or BPFEnforceRPF + must be disabled. [Default: Enabled] + enum: + - Enabled + - Disabled + type: string + ipipEnabled: + description: |- + IPIPEnabled overrides whether Felix should configure an IPIP interface on the host. Optional as Felix + determines this based on the existing IP pools. [Default: nil (unset)] + type: boolean + ipipMTU: + description: |- + IPIPMTU controls the MTU to set on the IPIP tunnel device. Optional as Felix auto-detects the MTU based on the + MTU of the host's interfaces. [Default: 0 (auto-detect)] + type: integer + ipsetsRefreshInterval: + description: |- + IpsetsRefreshInterval controls the period at which Felix re-checks all IP sets to look for discrepancies. + Set to 0 to disable the periodic refresh. [Default: 90s] + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + iptablesBackend: + description: |- + IptablesBackend controls which backend of iptables will be used. The default is `Auto`. - Deprecated: `iptables-restore` v1.8+ always takes the lock, so enabling this feature results in deadlock. - [Default: 0s disabled] - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - iptablesMangleAllowAction: - description: |- - IptablesMangleAllowAction controls what happens to traffic that is accepted by a Felix policy chain in the - iptables mangle table (which is used for "pre-DNAT" policy). The default will immediately `Accept` the traffic. - Use `Return` to send the traffic back up to the system chains for further processing. - pattern: ^(?i)(Accept|Return)?$ - type: string - iptablesMarkMask: - description: |- - IptablesMarkMask is the mask that Felix selects its IPTables Mark bits from. Should be a 32 bit hexadecimal - number with at least 8 bits set, none of which clash with any other mark bits in use on the system. - [Default: 0xffff0000] - format: int32 - type: integer - iptablesNATOutgoingInterfaceFilter: - description: |- - This parameter can be used to limit the host interfaces on which Calico will apply SNAT to traffic leaving a - Calico IPAM pool with "NAT outgoing" enabled. This can be useful if you have a main data interface, where - traffic should be SNATted and a secondary device (such as the docker bridge) which is local to the host and - doesn't require SNAT. This parameter uses the iptables interface matching syntax, which allows + as a - wildcard. Most users will not need to set this. Example: if your data interfaces are eth0 and eth1 and you - want to exclude the docker bridge, you could set this to eth+ - type: string - iptablesPostWriteCheckInterval: - description: |- - IptablesPostWriteCheckInterval is the period after Felix has done a write - to the dataplane that it schedules an extra read back in order to check the write was not - clobbered by another process. This should only occur if another application on the system - doesn't respect the iptables lock. [Default: 1s] - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - iptablesRefreshInterval: - description: |- - IptablesRefreshInterval is the period at which Felix re-checks the IP sets - in the dataplane to ensure that no other process has accidentally broken Calico's rules. - Set to 0 to disable IP sets refresh. Note: the default for this value is lower than the - other refresh intervals as a workaround for a Linux kernel bug that was fixed in kernel - version 4.11. If you are using v4.11 or greater you may want to set this to, a higher value - to reduce Felix CPU usage. [Default: 10s] - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - ipv6Support: - description: IPv6Support controls whether Felix enables support for - IPv6 (if supported by the in-use dataplane). - type: boolean - kubeNodePortRanges: - description: |- - KubeNodePortRanges holds list of port ranges used for service node ports. Only used if felix detects kube-proxy running in ipvs mode. - Felix uses these ranges to separate host and workload traffic. [Default: 30000:32767]. - items: + Warning: changing this on a running system can leave "orphaned" rules in the "other" backend. These + should be cleaned up to avoid confusing interactions. + enum: + - Legacy + - NFT + - Auto + pattern: ^(?i)(Auto|Legacy|NFT)?$ + type: string + iptablesFilterAllowAction: + description: |- + IptablesFilterAllowAction controls what happens to traffic that is accepted by a Felix policy chain in the + iptables filter table (which is used for "normal" policy). The default will immediately `Accept` the traffic. Use + `Return` to send the traffic back up to the system chains for further processing. + pattern: ^(?i)(Accept|Return)?$ + type: string + iptablesFilterDenyAction: + description: |- + IptablesFilterDenyAction controls what happens to traffic that is denied by network policy. By default Calico blocks traffic + with an iptables "DROP" action. If you want to use "REJECT" action instead you can configure it in here. + pattern: ^(?i)(Drop|Reject)?$ + type: string + iptablesLockProbeInterval: + description: |- + IptablesLockProbeInterval configures the interval between attempts to claim + the xtables lock. Shorter intervals are more responsive but use more CPU. [Default: 50ms] + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + iptablesMangleAllowAction: + description: |- + IptablesMangleAllowAction controls what happens to traffic that is accepted by a Felix policy chain in the + iptables mangle table (which is used for "pre-DNAT" policy). The default will immediately `Accept` the traffic. + Use `Return` to send the traffic back up to the system chains for further processing. + pattern: ^(?i)(Accept|Return)?$ + type: string + iptablesMarkMask: + description: |- + IptablesMarkMask is the mask that Felix selects its IPTables Mark bits from. Should be a 32 bit hexadecimal + number with at least 8 bits set, none of which clash with any other mark bits in use on the system. + [Default: 0xffff0000] + format: int32 + type: integer + iptablesNATOutgoingInterfaceFilter: + description: |- + This parameter can be used to limit the host interfaces on which Calico will apply SNAT to traffic leaving a + Calico IPAM pool with "NAT outgoing" enabled. This can be useful if you have a main data interface, where + traffic should be SNATted and a secondary device (such as the docker bridge) which is local to the host and + doesn't require SNAT. This parameter uses the iptables interface matching syntax, which allows + as a + wildcard. Most users will not need to set this. Example: if your data interfaces are eth0 and eth1 and you + want to exclude the docker bridge, you could set this to eth+ + type: string + iptablesPostWriteCheckInterval: + description: |- + IptablesPostWriteCheckInterval is the period after Felix has done a write + to the dataplane that it schedules an extra read back in order to check the write was not + clobbered by another process. This should only occur if another application on the system + doesn't respect the iptables lock. [Default: 1s] + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + iptablesRefreshInterval: + description: |- + IptablesRefreshInterval is the period at which Felix re-checks the IP sets + in the dataplane to ensure that no other process has accidentally broken Calico's rules. + Set to 0 to disable IP sets refresh. Note: the default for this value is lower than the + other refresh intervals as a workaround for a Linux kernel bug that was fixed in kernel + version 4.11. If you are using v4.11 or greater you may want to set this to, a higher value + to reduce Felix CPU usage. [Default: 10s] + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + ipv4ElevatedRoutePriority: + description: |- + Route Priority value for an elevated priority Calico-programmed IPv4 route. Note, higher + values mean lower priority. Elevated priority is used during VM live migration, and for + optimal behaviour IPv4ElevatedRoutePriority must be less than IPv4NormalRoutePriority + [Default: 512] + type: integer + ipv4NormalRoutePriority: + description: |- + Route Priority value for a normal priority Calico-programmed IPv4 route. Note, higher + values mean lower priority. [Default: 1024] + type: integer + ipv6ElevatedRoutePriority: + description: |- + Route Priority value for an elevated priority Calico-programmed IPv6 route. Note, higher + values mean lower priority. Elevated priority is used during VM live migration, and for + optimal behaviour IPv6ElevatedRoutePriority must be less than IPv6NormalRoutePriority + [Default: 512] + type: integer + ipv6NormalRoutePriority: + description: |- + Route Priority value for a normal priority Calico-programmed IPv6 route. Note, higher + values mean lower priority. [Default: 1024] + type: integer + ipv6Support: + description: + IPv6Support controls whether Felix enables support for + IPv6 (if supported by the in-use dataplane). + type: boolean + istioAmbientMode: + description: |- + IstioAmbientMode configures Felix to work together with Tigera's Istio distribution. + [Default: Disabled] + enum: + - Enabled + - Disabled + type: string + istioDSCPMark: + description: |- + IstioDSCPMark sets the value to use when directing traffic to Istio ZTunnel, when Istio is enabled. The mark is set only on + SYN packets at the final hop to avoid interference with other protocols. This value is reserved by Calico and must not be used + with other Istio installation. [Default: 23] + pattern: ^.* + type: integer + x-kubernetes-int-or-string: true + kubeNodePortRanges: + description: |- + KubeNodePortRanges holds list of port ranges used for service node ports. Only used if felix detects kube-proxy running in ipvs mode. + Felix uses these ranges to separate host and workload traffic. [Default: 30000:32767]. + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + liveMigrationRouteConvergenceTime: + description: |- + LiveMigrationRouteConvergenceTime is the time to keep elevated route priority after a + VM live migration completes. This allows routes to converge across the cluster before + reverting to normal priority. [Default: 30s] + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))*$ + type: string + logActionRateLimit: + description: |- + LogActionRateLimit sets the rate of hitting a Log action. The value must be in the format "N/unit", + where N is a number and unit is one of: second, minute, hour, or day. For example: "10/second" or "100/hour". + pattern: ^[1-9]\d{0,3}/(?:second|minute|hour|day)$ + type: string + logActionRateLimitBurst: + description: + LogActionRateLimitBurst sets the rate limit burst of + hitting a Log action when LogActionRateLimit is enabled. + maximum: 9999 + minimum: 0 + type: integer + logDebugFilenameRegex: + description: |- + LogDebugFilenameRegex controls which source code files have their Debug log output included in the logs. + Only logs from files with names that match the given regular expression are included. The filter only applies + to Debug level logs. + type: string + logFilePath: + description: + "LogFilePath is the full path to the Felix log. Set to + none to disable file logging. [Default: /var/log/calico/felix.log]" + type: string + logPrefix: + description: |- + LogPrefix is the log prefix that Felix uses when rendering LOG rules. It is possible to use the following specifiers + to include extra information in the log prefix. + - %t: Tier name. + - %k: Kind (short names). + - %n: Policy or profile name. + - %p: Policy or profile name (namespace/name for namespaced kinds or just name for non namespaced kinds). + Calico includes ": " characters at the end of the generated log prefix. + Note that iptables shows up to 29 characters for the log prefix and nftables up to 127 characters. Extra characters are truncated. + [Default: calico-packet] + pattern: "^([a-zA-Z0-9%: /_-])*$" + type: string + logSeverityFile: + description: + "LogSeverityFile is the log severity above which logs + are sent to the log file. [Default: Info]" + pattern: ^(?i)(Trace|Debug|Info|Warning|Error|Fatal)?$ + type: string + logSeverityScreen: + description: + "LogSeverityScreen is the log severity above which logs + are sent to the stdout. [Default: Info]" + pattern: ^(?i)(Trace|Debug|Info|Warning|Error|Fatal)?$ + type: string + logSeveritySys: + description: |- + LogSeveritySys is the log severity above which logs are sent to the syslog. Set to None for no logging to syslog. + [Default: Info] + pattern: ^(?i)(Trace|Debug|Info|Warning|Error|Fatal)?$ + type: string + maxIpsetSize: + description: |- + MaxIpsetSize is the maximum number of IP addresses that can be stored in an IP set. Not applicable + if using the nftables backend. + type: integer + metadataAddr: + description: |- + MetadataAddr is the IP address or domain name of the server that can answer VM queries for + cloud-init metadata. In OpenStack, this corresponds to the machine running nova-api (or in + Ubuntu, nova-api-metadata). A value of none (case-insensitive) means that Felix should not + set up any NAT rule for the metadata path. [Default: 127.0.0.1] + type: string + metadataPort: + description: |- + MetadataPort is the port of the metadata server. This, combined with global.MetadataAddr (if + not 'None'), is used to set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort. + In most cases this should not need to be changed [Default: 8775]. + type: integer + mtuIfacePattern: + description: |- + MTUIfacePattern is a regular expression that controls which interfaces Felix should scan in order + to calculate the host's MTU. + This should not match workload interfaces (usually named cali...). + type: string + natOutgoingAddress: + description: |- + NATOutgoingAddress specifies an address to use when performing source NAT for traffic in a natOutgoing pool that + is leaving the network. By default the address used is an address on the interface the traffic is leaving on + (i.e. it uses the iptables MASQUERADE target). + type: string + natOutgoingExclusions: + description: |- + When a IP pool setting `natOutgoing` is true, packets sent from Calico networked containers in this IP pool to destinations will be masqueraded. + Configure which type of destinations is excluded from being masqueraded. + - IPPoolsOnly: destinations outside of this IP pool will be masqueraded. + - IPPoolsAndHostIPs: destinations outside of this IP pool and all hosts will be masqueraded. + [Default: IPPoolsOnly] + enum: + - IPPoolsOnly + - IPPoolsAndHostIPs + type: string + natPortRange: anyOf: - - type: integer - - type: string + - type: integer + - type: string + description: |- + NATPortRange specifies the range of ports that is used for port mapping when doing outgoing NAT. When unset the default behavior of the + network stack is used. pattern: ^.* x-kubernetes-int-or-string: true - type: array - logDebugFilenameRegex: - description: |- - LogDebugFilenameRegex controls which source code files have their Debug log output included in the logs. - Only logs from files with names that match the given regular expression are included. The filter only applies - to Debug level logs. - type: string - logFilePath: - description: 'LogFilePath is the full path to the Felix log. Set to - none to disable file logging. [Default: /var/log/calico/felix.log]' - type: string - logPrefix: - description: 'LogPrefix is the log prefix that Felix uses when rendering - LOG rules. [Default: calico-packet]' - type: string - logSeverityFile: - description: 'LogSeverityFile is the log severity above which logs - are sent to the log file. [Default: Info]' - pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$ - type: string - logSeverityScreen: - description: 'LogSeverityScreen is the log severity above which logs - are sent to the stdout. [Default: Info]' - pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$ - type: string - logSeveritySys: - description: |- - LogSeveritySys is the log severity above which logs are sent to the syslog. Set to None for no logging to syslog. - [Default: Info] - pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$ - type: string - maxIpsetSize: - description: |- - MaxIpsetSize is the maximum number of IP addresses that can be stored in an IP set. Not applicable - if using the nftables backend. - type: integer - metadataAddr: - description: |- - MetadataAddr is the IP address or domain name of the server that can answer VM queries for - cloud-init metadata. In OpenStack, this corresponds to the machine running nova-api (or in - Ubuntu, nova-api-metadata). A value of none (case-insensitive) means that Felix should not - set up any NAT rule for the metadata path. [Default: 127.0.0.1] - type: string - metadataPort: - description: |- - MetadataPort is the port of the metadata server. This, combined with global.MetadataAddr (if - not 'None'), is used to set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort. - In most cases this should not need to be changed [Default: 8775]. - type: integer - mtuIfacePattern: - description: |- - MTUIfacePattern is a regular expression that controls which interfaces Felix should scan in order - to calculate the host's MTU. - This should not match workload interfaces (usually named cali...). - type: string - natOutgoingAddress: - description: |- - NATOutgoingAddress specifies an address to use when performing source NAT for traffic in a natOutgoing pool that - is leaving the network. By default the address used is an address on the interface the traffic is leaving on - (i.e. it uses the iptables MASQUERADE target). - type: string - natPortRange: - anyOf: - - type: integer - - type: string - description: |- - NATPortRange specifies the range of ports that is used for port mapping when doing outgoing NAT. When unset the default behavior of the - network stack is used. - pattern: ^.* - x-kubernetes-int-or-string: true - netlinkTimeout: - description: |- - NetlinkTimeout is the timeout when talking to the kernel over the netlink protocol, used for programming - routes, rules, and other kernel objects. [Default: 10s] - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - nfNetlinkBufSize: - description: |- - NfNetlinkBufSize controls the size of NFLOG messages that the kernel will try to send to Felix. NFLOG messages - are used to report flow verdicts from the kernel. Warning: currently increasing the value may cause errors - due to a bug in the netlink library. - type: string - nftablesFilterAllowAction: - description: |- - NftablesFilterAllowAction controls the nftables action that Felix uses to represent the "allow" policy verdict - in the filter table. The default is to `ACCEPT` the traffic, which is a terminal action. Alternatively, - `RETURN` can be used to return the traffic back to the top-level chain for further processing by your rules. - pattern: ^(?i)(Accept|Return)?$ - type: string - nftablesFilterDenyAction: - description: |- - NftablesFilterDenyAction controls what happens to traffic that is denied by network policy. By default, Calico - blocks traffic with a "drop" action. If you want to use a "reject" action instead you can configure it here. - pattern: ^(?i)(Drop|Reject)?$ - type: string - nftablesMangleAllowAction: - description: |- - NftablesMangleAllowAction controls the nftables action that Felix uses to represent the "allow" policy verdict - in the mangle table. The default is to `ACCEPT` the traffic, which is a terminal action. Alternatively, - `RETURN` can be used to return the traffic back to the top-level chain for further processing by your rules. - pattern: ^(?i)(Accept|Return)?$ - type: string - nftablesMarkMask: - description: |- - NftablesMarkMask is the mask that Felix selects its nftables Mark bits from. Should be a 32 bit hexadecimal - number with at least 8 bits set, none of which clash with any other mark bits in use on the system. - [Default: 0xffff0000] - format: int32 - type: integer - nftablesMode: - description: 'NFTablesMode configures nftables support in Felix. [Default: - Disabled]' - enum: - - Disabled - - Enabled - - Auto - type: string - nftablesRefreshInterval: - description: 'NftablesRefreshInterval controls the interval at which - Felix periodically refreshes the nftables rules. [Default: 90s]' - type: string - openstackRegion: - description: |- - OpenstackRegion is the name of the region that a particular Felix belongs to. In a multi-region - Calico/OpenStack deployment, this must be configured somehow for each Felix (here in the datamodel, - or in felix.cfg or the environment on each compute node), and must match the [calico] - openstack_region value configured in neutron.conf on each node. [Default: Empty] - type: string - policySyncPathPrefix: - description: |- - PolicySyncPathPrefix is used to by Felix to communicate policy changes to external services, - like Application layer policy. [Default: Empty] - type: string - prometheusGoMetricsEnabled: - description: |- - PrometheusGoMetricsEnabled disables Go runtime metrics collection, which the Prometheus client does by default, when - set to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true] - type: boolean - prometheusMetricsEnabled: - description: 'PrometheusMetricsEnabled enables the Prometheus metrics - server in Felix if set to true. [Default: false]' - type: boolean - prometheusMetricsHost: - description: 'PrometheusMetricsHost is the host that the Prometheus - metrics server should bind to. [Default: empty]' - type: string - prometheusMetricsPort: - description: 'PrometheusMetricsPort is the TCP port that the Prometheus - metrics server should bind to. [Default: 9091]' - type: integer - prometheusProcessMetricsEnabled: - description: |- - PrometheusProcessMetricsEnabled disables process metrics collection, which the Prometheus client does by default, when - set to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true] - type: boolean - prometheusWireGuardMetricsEnabled: - description: |- - PrometheusWireGuardMetricsEnabled disables wireguard metrics collection, which the Prometheus client does by default, when - set to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true] - type: boolean - removeExternalRoutes: - description: |- - RemoveExternalRoutes Controls whether Felix will remove unexpected routes to workload interfaces. Felix will - always clean up expected routes that use the configured DeviceRouteProtocol. To add your own routes, you must - use a distinct protocol (in addition to setting this field to false). - type: boolean - reportingInterval: - description: |- - ReportingInterval is the interval at which Felix reports its status into the datastore or 0 to disable. - Must be non-zero in OpenStack deployments. [Default: 30s] - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - reportingTTL: - description: 'ReportingTTL is the time-to-live setting for process-wide - status reports. [Default: 90s]' - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - routeRefreshInterval: - description: |- - RouteRefreshInterval is the period at which Felix re-checks the routes - in the dataplane to ensure that no other process has accidentally broken Calico's rules. - Set to 0 to disable route refresh. [Default: 90s] - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - routeSource: - description: |- - RouteSource configures where Felix gets its routing information. - - WorkloadIPs: use workload endpoints to construct routes. - - CalicoIPAM: the default - use IPAM data to construct routes. - pattern: ^(?i)(WorkloadIPs|CalicoIPAM)?$ - type: string - routeSyncDisabled: - description: |- - RouteSyncDisabled will disable all operations performed on the route table. Set to true to - run in network-policy mode only. - type: boolean - routeTableRange: - description: |- - Deprecated in favor of RouteTableRanges. - Calico programs additional Linux route tables for various purposes. - RouteTableRange specifies the indices of the route tables that Calico should use. - properties: - max: - type: integer - min: - type: integer - required: - - max - - min - type: object - routeTableRanges: - description: |- - Calico programs additional Linux route tables for various purposes. - RouteTableRanges specifies a set of table index ranges that Calico should use. - Deprecates`RouteTableRange`, overrides `RouteTableRange`. - items: + netlinkTimeout: + description: |- + NetlinkTimeout is the timeout when talking to the kernel over the netlink protocol, used for programming + routes, rules, and other kernel objects. [Default: 10s] + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + nftablesFilterAllowAction: + description: |- + NftablesFilterAllowAction controls the nftables action that Felix uses to represent the "allow" policy verdict + in the filter table. The default is to `ACCEPT` the traffic, which is a terminal action. Alternatively, + `RETURN` can be used to return the traffic back to the top-level chain for further processing by your rules. + pattern: ^(?i)(Accept|Return)?$ + type: string + nftablesFilterDenyAction: + description: |- + NftablesFilterDenyAction controls what happens to traffic that is denied by network policy. By default, Calico + blocks traffic with a "drop" action. If you want to use a "reject" action instead you can configure it here. + pattern: ^(?i)(Drop|Reject)?$ + type: string + nftablesMangleAllowAction: + description: |- + NftablesMangleAllowAction controls the nftables action that Felix uses to represent the "allow" policy verdict + in the mangle table. The default is to `ACCEPT` the traffic, which is a terminal action. Alternatively, + `RETURN` can be used to return the traffic back to the top-level chain for further processing by your rules. + pattern: ^(?i)(Accept|Return)?$ + type: string + nftablesMarkMask: + description: |- + NftablesMarkMask is the mask that Felix selects its nftables Mark bits from. Should be a 32 bit hexadecimal + number with at least 8 bits set, none of which clash with any other mark bits in use on the system. + [Default: 0xffff0000] + format: int32 + type: integer + nftablesMode: + default: Auto + description: + "NFTablesMode configures nftables support in Felix. [Default: + Auto]" + enum: + - Disabled + - Enabled + - Auto + type: string + nftablesRefreshInterval: + description: + "NftablesRefreshInterval controls the interval at which + Felix periodically refreshes the nftables rules. [Default: 90s]" + type: string + openstackRegion: + description: |- + OpenstackRegion is the name of the region that a particular Felix belongs to. In a multi-region + Calico/OpenStack deployment, this must be configured somehow for each Felix (here in the datamodel, + or in felix.cfg or the environment on each compute node), and must match the [calico] + openstack_region value configured in neutron.conf on each node. [Default: Empty] + type: string + policySyncPathPrefix: + description: |- + PolicySyncPathPrefix is used to by Felix to communicate policy changes to external services, + like Application layer policy. [Default: Empty] + type: string + programClusterRoutes: + description: |- + ProgramClusterRoutes controls how a cluster node gets a route to a workload on another node, + when that workload's IP comes from an IP Pool with vxlanMode: Never. When ProgramClusterRoutes is Disabled, + it is expected that confd and BIRD will program that route. When ProgramClusterRoutes is Enabled, Felix program that route. + Felix always programs such routes for IP Pools with vxlanMode: Always or vxlanMode: CrossSubnet. [Default: Disabled] + enum: + - Enabled + - Disabled + type: string + prometheusGoMetricsEnabled: + description: |- + PrometheusGoMetricsEnabled disables Go runtime metrics collection, which the Prometheus client does by default, when + set to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true] + type: boolean + prometheusMetricsCAFile: + description: |- + PrometheusMetricsCAFile defines the absolute path to the TLS CA certificate file used for securing the /metrics endpoint. + This certificate must be valid and accessible by the calico-node process. + type: string + prometheusMetricsCertFile: + description: |- + PrometheusMetricsCertFile defines the absolute path to the TLS certificate file used for securing the /metrics endpoint. + This certificate must be valid and accessible by the calico-node process. + type: string + prometheusMetricsClientAuth: + description: |- + PrometheusMetricsClientAuth specifies the client authentication type for the /metrics endpoint. + This determines how the server validates client certificates. Default is "RequireAndVerifyClientCert". + type: string + prometheusMetricsEnabled: + description: + "PrometheusMetricsEnabled enables the Prometheus metrics + server in Felix if set to true. [Default: false]" + type: boolean + prometheusMetricsHost: + description: + "PrometheusMetricsHost is the host that the Prometheus + metrics server should bind to. [Default: empty]" + type: string + prometheusMetricsKeyFile: + description: |- + PrometheusMetricsKeyFile defines the absolute path to the private key file corresponding to the TLS certificate + used for securing the /metrics endpoint. The private key must be valid and accessible by the calico-node process. + type: string + prometheusMetricsPort: + description: + "PrometheusMetricsPort is the TCP port that the Prometheus + metrics server should bind to. [Default: 9091]" + type: integer + prometheusProcessMetricsEnabled: + description: |- + PrometheusProcessMetricsEnabled disables process metrics collection, which the Prometheus client does by default, when + set to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true] + type: boolean + prometheusWireGuardMetricsEnabled: + description: |- + PrometheusWireGuardMetricsEnabled disables wireguard metrics collection, which the Prometheus client does by default, when + set to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true] + type: boolean + removeExternalRoutes: + description: |- + RemoveExternalRoutes Controls whether Felix will remove unexpected routes to workload interfaces. Felix will + always clean up expected routes that use the configured DeviceRouteProtocol. To add your own routes, you must + use a distinct protocol (in addition to setting this field to false). + type: boolean + reportingInterval: + description: |- + ReportingInterval is the interval at which Felix reports its status into the datastore or 0 to disable. + Must be non-zero in OpenStack deployments. [Default: 30s] + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + reportingTTL: + description: + "ReportingTTL is the time-to-live setting for process-wide + status reports. [Default: 90s]" + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + requireMTUFile: + description: |- + RequireMTUFile specifies whether mtu file is required to start the felix. + Optional as to keep the same as previous behavior. [Default: false] + type: boolean + routeRefreshInterval: + description: |- + RouteRefreshInterval is the period at which Felix re-checks the routes + in the dataplane to ensure that no other process has accidentally broken Calico's rules. + Set to 0 to disable route refresh. [Default: 90s] + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + routeSource: + description: |- + RouteSource configures where Felix gets its routing information. + - WorkloadIPs: use workload endpoints to construct routes. + - CalicoIPAM: the default - use IPAM data to construct routes. + pattern: ^(?i)(WorkloadIPs|CalicoIPAM)?$ + type: string + routeSyncDisabled: + description: |- + RouteSyncDisabled will disable all operations performed on the route table. Set to true to + run in network-policy mode only. + type: boolean + routeTableRange: + description: |- + Deprecated in favor of RouteTableRanges. + Calico programs additional Linux route tables for various purposes. + RouteTableRange specifies the indices of the route tables that Calico should use. properties: max: type: integer min: type: integer required: - - max - - min + - max + - min type: object - type: array - serviceLoopPrevention: - description: |- - When service IP advertisement is enabled, prevent routing loops to service IPs that are - not in use, by dropping or rejecting packets that do not get DNAT'd by kube-proxy. - Unless set to "Disabled", in which case such routing loops continue to be allowed. - [Default: Drop] - pattern: ^(?i)(Drop|Reject|Disabled)?$ - type: string - sidecarAccelerationEnabled: - description: 'SidecarAccelerationEnabled enables experimental sidecar - acceleration [Default: false]' - type: boolean - usageReportingEnabled: - description: |- - UsageReportingEnabled reports anonymous Calico version number and cluster size to projectcalico.org. Logs warnings returned by the usage - server. For example, if a significant security vulnerability has been discovered in the version of Calico being used. [Default: true] - type: boolean - usageReportingInitialDelay: - description: 'UsageReportingInitialDelay controls the minimum delay - before Felix makes a report. [Default: 300s]' - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - usageReportingInterval: - description: 'UsageReportingInterval controls the interval at which - Felix makes reports. [Default: 86400s]' - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - useInternalDataplaneDriver: - description: |- - UseInternalDataplaneDriver, if true, Felix will use its internal dataplane programming logic. If false, it - will launch an external dataplane driver and communicate with it over protobuf. - type: boolean - vxlanEnabled: - description: |- - VXLANEnabled overrides whether Felix should create the VXLAN tunnel device for IPv4 VXLAN networking. - Optional as Felix determines this based on the existing IP pools. [Default: nil (unset)] - type: boolean - vxlanMTU: - description: |- - VXLANMTU is the MTU to set on the IPv4 VXLAN tunnel device. Optional as Felix auto-detects the MTU based on the - MTU of the host's interfaces. [Default: 0 (auto-detect)] - type: integer - vxlanMTUV6: - description: |- - VXLANMTUV6 is the MTU to set on the IPv6 VXLAN tunnel device. Optional as Felix auto-detects the MTU based on the - MTU of the host's interfaces. [Default: 0 (auto-detect)] - type: integer - vxlanPort: - description: 'VXLANPort is the UDP port number to use for VXLAN traffic. - [Default: 4789]' - type: integer - vxlanVNI: - description: |- - VXLANVNI is the VXLAN VNI to use for VXLAN traffic. You may need to change this if the default value is - in use on your system. [Default: 4096] - type: integer - windowsManageFirewallRules: - description: 'WindowsManageFirewallRules configures whether or not - Felix will program Windows Firewall rules (to allow inbound access - to its own metrics ports). [Default: Disabled]' - enum: - - Enabled - - Disabled - type: string - wireguardEnabled: - description: 'WireguardEnabled controls whether Wireguard is enabled - for IPv4 (encapsulating IPv4 traffic over an IPv4 underlay network). - [Default: false]' - type: boolean - wireguardEnabledV6: - description: 'WireguardEnabledV6 controls whether Wireguard is enabled - for IPv6 (encapsulating IPv6 traffic over an IPv6 underlay network). - [Default: false]' - type: boolean - wireguardHostEncryptionEnabled: - description: 'WireguardHostEncryptionEnabled controls whether Wireguard - host-to-host encryption is enabled. [Default: false]' - type: boolean - wireguardInterfaceName: - description: 'WireguardInterfaceName specifies the name to use for - the IPv4 Wireguard interface. [Default: wireguard.cali]' - type: string - wireguardInterfaceNameV6: - description: 'WireguardInterfaceNameV6 specifies the name to use for - the IPv6 Wireguard interface. [Default: wg-v6.cali]' - type: string - wireguardKeepAlive: - description: 'WireguardPersistentKeepAlive controls Wireguard PersistentKeepalive - option. Set 0 to disable. [Default: 0]' - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - wireguardListeningPort: - description: 'WireguardListeningPort controls the listening port used - by IPv4 Wireguard. [Default: 51820]' - type: integer - wireguardListeningPortV6: - description: 'WireguardListeningPortV6 controls the listening port - used by IPv6 Wireguard. [Default: 51821]' - type: integer - wireguardMTU: - description: 'WireguardMTU controls the MTU on the IPv4 Wireguard - interface. See Configuring MTU [Default: 1440]' - type: integer - wireguardMTUV6: - description: 'WireguardMTUV6 controls the MTU on the IPv6 Wireguard - interface. See Configuring MTU [Default: 1420]' - type: integer - wireguardRoutingRulePriority: - description: 'WireguardRoutingRulePriority controls the priority value - to use for the Wireguard routing rule. [Default: 99]' - type: integer - wireguardThreadingEnabled: - description: |- - WireguardThreadingEnabled controls whether Wireguard has Threaded NAPI enabled. [Default: false] - This increases the maximum number of packets a Wireguard interface can process. - Consider threaded NAPI only if you have high packets per second workloads that are causing dropping packets due to a saturated `softirq` CPU core. - There is a [known issue](https://lore.kernel.org/netdev/CALrw=nEoT2emQ0OAYCjM1d_6Xe_kNLSZ6dhjb5FxrLFYh4kozA@mail.gmail.com/T/) with this setting - that may cause NAPI to get stuck holding the global `rtnl_mutex` when a peer is removed. - Workaround: Make sure your Linux kernel [includes this patch](https://github.com/torvalds/linux/commit/56364c910691f6d10ba88c964c9041b9ab777bd6) to unwedge NAPI. - type: boolean - workloadSourceSpoofing: - description: |- - WorkloadSourceSpoofing controls whether pods can use the allowedSourcePrefixes annotation to send traffic with a source IP - address that is not theirs. This is disabled by default. When set to "Any", pods can request any prefix. - pattern: ^(?i)(Disabled|Any)?$ - type: string - xdpEnabled: - description: 'XDPEnabled enables XDP acceleration for suitable untracked - incoming deny rules. [Default: true]' - type: boolean - xdpRefreshInterval: - description: |- - XDPRefreshInterval is the period at which Felix re-checks all XDP state to ensure that no - other process has accidentally broken Calico's BPF maps or attached programs. Set to 0 to - disable XDP refresh. [Default: 90s] - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - type: object - type: object - served: true - storage: true + routeTableRanges: + description: |- + Calico programs additional Linux route tables for various purposes. + RouteTableRanges specifies a set of table index ranges that Calico should use. + Deprecates`RouteTableRange`, overrides `RouteTableRange`. + items: + properties: + max: + type: integer + min: + type: integer + required: + - max + - min + type: object + type: array + serviceLoopPrevention: + description: |- + When service IP advertisement is enabled, prevent routing loops to service IPs that are + not in use, by dropping or rejecting packets that do not get DNAT'd by kube-proxy. + Unless set to "Disabled", in which case such routing loops continue to be allowed. + [Default: Drop] + pattern: ^(?i)(Drop|Reject|Disabled)?$ + type: string + sidecarAccelerationEnabled: + description: + "SidecarAccelerationEnabled enables experimental sidecar + acceleration [Default: false]" + type: boolean + usageReportingEnabled: + description: |- + UsageReportingEnabled reports anonymous Calico version number and cluster size to projectcalico.org. Logs warnings returned by the usage + server. For example, if a significant security vulnerability has been discovered in the version of Calico being used. [Default: true] + type: boolean + usageReportingInitialDelay: + description: + "UsageReportingInitialDelay controls the minimum delay + before Felix makes a report. [Default: 300s]" + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + usageReportingInterval: + description: + "UsageReportingInterval controls the interval at which + Felix makes reports. [Default: 86400s]" + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + useInternalDataplaneDriver: + description: |- + UseInternalDataplaneDriver, if true, Felix will use its internal dataplane programming logic. If false, it + will launch an external dataplane driver and communicate with it over protobuf. + type: boolean + vxlanEnabled: + description: |- + VXLANEnabled overrides whether Felix should create the VXLAN tunnel device for IPv4 VXLAN networking. + Optional as Felix determines this based on the existing IP pools. [Default: nil (unset)] + type: boolean + vxlanMTU: + description: |- + VXLANMTU is the MTU to set on the IPv4 VXLAN tunnel device. Optional as Felix auto-detects the MTU based on the + MTU of the host's interfaces. [Default: 0 (auto-detect)] + type: integer + vxlanMTUV6: + description: |- + VXLANMTUV6 is the MTU to set on the IPv6 VXLAN tunnel device. Optional as Felix auto-detects the MTU based on the + MTU of the host's interfaces. [Default: 0 (auto-detect)] + type: integer + vxlanPort: + description: + "VXLANPort is the UDP port number to use for VXLAN traffic. + [Default: 4789]" + type: integer + vxlanVNI: + description: |- + VXLANVNI is the VXLAN VNI to use for VXLAN traffic. You may need to change this if the default value is + in use on your system. [Default: 4096] + type: integer + windowsManageFirewallRules: + description: + "WindowsManageFirewallRules configures whether or not + Felix will program Windows Firewall rules (to allow inbound access + to its own metrics ports). [Default: Disabled]" + enum: + - Enabled + - Disabled + type: string + wireguardEnabled: + description: + "WireguardEnabled controls whether Wireguard is enabled + for IPv4 (encapsulating IPv4 traffic over an IPv4 underlay network). + [Default: false]" + type: boolean + wireguardEnabledV6: + description: + "WireguardEnabledV6 controls whether Wireguard is enabled + for IPv6 (encapsulating IPv6 traffic over an IPv6 underlay network). + [Default: false]" + type: boolean + wireguardHostEncryptionEnabled: + description: + "WireguardHostEncryptionEnabled controls whether Wireguard + host-to-host encryption is enabled. [Default: false]" + type: boolean + wireguardInterfaceName: + description: + "WireguardInterfaceName specifies the name to use for + the IPv4 Wireguard interface. [Default: wireguard.cali]" + type: string + wireguardInterfaceNameV6: + description: + "WireguardInterfaceNameV6 specifies the name to use for + the IPv6 Wireguard interface. [Default: wg-v6.cali]" + type: string + wireguardKeepAlive: + description: + "WireguardPersistentKeepAlive controls Wireguard PersistentKeepalive + option. Set 0 to disable. [Default: 0]" + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + wireguardListeningPort: + description: + "WireguardListeningPort controls the listening port used + by IPv4 Wireguard. [Default: 51820]" + type: integer + wireguardListeningPortV6: + description: + "WireguardListeningPortV6 controls the listening port + used by IPv6 Wireguard. [Default: 51821]" + type: integer + wireguardMTU: + description: + "WireguardMTU controls the MTU on the IPv4 Wireguard + interface. See Configuring MTU [Default: 1440]" + type: integer + wireguardMTUV6: + description: + "WireguardMTUV6 controls the MTU on the IPv6 Wireguard + interface. See Configuring MTU [Default: 1420]" + type: integer + wireguardRoutingRulePriority: + description: + "WireguardRoutingRulePriority controls the priority value + to use for the Wireguard routing rule. [Default: 99]" + type: integer + wireguardThreadingEnabled: + description: |- + WireguardThreadingEnabled controls whether Wireguard has Threaded NAPI enabled. [Default: false] + This increases the maximum number of packets a Wireguard interface can process. + Consider threaded NAPI only if you have high packets per second workloads that are causing dropping packets due to a saturated `softirq` CPU core. + There is a [known issue](https://lore.kernel.org/netdev/CALrw=nEoT2emQ0OAYCjM1d_6Xe_kNLSZ6dhjb5FxrLFYh4kozA@mail.gmail.com/T/) with this setting + that may cause NAPI to get stuck holding the global `rtnl_mutex` when a peer is removed. + Workaround: Make sure your Linux kernel [includes this patch](https://github.com/torvalds/linux/commit/56364c910691f6d10ba88c964c9041b9ab777bd6) to unwedge NAPI. + type: boolean + workloadSourceSpoofing: + description: |- + WorkloadSourceSpoofing controls whether pods can use the allowedSourcePrefixes annotation to send traffic with a source IP + address that is not theirs. This is disabled by default. When set to "Any", pods can request any prefix. + pattern: ^(?i)(Disabled|Any)?$ + type: string + xdpEnabled: + description: + "XDPEnabled enables XDP acceleration for suitable untracked + incoming deny rules. [Default: true]" + type: boolean + xdpRefreshInterval: + description: |- + XDPRefreshInterval is the period at which Felix re-checks all XDP state to ensure that no + other process has accidentally broken Calico's BPF maps or attached programs. Set to 0 to + disable XDP refresh. [Default: 90s] + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + type: object + x-kubernetes-validations: + - message: routeTableRange and routeTableRanges cannot both be set + reason: FieldValueForbidden + rule: "!has(self.routeTableRange) || !has(self.routeTableRanges)" + type: object + served: true + storage: true diff --git a/pkg/crds/calico/crd.projectcalico.org_globalnetworkpolicies.yaml b/pkg/crds/calico/crd.projectcalico.org_globalnetworkpolicies.yaml index 6b9177d57b..cd61def7d0 100644 --- a/pkg/crds/calico/crd.projectcalico.org_globalnetworkpolicies.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_globalnetworkpolicies.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: globalnetworkpolicies.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,867 +14,506 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - applyOnForward: - description: ApplyOnForward indicates to apply the rules in this policy - on forward traffic. - type: boolean - doNotTrack: - description: |- - DoNotTrack indicates whether packets matched by the rules in this policy should go through - the data plane's connection tracking, such as Linux conntrack. If True, the rules in - this policy are applied before any data plane connection tracking, and packets allowed by - this policy are marked as not to be tracked. - type: boolean - egress: - description: |- - The ordered set of egress rules. Each rule contains a set of packet match criteria and - a corresponding action to apply. - items: - description: |- - A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy - and security Profiles reference rules - separated out as a list of rules for both - ingress and egress packet matching. - - Each positive match criteria has a negated version, prefixed with "Not". All the match - criteria within a rule must be satisfied for a packet to match. A single rule can contain - the positive and negative version of a match and both must be satisfied for the rule to match. - properties: - action: - type: string - destination: - description: Destination contains the match criteria that apply - to destination entity. - properties: - namespaceSelector: - description: |- - NamespaceSelector is an optional field that contains a selector expression. Only traffic - that originates from (or terminates at) endpoints within the selected namespaces will be - matched. When both NamespaceSelector and another selector are defined on the same rule, then only - workload endpoints that are matched by both selectors will be selected by the rule. - - For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting - only workload endpoints in the same namespace as the NetworkPolicy. - - For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting - only GlobalNetworkSet or HostEndpoint. - - For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces. - type: string - nets: - description: |- - Nets is an optional field that restricts the rule to only apply to traffic that - originates from (or terminates at) IP addresses in any of the given subnets. - items: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + applyOnForward: + type: boolean + doNotTrack: + type: boolean + egress: + items: + properties: + action: + enum: + - Allow + - Deny + - Log + - Pass + type: string + destination: + properties: + namespaceSelector: type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: - type: string - type: array - notPorts: - description: |- - NotPorts is the negated version of the Ports field. - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: |- - NotSelector is the negated version of the Selector field. See Selector field for - subtleties with negated selectors. - type: string - ports: - description: |- - Ports is an optional field that restricts the rule to only apply to traffic that has a - source (destination) port that matches one of these ranges/values. This value is a - list of integers or strings that represent ranges of ports. - - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for\nsample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching\nthe selector will be matched.\n\nNote that: - in addition to the negated version of the Selector (see - NotSelector below), the\nselector expression syntax itself - supports negation. The two types of negation are subtly\ndifferent. - One negates the set of matched endpoints, the other negates - the whole match:\n\n\tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled\n\tendpoints - that do not have the label \"my_label\".\n\n\tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled\n\tendpoints that do have the label - \"my_label\".\n\nThe effect is that the latter will accept - packets from non-Calico sources whereas the\nformer is - limited to packets from Calico-controlled endpoints." - type: string - serviceAccounts: - description: |- - ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or - terminates at) a pod running as a matching service account. - properties: - names: - description: |- - Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates - at) a pod running as a service account whose name is in the list. - items: - type: string - type: array - selector: - description: |- - Selector is an optional field that restricts the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account that matches the given label selector. - If both Names and Selector are specified then they are AND'ed. - type: string - type: object - services: - description: |- - Services is an optional field that contains options for matching Kubernetes Services. - If specified, only traffic that originates from or terminates at endpoints within the selected - service(s) will be matched, and only to/from each endpoint's port. - - Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, - NotNets or ServiceAccounts. - - Ports and NotPorts can only be specified with Services on ingress rules. - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. + nets: + items: type: string - namespace: - description: |- - Namespace specifies the namespace of the given Service. If left empty, the rule - will match within this policy's namespace. + type: array + x-kubernetes-list-type: set + notNets: + items: type: string - type: object - type: object - http: - description: HTTP contains match criteria that apply to HTTP - requests. - properties: - methods: - description: |- - Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed - HTTP Methods (e.g. GET, PUT, etc.) - Multiple methods are OR'd together. - items: + type: array + x-kubernetes-list-type: set + notPorts: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + notSelector: type: string - type: array - paths: - description: |- - Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed - HTTP Paths. - Multiple paths are OR'd together. - e.g: - - exact: /foo - - prefix: /bar - NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it. - items: - description: |- - HTTPPath specifies an HTTP path to match. It may be either of the form: - exact: : which matches the path exactly or - prefix: : which matches the path prefix + ports: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + selector: + type: string + serviceAccounts: properties: - exact: - type: string - prefix: + names: + items: + type: string + type: array + x-kubernetes-list-type: set + selector: type: string type: object - type: array - type: object - icmp: - description: |- - ICMP is an optional field that restricts the rule to apply to a specific type and - code of ICMP traffic. This should only be specified if the Protocol field is set to - "ICMP" or "ICMPv6". - properties: - code: - description: |- - Match on a specific ICMP code. If specified, the Type value must also be specified. - This is a technical limitation imposed by the kernel's iptables firewall, which - Calico uses to enforce the rule. - type: integer - type: - description: |- - Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request - (i.e. pings). - type: integer - type: object - ipVersion: - description: |- - IPVersion is an optional field that restricts the rule to only match a specific IP - version. - type: integer - metadata: - description: Metadata contains additional information for this - rule - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a set of key value pairs that - give extra information about the rule - type: object - type: object - notICMP: - description: NotICMP is the negated version of the ICMP field. - properties: - code: - description: |- - Match on a specific ICMP code. If specified, the Type value must also be specified. - This is a technical limitation imposed by the kernel's iptables firewall, which - Calico uses to enforce the rule. - type: integer - type: - description: |- - Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request - (i.e. pings). - type: integer - type: object - notProtocol: - anyOf: - - type: integer - - type: string - description: NotProtocol is the negated version of the Protocol - field. - pattern: ^.* - x-kubernetes-int-or-string: true - protocol: - anyOf: - - type: integer - - type: string - description: |- - Protocol is an optional field that restricts the rule to only apply to traffic of - a specific IP protocol. Required if any of the EntityRules contain Ports - (because ports only apply to certain protocols). - - Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite" - or an integer in the range 1-255. - pattern: ^.* - x-kubernetes-int-or-string: true - source: - description: Source contains the match criteria that apply to - source entity. - properties: - namespaceSelector: - description: |- - NamespaceSelector is an optional field that contains a selector expression. Only traffic - that originates from (or terminates at) endpoints within the selected namespaces will be - matched. When both NamespaceSelector and another selector are defined on the same rule, then only - workload endpoints that are matched by both selectors will be selected by the rule. - - For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting - only workload endpoints in the same namespace as the NetworkPolicy. - - For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting - only GlobalNetworkSet or HostEndpoint. - - For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces. - type: string - nets: - description: |- - Nets is an optional field that restricts the rule to only apply to traffic that - originates from (or terminates at) IP addresses in any of the given subnets. - items: - type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: - type: string - type: array - notPorts: - description: |- - NotPorts is the negated version of the Ports field. - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: |- - NotSelector is the negated version of the Selector field. See Selector field for - subtleties with negated selectors. - type: string - ports: - description: |- - Ports is an optional field that restricts the rule to only apply to traffic that has a - source (destination) port that matches one of these ranges/values. This value is a - list of integers or strings that represent ranges of ports. - - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for\nsample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching\nthe selector will be matched.\n\nNote that: - in addition to the negated version of the Selector (see - NotSelector below), the\nselector expression syntax itself - supports negation. The two types of negation are subtly\ndifferent. - One negates the set of matched endpoints, the other negates - the whole match:\n\n\tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled\n\tendpoints - that do not have the label \"my_label\".\n\n\tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled\n\tendpoints that do have the label - \"my_label\".\n\nThe effect is that the latter will accept - packets from non-Calico sources whereas the\nformer is - limited to packets from Calico-controlled endpoints." - type: string - serviceAccounts: - description: |- - ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or - terminates at) a pod running as a matching service account. - properties: - names: - description: |- - Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates - at) a pod running as a service account whose name is in the list. - items: + services: + properties: + name: type: string - type: array - selector: - description: |- - Selector is an optional field that restricts the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account that matches the given label selector. - If both Names and Selector are specified then they are AND'ed. - type: string - type: object - services: - description: |- - Services is an optional field that contains options for matching Kubernetes Services. - If specified, only traffic that originates from or terminates at endpoints within the selected - service(s) will be matched, and only to/from each endpoint's port. - - Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, - NotNets or ServiceAccounts. - - Ports and NotPorts can only be specified with Services on ingress rules. - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. + namespace: + type: string + type: object + type: object + http: + properties: + methods: + items: type: string - namespace: - description: |- - Namespace specifies the namespace of the given Service. If left empty, the rule - will match within this policy's namespace. + maxItems: 20 + type: array + x-kubernetes-list-type: atomic + paths: + items: + properties: + exact: + maxLength: 1024 + type: string + prefix: + maxLength: 1024 + type: string + type: object + maxItems: 20 + type: array + x-kubernetes-list-type: atomic + type: object + icmp: + properties: + code: + maximum: 255 + minimum: 0 + type: integer + type: + maximum: 254 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: ICMP code specified without an ICMP type + reason: FieldValueInvalid + rule: "!has(self.code) || has(self.type)" + ipVersion: + enum: + - 4 + - 6 + type: integer + metadata: + properties: + annotations: + additionalProperties: type: string - type: object - type: object - required: - - action - type: object - type: array - ingress: - description: |- - The ordered set of ingress rules. Each rule contains a set of packet match criteria and - a corresponding action to apply. - items: - description: |- - A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy - and security Profiles reference rules - separated out as a list of rules for both - ingress and egress packet matching. - - Each positive match criteria has a negated version, prefixed with "Not". All the match - criteria within a rule must be satisfied for a packet to match. A single rule can contain - the positive and negative version of a match and both must be satisfied for the rule to match. - properties: - action: - type: string - destination: - description: Destination contains the match criteria that apply - to destination entity. - properties: - namespaceSelector: - description: |- - NamespaceSelector is an optional field that contains a selector expression. Only traffic - that originates from (or terminates at) endpoints within the selected namespaces will be - matched. When both NamespaceSelector and another selector are defined on the same rule, then only - workload endpoints that are matched by both selectors will be selected by the rule. - - For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting - only workload endpoints in the same namespace as the NetworkPolicy. - - For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting - only GlobalNetworkSet or HostEndpoint. - - For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces. - type: string - nets: - description: |- - Nets is an optional field that restricts the rule to only apply to traffic that - originates from (or terminates at) IP addresses in any of the given subnets. - items: - type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: + type: object + type: object + notICMP: + properties: + code: + maximum: 255 + minimum: 0 + type: integer + type: + maximum: 254 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: ICMP code specified without an ICMP type + reason: FieldValueInvalid + rule: "!has(self.code) || has(self.type)" + notProtocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + source: + properties: + namespaceSelector: type: string - type: array - notPorts: - description: |- - NotPorts is the negated version of the Ports field. - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: |- - NotSelector is the negated version of the Selector field. See Selector field for - subtleties with negated selectors. - type: string - ports: - description: |- - Ports is an optional field that restricts the rule to only apply to traffic that has a - source (destination) port that matches one of these ranges/values. This value is a - list of integers or strings that represent ranges of ports. - - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for\nsample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching\nthe selector will be matched.\n\nNote that: - in addition to the negated version of the Selector (see - NotSelector below), the\nselector expression syntax itself - supports negation. The two types of negation are subtly\ndifferent. - One negates the set of matched endpoints, the other negates - the whole match:\n\n\tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled\n\tendpoints - that do not have the label \"my_label\".\n\n\tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled\n\tendpoints that do have the label - \"my_label\".\n\nThe effect is that the latter will accept - packets from non-Calico sources whereas the\nformer is - limited to packets from Calico-controlled endpoints." - type: string - serviceAccounts: - description: |- - ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or - terminates at) a pod running as a matching service account. - properties: - names: - description: |- - Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates - at) a pod running as a service account whose name is in the list. - items: - type: string - type: array - selector: - description: |- - Selector is an optional field that restricts the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account that matches the given label selector. - If both Names and Selector are specified then they are AND'ed. - type: string - type: object - services: - description: |- - Services is an optional field that contains options for matching Kubernetes Services. - If specified, only traffic that originates from or terminates at endpoints within the selected - service(s) will be matched, and only to/from each endpoint's port. - - Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, - NotNets or ServiceAccounts. - - Ports and NotPorts can only be specified with Services on ingress rules. - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. + nets: + items: type: string - namespace: - description: |- - Namespace specifies the namespace of the given Service. If left empty, the rule - will match within this policy's namespace. + type: array + x-kubernetes-list-type: set + notNets: + items: type: string - type: object - type: object - http: - description: HTTP contains match criteria that apply to HTTP - requests. - properties: - methods: - description: |- - Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed - HTTP Methods (e.g. GET, PUT, etc.) - Multiple methods are OR'd together. - items: + type: array + x-kubernetes-list-type: set + notPorts: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + notSelector: type: string - type: array - paths: - description: |- - Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed - HTTP Paths. - Multiple paths are OR'd together. - e.g: - - exact: /foo - - prefix: /bar - NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it. - items: - description: |- - HTTPPath specifies an HTTP path to match. It may be either of the form: - exact: : which matches the path exactly or - prefix: : which matches the path prefix + ports: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + selector: + type: string + serviceAccounts: properties: - exact: + names: + items: + type: string + type: array + x-kubernetes-list-type: set + selector: type: string - prefix: + type: object + services: + properties: + name: + type: string + namespace: type: string type: object - type: array - type: object - icmp: - description: |- - ICMP is an optional field that restricts the rule to apply to a specific type and - code of ICMP traffic. This should only be specified if the Protocol field is set to - "ICMP" or "ICMPv6". - properties: - code: - description: |- - Match on a specific ICMP code. If specified, the Type value must also be specified. - This is a technical limitation imposed by the kernel's iptables firewall, which - Calico uses to enforce the rule. - type: integer - type: - description: |- - Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request - (i.e. pings). - type: integer - type: object - ipVersion: - description: |- - IPVersion is an optional field that restricts the rule to only match a specific IP - version. - type: integer - metadata: - description: Metadata contains additional information for this - rule - properties: - annotations: - additionalProperties: + type: object + required: + - action + type: object + x-kubernetes-validations: + - message: rules with HTTP match must have protocol TCP or unset + reason: FieldValueInvalid + rule: + "!has(self.http) || !has(self.protocol) || self.protocol + == 'TCP' || self.protocol == 6" + - message: HTTP match is only valid on Allow rules + reason: FieldValueForbidden + rule: self.action == 'Allow' || !has(self.http) + - message: ports and notPorts cannot be specified with services + reason: FieldValueForbidden + rule: + "!has(self.destination) || !has(self.destination.services) + || (!has(self.destination.ports) || size(self.destination.ports) + == 0) && (!has(self.destination.notPorts) || size(self.destination.notPorts) + == 0)" + type: array + x-kubernetes-list-type: atomic + ingress: + items: + properties: + action: + enum: + - Allow + - Deny + - Log + - Pass + type: string + destination: + properties: + namespaceSelector: type: string - description: Annotations is a set of key value pairs that - give extra information about the rule - type: object - type: object - notICMP: - description: NotICMP is the negated version of the ICMP field. - properties: - code: - description: |- - Match on a specific ICMP code. If specified, the Type value must also be specified. - This is a technical limitation imposed by the kernel's iptables firewall, which - Calico uses to enforce the rule. - type: integer - type: - description: |- - Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request - (i.e. pings). - type: integer - type: object - notProtocol: - anyOf: - - type: integer - - type: string - description: NotProtocol is the negated version of the Protocol - field. - pattern: ^.* - x-kubernetes-int-or-string: true - protocol: - anyOf: - - type: integer - - type: string - description: |- - Protocol is an optional field that restricts the rule to only apply to traffic of - a specific IP protocol. Required if any of the EntityRules contain Ports - (because ports only apply to certain protocols). - - Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite" - or an integer in the range 1-255. - pattern: ^.* - x-kubernetes-int-or-string: true - source: - description: Source contains the match criteria that apply to - source entity. - properties: - namespaceSelector: - description: |- - NamespaceSelector is an optional field that contains a selector expression. Only traffic - that originates from (or terminates at) endpoints within the selected namespaces will be - matched. When both NamespaceSelector and another selector are defined on the same rule, then only - workload endpoints that are matched by both selectors will be selected by the rule. - - For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting - only workload endpoints in the same namespace as the NetworkPolicy. - - For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting - only GlobalNetworkSet or HostEndpoint. - - For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces. - type: string - nets: - description: |- - Nets is an optional field that restricts the rule to only apply to traffic that - originates from (or terminates at) IP addresses in any of the given subnets. - items: + nets: + items: + type: string + type: array + x-kubernetes-list-type: set + notNets: + items: + type: string + type: array + x-kubernetes-list-type: set + notPorts: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + notSelector: type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: + ports: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + selector: type: string - type: array - notPorts: - description: |- - NotPorts is the negated version of the Ports field. - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: |- - NotSelector is the negated version of the Selector field. See Selector field for - subtleties with negated selectors. - type: string - ports: - description: |- - Ports is an optional field that restricts the rule to only apply to traffic that has a - source (destination) port that matches one of these ranges/values. This value is a - list of integers or strings that represent ranges of ports. - - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for\nsample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching\nthe selector will be matched.\n\nNote that: - in addition to the negated version of the Selector (see - NotSelector below), the\nselector expression syntax itself - supports negation. The two types of negation are subtly\ndifferent. - One negates the set of matched endpoints, the other negates - the whole match:\n\n\tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled\n\tendpoints - that do not have the label \"my_label\".\n\n\tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled\n\tendpoints that do have the label - \"my_label\".\n\nThe effect is that the latter will accept - packets from non-Calico sources whereas the\nformer is - limited to packets from Calico-controlled endpoints." - type: string - serviceAccounts: - description: |- - ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or - terminates at) a pod running as a matching service account. - properties: - names: - description: |- - Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates - at) a pod running as a service account whose name is in the list. - items: + serviceAccounts: + properties: + names: + items: + type: string + type: array + x-kubernetes-list-type: set + selector: + type: string + type: object + services: + properties: + name: + type: string + namespace: type: string - type: array - selector: - description: |- - Selector is an optional field that restricts the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account that matches the given label selector. - If both Names and Selector are specified then they are AND'ed. + type: object + type: object + http: + properties: + methods: + items: type: string - type: object - services: - description: |- - Services is an optional field that contains options for matching Kubernetes Services. - If specified, only traffic that originates from or terminates at endpoints within the selected - service(s) will be matched, and only to/from each endpoint's port. - - Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, - NotNets or ServiceAccounts. - - Ports and NotPorts can only be specified with Services on ingress rules. - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. + maxItems: 20 + type: array + x-kubernetes-list-type: atomic + paths: + items: + properties: + exact: + maxLength: 1024 + type: string + prefix: + maxLength: 1024 + type: string + type: object + maxItems: 20 + type: array + x-kubernetes-list-type: atomic + type: object + icmp: + properties: + code: + maximum: 255 + minimum: 0 + type: integer + type: + maximum: 254 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: ICMP code specified without an ICMP type + reason: FieldValueInvalid + rule: "!has(self.code) || has(self.type)" + ipVersion: + enum: + - 4 + - 6 + type: integer + metadata: + properties: + annotations: + additionalProperties: type: string - namespace: - description: |- - Namespace specifies the namespace of the given Service. If left empty, the rule - will match within this policy's namespace. + type: object + type: object + notICMP: + properties: + code: + maximum: 255 + minimum: 0 + type: integer + type: + maximum: 254 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: ICMP code specified without an ICMP type + reason: FieldValueInvalid + rule: "!has(self.code) || has(self.type)" + notProtocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + source: + properties: + namespaceSelector: + type: string + nets: + items: type: string - type: object - type: object - required: - - action - type: object - type: array - namespaceSelector: - description: NamespaceSelector is an optional field for an expression - used to select a pod based on namespaces. - type: string - order: - description: |- - Order is an optional field that specifies the order in which the policy is applied. - Policies with higher "order" are applied after those with lower - order within the same tier. If the order is omitted, it may be considered to be "infinite" - i.e. the - policy will be applied last. Policies with identical order will be applied in - alphanumerical order based on the Policy "Name" within the tier. - type: number - performanceHints: - description: |- - PerformanceHints contains a list of hints to Calico's policy engine to - help process the policy more efficiently. Hints never change the - enforcement behaviour of the policy. - - Currently, the only available hint is "AssumeNeededOnEveryNode". When - that hint is set on a policy, Felix will act as if the policy matches - a local endpoint even if it does not. This is useful for "preloading" - any large static policies that are known to be used on every node. - If the policy is _not_ used on a particular node then the work - done to preload the policy (and to maintain it) is wasted. - items: + type: array + x-kubernetes-list-type: set + notNets: + items: + type: string + type: array + x-kubernetes-list-type: set + notPorts: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + notSelector: + type: string + ports: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + selector: + type: string + serviceAccounts: + properties: + names: + items: + type: string + type: array + x-kubernetes-list-type: set + selector: + type: string + type: object + services: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + required: + - action + type: object + x-kubernetes-validations: + - message: rules with HTTP match must have protocol TCP or unset + reason: FieldValueInvalid + rule: + "!has(self.http) || !has(self.protocol) || self.protocol + == 'TCP' || self.protocol == 6" + - message: HTTP match is only valid on Allow rules + reason: FieldValueForbidden + rule: self.action == 'Allow' || !has(self.http) + - message: ports and notPorts cannot be specified with services + reason: FieldValueForbidden + rule: + "!has(self.destination) || !has(self.destination.services) + || (!has(self.destination.ports) || size(self.destination.ports) + == 0) && (!has(self.destination.notPorts) || size(self.destination.notPorts) + == 0)" + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + type: string + order: + type: number + performanceHints: + items: + enum: + - AssumeNeededOnEveryNode + type: string + type: array + x-kubernetes-list-type: set + preDNAT: + type: boolean + selector: + type: string + serviceAccountSelector: type: string - type: array - preDNAT: - description: PreDNAT indicates to apply the rules in this policy before - any DNAT. - type: boolean - selector: - description: "The selector is an expression used to pick out the endpoints - that the policy should\nbe applied to.\n\nSelector expressions follow - this syntax:\n\n\tlabel == \"string_literal\" -> comparison, e.g. - my_label == \"foo bar\"\n\tlabel != \"string_literal\" -> not - equal; also matches if label is not present\n\tlabel in { \"a\", - \"b\", \"c\", ... } -> true if the value of label X is one of - \"a\", \"b\", \"c\"\n\tlabel not in { \"a\", \"b\", \"c\", ... } - \ -> true if the value of label X is not one of \"a\", \"b\", \"c\"\n\thas(label_name) - \ -> True if that label is present\n\t! expr -> negation of expr\n\texpr - && expr -> Short-circuit and\n\texpr || expr -> Short-circuit - or\n\t( expr ) -> parens for grouping\n\tall() or the empty selector - -> matches all endpoints.\n\nLabel names are allowed to contain - alphanumerics, -, _ and /. String literals are more permissive\nbut - they do not support escape characters.\n\nExamples (with made-up - labels):\n\n\ttype == \"webserver\" && deployment == \"prod\"\n\ttype - in {\"frontend\", \"backend\"}\n\tdeployment != \"dev\"\n\t! has(label_name)" - type: string - serviceAccountSelector: - description: ServiceAccountSelector is an optional field for an expression - used to select a pod based on service accounts. - type: string - tier: - description: |- - The name of the tier that this policy belongs to. If this is omitted, the default - tier (name is "default") is assumed. The specified tier must exist in order to create - security policies within the tier, the "default" tier is created automatically if it - does not exist, this means for deployments requiring only a single Tier, the tier name - may be omitted on all policy management requests. - type: string - types: - description: |- - Types indicates whether this policy applies to ingress, or to egress, or to both. When - not explicitly specified (and so the value on creation is empty or nil), Calico defaults - Types according to what Ingress and Egress rules are present in the policy. The - default is: - - - [ PolicyTypeIngress ], if there are no Egress rules (including the case where there are - also no Ingress rules) - - - [ PolicyTypeEgress ], if there are Egress rules but no Ingress rules - - - [ PolicyTypeIngress, PolicyTypeEgress ], if there are both Ingress and Egress rules. - - When the policy is read back again, Types will always be one of these values, never empty - or nil. - items: - description: PolicyType enumerates the possible values of the PolicySpec - Types field. + tier: + default: default type: string - type: array - type: object - type: object - served: true - storage: true + types: + items: + enum: + - Ingress + - Egress + type: string + maxItems: 2 + minItems: 1 + type: array + x-kubernetes-list-type: set + type: object + x-kubernetes-validations: + - message: preDNAT and doNotTrack cannot both be true + reason: FieldValueForbidden + rule: + "!((has(self.doNotTrack) && self.doNotTrack) && (has(self.preDNAT) + && self.preDNAT))" + - message: preDNAT policy cannot have any egress rules + reason: FieldValueForbidden + rule: + (!has(self.preDNAT) || !self.preDNAT) || !has(self.egress) || + size(self.egress) == 0 + - message: preDNAT policy cannot have 'Egress' type + reason: FieldValueForbidden + rule: + (!has(self.preDNAT) || !self.preDNAT) || !has(self.types) || !self.types.exists(t, + t == 'Egress') + - message: + applyOnForward must be true if either preDNAT or doNotTrack + is true + reason: FieldValueInvalid + rule: + (has(self.applyOnForward) && self.applyOnForward) || ((!has(self.doNotTrack) + || !self.doNotTrack) && (!has(self.preDNAT) || !self.preDNAT)) + type: object + served: true + storage: true diff --git a/pkg/crds/calico/crd.projectcalico.org_globalnetworksets.yaml b/pkg/crds/calico/crd.projectcalico.org_globalnetworksets.yaml index a01c7c7475..615c08528b 100644 --- a/pkg/crds/calico/crd.projectcalico.org_globalnetworksets.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_globalnetworksets.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: globalnetworksets.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,40 +14,24 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs that share labels to - allow rules to refer to them via selectors. The labels of GlobalNetworkSet are not namespaced. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: GlobalNetworkSetSpec contains the specification for a NetworkSet - resource. - properties: - nets: - description: The list of IP networks that belong to this set. - items: - type: string - type: array - type: object - type: object - served: true - storage: true + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + nets: + items: + type: string + type: array + x-kubernetes-list-type: set + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/calico/crd.projectcalico.org_hostendpoints.yaml b/pkg/crds/calico/crd.projectcalico.org_hostendpoints.yaml index 90bbcb7b8a..9c942a3a0f 100644 --- a/pkg/crds/calico/crd.projectcalico.org_hostendpoints.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_hostendpoints.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: hostendpoints.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,93 +14,66 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: HostEndpointSpec contains the specification for a HostEndpoint - resource. - properties: - expectedIPs: - description: "The expected IP addresses (IPv4 and IPv6) of the endpoint.\nIf - \"InterfaceName\" is not present, Calico will look for an interface - matching any\nof the IPs in the list and apply policy to that.\nNote:\n\tWhen - using the selector match criteria in an ingress or egress security - Policy\n\tor Profile, Calico converts the selector into a set of - IP addresses. For host\n\tendpoints, the ExpectedIPs field is used - for that purpose. (If only the interface\n\tname is specified, Calico - does not learn the IPs of the interface for use in match\n\tcriteria.)" - items: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + expectedIPs: + items: + type: string + type: array + x-kubernetes-list-type: set + interfaceName: + maxLength: 15 type: string - type: array - interfaceName: - description: |- - Either "*", or the name of a specific Linux interface to apply policy to; or empty. "*" - indicates that this HostEndpoint governs all traffic to, from or through the default - network namespace of the host named by the "Node" field; entering and leaving that - namespace via any interface, including those from/to non-host-networked local workloads. - - If InterfaceName is not "*", this HostEndpoint only governs traffic that enters or leaves - the host through the specific interface named by InterfaceName, or - when InterfaceName - is empty - through the specific interface that has one of the IPs in ExpectedIPs. - Therefore, when InterfaceName is empty, at least one expected IP must be specified. Only - external interfaces (such as "eth0") are supported here; it isn't possible for a - HostEndpoint to protect traffic through a specific local workload interface. - - Note: Only some kinds of policy are implemented for "*" HostEndpoints; initially just - pre-DNAT policy. Please check Calico documentation for the latest position. - type: string - node: - description: The node name identifying the Calico node instance. - type: string - ports: - description: Ports contains the endpoint's named ports, which may - be referenced in security policy rules. - items: - properties: - name: - type: string - port: - type: integer - protocol: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - required: - - name - - port - - protocol - type: object - type: array - profiles: - description: |- - A list of identifiers of security Profile objects that apply to this endpoint. Each - profile is applied in the order that they appear in this list. Profile rules are applied - after the selector-based security policy. - items: + node: + maxLength: 253 type: string - type: array - type: object - type: object - served: true - storage: true + ports: + items: + properties: + name: + type: string + port: + maximum: 65535 + minimum: 1 + type: integer + protocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + required: + - name + - port + - protocol + type: object + type: array + x-kubernetes-list-type: atomic + profiles: + items: + type: string + type: array + x-kubernetes-list-type: set + type: object + x-kubernetes-validations: + - message: at least one of interfaceName or expectedIPs must be specified + reason: FieldValueInvalid + rule: + (has(self.interfaceName) && size(self.interfaceName) > 0) || (has(self.expectedIPs) + && size(self.expectedIPs) > 0) + - message: node must be specified + reason: FieldValueInvalid + rule: has(self.node) && size(self.node) > 0 + type: object + served: true + storage: true diff --git a/pkg/crds/calico/crd.projectcalico.org_ipamblocks.yaml b/pkg/crds/calico/crd.projectcalico.org_ipamblocks.yaml index 6159addb9a..33210937b9 100644 --- a/pkg/crds/calico/crd.projectcalico.org_ipamblocks.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_ipamblocks.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: ipamblocks.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,106 +14,71 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: IPAMBlockSpec contains the specification for an IPAMBlock - resource. - properties: - affinity: - description: |- - Affinity of the block, if this block has one. If set, it will be of the form - "host:". If not set, this block is not affine to a host. - type: string - allocations: - description: |- - Array of allocations in-use within this block. nil entries mean the allocation is free. - For non-nil entries at index i, the index is the ordinal of the allocation within this block - and the value is the index of the associated attributes in the Attributes array. - items: - type: integer - # TODO: This nullable is manually added in. We should update controller-gen - # to handle []*int properly itself. - nullable: true - type: array - attributes: - description: |- - Attributes is an array of arbitrary metadata associated with allocations in the block. To find - attributes for a given allocation, use the value of the allocation's entry in the Allocations array - as the index of the element in this array. - items: - properties: - handle_id: - type: string - secondary: - additionalProperties: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + affinity: + type: string + affinityClaimTime: + format: date-time + type: string + allocations: + items: + type: integer + # TODO: This nullable is manually added in. We should update controller-gen + # to handle []*int properly itself. + nullable: true + type: array + attributes: + items: + properties: + alternateOwnerAttrs: + additionalProperties: + type: string + type: object + handle_id: type: string - type: object - type: object - type: array - cidr: - description: The block's CIDR. - type: string - deleted: - description: |- - Deleted is an internal boolean used to workaround a limitation in the Kubernetes API whereby - deletion will not return a conflict error if the block has been updated. It should not be set manually. - type: boolean - sequenceNumber: - default: 0 - description: |- - We store a sequence number that is updated each time the block is written. - Each allocation will also store the sequence number of the block at the time of its creation. - When releasing an IP, passing the sequence number associated with the allocation allows us - to protect against a race condition and ensure the IP hasn't been released and re-allocated - since the release request. - format: int64 - type: integer - sequenceNumberForAllocation: - additionalProperties: + secondary: + additionalProperties: + type: string + type: object + type: object + type: array + cidr: + type: string + deleted: + type: boolean + sequenceNumber: + default: 0 format: int64 type: integer - description: |- - Map of allocated ordinal within the block to sequence number of the block at - the time of allocation. Kubernetes does not allow numerical keys for maps, so - the key is cast to a string. - type: object - strictAffinity: - description: StrictAffinity on the IPAMBlock is deprecated and no - longer used by the code. Use IPAMConfig StrictAffinity instead. - type: boolean - unallocated: - description: Unallocated is an ordered list of allocations which are - free in the block. - items: - type: integer - type: array - required: - - allocations - - attributes - - cidr - - strictAffinity - - unallocated - type: object - type: object - served: true - storage: true + sequenceNumberForAllocation: + additionalProperties: + format: int64 + type: integer + type: object + strictAffinity: + type: boolean + unallocated: + items: + type: integer + type: array + required: + - allocations + - attributes + - cidr + - strictAffinity + - unallocated + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/calico/crd.projectcalico.org_ipamconfigs.yaml b/pkg/crds/calico/crd.projectcalico.org_ipamconfigs.yaml index fe82385ce4..5cbb52cb2c 100644 --- a/pkg/crds/calico/crd.projectcalico.org_ipamconfigs.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_ipamconfigs.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: ipamconfigs.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,46 +14,35 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: IPAMConfigSpec contains the specification for an IPAMConfig - resource. - properties: - autoAllocateBlocks: - type: boolean - maxBlocksPerHost: - description: |- - MaxBlocksPerHost, if non-zero, is the max number of blocks that can be - affine to each host. - maximum: 2147483647 - minimum: 0 - type: integer - strictAffinity: - type: boolean - required: - - autoAllocateBlocks - - strictAffinity - type: object - type: object - served: true - storage: true + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + autoAllocateBlocks: + type: boolean + kubeVirtVMAddressPersistence: + enum: + - Enabled + - Disabled + type: string + maxBlocksPerHost: + maximum: 2147483647 + minimum: 0 + type: integer + strictAffinity: + type: boolean + required: + - autoAllocateBlocks + - strictAffinity + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/calico/crd.projectcalico.org_ipamhandles.yaml b/pkg/crds/calico/crd.projectcalico.org_ipamhandles.yaml index 342fe33e62..d2305fe418 100644 --- a/pkg/crds/calico/crd.projectcalico.org_ipamhandles.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_ipamhandles.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: ipamhandles.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,43 +14,30 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: IPAMHandleSpec contains the specification for an IPAMHandle - resource. - properties: - block: - additionalProperties: - type: integer - type: object - deleted: - type: boolean - handleID: - type: string - required: - - block - - handleID - type: object - type: object - served: true - storage: true + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + block: + additionalProperties: + type: integer + type: object + deleted: + type: boolean + handleID: + type: string + required: + - block + - handleID + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/calico/crd.projectcalico.org_ippools.yaml b/pkg/crds/calico/crd.projectcalico.org_ippools.yaml index 5da8d37c9c..00eafddbfb 100644 --- a/pkg/crds/calico/crd.projectcalico.org_ippools.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_ippools.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: ippools.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,105 +14,105 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: IPPoolSpec contains the specification for an IPPool resource. - properties: - allowedUses: - description: |- - AllowedUse controls what the IP pool will be used for. If not specified or empty, defaults to - ["Tunnel", "Workload"] for back-compatibility - items: - type: string - type: array - assignmentMode: - description: Determines the mode how IP addresses should be assigned - from this pool - enum: - - Automatic - - Manual - type: string - blockSize: - description: The block size to use for IP address assignments from - this pool. Defaults to 26 for IPv4 and 122 for IPv6. - type: integer - cidr: - description: The pool CIDR. - type: string - disableBGPExport: - description: 'Disable exporting routes from this IP Pool''s CIDR over - BGP. [Default: false]' - type: boolean - disabled: - description: When disabled is true, Calico IPAM will not assign addresses - from this pool. - type: boolean - ipip: - description: |- - Deprecated: this field is only used for APIv1 backwards compatibility. - Setting this field is not allowed, this field is for internal use only. - properties: - enabled: - description: |- - When enabled is true, ipip tunneling will be used to deliver packets to - destinations within this pool. - type: boolean - mode: - description: |- - The IPIP mode. This can be one of "always" or "cross-subnet". A mode - of "always" will also use IPIP tunneling for routing to destination IP - addresses within this pool. A mode of "cross-subnet" will only use IPIP - tunneling when the destination node is on a different subnet to the - originating node. The default value (if not specified) is "always". + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + allowedUses: + items: + enum: + - Workload + - Tunnel + - LoadBalancer type: string - type: object - ipipMode: - description: |- - Contains configuration for IPIP tunneling for this pool. If not specified, - then this is defaulted to "Never" (i.e. IPIP tunneling is disabled). - type: string - nat-outgoing: - description: |- - Deprecated: this field is only used for APIv1 backwards compatibility. - Setting this field is not allowed, this field is for internal use only. - type: boolean - natOutgoing: - description: |- - When natOutgoing is true, packets sent from Calico networked containers in - this pool to destinations outside of this pool will be masqueraded. - type: boolean - nodeSelector: - description: Allows IPPool to allocate for a specific node by label - selector. - type: string - vxlanMode: - description: |- - Contains configuration for VXLAN tunneling for this pool. If not specified, - then this is defaulted to "Never" (i.e. VXLAN tunneling is disabled). - type: string - required: - - cidr - type: object - type: object - served: true - storage: true + maxItems: 10 + type: array + x-kubernetes-list-type: set + assignmentMode: + default: Automatic + enum: + - Automatic + - Manual + type: string + blockSize: + maximum: 128 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: + Block size cannot be changed; follow IP pool migration + guide to avoid corruption. + reason: FieldValueInvalid + rule: self == oldSelf + cidr: + format: cidr + maxLength: 48 + type: string + x-kubernetes-validations: + - message: + CIDR cannot be changed; follow IP pool migration guide + to avoid corruption. + reason: FieldValueInvalid + rule: self == oldSelf + disableBGPExport: + type: boolean + disabled: + type: boolean + ipipMode: + enum: + - Never + - Always + - CrossSubnet + type: string + namespaceSelector: + type: string + natOutgoing: + type: boolean + nodeSelector: + type: string + vxlanMode: + enum: + - Never + - Always + - CrossSubnet + type: string + required: + - cidr + type: object + x-kubernetes-validations: + - message: ipipMode and vxlanMode cannot both be enabled + reason: FieldValueForbidden + rule: + "!has(self.ipipMode) || !has(self.vxlanMode) || self.ipipMode + == 'Never' || self.vxlanMode == 'Never' || size(self.ipipMode) + == 0 || size(self.vxlanMode) == 0" + - message: LoadBalancer IP pool cannot have IPIP or VXLAN enabled + reason: FieldValueForbidden + rule: + "!has(self.allowedUses) || !self.allowedUses.exists(u, u == 'LoadBalancer') + || (!has(self.ipipMode) || size(self.ipipMode) == 0 || self.ipipMode + == 'Never') && (!has(self.vxlanMode) || size(self.vxlanMode) == + 0 || self.vxlanMode == 'Never')" + - message: + LoadBalancer cannot be combined with Workload or Tunnel allowed + uses + reason: FieldValueForbidden + rule: + "!has(self.allowedUses) || !self.allowedUses.exists(u, u == 'LoadBalancer') + || !self.allowedUses.exists(u, u == 'Workload' || u == 'Tunnel')" + - message: IPIP is not supported on IPv6 pools + reason: FieldValueForbidden + rule: + "!self.cidr.contains(':') || !has(self.ipipMode) || self.ipipMode + == 'Never' || size(self.ipipMode) == 0" + type: object + served: true + storage: true diff --git a/pkg/crds/calico/crd.projectcalico.org_ipreservations.yaml b/pkg/crds/calico/crd.projectcalico.org_ipreservations.yaml index 6942d6fe0c..251ba2b7be 100644 --- a/pkg/crds/calico/crd.projectcalico.org_ipreservations.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_ipreservations.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: ipreservations.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,38 +14,25 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: IPReservationSpec contains the specification for an IPReservation - resource. - properties: - reservedCIDRs: - description: ReservedCIDRs is a list of CIDRs and/or IP addresses - that Calico IPAM will exclude from new allocations. - items: - type: string - type: array - type: object - type: object - served: true - storage: true + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + reservedCIDRs: + format: cidr + items: + type: string + type: array + x-kubernetes-list-type: set + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/calico/crd.projectcalico.org_kubecontrollersconfigurations.yaml b/pkg/crds/calico/crd.projectcalico.org_kubecontrollersconfigurations.yaml index 9e34dac744..d2f779eeff 100644 --- a/pkg/crds/calico/crd.projectcalico.org_kubecontrollersconfigurations.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_kubecontrollersconfigurations.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: kubecontrollersconfigurations.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,256 +14,259 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: KubeControllersConfigurationSpec contains the values of the - Kubernetes controllers configuration. - properties: - controllers: - description: Controllers enables and configures individual Kubernetes - controllers - properties: - loadBalancer: - description: LoadBalancer enables and configures the LoadBalancer - controller. Enabled by default, set to nil to disable. - properties: - assignIPs: - type: string - type: object - namespace: - description: Namespace enables and configures the namespace controller. - Enabled by default, set to nil to disable. - properties: - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform reconciliation - with the Calico datastore. [Default: 5m]' - type: string - type: object - node: - description: Node enables and configures the node controller. - Enabled by default, set to nil to disable. - properties: - hostEndpoint: - description: HostEndpoint controls syncing nodes to host endpoints. - Disabled by default, set to nil to disable. - properties: - autoCreate: - description: 'AutoCreate enables automatic creation of - host endpoints for every node. [Default: Disabled]' - type: string - type: object - leakGracePeriod: - description: |- - LeakGracePeriod is the period used by the controller to determine if an IP address has been leaked. - Set to 0 to disable IP garbage collection. [Default: 15m] - type: string - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform reconciliation - with the Calico datastore. [Default: 5m]' - type: string - syncLabels: - description: 'SyncLabels controls whether to copy Kubernetes - node labels to Calico nodes. [Default: Enabled]' - type: string - type: object - policy: - description: Policy enables and configures the policy controller. - Enabled by default, set to nil to disable. - properties: - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform reconciliation - with the Calico datastore. [Default: 5m]' - type: string - type: object - serviceAccount: - description: ServiceAccount enables and configures the service - account controller. Enabled by default, set to nil to disable. - properties: - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform reconciliation - with the Calico datastore. [Default: 5m]' - type: string - type: object - workloadEndpoint: - description: WorkloadEndpoint enables and configures the workload - endpoint controller. Enabled by default, set to nil to disable. - properties: - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform reconciliation - with the Calico datastore. [Default: 5m]' - type: string - type: object - type: object - debugProfilePort: - description: |- - DebugProfilePort configures the port to serve memory and cpu profiles on. If not specified, profiling - is disabled. - format: int32 - type: integer - etcdV3CompactionPeriod: - description: 'EtcdV3CompactionPeriod is the period between etcdv3 - compaction requests. Set to 0 to disable. [Default: 10m]' - type: string - healthChecks: - description: 'HealthChecks enables or disables support for health - checks [Default: Enabled]' - type: string - logSeverityScreen: - description: 'LogSeverityScreen is the log severity above which logs - are sent to the stdout. [Default: Info]' - type: string - prometheusMetricsPort: - description: 'PrometheusMetricsPort is the TCP port that the Prometheus - metrics server should bind to. Set to 0 to disable. [Default: 9094]' - type: integer - required: - - controllers - type: object - status: - description: |- - KubeControllersConfigurationStatus represents the status of the configuration. It's useful for admins to - be able to see the actual config that was applied, which can be modified by environment variables on the - kube-controllers process. - properties: - environmentVars: - additionalProperties: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + controllers: + properties: + loadBalancer: + properties: + assignIPs: + default: AllServices + enum: + - AllServices + - RequestedServicesOnly + type: string + type: object + migration: + properties: + policyNameMigrator: + default: Enabled + enum: + - Disabled + - Enabled + type: string + type: object + namespace: + properties: + reconcilerPeriod: + type: string + type: object + node: + properties: + hostEndpoint: + properties: + autoCreate: + enum: + - Enabled + - Disabled + type: string + createDefaultHostEndpoint: + type: string + templates: + items: + properties: + generateName: + maxLength: 253 + type: string + interfaceCIDRs: + items: + type: string + type: array + x-kubernetes-list-type: set + interfacePattern: + type: string + labels: + additionalProperties: + type: string + type: object + nodeSelector: + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + leakGracePeriod: + type: string + reconcilerPeriod: + type: string + syncLabels: + enum: + - Enabled + - Disabled + type: string + type: object + policy: + properties: + reconcilerPeriod: + type: string + type: object + serviceAccount: + properties: + reconcilerPeriod: + type: string + type: object + workloadEndpoint: + properties: + reconcilerPeriod: + type: string + type: object + type: object + debugProfilePort: + format: int32 + maximum: 65535 + minimum: 0 + type: integer + etcdV3CompactionPeriod: type: string - description: |- - EnvironmentVars contains the environment variables on the kube-controllers that influenced - the RunningConfig. - type: object - runningConfig: - description: |- - RunningConfig contains the effective config that is running in the kube-controllers pod, after - merging the API resource with any environment variables. - properties: - controllers: - description: Controllers enables and configures individual Kubernetes - controllers - properties: - loadBalancer: - description: LoadBalancer enables and configures the LoadBalancer - controller. Enabled by default, set to nil to disable. - properties: - assignIPs: - type: string - type: object - namespace: - description: Namespace enables and configures the namespace - controller. Enabled by default, set to nil to disable. - properties: - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform - reconciliation with the Calico datastore. [Default: - 5m]' - type: string - type: object - node: - description: Node enables and configures the node controller. - Enabled by default, set to nil to disable. - properties: - hostEndpoint: - description: HostEndpoint controls syncing nodes to host - endpoints. Disabled by default, set to nil to disable. - properties: - autoCreate: - description: 'AutoCreate enables automatic creation - of host endpoints for every node. [Default: Disabled]' - type: string - type: object - leakGracePeriod: - description: |- - LeakGracePeriod is the period used by the controller to determine if an IP address has been leaked. - Set to 0 to disable IP garbage collection. [Default: 15m] - type: string - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform - reconciliation with the Calico datastore. [Default: - 5m]' - type: string - syncLabels: - description: 'SyncLabels controls whether to copy Kubernetes - node labels to Calico nodes. [Default: Enabled]' - type: string - type: object - policy: - description: Policy enables and configures the policy controller. - Enabled by default, set to nil to disable. - properties: - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform - reconciliation with the Calico datastore. [Default: - 5m]' - type: string - type: object - serviceAccount: - description: ServiceAccount enables and configures the service - account controller. Enabled by default, set to nil to disable. - properties: - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform - reconciliation with the Calico datastore. [Default: - 5m]' - type: string - type: object - workloadEndpoint: - description: WorkloadEndpoint enables and configures the workload - endpoint controller. Enabled by default, set to nil to disable. - properties: - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform - reconciliation with the Calico datastore. [Default: - 5m]' - type: string - type: object - type: object - debugProfilePort: - description: |- - DebugProfilePort configures the port to serve memory and cpu profiles on. If not specified, profiling - is disabled. - format: int32 - type: integer - etcdV3CompactionPeriod: - description: 'EtcdV3CompactionPeriod is the period between etcdv3 - compaction requests. Set to 0 to disable. [Default: 10m]' - type: string - healthChecks: - description: 'HealthChecks enables or disables support for health - checks [Default: Enabled]' - type: string - logSeverityScreen: - description: 'LogSeverityScreen is the log severity above which - logs are sent to the stdout. [Default: Info]' - type: string - prometheusMetricsPort: - description: 'PrometheusMetricsPort is the TCP port that the Prometheus - metrics server should bind to. Set to 0 to disable. [Default: - 9094]' - type: integer - required: + healthChecks: + default: Enabled + enum: + - Enabled + - Disabled + type: string + logSeverityScreen: + enum: + - None + - Debug + - Info + - Warning + - Error + - Fatal + - Panic + type: string + prometheusMetricsPort: + maximum: 65535 + minimum: 0 + type: integer + required: - controllers - type: object - type: object - type: object - served: true - storage: true + type: object + status: + properties: + environmentVars: + additionalProperties: + type: string + type: object + runningConfig: + properties: + controllers: + properties: + loadBalancer: + properties: + assignIPs: + default: AllServices + enum: + - AllServices + - RequestedServicesOnly + type: string + type: object + migration: + properties: + policyNameMigrator: + default: Enabled + enum: + - Disabled + - Enabled + type: string + type: object + namespace: + properties: + reconcilerPeriod: + type: string + type: object + node: + properties: + hostEndpoint: + properties: + autoCreate: + enum: + - Enabled + - Disabled + type: string + createDefaultHostEndpoint: + type: string + templates: + items: + properties: + generateName: + maxLength: 253 + type: string + interfaceCIDRs: + items: + type: string + type: array + x-kubernetes-list-type: set + interfacePattern: + type: string + labels: + additionalProperties: + type: string + type: object + nodeSelector: + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + leakGracePeriod: + type: string + reconcilerPeriod: + type: string + syncLabels: + enum: + - Enabled + - Disabled + type: string + type: object + policy: + properties: + reconcilerPeriod: + type: string + type: object + serviceAccount: + properties: + reconcilerPeriod: + type: string + type: object + workloadEndpoint: + properties: + reconcilerPeriod: + type: string + type: object + type: object + debugProfilePort: + format: int32 + maximum: 65535 + minimum: 0 + type: integer + etcdV3CompactionPeriod: + type: string + healthChecks: + default: Enabled + enum: + - Enabled + - Disabled + type: string + logSeverityScreen: + enum: + - None + - Debug + - Info + - Warning + - Error + - Fatal + - Panic + type: string + prometheusMetricsPort: + maximum: 65535 + minimum: 0 + type: integer + required: + - controllers + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/pkg/crds/calico/crd.projectcalico.org_networkpolicies.yaml b/pkg/crds/calico/crd.projectcalico.org_networkpolicies.yaml index 9e54c8dccf..89ba6ea424 100644 --- a/pkg/crds/calico/crd.projectcalico.org_networkpolicies.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_networkpolicies.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: networkpolicies.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,848 +14,475 @@ spec: preserveUnknownFields: false scope: Namespaced versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - egress: - description: |- - The ordered set of egress rules. Each rule contains a set of packet match criteria and - a corresponding action to apply. - items: - description: |- - A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy - and security Profiles reference rules - separated out as a list of rules for both - ingress and egress packet matching. - - Each positive match criteria has a negated version, prefixed with "Not". All the match - criteria within a rule must be satisfied for a packet to match. A single rule can contain - the positive and negative version of a match and both must be satisfied for the rule to match. - properties: - action: - type: string - destination: - description: Destination contains the match criteria that apply - to destination entity. - properties: - namespaceSelector: - description: |- - NamespaceSelector is an optional field that contains a selector expression. Only traffic - that originates from (or terminates at) endpoints within the selected namespaces will be - matched. When both NamespaceSelector and another selector are defined on the same rule, then only - workload endpoints that are matched by both selectors will be selected by the rule. - - For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting - only workload endpoints in the same namespace as the NetworkPolicy. - - For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting - only GlobalNetworkSet or HostEndpoint. - - For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces. - type: string - nets: - description: |- - Nets is an optional field that restricts the rule to only apply to traffic that - originates from (or terminates at) IP addresses in any of the given subnets. - items: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + egress: + items: + properties: + action: + enum: + - Allow + - Deny + - Log + - Pass + type: string + destination: + properties: + namespaceSelector: type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: - type: string - type: array - notPorts: - description: |- - NotPorts is the negated version of the Ports field. - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: |- - NotSelector is the negated version of the Selector field. See Selector field for - subtleties with negated selectors. - type: string - ports: - description: |- - Ports is an optional field that restricts the rule to only apply to traffic that has a - source (destination) port that matches one of these ranges/values. This value is a - list of integers or strings that represent ranges of ports. - - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for\nsample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching\nthe selector will be matched.\n\nNote that: - in addition to the negated version of the Selector (see - NotSelector below), the\nselector expression syntax itself - supports negation. The two types of negation are subtly\ndifferent. - One negates the set of matched endpoints, the other negates - the whole match:\n\n\tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled\n\tendpoints - that do not have the label \"my_label\".\n\n\tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled\n\tendpoints that do have the label - \"my_label\".\n\nThe effect is that the latter will accept - packets from non-Calico sources whereas the\nformer is - limited to packets from Calico-controlled endpoints." - type: string - serviceAccounts: - description: |- - ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or - terminates at) a pod running as a matching service account. - properties: - names: - description: |- - Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates - at) a pod running as a service account whose name is in the list. - items: - type: string - type: array - selector: - description: |- - Selector is an optional field that restricts the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account that matches the given label selector. - If both Names and Selector are specified then they are AND'ed. - type: string - type: object - services: - description: |- - Services is an optional field that contains options for matching Kubernetes Services. - If specified, only traffic that originates from or terminates at endpoints within the selected - service(s) will be matched, and only to/from each endpoint's port. - - Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, - NotNets or ServiceAccounts. - - Ports and NotPorts can only be specified with Services on ingress rules. - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. + nets: + items: type: string - namespace: - description: |- - Namespace specifies the namespace of the given Service. If left empty, the rule - will match within this policy's namespace. + type: array + x-kubernetes-list-type: set + notNets: + items: type: string - type: object - type: object - http: - description: HTTP contains match criteria that apply to HTTP - requests. - properties: - methods: - description: |- - Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed - HTTP Methods (e.g. GET, PUT, etc.) - Multiple methods are OR'd together. - items: + type: array + x-kubernetes-list-type: set + notPorts: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + notSelector: type: string - type: array - paths: - description: |- - Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed - HTTP Paths. - Multiple paths are OR'd together. - e.g: - - exact: /foo - - prefix: /bar - NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it. - items: - description: |- - HTTPPath specifies an HTTP path to match. It may be either of the form: - exact: : which matches the path exactly or - prefix: : which matches the path prefix + ports: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + selector: + type: string + serviceAccounts: properties: - exact: - type: string - prefix: + names: + items: + type: string + type: array + x-kubernetes-list-type: set + selector: type: string type: object - type: array - type: object - icmp: - description: |- - ICMP is an optional field that restricts the rule to apply to a specific type and - code of ICMP traffic. This should only be specified if the Protocol field is set to - "ICMP" or "ICMPv6". - properties: - code: - description: |- - Match on a specific ICMP code. If specified, the Type value must also be specified. - This is a technical limitation imposed by the kernel's iptables firewall, which - Calico uses to enforce the rule. - type: integer - type: - description: |- - Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request - (i.e. pings). - type: integer - type: object - ipVersion: - description: |- - IPVersion is an optional field that restricts the rule to only match a specific IP - version. - type: integer - metadata: - description: Metadata contains additional information for this - rule - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a set of key value pairs that - give extra information about the rule - type: object - type: object - notICMP: - description: NotICMP is the negated version of the ICMP field. - properties: - code: - description: |- - Match on a specific ICMP code. If specified, the Type value must also be specified. - This is a technical limitation imposed by the kernel's iptables firewall, which - Calico uses to enforce the rule. - type: integer - type: - description: |- - Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request - (i.e. pings). - type: integer - type: object - notProtocol: - anyOf: - - type: integer - - type: string - description: NotProtocol is the negated version of the Protocol - field. - pattern: ^.* - x-kubernetes-int-or-string: true - protocol: - anyOf: - - type: integer - - type: string - description: |- - Protocol is an optional field that restricts the rule to only apply to traffic of - a specific IP protocol. Required if any of the EntityRules contain Ports - (because ports only apply to certain protocols). - - Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite" - or an integer in the range 1-255. - pattern: ^.* - x-kubernetes-int-or-string: true - source: - description: Source contains the match criteria that apply to - source entity. - properties: - namespaceSelector: - description: |- - NamespaceSelector is an optional field that contains a selector expression. Only traffic - that originates from (or terminates at) endpoints within the selected namespaces will be - matched. When both NamespaceSelector and another selector are defined on the same rule, then only - workload endpoints that are matched by both selectors will be selected by the rule. - - For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting - only workload endpoints in the same namespace as the NetworkPolicy. - - For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting - only GlobalNetworkSet or HostEndpoint. - - For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces. - type: string - nets: - description: |- - Nets is an optional field that restricts the rule to only apply to traffic that - originates from (or terminates at) IP addresses in any of the given subnets. - items: - type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: - type: string - type: array - notPorts: - description: |- - NotPorts is the negated version of the Ports field. - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: |- - NotSelector is the negated version of the Selector field. See Selector field for - subtleties with negated selectors. - type: string - ports: - description: |- - Ports is an optional field that restricts the rule to only apply to traffic that has a - source (destination) port that matches one of these ranges/values. This value is a - list of integers or strings that represent ranges of ports. - - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for\nsample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching\nthe selector will be matched.\n\nNote that: - in addition to the negated version of the Selector (see - NotSelector below), the\nselector expression syntax itself - supports negation. The two types of negation are subtly\ndifferent. - One negates the set of matched endpoints, the other negates - the whole match:\n\n\tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled\n\tendpoints - that do not have the label \"my_label\".\n\n\tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled\n\tendpoints that do have the label - \"my_label\".\n\nThe effect is that the latter will accept - packets from non-Calico sources whereas the\nformer is - limited to packets from Calico-controlled endpoints." - type: string - serviceAccounts: - description: |- - ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or - terminates at) a pod running as a matching service account. - properties: - names: - description: |- - Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates - at) a pod running as a service account whose name is in the list. - items: + services: + properties: + name: type: string - type: array - selector: - description: |- - Selector is an optional field that restricts the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account that matches the given label selector. - If both Names and Selector are specified then they are AND'ed. - type: string - type: object - services: - description: |- - Services is an optional field that contains options for matching Kubernetes Services. - If specified, only traffic that originates from or terminates at endpoints within the selected - service(s) will be matched, and only to/from each endpoint's port. - - Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, - NotNets or ServiceAccounts. - - Ports and NotPorts can only be specified with Services on ingress rules. - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. + namespace: + type: string + type: object + type: object + http: + properties: + methods: + items: type: string - namespace: - description: |- - Namespace specifies the namespace of the given Service. If left empty, the rule - will match within this policy's namespace. + maxItems: 20 + type: array + x-kubernetes-list-type: atomic + paths: + items: + properties: + exact: + maxLength: 1024 + type: string + prefix: + maxLength: 1024 + type: string + type: object + maxItems: 20 + type: array + x-kubernetes-list-type: atomic + type: object + icmp: + properties: + code: + maximum: 255 + minimum: 0 + type: integer + type: + maximum: 254 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: ICMP code specified without an ICMP type + reason: FieldValueInvalid + rule: "!has(self.code) || has(self.type)" + ipVersion: + enum: + - 4 + - 6 + type: integer + metadata: + properties: + annotations: + additionalProperties: type: string - type: object - type: object - required: - - action - type: object - type: array - ingress: - description: |- - The ordered set of ingress rules. Each rule contains a set of packet match criteria and - a corresponding action to apply. - items: - description: |- - A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy - and security Profiles reference rules - separated out as a list of rules for both - ingress and egress packet matching. - - Each positive match criteria has a negated version, prefixed with "Not". All the match - criteria within a rule must be satisfied for a packet to match. A single rule can contain - the positive and negative version of a match and both must be satisfied for the rule to match. - properties: - action: - type: string - destination: - description: Destination contains the match criteria that apply - to destination entity. - properties: - namespaceSelector: - description: |- - NamespaceSelector is an optional field that contains a selector expression. Only traffic - that originates from (or terminates at) endpoints within the selected namespaces will be - matched. When both NamespaceSelector and another selector are defined on the same rule, then only - workload endpoints that are matched by both selectors will be selected by the rule. - - For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting - only workload endpoints in the same namespace as the NetworkPolicy. - - For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting - only GlobalNetworkSet or HostEndpoint. - - For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces. - type: string - nets: - description: |- - Nets is an optional field that restricts the rule to only apply to traffic that - originates from (or terminates at) IP addresses in any of the given subnets. - items: - type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: + type: object + type: object + notICMP: + properties: + code: + maximum: 255 + minimum: 0 + type: integer + type: + maximum: 254 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: ICMP code specified without an ICMP type + reason: FieldValueInvalid + rule: "!has(self.code) || has(self.type)" + notProtocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + source: + properties: + namespaceSelector: type: string - type: array - notPorts: - description: |- - NotPorts is the negated version of the Ports field. - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: |- - NotSelector is the negated version of the Selector field. See Selector field for - subtleties with negated selectors. - type: string - ports: - description: |- - Ports is an optional field that restricts the rule to only apply to traffic that has a - source (destination) port that matches one of these ranges/values. This value is a - list of integers or strings that represent ranges of ports. - - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for\nsample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching\nthe selector will be matched.\n\nNote that: - in addition to the negated version of the Selector (see - NotSelector below), the\nselector expression syntax itself - supports negation. The two types of negation are subtly\ndifferent. - One negates the set of matched endpoints, the other negates - the whole match:\n\n\tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled\n\tendpoints - that do not have the label \"my_label\".\n\n\tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled\n\tendpoints that do have the label - \"my_label\".\n\nThe effect is that the latter will accept - packets from non-Calico sources whereas the\nformer is - limited to packets from Calico-controlled endpoints." - type: string - serviceAccounts: - description: |- - ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or - terminates at) a pod running as a matching service account. - properties: - names: - description: |- - Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates - at) a pod running as a service account whose name is in the list. - items: - type: string - type: array - selector: - description: |- - Selector is an optional field that restricts the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account that matches the given label selector. - If both Names and Selector are specified then they are AND'ed. - type: string - type: object - services: - description: |- - Services is an optional field that contains options for matching Kubernetes Services. - If specified, only traffic that originates from or terminates at endpoints within the selected - service(s) will be matched, and only to/from each endpoint's port. - - Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, - NotNets or ServiceAccounts. - - Ports and NotPorts can only be specified with Services on ingress rules. - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. + nets: + items: type: string - namespace: - description: |- - Namespace specifies the namespace of the given Service. If left empty, the rule - will match within this policy's namespace. + type: array + x-kubernetes-list-type: set + notNets: + items: type: string - type: object - type: object - http: - description: HTTP contains match criteria that apply to HTTP - requests. - properties: - methods: - description: |- - Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed - HTTP Methods (e.g. GET, PUT, etc.) - Multiple methods are OR'd together. - items: + type: array + x-kubernetes-list-type: set + notPorts: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + notSelector: type: string - type: array - paths: - description: |- - Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed - HTTP Paths. - Multiple paths are OR'd together. - e.g: - - exact: /foo - - prefix: /bar - NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it. - items: - description: |- - HTTPPath specifies an HTTP path to match. It may be either of the form: - exact: : which matches the path exactly or - prefix: : which matches the path prefix + ports: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + selector: + type: string + serviceAccounts: properties: - exact: + names: + items: + type: string + type: array + x-kubernetes-list-type: set + selector: type: string - prefix: + type: object + services: + properties: + name: + type: string + namespace: type: string type: object - type: array - type: object - icmp: - description: |- - ICMP is an optional field that restricts the rule to apply to a specific type and - code of ICMP traffic. This should only be specified if the Protocol field is set to - "ICMP" or "ICMPv6". - properties: - code: - description: |- - Match on a specific ICMP code. If specified, the Type value must also be specified. - This is a technical limitation imposed by the kernel's iptables firewall, which - Calico uses to enforce the rule. - type: integer - type: - description: |- - Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request - (i.e. pings). - type: integer - type: object - ipVersion: - description: |- - IPVersion is an optional field that restricts the rule to only match a specific IP - version. - type: integer - metadata: - description: Metadata contains additional information for this - rule - properties: - annotations: - additionalProperties: + type: object + required: + - action + type: object + x-kubernetes-validations: + - message: rules with HTTP match must have protocol TCP or unset + reason: FieldValueInvalid + rule: + "!has(self.http) || !has(self.protocol) || self.protocol + == 'TCP' || self.protocol == 6" + - message: HTTP match is only valid on Allow rules + reason: FieldValueForbidden + rule: self.action == 'Allow' || !has(self.http) + - message: ports and notPorts cannot be specified with services + reason: FieldValueForbidden + rule: + "!has(self.destination) || !has(self.destination.services) + || (!has(self.destination.ports) || size(self.destination.ports) + == 0) && (!has(self.destination.notPorts) || size(self.destination.notPorts) + == 0)" + type: array + x-kubernetes-list-type: atomic + ingress: + items: + properties: + action: + enum: + - Allow + - Deny + - Log + - Pass + type: string + destination: + properties: + namespaceSelector: type: string - description: Annotations is a set of key value pairs that - give extra information about the rule - type: object - type: object - notICMP: - description: NotICMP is the negated version of the ICMP field. - properties: - code: - description: |- - Match on a specific ICMP code. If specified, the Type value must also be specified. - This is a technical limitation imposed by the kernel's iptables firewall, which - Calico uses to enforce the rule. - type: integer - type: - description: |- - Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request - (i.e. pings). - type: integer - type: object - notProtocol: - anyOf: - - type: integer - - type: string - description: NotProtocol is the negated version of the Protocol - field. - pattern: ^.* - x-kubernetes-int-or-string: true - protocol: - anyOf: - - type: integer - - type: string - description: |- - Protocol is an optional field that restricts the rule to only apply to traffic of - a specific IP protocol. Required if any of the EntityRules contain Ports - (because ports only apply to certain protocols). - - Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite" - or an integer in the range 1-255. - pattern: ^.* - x-kubernetes-int-or-string: true - source: - description: Source contains the match criteria that apply to - source entity. - properties: - namespaceSelector: - description: |- - NamespaceSelector is an optional field that contains a selector expression. Only traffic - that originates from (or terminates at) endpoints within the selected namespaces will be - matched. When both NamespaceSelector and another selector are defined on the same rule, then only - workload endpoints that are matched by both selectors will be selected by the rule. - - For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting - only workload endpoints in the same namespace as the NetworkPolicy. - - For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting - only GlobalNetworkSet or HostEndpoint. - - For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces. - type: string - nets: - description: |- - Nets is an optional field that restricts the rule to only apply to traffic that - originates from (or terminates at) IP addresses in any of the given subnets. - items: + nets: + items: + type: string + type: array + x-kubernetes-list-type: set + notNets: + items: + type: string + type: array + x-kubernetes-list-type: set + notPorts: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + notSelector: type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: + ports: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + selector: type: string - type: array - notPorts: - description: |- - NotPorts is the negated version of the Ports field. - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: |- - NotSelector is the negated version of the Selector field. See Selector field for - subtleties with negated selectors. - type: string - ports: - description: |- - Ports is an optional field that restricts the rule to only apply to traffic that has a - source (destination) port that matches one of these ranges/values. This value is a - list of integers or strings that represent ranges of ports. - - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for\nsample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching\nthe selector will be matched.\n\nNote that: - in addition to the negated version of the Selector (see - NotSelector below), the\nselector expression syntax itself - supports negation. The two types of negation are subtly\ndifferent. - One negates the set of matched endpoints, the other negates - the whole match:\n\n\tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled\n\tendpoints - that do not have the label \"my_label\".\n\n\tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled\n\tendpoints that do have the label - \"my_label\".\n\nThe effect is that the latter will accept - packets from non-Calico sources whereas the\nformer is - limited to packets from Calico-controlled endpoints." - type: string - serviceAccounts: - description: |- - ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or - terminates at) a pod running as a matching service account. - properties: - names: - description: |- - Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates - at) a pod running as a service account whose name is in the list. - items: + serviceAccounts: + properties: + names: + items: + type: string + type: array + x-kubernetes-list-type: set + selector: + type: string + type: object + services: + properties: + name: type: string - type: array - selector: - description: |- - Selector is an optional field that restricts the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account that matches the given label selector. - If both Names and Selector are specified then they are AND'ed. + namespace: + type: string + type: object + type: object + http: + properties: + methods: + items: + type: string + maxItems: 20 + type: array + x-kubernetes-list-type: atomic + paths: + items: + properties: + exact: + maxLength: 1024 + type: string + prefix: + maxLength: 1024 + type: string + type: object + maxItems: 20 + type: array + x-kubernetes-list-type: atomic + type: object + icmp: + properties: + code: + maximum: 255 + minimum: 0 + type: integer + type: + maximum: 254 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: ICMP code specified without an ICMP type + reason: FieldValueInvalid + rule: "!has(self.code) || has(self.type)" + ipVersion: + enum: + - 4 + - 6 + type: integer + metadata: + properties: + annotations: + additionalProperties: type: string - type: object - services: - description: |- - Services is an optional field that contains options for matching Kubernetes Services. - If specified, only traffic that originates from or terminates at endpoints within the selected - service(s) will be matched, and only to/from each endpoint's port. - - Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, - NotNets or ServiceAccounts. - - Ports and NotPorts can only be specified with Services on ingress rules. - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. + type: object + type: object + notICMP: + properties: + code: + maximum: 255 + minimum: 0 + type: integer + type: + maximum: 254 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: ICMP code specified without an ICMP type + reason: FieldValueInvalid + rule: "!has(self.code) || has(self.type)" + notProtocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + source: + properties: + namespaceSelector: + type: string + nets: + items: type: string - namespace: - description: |- - Namespace specifies the namespace of the given Service. If left empty, the rule - will match within this policy's namespace. + type: array + x-kubernetes-list-type: set + notNets: + items: type: string - type: object - type: object - required: - - action - type: object - type: array - order: - description: |- - Order is an optional field that specifies the order in which the policy is applied. - Policies with higher "order" are applied after those with lower - order within the same tier. If the order is omitted, it may be considered to be "infinite" - i.e. the - policy will be applied last. Policies with identical order will be applied in - alphanumerical order based on the Policy "Name" within the tier. - type: number - performanceHints: - description: |- - PerformanceHints contains a list of hints to Calico's policy engine to - help process the policy more efficiently. Hints never change the - enforcement behaviour of the policy. - - Currently, the only available hint is "AssumeNeededOnEveryNode". When - that hint is set on a policy, Felix will act as if the policy matches - a local endpoint even if it does not. This is useful for "preloading" - any large static policies that are known to be used on every node. - If the policy is _not_ used on a particular node then the work - done to preload the policy (and to maintain it) is wasted. - items: + type: array + x-kubernetes-list-type: set + notPorts: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + notSelector: + type: string + ports: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + selector: + type: string + serviceAccounts: + properties: + names: + items: + type: string + type: array + x-kubernetes-list-type: set + selector: + type: string + type: object + services: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + required: + - action + type: object + x-kubernetes-validations: + - message: rules with HTTP match must have protocol TCP or unset + reason: FieldValueInvalid + rule: + "!has(self.http) || !has(self.protocol) || self.protocol + == 'TCP' || self.protocol == 6" + - message: HTTP match is only valid on Allow rules + reason: FieldValueForbidden + rule: self.action == 'Allow' || !has(self.http) + - message: ports and notPorts cannot be specified with services + reason: FieldValueForbidden + rule: + "!has(self.destination) || !has(self.destination.services) + || (!has(self.destination.ports) || size(self.destination.ports) + == 0) && (!has(self.destination.notPorts) || size(self.destination.notPorts) + == 0)" + type: array + x-kubernetes-list-type: atomic + order: + type: number + performanceHints: + items: + enum: + - AssumeNeededOnEveryNode + type: string + type: array + x-kubernetes-list-type: set + selector: + type: string + serviceAccountSelector: type: string - type: array - selector: - description: "The selector is an expression used to pick out the endpoints - that the policy should\nbe applied to.\n\nSelector expressions follow - this syntax:\n\n\tlabel == \"string_literal\" -> comparison, e.g. - my_label == \"foo bar\"\n\tlabel != \"string_literal\" -> not - equal; also matches if label is not present\n\tlabel in { \"a\", - \"b\", \"c\", ... } -> true if the value of label X is one of - \"a\", \"b\", \"c\"\n\tlabel not in { \"a\", \"b\", \"c\", ... } - \ -> true if the value of label X is not one of \"a\", \"b\", \"c\"\n\thas(label_name) - \ -> True if that label is present\n\t! expr -> negation of expr\n\texpr - && expr -> Short-circuit and\n\texpr || expr -> Short-circuit - or\n\t( expr ) -> parens for grouping\n\tall() or the empty selector - -> matches all endpoints.\n\nLabel names are allowed to contain - alphanumerics, -, _ and /. String literals are more permissive\nbut - they do not support escape characters.\n\nExamples (with made-up - labels):\n\n\ttype == \"webserver\" && deployment == \"prod\"\n\ttype - in {\"frontend\", \"backend\"}\n\tdeployment != \"dev\"\n\t! has(label_name)" - type: string - serviceAccountSelector: - description: ServiceAccountSelector is an optional field for an expression - used to select a pod based on service accounts. - type: string - tier: - description: |- - The name of the tier that this policy belongs to. If this is omitted, the default - tier (name is "default") is assumed. The specified tier must exist in order to create - security policies within the tier, the "default" tier is created automatically if it - does not exist, this means for deployments requiring only a single Tier, the tier name - may be omitted on all policy management requests. - type: string - types: - description: |- - Types indicates whether this policy applies to ingress, or to egress, or to both. When - not explicitly specified (and so the value on creation is empty or nil), Calico defaults - Types according to what Ingress and Egress are present in the policy. The - default is: - - - [ PolicyTypeIngress ], if there are no Egress rules (including the case where there are - also no Ingress rules) - - - [ PolicyTypeEgress ], if there are Egress rules but no Ingress rules - - - [ PolicyTypeIngress, PolicyTypeEgress ], if there are both Ingress and Egress rules. - - When the policy is read back again, Types will always be one of these values, never empty - or nil. - items: - description: PolicyType enumerates the possible values of the PolicySpec - Types field. + tier: + default: default type: string - type: array - type: object - type: object - served: true - storage: true + types: + items: + enum: + - Ingress + - Egress + type: string + maxItems: 2 + minItems: 1 + type: array + x-kubernetes-list-type: set + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/calico/crd.projectcalico.org_networksets.yaml b/pkg/crds/calico/crd.projectcalico.org_networksets.yaml index 2c34c3cace..7e43fbd8f0 100644 --- a/pkg/crds/calico/crd.projectcalico.org_networksets.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_networksets.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: networksets.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,38 +14,24 @@ spec: preserveUnknownFields: false scope: Namespaced versions: - - name: v1 - schema: - openAPIV3Schema: - description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: NetworkSetSpec contains the specification for a NetworkSet - resource. - properties: - nets: - description: The list of IP networks that belong to this set. - items: - type: string - type: array - type: object - type: object - served: true - storage: true + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + nets: + items: + type: string + type: array + x-kubernetes-list-type: set + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/calico/crd.projectcalico.org_stagedglobalnetworkpolicies.yaml b/pkg/crds/calico/crd.projectcalico.org_stagedglobalnetworkpolicies.yaml index 738bcafa20..e775e1573c 100644 --- a/pkg/crds/calico/crd.projectcalico.org_stagedglobalnetworkpolicies.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_stagedglobalnetworkpolicies.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: stagedglobalnetworkpolicies.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,872 +14,514 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - applyOnForward: - description: ApplyOnForward indicates to apply the rules in this policy - on forward traffic. - type: boolean - doNotTrack: - description: |- - DoNotTrack indicates whether packets matched by the rules in this policy should go through - the data plane's connection tracking, such as Linux conntrack. If True, the rules in - this policy are applied before any data plane connection tracking, and packets allowed by - this policy are marked as not to be tracked. - type: boolean - egress: - description: |- - The ordered set of egress rules. Each rule contains a set of packet match criteria and - a corresponding action to apply. - items: - description: |- - A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy - and security Profiles reference rules - separated out as a list of rules for both - ingress and egress packet matching. - - Each positive match criteria has a negated version, prefixed with "Not". All the match - criteria within a rule must be satisfied for a packet to match. A single rule can contain - the positive and negative version of a match and both must be satisfied for the rule to match. - properties: - action: - type: string - destination: - description: Destination contains the match criteria that apply - to destination entity. - properties: - namespaceSelector: - description: |- - NamespaceSelector is an optional field that contains a selector expression. Only traffic - that originates from (or terminates at) endpoints within the selected namespaces will be - matched. When both NamespaceSelector and another selector are defined on the same rule, then only - workload endpoints that are matched by both selectors will be selected by the rule. - - For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting - only workload endpoints in the same namespace as the NetworkPolicy. - - For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting - only GlobalNetworkSet or HostEndpoint. - - For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces. - type: string - nets: - description: |- - Nets is an optional field that restricts the rule to only apply to traffic that - originates from (or terminates at) IP addresses in any of the given subnets. - items: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + applyOnForward: + type: boolean + doNotTrack: + type: boolean + egress: + items: + properties: + action: + enum: + - Allow + - Deny + - Log + - Pass + type: string + destination: + properties: + namespaceSelector: type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: - type: string - type: array - notPorts: - description: |- - NotPorts is the negated version of the Ports field. - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: |- - NotSelector is the negated version of the Selector field. See Selector field for - subtleties with negated selectors. - type: string - ports: - description: |- - Ports is an optional field that restricts the rule to only apply to traffic that has a - source (destination) port that matches one of these ranges/values. This value is a - list of integers or strings that represent ranges of ports. - - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for\nsample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching\nthe selector will be matched.\n\nNote that: - in addition to the negated version of the Selector (see - NotSelector below), the\nselector expression syntax itself - supports negation. The two types of negation are subtly\ndifferent. - One negates the set of matched endpoints, the other negates - the whole match:\n\n\tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled\n\tendpoints - that do not have the label \"my_label\".\n\n\tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled\n\tendpoints that do have the label - \"my_label\".\n\nThe effect is that the latter will accept - packets from non-Calico sources whereas the\nformer is - limited to packets from Calico-controlled endpoints." - type: string - serviceAccounts: - description: |- - ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or - terminates at) a pod running as a matching service account. - properties: - names: - description: |- - Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates - at) a pod running as a service account whose name is in the list. - items: - type: string - type: array - selector: - description: |- - Selector is an optional field that restricts the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account that matches the given label selector. - If both Names and Selector are specified then they are AND'ed. - type: string - type: object - services: - description: |- - Services is an optional field that contains options for matching Kubernetes Services. - If specified, only traffic that originates from or terminates at endpoints within the selected - service(s) will be matched, and only to/from each endpoint's port. - - Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, - NotNets or ServiceAccounts. - - Ports and NotPorts can only be specified with Services on ingress rules. - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. + nets: + items: type: string - namespace: - description: |- - Namespace specifies the namespace of the given Service. If left empty, the rule - will match within this policy's namespace. + type: array + x-kubernetes-list-type: set + notNets: + items: type: string - type: object - type: object - http: - description: HTTP contains match criteria that apply to HTTP - requests. - properties: - methods: - description: |- - Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed - HTTP Methods (e.g. GET, PUT, etc.) - Multiple methods are OR'd together. - items: + type: array + x-kubernetes-list-type: set + notPorts: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + notSelector: type: string - type: array - paths: - description: |- - Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed - HTTP Paths. - Multiple paths are OR'd together. - e.g: - - exact: /foo - - prefix: /bar - NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it. - items: - description: |- - HTTPPath specifies an HTTP path to match. It may be either of the form: - exact: : which matches the path exactly or - prefix: : which matches the path prefix + ports: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + selector: + type: string + serviceAccounts: properties: - exact: - type: string - prefix: + names: + items: + type: string + type: array + x-kubernetes-list-type: set + selector: type: string type: object - type: array - type: object - icmp: - description: |- - ICMP is an optional field that restricts the rule to apply to a specific type and - code of ICMP traffic. This should only be specified if the Protocol field is set to - "ICMP" or "ICMPv6". - properties: - code: - description: |- - Match on a specific ICMP code. If specified, the Type value must also be specified. - This is a technical limitation imposed by the kernel's iptables firewall, which - Calico uses to enforce the rule. - type: integer - type: - description: |- - Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request - (i.e. pings). - type: integer - type: object - ipVersion: - description: |- - IPVersion is an optional field that restricts the rule to only match a specific IP - version. - type: integer - metadata: - description: Metadata contains additional information for this - rule - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a set of key value pairs that - give extra information about the rule - type: object - type: object - notICMP: - description: NotICMP is the negated version of the ICMP field. - properties: - code: - description: |- - Match on a specific ICMP code. If specified, the Type value must also be specified. - This is a technical limitation imposed by the kernel's iptables firewall, which - Calico uses to enforce the rule. - type: integer - type: - description: |- - Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request - (i.e. pings). - type: integer - type: object - notProtocol: - anyOf: - - type: integer - - type: string - description: NotProtocol is the negated version of the Protocol - field. - pattern: ^.* - x-kubernetes-int-or-string: true - protocol: - anyOf: - - type: integer - - type: string - description: |- - Protocol is an optional field that restricts the rule to only apply to traffic of - a specific IP protocol. Required if any of the EntityRules contain Ports - (because ports only apply to certain protocols). - - Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite" - or an integer in the range 1-255. - pattern: ^.* - x-kubernetes-int-or-string: true - source: - description: Source contains the match criteria that apply to - source entity. - properties: - namespaceSelector: - description: |- - NamespaceSelector is an optional field that contains a selector expression. Only traffic - that originates from (or terminates at) endpoints within the selected namespaces will be - matched. When both NamespaceSelector and another selector are defined on the same rule, then only - workload endpoints that are matched by both selectors will be selected by the rule. - - For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting - only workload endpoints in the same namespace as the NetworkPolicy. - - For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting - only GlobalNetworkSet or HostEndpoint. - - For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces. - type: string - nets: - description: |- - Nets is an optional field that restricts the rule to only apply to traffic that - originates from (or terminates at) IP addresses in any of the given subnets. - items: - type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: - type: string - type: array - notPorts: - description: |- - NotPorts is the negated version of the Ports field. - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: |- - NotSelector is the negated version of the Selector field. See Selector field for - subtleties with negated selectors. - type: string - ports: - description: |- - Ports is an optional field that restricts the rule to only apply to traffic that has a - source (destination) port that matches one of these ranges/values. This value is a - list of integers or strings that represent ranges of ports. - - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for\nsample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching\nthe selector will be matched.\n\nNote that: - in addition to the negated version of the Selector (see - NotSelector below), the\nselector expression syntax itself - supports negation. The two types of negation are subtly\ndifferent. - One negates the set of matched endpoints, the other negates - the whole match:\n\n\tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled\n\tendpoints - that do not have the label \"my_label\".\n\n\tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled\n\tendpoints that do have the label - \"my_label\".\n\nThe effect is that the latter will accept - packets from non-Calico sources whereas the\nformer is - limited to packets from Calico-controlled endpoints." - type: string - serviceAccounts: - description: |- - ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or - terminates at) a pod running as a matching service account. - properties: - names: - description: |- - Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates - at) a pod running as a service account whose name is in the list. - items: + services: + properties: + name: type: string - type: array - selector: - description: |- - Selector is an optional field that restricts the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account that matches the given label selector. - If both Names and Selector are specified then they are AND'ed. - type: string - type: object - services: - description: |- - Services is an optional field that contains options for matching Kubernetes Services. - If specified, only traffic that originates from or terminates at endpoints within the selected - service(s) will be matched, and only to/from each endpoint's port. - - Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, - NotNets or ServiceAccounts. - - Ports and NotPorts can only be specified with Services on ingress rules. - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. + namespace: + type: string + type: object + type: object + http: + properties: + methods: + items: type: string - namespace: - description: |- - Namespace specifies the namespace of the given Service. If left empty, the rule - will match within this policy's namespace. + maxItems: 20 + type: array + x-kubernetes-list-type: atomic + paths: + items: + properties: + exact: + maxLength: 1024 + type: string + prefix: + maxLength: 1024 + type: string + type: object + maxItems: 20 + type: array + x-kubernetes-list-type: atomic + type: object + icmp: + properties: + code: + maximum: 255 + minimum: 0 + type: integer + type: + maximum: 254 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: ICMP code specified without an ICMP type + reason: FieldValueInvalid + rule: "!has(self.code) || has(self.type)" + ipVersion: + enum: + - 4 + - 6 + type: integer + metadata: + properties: + annotations: + additionalProperties: type: string - type: object - type: object - required: - - action - type: object - type: array - ingress: - description: |- - The ordered set of ingress rules. Each rule contains a set of packet match criteria and - a corresponding action to apply. - items: - description: |- - A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy - and security Profiles reference rules - separated out as a list of rules for both - ingress and egress packet matching. - - Each positive match criteria has a negated version, prefixed with "Not". All the match - criteria within a rule must be satisfied for a packet to match. A single rule can contain - the positive and negative version of a match and both must be satisfied for the rule to match. - properties: - action: - type: string - destination: - description: Destination contains the match criteria that apply - to destination entity. - properties: - namespaceSelector: - description: |- - NamespaceSelector is an optional field that contains a selector expression. Only traffic - that originates from (or terminates at) endpoints within the selected namespaces will be - matched. When both NamespaceSelector and another selector are defined on the same rule, then only - workload endpoints that are matched by both selectors will be selected by the rule. - - For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting - only workload endpoints in the same namespace as the NetworkPolicy. - - For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting - only GlobalNetworkSet or HostEndpoint. - - For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces. - type: string - nets: - description: |- - Nets is an optional field that restricts the rule to only apply to traffic that - originates from (or terminates at) IP addresses in any of the given subnets. - items: - type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: + type: object + type: object + notICMP: + properties: + code: + maximum: 255 + minimum: 0 + type: integer + type: + maximum: 254 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: ICMP code specified without an ICMP type + reason: FieldValueInvalid + rule: "!has(self.code) || has(self.type)" + notProtocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + source: + properties: + namespaceSelector: type: string - type: array - notPorts: - description: |- - NotPorts is the negated version of the Ports field. - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: |- - NotSelector is the negated version of the Selector field. See Selector field for - subtleties with negated selectors. - type: string - ports: - description: |- - Ports is an optional field that restricts the rule to only apply to traffic that has a - source (destination) port that matches one of these ranges/values. This value is a - list of integers or strings that represent ranges of ports. - - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for\nsample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching\nthe selector will be matched.\n\nNote that: - in addition to the negated version of the Selector (see - NotSelector below), the\nselector expression syntax itself - supports negation. The two types of negation are subtly\ndifferent. - One negates the set of matched endpoints, the other negates - the whole match:\n\n\tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled\n\tendpoints - that do not have the label \"my_label\".\n\n\tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled\n\tendpoints that do have the label - \"my_label\".\n\nThe effect is that the latter will accept - packets from non-Calico sources whereas the\nformer is - limited to packets from Calico-controlled endpoints." - type: string - serviceAccounts: - description: |- - ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or - terminates at) a pod running as a matching service account. - properties: - names: - description: |- - Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates - at) a pod running as a service account whose name is in the list. - items: - type: string - type: array - selector: - description: |- - Selector is an optional field that restricts the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account that matches the given label selector. - If both Names and Selector are specified then they are AND'ed. - type: string - type: object - services: - description: |- - Services is an optional field that contains options for matching Kubernetes Services. - If specified, only traffic that originates from or terminates at endpoints within the selected - service(s) will be matched, and only to/from each endpoint's port. - - Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, - NotNets or ServiceAccounts. - - Ports and NotPorts can only be specified with Services on ingress rules. - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. + nets: + items: type: string - namespace: - description: |- - Namespace specifies the namespace of the given Service. If left empty, the rule - will match within this policy's namespace. + type: array + x-kubernetes-list-type: set + notNets: + items: type: string - type: object - type: object - http: - description: HTTP contains match criteria that apply to HTTP - requests. - properties: - methods: - description: |- - Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed - HTTP Methods (e.g. GET, PUT, etc.) - Multiple methods are OR'd together. - items: + type: array + x-kubernetes-list-type: set + notPorts: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + notSelector: + type: string + ports: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + selector: type: string - type: array - paths: - description: |- - Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed - HTTP Paths. - Multiple paths are OR'd together. - e.g: - - exact: /foo - - prefix: /bar - NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it. - items: - description: |- - HTTPPath specifies an HTTP path to match. It may be either of the form: - exact: : which matches the path exactly or - prefix: : which matches the path prefix + serviceAccounts: properties: - exact: + names: + items: + type: string + type: array + x-kubernetes-list-type: set + selector: type: string - prefix: + type: object + services: + properties: + name: + type: string + namespace: type: string type: object - type: array - type: object - icmp: - description: |- - ICMP is an optional field that restricts the rule to apply to a specific type and - code of ICMP traffic. This should only be specified if the Protocol field is set to - "ICMP" or "ICMPv6". - properties: - code: - description: |- - Match on a specific ICMP code. If specified, the Type value must also be specified. - This is a technical limitation imposed by the kernel's iptables firewall, which - Calico uses to enforce the rule. - type: integer - type: - description: |- - Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request - (i.e. pings). - type: integer - type: object - ipVersion: - description: |- - IPVersion is an optional field that restricts the rule to only match a specific IP - version. - type: integer - metadata: - description: Metadata contains additional information for this - rule - properties: - annotations: - additionalProperties: + type: object + required: + - action + type: object + x-kubernetes-validations: + - message: rules with HTTP match must have protocol TCP or unset + reason: FieldValueInvalid + rule: + "!has(self.http) || !has(self.protocol) || self.protocol + == 'TCP' || self.protocol == 6" + - message: HTTP match is only valid on Allow rules + reason: FieldValueForbidden + rule: self.action == 'Allow' || !has(self.http) + - message: ports and notPorts cannot be specified with services + reason: FieldValueForbidden + rule: + "!has(self.destination) || !has(self.destination.services) + || (!has(self.destination.ports) || size(self.destination.ports) + == 0) && (!has(self.destination.notPorts) || size(self.destination.notPorts) + == 0)" + type: array + x-kubernetes-list-type: atomic + ingress: + items: + properties: + action: + enum: + - Allow + - Deny + - Log + - Pass + type: string + destination: + properties: + namespaceSelector: type: string - description: Annotations is a set of key value pairs that - give extra information about the rule - type: object - type: object - notICMP: - description: NotICMP is the negated version of the ICMP field. - properties: - code: - description: |- - Match on a specific ICMP code. If specified, the Type value must also be specified. - This is a technical limitation imposed by the kernel's iptables firewall, which - Calico uses to enforce the rule. - type: integer - type: - description: |- - Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request - (i.e. pings). - type: integer - type: object - notProtocol: - anyOf: - - type: integer - - type: string - description: NotProtocol is the negated version of the Protocol - field. - pattern: ^.* - x-kubernetes-int-or-string: true - protocol: - anyOf: - - type: integer - - type: string - description: |- - Protocol is an optional field that restricts the rule to only apply to traffic of - a specific IP protocol. Required if any of the EntityRules contain Ports - (because ports only apply to certain protocols). - - Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite" - or an integer in the range 1-255. - pattern: ^.* - x-kubernetes-int-or-string: true - source: - description: Source contains the match criteria that apply to - source entity. - properties: - namespaceSelector: - description: |- - NamespaceSelector is an optional field that contains a selector expression. Only traffic - that originates from (or terminates at) endpoints within the selected namespaces will be - matched. When both NamespaceSelector and another selector are defined on the same rule, then only - workload endpoints that are matched by both selectors will be selected by the rule. - - For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting - only workload endpoints in the same namespace as the NetworkPolicy. - - For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting - only GlobalNetworkSet or HostEndpoint. - - For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces. - type: string - nets: - description: |- - Nets is an optional field that restricts the rule to only apply to traffic that - originates from (or terminates at) IP addresses in any of the given subnets. - items: + nets: + items: + type: string + type: array + x-kubernetes-list-type: set + notNets: + items: + type: string + type: array + x-kubernetes-list-type: set + notPorts: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + notSelector: type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: + ports: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + selector: type: string - type: array - notPorts: - description: |- - NotPorts is the negated version of the Ports field. - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: |- - NotSelector is the negated version of the Selector field. See Selector field for - subtleties with negated selectors. - type: string - ports: - description: |- - Ports is an optional field that restricts the rule to only apply to traffic that has a - source (destination) port that matches one of these ranges/values. This value is a - list of integers or strings that represent ranges of ports. - - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for\nsample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching\nthe selector will be matched.\n\nNote that: - in addition to the negated version of the Selector (see - NotSelector below), the\nselector expression syntax itself - supports negation. The two types of negation are subtly\ndifferent. - One negates the set of matched endpoints, the other negates - the whole match:\n\n\tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled\n\tendpoints - that do not have the label \"my_label\".\n\n\tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled\n\tendpoints that do have the label - \"my_label\".\n\nThe effect is that the latter will accept - packets from non-Calico sources whereas the\nformer is - limited to packets from Calico-controlled endpoints." - type: string - serviceAccounts: - description: |- - ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or - terminates at) a pod running as a matching service account. - properties: - names: - description: |- - Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates - at) a pod running as a service account whose name is in the list. - items: + serviceAccounts: + properties: + names: + items: + type: string + type: array + x-kubernetes-list-type: set + selector: + type: string + type: object + services: + properties: + name: + type: string + namespace: type: string - type: array - selector: - description: |- - Selector is an optional field that restricts the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account that matches the given label selector. - If both Names and Selector are specified then they are AND'ed. + type: object + type: object + http: + properties: + methods: + items: type: string - type: object - services: - description: |- - Services is an optional field that contains options for matching Kubernetes Services. - If specified, only traffic that originates from or terminates at endpoints within the selected - service(s) will be matched, and only to/from each endpoint's port. - - Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, - NotNets or ServiceAccounts. - - Ports and NotPorts can only be specified with Services on ingress rules. - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. + maxItems: 20 + type: array + x-kubernetes-list-type: atomic + paths: + items: + properties: + exact: + maxLength: 1024 + type: string + prefix: + maxLength: 1024 + type: string + type: object + maxItems: 20 + type: array + x-kubernetes-list-type: atomic + type: object + icmp: + properties: + code: + maximum: 255 + minimum: 0 + type: integer + type: + maximum: 254 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: ICMP code specified without an ICMP type + reason: FieldValueInvalid + rule: "!has(self.code) || has(self.type)" + ipVersion: + enum: + - 4 + - 6 + type: integer + metadata: + properties: + annotations: + additionalProperties: type: string - namespace: - description: |- - Namespace specifies the namespace of the given Service. If left empty, the rule - will match within this policy's namespace. + type: object + type: object + notICMP: + properties: + code: + maximum: 255 + minimum: 0 + type: integer + type: + maximum: 254 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: ICMP code specified without an ICMP type + reason: FieldValueInvalid + rule: "!has(self.code) || has(self.type)" + notProtocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + source: + properties: + namespaceSelector: + type: string + nets: + items: + type: string + type: array + x-kubernetes-list-type: set + notNets: + items: type: string - type: object - type: object - required: - - action - type: object - type: array - namespaceSelector: - description: NamespaceSelector is an optional field for an expression - used to select a pod based on namespaces. - type: string - order: - description: |- - Order is an optional field that specifies the order in which the policy is applied. - Policies with higher "order" are applied after those with lower - order within the same tier. If the order is omitted, it may be considered to be "infinite" - i.e. the - policy will be applied last. Policies with identical order will be applied in - alphanumerical order based on the Policy "Name" within the tier. - type: number - performanceHints: - description: |- - PerformanceHints contains a list of hints to Calico's policy engine to - help process the policy more efficiently. Hints never change the - enforcement behaviour of the policy. - - Currently, the only available hint is "AssumeNeededOnEveryNode". When - that hint is set on a policy, Felix will act as if the policy matches - a local endpoint even if it does not. This is useful for "preloading" - any large static policies that are known to be used on every node. - If the policy is _not_ used on a particular node then the work - done to preload the policy (and to maintain it) is wasted. - items: + type: array + x-kubernetes-list-type: set + notPorts: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + notSelector: + type: string + ports: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + selector: + type: string + serviceAccounts: + properties: + names: + items: + type: string + type: array + x-kubernetes-list-type: set + selector: + type: string + type: object + services: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + required: + - action + type: object + x-kubernetes-validations: + - message: rules with HTTP match must have protocol TCP or unset + reason: FieldValueInvalid + rule: + "!has(self.http) || !has(self.protocol) || self.protocol + == 'TCP' || self.protocol == 6" + - message: HTTP match is only valid on Allow rules + reason: FieldValueForbidden + rule: self.action == 'Allow' || !has(self.http) + - message: ports and notPorts cannot be specified with services + reason: FieldValueForbidden + rule: + "!has(self.destination) || !has(self.destination.services) + || (!has(self.destination.ports) || size(self.destination.ports) + == 0) && (!has(self.destination.notPorts) || size(self.destination.notPorts) + == 0)" + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + type: string + order: + type: number + performanceHints: + items: + enum: + - AssumeNeededOnEveryNode + type: string + type: array + x-kubernetes-list-type: set + preDNAT: + type: boolean + selector: + type: string + serviceAccountSelector: + type: string + stagedAction: + default: Set + enum: + - Set + - Delete + - Learn + - Ignore type: string - type: array - preDNAT: - description: PreDNAT indicates to apply the rules in this policy before - any DNAT. - type: boolean - selector: - description: "The selector is an expression used to pick pick out - the endpoints that the policy should\nbe applied to.\n\nSelector - expressions follow this syntax:\n\n\tlabel == \"string_literal\" - \ -> comparison, e.g. my_label == \"foo bar\"\n\tlabel != \"string_literal\" - \ -> not equal; also matches if label is not present\n\tlabel - in { \"a\", \"b\", \"c\", ... } -> true if the value of label - X is one of \"a\", \"b\", \"c\"\n\tlabel not in { \"a\", \"b\", - \"c\", ... } -> true if the value of label X is not one of \"a\", - \"b\", \"c\"\n\thas(label_name) -> True if that label is present\n\t! - expr -> negation of expr\n\texpr && expr -> Short-circuit and\n\texpr - || expr -> Short-circuit or\n\t( expr ) -> parens for grouping\n\tall() - or the empty selector -> matches all endpoints.\n\nLabel names are - allowed to contain alphanumerics, -, _ and /. String literals are - more permissive\nbut they do not support escape characters.\n\nExamples - (with made-up labels):\n\n\ttype == \"webserver\" && deployment - == \"prod\"\n\ttype in {\"frontend\", \"backend\"}\n\tdeployment - != \"dev\"\n\t! has(label_name)" - type: string - serviceAccountSelector: - description: ServiceAccountSelector is an optional field for an expression - used to select a pod based on service accounts. - type: string - stagedAction: - description: The staged action. If this is omitted, the default is - Set. - type: string - tier: - description: |- - The name of the tier that this policy belongs to. If this is omitted, the default - tier (name is "default") is assumed. The specified tier must exist in order to create - security policies within the tier, the "default" tier is created automatically if it - does not exist, this means for deployments requiring only a single Tier, the tier name - may be omitted on all policy management requests. - type: string - types: - description: |- - Types indicates whether this policy applies to ingress, or to egress, or to both. When - not explicitly specified (and so the value on creation is empty or nil), Calico defaults - Types according to what Ingress and Egress rules are present in the policy. The - default is: - - - [ PolicyTypeIngress ], if there are no Egress rules (including the case where there are - also no Ingress rules) - - - [ PolicyTypeEgress ], if there are Egress rules but no Ingress rules - - - [ PolicyTypeIngress, PolicyTypeEgress ], if there are both Ingress and Egress rules. - - When the policy is read back again, Types will always be one of these values, never empty - or nil. - items: - description: PolicyType enumerates the possible values of the PolicySpec - Types field. + tier: + default: default type: string - type: array - type: object - type: object - served: true - storage: true + types: + items: + enum: + - Ingress + - Egress + type: string + maxItems: 2 + minItems: 1 + type: array + x-kubernetes-list-type: set + type: object + x-kubernetes-validations: + - message: preDNAT and doNotTrack cannot both be true + reason: FieldValueForbidden + rule: + "!((has(self.doNotTrack) && self.doNotTrack) && (has(self.preDNAT) + && self.preDNAT))" + - message: preDNAT policy cannot have any egress rules + reason: FieldValueForbidden + rule: + (!has(self.preDNAT) || !self.preDNAT) || !has(self.egress) || + size(self.egress) == 0 + - message: preDNAT policy cannot have 'Egress' type + reason: FieldValueForbidden + rule: + (!has(self.preDNAT) || !self.preDNAT) || !has(self.types) || !self.types.exists(t, + t == 'Egress') + - message: + applyOnForward must be true if either preDNAT or doNotTrack + is true + reason: FieldValueInvalid + rule: + (has(self.applyOnForward) && self.applyOnForward) || ((!has(self.doNotTrack) + || !self.doNotTrack) && (!has(self.preDNAT) || !self.preDNAT)) + type: object + served: true + storage: true diff --git a/pkg/crds/calico/crd.projectcalico.org_stagedkubernetesnetworkpolicies.yaml b/pkg/crds/calico/crd.projectcalico.org_stagedkubernetesnetworkpolicies.yaml index a55ed2e991..6eb1129cde 100644 --- a/pkg/crds/calico/crd.projectcalico.org_stagedkubernetesnetworkpolicies.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_stagedkubernetesnetworkpolicies.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: stagedkubernetesnetworkpolicies.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,493 +14,244 @@ spec: preserveUnknownFields: false scope: Namespaced versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - egress: - description: |- - List of egress rules to be applied to the selected pods. Outgoing traffic is - allowed if there are no NetworkPolicies selecting the pod (and cluster policy - otherwise allows the traffic), OR if the traffic matches at least one egress rule - across all of the NetworkPolicy objects whose podSelector matches the pod. If - this field is empty then this NetworkPolicy limits all outgoing traffic (and serves - solely to ensure that the pods it selects are isolated by default). - This field is beta-level in 1.8 - items: - description: |- - NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods - matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. - This type is beta-level in 1.8 - properties: - ports: - description: |- - ports is a list of destination ports for outgoing traffic. - Each item in this list is combined using a logical OR. If this field is - empty or missing, this rule matches all ports (traffic not restricted by port). - If this field is present and contains at least one item, then this rule allows - traffic only if the traffic matches at least one port in the list. - items: - description: NetworkPolicyPort describes a port to allow traffic - on - properties: - endPort: - description: |- - endPort indicates that the range of ports from port to endPort if set, inclusive, - should be allowed by the policy. This field cannot be defined if the port field - is not defined or if the port field is defined as a named (string) port. - The endPort must be equal or greater than port. - format: int32 - type: integer - port: - anyOf: - - type: integer - - type: string - description: |- - port represents the port on the given protocol. This can either be a numerical or named - port on a pod. If this field is not provided, this matches all port names and - numbers. - If present, only traffic on the specified protocol AND port will be matched. - x-kubernetes-int-or-string: true - protocol: - description: |- - protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. - If not specified, this field defaults to TCP. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - to: - description: |- - to is a list of destinations for outgoing traffic of pods selected for this rule. - Items in this list are combined using a logical OR operation. If this field is - empty or missing, this rule matches all destinations (traffic not restricted by - destination). If this field is present and contains at least one item, this rule - allows traffic only if the traffic matches at least one item in the to list. - items: - description: |- - NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of - fields are allowed - properties: - ipBlock: - description: |- - ipBlock defines policy on a particular IPBlock. If this field is set then - neither of the other fields can be. - properties: - cidr: - description: |- - cidr is a string representing the IPBlock - Valid examples are "192.168.1.0/24" or "2001:db8::/64" - type: string - except: - description: |- - except is a slice of CIDRs that should not be included within an IPBlock - Valid examples are "192.168.1.0/24" or "2001:db8::/64" - Except values will be rejected if they are outside the cidr range - items: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + egress: + items: + properties: + ports: + items: + properties: + endPort: + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + x-kubernetes-list-type: atomic + to: + items: + properties: + ipBlock: + properties: + cidr: type: string - type: array - x-kubernetes-list-type: atomic - required: - - cidr - type: object - namespaceSelector: - description: |- - namespaceSelector selects namespaces using cluster-scoped labels. This field follows - standard label selector semantics; if present but empty, it selects all namespaces. - - If podSelector is also set, then the NetworkPolicyPeer as a whole selects - the pods matching podSelector in the namespaces selected by namespaceSelector. - Otherwise it selects all pods in the namespaces selected by namespaceSelector. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: + except: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - cidr + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - podSelector: - description: |- - podSelector is a label selector which selects pods. This field follows standard label - selector semantics; if present but empty, it selects all pods. - - If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects - the pods matching podSelector in the Namespaces selected by NamespaceSelector. - Otherwise it selects the pods matching podSelector in the policy's own namespace. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: + type: object + x-kubernetes-map-type: atomic + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: array - ingress: - description: |- - List of ingress rules to be applied to the selected pods. Traffic is allowed to - a pod if there are no NetworkPolicies selecting the pod - (and cluster policy otherwise allows the traffic), OR if the traffic source is - the pod's local node, OR if the traffic matches at least one ingress rule - across all of the NetworkPolicy objects whose podSelector matches the pod. If - this field is empty then this NetworkPolicy does not allow any traffic (and serves - solely to ensure that the pods it selects are isolated by default) - items: - description: |- - NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods - matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from. - properties: - from: - description: |- - from is a list of sources which should be able to access the pods selected for this rule. - Items in this list are combined using a logical OR operation. If this field is - empty or missing, this rule matches all sources (traffic not restricted by - source). If this field is present and contains at least one item, this rule - allows traffic only if the traffic matches at least one item in the from list. - items: - description: |- - NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of - fields are allowed - properties: - ipBlock: - description: |- - ipBlock defines policy on a particular IPBlock. If this field is set then - neither of the other fields can be. - properties: - cidr: - description: |- - cidr is a string representing the IPBlock - Valid examples are "192.168.1.0/24" or "2001:db8::/64" - type: string - except: - description: |- - except is a slice of CIDRs that should not be included within an IPBlock - Valid examples are "192.168.1.0/24" or "2001:db8::/64" - Except values will be rejected if they are outside the cidr range - items: + type: object + x-kubernetes-map-type: atomic + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: array + x-kubernetes-list-type: atomic + ingress: + items: + properties: + from: + items: + properties: + ipBlock: + properties: + cidr: type: string - type: array - x-kubernetes-list-type: atomic - required: - - cidr - type: object - namespaceSelector: - description: |- - namespaceSelector selects namespaces using cluster-scoped labels. This field follows - standard label selector semantics; if present but empty, it selects all namespaces. - - If podSelector is also set, then the NetworkPolicyPeer as a whole selects - the pods matching podSelector in the namespaces selected by namespaceSelector. - Otherwise it selects all pods in the namespaces selected by namespaceSelector. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: + except: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - cidr + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - podSelector: - description: |- - podSelector is a label selector which selects pods. This field follows standard label - selector semantics; if present but empty, it selects all pods. - - If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects - the pods matching podSelector in the Namespaces selected by NamespaceSelector. - Otherwise it selects the pods matching podSelector in the policy's own namespace. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: + type: object + x-kubernetes-map-type: atomic + podSelector: + properties: + matchExpressions: + items: + properties: + key: type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - type: array - x-kubernetes-list-type: atomic - ports: - description: |- - ports is a list of ports which should be made accessible on the pods selected for - this rule. Each item in this list is combined using a logical OR. If this field is - empty or missing, this rule matches all ports (traffic not restricted by port). - If this field is present and contains at least one item, then this rule allows - traffic only if the traffic matches at least one port in the list. + type: object + x-kubernetes-map-type: atomic + type: object + type: array + x-kubernetes-list-type: atomic + ports: + items: + properties: + endPort: + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: array + x-kubernetes-list-type: atomic + podSelector: + properties: + matchExpressions: items: - description: NetworkPolicyPort describes a port to allow traffic - on properties: - endPort: - description: |- - endPort indicates that the range of ports from port to endPort if set, inclusive, - should be allowed by the policy. This field cannot be defined if the port field - is not defined or if the port field is defined as a named (string) port. - The endPort must be equal or greater than port. - format: int32 - type: integer - port: - anyOf: - - type: integer - - type: string - description: |- - port represents the port on the given protocol. This can either be a numerical or named - port on a pod. If this field is not provided, this matches all port names and - numbers. - If present, only traffic on the specified protocol AND port will be matched. - x-kubernetes-int-or-string: true - protocol: - description: |- - protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. - If not specified, this field defaults to TCP. + key: + type: string + operator: type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator type: object type: array x-kubernetes-list-type: atomic - type: object - type: array - podSelector: - description: |- - Selects the pods to which this NetworkPolicy object applies. The array of - ingress rules is applied to any pods selected by this field. Multiple network - policies can select the same set of pods. In this case, the ingress rules for - each are combined additively. This field is NOT optional and follows standard - label selector semantics. An empty podSelector matches all pods in this - namespace. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator + matchLabels: + additionalProperties: + type: string type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - policyTypes: - description: |- - List of rule types that the NetworkPolicy relates to. - Valid options are Ingress, Egress, or Ingress,Egress. - If this field is not specified, it will default based on the existence of Ingress or Egress rules; - policies that contain an Egress section are assumed to affect Egress, and all policies - (whether or not they contain an Ingress section) are assumed to affect Ingress. - If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. - Likewise, if you want to write a policy that specifies that no egress is allowed, - you must specify a policyTypes value that include "Egress" (since such a policy would not include - an Egress section and would otherwise default to just [ "Ingress" ]). - This field is beta-level in 1.8 - items: - description: |- - PolicyType string describes the NetworkPolicy type - This type is beta-level in 1.8 + type: object + x-kubernetes-map-type: atomic + policyTypes: + items: + type: string + maxItems: 2 + minItems: 1 + type: array + x-kubernetes-list-type: set + stagedAction: + default: Set + enum: + - Set + - Delete + - Learn + - Ignore type: string - type: array - stagedAction: - description: The staged action. If this is omitted, the default is - Set. - type: string - type: object - type: object - served: true - storage: true + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/calico/crd.projectcalico.org_stagednetworkpolicies.yaml b/pkg/crds/calico/crd.projectcalico.org_stagednetworkpolicies.yaml index 969ec97172..143deef28e 100644 --- a/pkg/crds/calico/crd.projectcalico.org_stagednetworkpolicies.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_stagednetworkpolicies.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: stagednetworkpolicies.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,853 +14,483 @@ spec: preserveUnknownFields: false scope: Namespaced versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - egress: - description: |- - The ordered set of egress rules. Each rule contains a set of packet match criteria and - a corresponding action to apply. - items: - description: |- - A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy - and security Profiles reference rules - separated out as a list of rules for both - ingress and egress packet matching. - - Each positive match criteria has a negated version, prefixed with "Not". All the match - criteria within a rule must be satisfied for a packet to match. A single rule can contain - the positive and negative version of a match and both must be satisfied for the rule to match. - properties: - action: - type: string - destination: - description: Destination contains the match criteria that apply - to destination entity. - properties: - namespaceSelector: - description: |- - NamespaceSelector is an optional field that contains a selector expression. Only traffic - that originates from (or terminates at) endpoints within the selected namespaces will be - matched. When both NamespaceSelector and another selector are defined on the same rule, then only - workload endpoints that are matched by both selectors will be selected by the rule. - - For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting - only workload endpoints in the same namespace as the NetworkPolicy. - - For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting - only GlobalNetworkSet or HostEndpoint. - - For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces. - type: string - nets: - description: |- - Nets is an optional field that restricts the rule to only apply to traffic that - originates from (or terminates at) IP addresses in any of the given subnets. - items: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + egress: + items: + properties: + action: + enum: + - Allow + - Deny + - Log + - Pass + type: string + destination: + properties: + namespaceSelector: type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: - type: string - type: array - notPorts: - description: |- - NotPorts is the negated version of the Ports field. - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: |- - NotSelector is the negated version of the Selector field. See Selector field for - subtleties with negated selectors. - type: string - ports: - description: |- - Ports is an optional field that restricts the rule to only apply to traffic that has a - source (destination) port that matches one of these ranges/values. This value is a - list of integers or strings that represent ranges of ports. - - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for\nsample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching\nthe selector will be matched.\n\nNote that: - in addition to the negated version of the Selector (see - NotSelector below), the\nselector expression syntax itself - supports negation. The two types of negation are subtly\ndifferent. - One negates the set of matched endpoints, the other negates - the whole match:\n\n\tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled\n\tendpoints - that do not have the label \"my_label\".\n\n\tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled\n\tendpoints that do have the label - \"my_label\".\n\nThe effect is that the latter will accept - packets from non-Calico sources whereas the\nformer is - limited to packets from Calico-controlled endpoints." - type: string - serviceAccounts: - description: |- - ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or - terminates at) a pod running as a matching service account. - properties: - names: - description: |- - Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates - at) a pod running as a service account whose name is in the list. - items: - type: string - type: array - selector: - description: |- - Selector is an optional field that restricts the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account that matches the given label selector. - If both Names and Selector are specified then they are AND'ed. - type: string - type: object - services: - description: |- - Services is an optional field that contains options for matching Kubernetes Services. - If specified, only traffic that originates from or terminates at endpoints within the selected - service(s) will be matched, and only to/from each endpoint's port. - - Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, - NotNets or ServiceAccounts. - - Ports and NotPorts can only be specified with Services on ingress rules. - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. + nets: + items: type: string - namespace: - description: |- - Namespace specifies the namespace of the given Service. If left empty, the rule - will match within this policy's namespace. + type: array + x-kubernetes-list-type: set + notNets: + items: type: string - type: object - type: object - http: - description: HTTP contains match criteria that apply to HTTP - requests. - properties: - methods: - description: |- - Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed - HTTP Methods (e.g. GET, PUT, etc.) - Multiple methods are OR'd together. - items: + type: array + x-kubernetes-list-type: set + notPorts: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + notSelector: type: string - type: array - paths: - description: |- - Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed - HTTP Paths. - Multiple paths are OR'd together. - e.g: - - exact: /foo - - prefix: /bar - NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it. - items: - description: |- - HTTPPath specifies an HTTP path to match. It may be either of the form: - exact: : which matches the path exactly or - prefix: : which matches the path prefix + ports: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + selector: + type: string + serviceAccounts: properties: - exact: - type: string - prefix: + names: + items: + type: string + type: array + x-kubernetes-list-type: set + selector: type: string type: object - type: array - type: object - icmp: - description: |- - ICMP is an optional field that restricts the rule to apply to a specific type and - code of ICMP traffic. This should only be specified if the Protocol field is set to - "ICMP" or "ICMPv6". - properties: - code: - description: |- - Match on a specific ICMP code. If specified, the Type value must also be specified. - This is a technical limitation imposed by the kernel's iptables firewall, which - Calico uses to enforce the rule. - type: integer - type: - description: |- - Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request - (i.e. pings). - type: integer - type: object - ipVersion: - description: |- - IPVersion is an optional field that restricts the rule to only match a specific IP - version. - type: integer - metadata: - description: Metadata contains additional information for this - rule - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a set of key value pairs that - give extra information about the rule - type: object - type: object - notICMP: - description: NotICMP is the negated version of the ICMP field. - properties: - code: - description: |- - Match on a specific ICMP code. If specified, the Type value must also be specified. - This is a technical limitation imposed by the kernel's iptables firewall, which - Calico uses to enforce the rule. - type: integer - type: - description: |- - Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request - (i.e. pings). - type: integer - type: object - notProtocol: - anyOf: - - type: integer - - type: string - description: NotProtocol is the negated version of the Protocol - field. - pattern: ^.* - x-kubernetes-int-or-string: true - protocol: - anyOf: - - type: integer - - type: string - description: |- - Protocol is an optional field that restricts the rule to only apply to traffic of - a specific IP protocol. Required if any of the EntityRules contain Ports - (because ports only apply to certain protocols). - - Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite" - or an integer in the range 1-255. - pattern: ^.* - x-kubernetes-int-or-string: true - source: - description: Source contains the match criteria that apply to - source entity. - properties: - namespaceSelector: - description: |- - NamespaceSelector is an optional field that contains a selector expression. Only traffic - that originates from (or terminates at) endpoints within the selected namespaces will be - matched. When both NamespaceSelector and another selector are defined on the same rule, then only - workload endpoints that are matched by both selectors will be selected by the rule. - - For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting - only workload endpoints in the same namespace as the NetworkPolicy. - - For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting - only GlobalNetworkSet or HostEndpoint. - - For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces. - type: string - nets: - description: |- - Nets is an optional field that restricts the rule to only apply to traffic that - originates from (or terminates at) IP addresses in any of the given subnets. - items: - type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: - type: string - type: array - notPorts: - description: |- - NotPorts is the negated version of the Ports field. - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: |- - NotSelector is the negated version of the Selector field. See Selector field for - subtleties with negated selectors. - type: string - ports: - description: |- - Ports is an optional field that restricts the rule to only apply to traffic that has a - source (destination) port that matches one of these ranges/values. This value is a - list of integers or strings that represent ranges of ports. - - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for\nsample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching\nthe selector will be matched.\n\nNote that: - in addition to the negated version of the Selector (see - NotSelector below), the\nselector expression syntax itself - supports negation. The two types of negation are subtly\ndifferent. - One negates the set of matched endpoints, the other negates - the whole match:\n\n\tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled\n\tendpoints - that do not have the label \"my_label\".\n\n\tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled\n\tendpoints that do have the label - \"my_label\".\n\nThe effect is that the latter will accept - packets from non-Calico sources whereas the\nformer is - limited to packets from Calico-controlled endpoints." - type: string - serviceAccounts: - description: |- - ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or - terminates at) a pod running as a matching service account. - properties: - names: - description: |- - Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates - at) a pod running as a service account whose name is in the list. - items: + services: + properties: + name: type: string - type: array - selector: - description: |- - Selector is an optional field that restricts the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account that matches the given label selector. - If both Names and Selector are specified then they are AND'ed. - type: string - type: object - services: - description: |- - Services is an optional field that contains options for matching Kubernetes Services. - If specified, only traffic that originates from or terminates at endpoints within the selected - service(s) will be matched, and only to/from each endpoint's port. - - Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, - NotNets or ServiceAccounts. - - Ports and NotPorts can only be specified with Services on ingress rules. - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. + namespace: + type: string + type: object + type: object + http: + properties: + methods: + items: type: string - namespace: - description: |- - Namespace specifies the namespace of the given Service. If left empty, the rule - will match within this policy's namespace. + maxItems: 20 + type: array + x-kubernetes-list-type: atomic + paths: + items: + properties: + exact: + maxLength: 1024 + type: string + prefix: + maxLength: 1024 + type: string + type: object + maxItems: 20 + type: array + x-kubernetes-list-type: atomic + type: object + icmp: + properties: + code: + maximum: 255 + minimum: 0 + type: integer + type: + maximum: 254 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: ICMP code specified without an ICMP type + reason: FieldValueInvalid + rule: "!has(self.code) || has(self.type)" + ipVersion: + enum: + - 4 + - 6 + type: integer + metadata: + properties: + annotations: + additionalProperties: type: string - type: object - type: object - required: - - action - type: object - type: array - ingress: - description: |- - The ordered set of ingress rules. Each rule contains a set of packet match criteria and - a corresponding action to apply. - items: - description: |- - A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy - and security Profiles reference rules - separated out as a list of rules for both - ingress and egress packet matching. - - Each positive match criteria has a negated version, prefixed with "Not". All the match - criteria within a rule must be satisfied for a packet to match. A single rule can contain - the positive and negative version of a match and both must be satisfied for the rule to match. - properties: - action: - type: string - destination: - description: Destination contains the match criteria that apply - to destination entity. - properties: - namespaceSelector: - description: |- - NamespaceSelector is an optional field that contains a selector expression. Only traffic - that originates from (or terminates at) endpoints within the selected namespaces will be - matched. When both NamespaceSelector and another selector are defined on the same rule, then only - workload endpoints that are matched by both selectors will be selected by the rule. - - For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting - only workload endpoints in the same namespace as the NetworkPolicy. - - For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting - only GlobalNetworkSet or HostEndpoint. - - For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces. - type: string - nets: - description: |- - Nets is an optional field that restricts the rule to only apply to traffic that - originates from (or terminates at) IP addresses in any of the given subnets. - items: - type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: + type: object + type: object + notICMP: + properties: + code: + maximum: 255 + minimum: 0 + type: integer + type: + maximum: 254 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: ICMP code specified without an ICMP type + reason: FieldValueInvalid + rule: "!has(self.code) || has(self.type)" + notProtocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + source: + properties: + namespaceSelector: type: string - type: array - notPorts: - description: |- - NotPorts is the negated version of the Ports field. - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: |- - NotSelector is the negated version of the Selector field. See Selector field for - subtleties with negated selectors. - type: string - ports: - description: |- - Ports is an optional field that restricts the rule to only apply to traffic that has a - source (destination) port that matches one of these ranges/values. This value is a - list of integers or strings that represent ranges of ports. - - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for\nsample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching\nthe selector will be matched.\n\nNote that: - in addition to the negated version of the Selector (see - NotSelector below), the\nselector expression syntax itself - supports negation. The two types of negation are subtly\ndifferent. - One negates the set of matched endpoints, the other negates - the whole match:\n\n\tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled\n\tendpoints - that do not have the label \"my_label\".\n\n\tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled\n\tendpoints that do have the label - \"my_label\".\n\nThe effect is that the latter will accept - packets from non-Calico sources whereas the\nformer is - limited to packets from Calico-controlled endpoints." - type: string - serviceAccounts: - description: |- - ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or - terminates at) a pod running as a matching service account. - properties: - names: - description: |- - Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates - at) a pod running as a service account whose name is in the list. - items: - type: string - type: array - selector: - description: |- - Selector is an optional field that restricts the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account that matches the given label selector. - If both Names and Selector are specified then they are AND'ed. - type: string - type: object - services: - description: |- - Services is an optional field that contains options for matching Kubernetes Services. - If specified, only traffic that originates from or terminates at endpoints within the selected - service(s) will be matched, and only to/from each endpoint's port. - - Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, - NotNets or ServiceAccounts. - - Ports and NotPorts can only be specified with Services on ingress rules. - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. + nets: + items: type: string - namespace: - description: |- - Namespace specifies the namespace of the given Service. If left empty, the rule - will match within this policy's namespace. + type: array + x-kubernetes-list-type: set + notNets: + items: type: string - type: object - type: object - http: - description: HTTP contains match criteria that apply to HTTP - requests. - properties: - methods: - description: |- - Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed - HTTP Methods (e.g. GET, PUT, etc.) - Multiple methods are OR'd together. - items: + type: array + x-kubernetes-list-type: set + notPorts: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + notSelector: type: string - type: array - paths: - description: |- - Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed - HTTP Paths. - Multiple paths are OR'd together. - e.g: - - exact: /foo - - prefix: /bar - NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it. - items: - description: |- - HTTPPath specifies an HTTP path to match. It may be either of the form: - exact: : which matches the path exactly or - prefix: : which matches the path prefix + ports: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + selector: + type: string + serviceAccounts: properties: - exact: + names: + items: + type: string + type: array + x-kubernetes-list-type: set + selector: type: string - prefix: + type: object + services: + properties: + name: + type: string + namespace: type: string type: object - type: array - type: object - icmp: - description: |- - ICMP is an optional field that restricts the rule to apply to a specific type and - code of ICMP traffic. This should only be specified if the Protocol field is set to - "ICMP" or "ICMPv6". - properties: - code: - description: |- - Match on a specific ICMP code. If specified, the Type value must also be specified. - This is a technical limitation imposed by the kernel's iptables firewall, which - Calico uses to enforce the rule. - type: integer - type: - description: |- - Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request - (i.e. pings). - type: integer - type: object - ipVersion: - description: |- - IPVersion is an optional field that restricts the rule to only match a specific IP - version. - type: integer - metadata: - description: Metadata contains additional information for this - rule - properties: - annotations: - additionalProperties: + type: object + required: + - action + type: object + x-kubernetes-validations: + - message: rules with HTTP match must have protocol TCP or unset + reason: FieldValueInvalid + rule: + "!has(self.http) || !has(self.protocol) || self.protocol + == 'TCP' || self.protocol == 6" + - message: HTTP match is only valid on Allow rules + reason: FieldValueForbidden + rule: self.action == 'Allow' || !has(self.http) + - message: ports and notPorts cannot be specified with services + reason: FieldValueForbidden + rule: + "!has(self.destination) || !has(self.destination.services) + || (!has(self.destination.ports) || size(self.destination.ports) + == 0) && (!has(self.destination.notPorts) || size(self.destination.notPorts) + == 0)" + type: array + x-kubernetes-list-type: atomic + ingress: + items: + properties: + action: + enum: + - Allow + - Deny + - Log + - Pass + type: string + destination: + properties: + namespaceSelector: type: string - description: Annotations is a set of key value pairs that - give extra information about the rule - type: object - type: object - notICMP: - description: NotICMP is the negated version of the ICMP field. - properties: - code: - description: |- - Match on a specific ICMP code. If specified, the Type value must also be specified. - This is a technical limitation imposed by the kernel's iptables firewall, which - Calico uses to enforce the rule. - type: integer - type: - description: |- - Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request - (i.e. pings). - type: integer - type: object - notProtocol: - anyOf: - - type: integer - - type: string - description: NotProtocol is the negated version of the Protocol - field. - pattern: ^.* - x-kubernetes-int-or-string: true - protocol: - anyOf: - - type: integer - - type: string - description: |- - Protocol is an optional field that restricts the rule to only apply to traffic of - a specific IP protocol. Required if any of the EntityRules contain Ports - (because ports only apply to certain protocols). - - Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite" - or an integer in the range 1-255. - pattern: ^.* - x-kubernetes-int-or-string: true - source: - description: Source contains the match criteria that apply to - source entity. - properties: - namespaceSelector: - description: |- - NamespaceSelector is an optional field that contains a selector expression. Only traffic - that originates from (or terminates at) endpoints within the selected namespaces will be - matched. When both NamespaceSelector and another selector are defined on the same rule, then only - workload endpoints that are matched by both selectors will be selected by the rule. - - For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting - only workload endpoints in the same namespace as the NetworkPolicy. - - For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting - only GlobalNetworkSet or HostEndpoint. - - For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces. - type: string - nets: - description: |- - Nets is an optional field that restricts the rule to only apply to traffic that - originates from (or terminates at) IP addresses in any of the given subnets. - items: + nets: + items: + type: string + type: array + x-kubernetes-list-type: set + notNets: + items: + type: string + type: array + x-kubernetes-list-type: set + notPorts: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + notSelector: type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: + ports: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + selector: type: string - type: array - notPorts: - description: |- - NotPorts is the negated version of the Ports field. - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: |- - NotSelector is the negated version of the Selector field. See Selector field for - subtleties with negated selectors. - type: string - ports: - description: |- - Ports is an optional field that restricts the rule to only apply to traffic that has a - source (destination) port that matches one of these ranges/values. This value is a - list of integers or strings that represent ranges of ports. - - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for\nsample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching\nthe selector will be matched.\n\nNote that: - in addition to the negated version of the Selector (see - NotSelector below), the\nselector expression syntax itself - supports negation. The two types of negation are subtly\ndifferent. - One negates the set of matched endpoints, the other negates - the whole match:\n\n\tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled\n\tendpoints - that do not have the label \"my_label\".\n\n\tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled\n\tendpoints that do have the label - \"my_label\".\n\nThe effect is that the latter will accept - packets from non-Calico sources whereas the\nformer is - limited to packets from Calico-controlled endpoints." - type: string - serviceAccounts: - description: |- - ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or - terminates at) a pod running as a matching service account. - properties: - names: - description: |- - Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates - at) a pod running as a service account whose name is in the list. - items: + serviceAccounts: + properties: + names: + items: + type: string + type: array + x-kubernetes-list-type: set + selector: + type: string + type: object + services: + properties: + name: + type: string + namespace: type: string - type: array - selector: - description: |- - Selector is an optional field that restricts the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account that matches the given label selector. - If both Names and Selector are specified then they are AND'ed. + type: object + type: object + http: + properties: + methods: + items: type: string - type: object - services: - description: |- - Services is an optional field that contains options for matching Kubernetes Services. - If specified, only traffic that originates from or terminates at endpoints within the selected - service(s) will be matched, and only to/from each endpoint's port. - - Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, - NotNets or ServiceAccounts. - - Ports and NotPorts can only be specified with Services on ingress rules. - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. + maxItems: 20 + type: array + x-kubernetes-list-type: atomic + paths: + items: + properties: + exact: + maxLength: 1024 + type: string + prefix: + maxLength: 1024 + type: string + type: object + maxItems: 20 + type: array + x-kubernetes-list-type: atomic + type: object + icmp: + properties: + code: + maximum: 255 + minimum: 0 + type: integer + type: + maximum: 254 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: ICMP code specified without an ICMP type + reason: FieldValueInvalid + rule: "!has(self.code) || has(self.type)" + ipVersion: + enum: + - 4 + - 6 + type: integer + metadata: + properties: + annotations: + additionalProperties: type: string - namespace: - description: |- - Namespace specifies the namespace of the given Service. If left empty, the rule - will match within this policy's namespace. + type: object + type: object + notICMP: + properties: + code: + maximum: 255 + minimum: 0 + type: integer + type: + maximum: 254 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: ICMP code specified without an ICMP type + reason: FieldValueInvalid + rule: "!has(self.code) || has(self.type)" + notProtocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + source: + properties: + namespaceSelector: + type: string + nets: + items: type: string - type: object - type: object - required: - - action - type: object - type: array - order: - description: |- - Order is an optional field that specifies the order in which the policy is applied. - Policies with higher "order" are applied after those with lower - order within the same tier. If the order is omitted, it may be considered to be "infinite" - i.e. the - policy will be applied last. Policies with identical order will be applied in - alphanumerical order based on the Policy "Name" within the tier. - type: number - performanceHints: - description: |- - PerformanceHints contains a list of hints to Calico's policy engine to - help process the policy more efficiently. Hints never change the - enforcement behaviour of the policy. - - Currently, the only available hint is "AssumeNeededOnEveryNode". When - that hint is set on a policy, Felix will act as if the policy matches - a local endpoint even if it does not. This is useful for "preloading" - any large static policies that are known to be used on every node. - If the policy is _not_ used on a particular node then the work - done to preload the policy (and to maintain it) is wasted. - items: + type: array + x-kubernetes-list-type: set + notNets: + items: + type: string + type: array + x-kubernetes-list-type: set + notPorts: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + notSelector: + type: string + ports: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + selector: + type: string + serviceAccounts: + properties: + names: + items: + type: string + type: array + x-kubernetes-list-type: set + selector: + type: string + type: object + services: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + required: + - action + type: object + x-kubernetes-validations: + - message: rules with HTTP match must have protocol TCP or unset + reason: FieldValueInvalid + rule: + "!has(self.http) || !has(self.protocol) || self.protocol + == 'TCP' || self.protocol == 6" + - message: HTTP match is only valid on Allow rules + reason: FieldValueForbidden + rule: self.action == 'Allow' || !has(self.http) + - message: ports and notPorts cannot be specified with services + reason: FieldValueForbidden + rule: + "!has(self.destination) || !has(self.destination.services) + || (!has(self.destination.ports) || size(self.destination.ports) + == 0) && (!has(self.destination.notPorts) || size(self.destination.notPorts) + == 0)" + type: array + x-kubernetes-list-type: atomic + order: + type: number + performanceHints: + items: + enum: + - AssumeNeededOnEveryNode + type: string + type: array + x-kubernetes-list-type: set + selector: + type: string + serviceAccountSelector: + type: string + stagedAction: + default: Set + enum: + - Set + - Delete + - Learn + - Ignore type: string - type: array - selector: - description: "The selector is an expression used to pick pick out - the endpoints that the policy should\nbe applied to.\n\nSelector - expressions follow this syntax:\n\n\tlabel == \"string_literal\" - \ -> comparison, e.g. my_label == \"foo bar\"\n\tlabel != \"string_literal\" - \ -> not equal; also matches if label is not present\n\tlabel - in { \"a\", \"b\", \"c\", ... } -> true if the value of label - X is one of \"a\", \"b\", \"c\"\n\tlabel not in { \"a\", \"b\", - \"c\", ... } -> true if the value of label X is not one of \"a\", - \"b\", \"c\"\n\thas(label_name) -> True if that label is present\n\t! - expr -> negation of expr\n\texpr && expr -> Short-circuit and\n\texpr - || expr -> Short-circuit or\n\t( expr ) -> parens for grouping\n\tall() - or the empty selector -> matches all endpoints.\n\nLabel names are - allowed to contain alphanumerics, -, _ and /. String literals are - more permissive\nbut they do not support escape characters.\n\nExamples - (with made-up labels):\n\n\ttype == \"webserver\" && deployment - == \"prod\"\n\ttype in {\"frontend\", \"backend\"}\n\tdeployment - != \"dev\"\n\t! has(label_name)" - type: string - serviceAccountSelector: - description: ServiceAccountSelector is an optional field for an expression - used to select a pod based on service accounts. - type: string - stagedAction: - description: The staged action. If this is omitted, the default is - Set. - type: string - tier: - description: |- - The name of the tier that this policy belongs to. If this is omitted, the default - tier (name is "default") is assumed. The specified tier must exist in order to create - security policies within the tier, the "default" tier is created automatically if it - does not exist, this means for deployments requiring only a single Tier, the tier name - may be omitted on all policy management requests. - type: string - types: - description: |- - Types indicates whether this policy applies to ingress, or to egress, or to both. When - not explicitly specified (and so the value on creation is empty or nil), Calico defaults - Types according to what Ingress and Egress are present in the policy. The - default is: - - - [ PolicyTypeIngress ], if there are no Egress rules (including the case where there are - also no Ingress rules) - - - [ PolicyTypeEgress ], if there are Egress rules but no Ingress rules - - - [ PolicyTypeIngress, PolicyTypeEgress ], if there are both Ingress and Egress rules. - - When the policy is read back again, Types will always be one of these values, never empty - or nil. - items: - description: PolicyType enumerates the possible values of the PolicySpec - Types field. + tier: + default: default type: string - type: array - type: object - type: object - served: true - storage: true + types: + items: + enum: + - Ingress + - Egress + type: string + maxItems: 2 + minItems: 1 + type: array + x-kubernetes-list-type: set + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/calico/crd.projectcalico.org_tiers.yaml b/pkg/crds/calico/crd.projectcalico.org_tiers.yaml index c7911c7d00..ec40a19200 100644 --- a/pkg/crds/calico/crd.projectcalico.org_tiers.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_tiers.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: tiers.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,49 +14,49 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: TierSpec contains the specification for a security policy - tier resource. - properties: - defaultAction: - description: |- - DefaultAction specifies the action applied to workloads selected by a policy in the tier, - but not rule matched the workload's traffic. - [Default: Deny] - enum: - - Pass - - Deny - type: string - order: - description: |- - Order is an optional field that specifies the order in which the tier is applied. - Tiers with higher "order" are applied after those with lower order. If the order - is omitted, it may be considered to be "infinite" - i.e. the tier will be applied - last. Tiers with identical order will be applied in alphanumerical order based - on the Tier "Name". - type: number - type: object - type: object - served: true - storage: true + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + defaultAction: + allOf: + - enum: + - Allow + - Deny + - Log + - Pass + - enum: + - Pass + - Deny + default: Deny + type: string + order: + type: number + type: object + required: + - metadata + - spec + type: object + x-kubernetes-validations: + - message: The 'kube-admin' tier must have default action 'Pass' + rule: + "self.metadata.name == 'kube-admin' ? self.spec.defaultAction == + 'Pass' : true" + - message: The 'kube-baseline' tier must have default action 'Pass' + rule: + "self.metadata.name == 'kube-baseline' ? self.spec.defaultAction + == 'Pass' : true" + - message: The 'default' tier must have default action 'Deny' + rule: + "self.metadata.name == 'default' ? self.spec.defaultAction == 'Deny' + : true" + served: true + storage: true diff --git a/pkg/crds/calico/policy.networking.k8s.io_adminnetworkpolicies.yaml b/pkg/crds/calico/policy.networking.k8s.io_adminnetworkpolicies.yaml deleted file mode 100644 index 174d4c1ace..0000000000 --- a/pkg/crds/calico/policy.networking.k8s.io_adminnetworkpolicies.yaml +++ /dev/null @@ -1,1082 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/network-policy-api/pull/30 - policy.networking.k8s.io/bundle-version: v0.1.1 - policy.networking.k8s.io/channel: experimental - creationTimestamp: null - name: adminnetworkpolicies.policy.networking.k8s.io -spec: - group: policy.networking.k8s.io - names: - kind: AdminNetworkPolicy - listKind: AdminNetworkPolicyList - plural: adminnetworkpolicies - shortNames: - - anp - singular: adminnetworkpolicy - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.priority - name: Priority - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - AdminNetworkPolicy is a cluster level resource that is part of the - AdminNetworkPolicy API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired behavior of AdminNetworkPolicy. - properties: - egress: - description: |- - Egress is the list of Egress rules to be applied to the selected pods. - A total of 100 rules will be allowed in each ANP instance. - The relative precedence of egress rules within a single ANP object (all of - which share the priority) will be determined by the order in which the rule - is written. Thus, a rule that appears at the top of the egress rules - would take the highest precedence. - ANPs with no egress rules do not affect egress traffic. - - - Support: Core - items: - description: |- - AdminNetworkPolicyEgressRule describes an action to take on a particular - set of traffic originating from pods selected by a AdminNetworkPolicy's - Subject field. - - properties: - action: - description: |- - Action specifies the effect this rule will have on matching traffic. - Currently the following actions are supported: - Allow: allows the selected traffic (even if it would otherwise have been denied by NetworkPolicy) - Deny: denies the selected traffic - Pass: instructs the selected traffic to skip any remaining ANP rules, and - then pass execution to any NetworkPolicies that select the pod. - If the pod is not selected by any NetworkPolicies then execution - is passed to any BaselineAdminNetworkPolicies that select the pod. - - - Support: Core - enum: - - Allow - - Deny - - Pass - type: string - name: - description: |- - Name is an identifier for this rule, that may be no more than 100 characters - in length. This field should be used by the implementation to help - improve observability, readability and error-reporting for any applied - AdminNetworkPolicies. - - - Support: Core - maxLength: 100 - type: string - ports: - description: |- - Ports allows for matching traffic based on port and protocols. - This field is a list of destination ports for the outgoing egress traffic. - If Ports is not set then the rule does not filter traffic via port. - - - Support: Core - items: - description: |- - AdminNetworkPolicyPort describes how to select network ports on pod(s). - Exactly one field must be set. - maxProperties: 1 - minProperties: 1 - properties: - namedPort: - description: |- - NamedPort selects a port on a pod(s) based on name. - - - Support: Extended - - - - type: string - portNumber: - description: |- - Port selects a port on a pod(s) based on number. - - - Support: Core - properties: - port: - description: |- - Number defines a network port value. - - - Support: Core - format: int32 - maximum: 65535 - minimum: 1 - type: integer - protocol: - default: TCP - description: |- - Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must - match. If not specified, this field defaults to TCP. - - - Support: Core - type: string - required: - - port - - protocol - type: object - portRange: - description: |- - PortRange selects a port range on a pod(s) based on provided start and end - values. - - - Support: Core - properties: - end: - description: |- - End defines a network port that is the end of a port range, the End value - must be greater than Start. - - - Support: Core - format: int32 - maximum: 65535 - minimum: 1 - type: integer - protocol: - default: TCP - description: |- - Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must - match. If not specified, this field defaults to TCP. - - - Support: Core - type: string - start: - description: |- - Start defines a network port that is the start of a port range, the Start - value must be less than End. - - - Support: Core - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - end - - start - type: object - type: object - maxItems: 100 - type: array - to: - description: |- - To is the List of destinations whose traffic this rule applies to. - If any AdminNetworkPolicyEgressPeer matches the destination of outgoing - traffic then the specified action is applied. - This field must be defined and contain at least one item. - - - Support: Core - items: - description: |- - AdminNetworkPolicyEgressPeer defines a peer to allow traffic to. - Exactly one of the selector pointers must be set for a given peer. If a - consumer observes none of its fields are set, they must assume an unknown - option has been specified and fail closed. - maxProperties: 1 - minProperties: 1 - properties: - namespaces: - description: |- - Namespaces defines a way to select all pods within a set of Namespaces. - Note that host-networked pods are not included in this type of peer. - - - Support: Core - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - networks: - description: |- - Networks defines a way to select peers via CIDR blocks. - This is intended for representing entities that live outside the cluster, - which can't be selected by pods, namespaces and nodes peers, but note - that cluster-internal traffic will be checked against the rule as - well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow - or deny all IPv4 pod-to-pod traffic as well. If you don't want that, - add a rule that Passes all pod traffic before the Networks rule. - - - Each item in Networks should be provided in the CIDR format and should be - IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8". - - - Networks can have upto 25 CIDRs specified. - - - Support: Extended - - - - items: - description: |- - CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8"). - This string must be validated by implementations using net.ParseCIDR - TODO: Introduce CEL CIDR validation regex isCIDR() in Kube 1.31 when it is available. - maxLength: 43 - type: string - x-kubernetes-validations: - - message: CIDR must be either an IPv4 or IPv6 address. - IPv4 address embedded in IPv6 addresses are not - supported - rule: self.contains(':') != self.contains('.') - maxItems: 25 - minItems: 1 - type: array - x-kubernetes-list-type: set - nodes: - description: |- - Nodes defines a way to select a set of nodes in - the cluster. This field follows standard label selector - semantics; if present but empty, it selects all Nodes. - - - Support: Extended - - - - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - pods: - description: |- - Pods defines a way to select a set of pods in - a set of namespaces. Note that host-networked pods - are not included in this type of peer. - - - Support: Core - properties: - namespaceSelector: - description: |- - NamespaceSelector follows standard label selector semantics; if empty, - it selects all Namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - podSelector: - description: |- - PodSelector is used to explicitly select pods within a namespace; if empty, - it selects all Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - required: - - namespaceSelector - - podSelector - type: object - type: object - maxItems: 100 - minItems: 1 - type: array - required: - - action - - to - type: object - x-kubernetes-validations: - - message: networks/nodes peer cannot be set with namedPorts since - there are no namedPorts for networks/nodes - rule: '!(self.to.exists(peer, has(peer.networks) || has(peer.nodes)) - && has(self.ports) && self.ports.exists(port, has(port.namedPort)))' - maxItems: 100 - type: array - ingress: - description: |- - Ingress is the list of Ingress rules to be applied to the selected pods. - A total of 100 rules will be allowed in each ANP instance. - The relative precedence of ingress rules within a single ANP object (all of - which share the priority) will be determined by the order in which the rule - is written. Thus, a rule that appears at the top of the ingress rules - would take the highest precedence. - ANPs with no ingress rules do not affect ingress traffic. - - - Support: Core - items: - description: |- - AdminNetworkPolicyIngressRule describes an action to take on a particular - set of traffic destined for pods selected by an AdminNetworkPolicy's - Subject field. - properties: - action: - description: |- - Action specifies the effect this rule will have on matching traffic. - Currently the following actions are supported: - Allow: allows the selected traffic (even if it would otherwise have been denied by NetworkPolicy) - Deny: denies the selected traffic - Pass: instructs the selected traffic to skip any remaining ANP rules, and - then pass execution to any NetworkPolicies that select the pod. - If the pod is not selected by any NetworkPolicies then execution - is passed to any BaselineAdminNetworkPolicies that select the pod. - - - Support: Core - enum: - - Allow - - Deny - - Pass - type: string - from: - description: |- - From is the list of sources whose traffic this rule applies to. - If any AdminNetworkPolicyIngressPeer matches the source of incoming - traffic then the specified action is applied. - This field must be defined and contain at least one item. - - - Support: Core - items: - description: |- - AdminNetworkPolicyIngressPeer defines an in-cluster peer to allow traffic from. - Exactly one of the selector pointers must be set for a given peer. If a - consumer observes none of its fields are set, they must assume an unknown - option has been specified and fail closed. - maxProperties: 1 - minProperties: 1 - properties: - namespaces: - description: |- - Namespaces defines a way to select all pods within a set of Namespaces. - Note that host-networked pods are not included in this type of peer. - - - Support: Core - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - pods: - description: |- - Pods defines a way to select a set of pods in - a set of namespaces. Note that host-networked pods - are not included in this type of peer. - - - Support: Core - properties: - namespaceSelector: - description: |- - NamespaceSelector follows standard label selector semantics; if empty, - it selects all Namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - podSelector: - description: |- - PodSelector is used to explicitly select pods within a namespace; if empty, - it selects all Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - required: - - namespaceSelector - - podSelector - type: object - type: object - maxItems: 100 - minItems: 1 - type: array - name: - description: |- - Name is an identifier for this rule, that may be no more than 100 characters - in length. This field should be used by the implementation to help - improve observability, readability and error-reporting for any applied - AdminNetworkPolicies. - - - Support: Core - maxLength: 100 - type: string - ports: - description: |- - Ports allows for matching traffic based on port and protocols. - This field is a list of ports which should be matched on - the pods selected for this policy i.e the subject of the policy. - So it matches on the destination port for the ingress traffic. - If Ports is not set then the rule does not filter traffic via port. - - - Support: Core - items: - description: |- - AdminNetworkPolicyPort describes how to select network ports on pod(s). - Exactly one field must be set. - maxProperties: 1 - minProperties: 1 - properties: - namedPort: - description: |- - NamedPort selects a port on a pod(s) based on name. - - - Support: Extended - - - - type: string - portNumber: - description: |- - Port selects a port on a pod(s) based on number. - - - Support: Core - properties: - port: - description: |- - Number defines a network port value. - - - Support: Core - format: int32 - maximum: 65535 - minimum: 1 - type: integer - protocol: - default: TCP - description: |- - Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must - match. If not specified, this field defaults to TCP. - - - Support: Core - type: string - required: - - port - - protocol - type: object - portRange: - description: |- - PortRange selects a port range on a pod(s) based on provided start and end - values. - - - Support: Core - properties: - end: - description: |- - End defines a network port that is the end of a port range, the End value - must be greater than Start. - - - Support: Core - format: int32 - maximum: 65535 - minimum: 1 - type: integer - protocol: - default: TCP - description: |- - Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must - match. If not specified, this field defaults to TCP. - - - Support: Core - type: string - start: - description: |- - Start defines a network port that is the start of a port range, the Start - value must be less than End. - - - Support: Core - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - end - - start - type: object - type: object - maxItems: 100 - type: array - required: - - action - - from - type: object - maxItems: 100 - type: array - priority: - description: |- - Priority is a value from 0 to 1000. Rules with lower priority values have - higher precedence, and are checked before rules with higher priority values. - All AdminNetworkPolicy rules have higher precedence than NetworkPolicy or - BaselineAdminNetworkPolicy rules - The behavior is undefined if two ANP objects have same priority. - - - Support: Core - format: int32 - maximum: 1000 - minimum: 0 - type: integer - subject: - description: |- - Subject defines the pods to which this AdminNetworkPolicy applies. - Note that host-networked pods are not included in subject selection. - - - Support: Core - maxProperties: 1 - minProperties: 1 - properties: - namespaces: - description: Namespaces is used to select pods via namespace selectors. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - pods: - description: Pods is used to select pods via namespace AND pod - selectors. - properties: - namespaceSelector: - description: |- - NamespaceSelector follows standard label selector semantics; if empty, - it selects all Namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - podSelector: - description: |- - PodSelector is used to explicitly select pods within a namespace; if empty, - it selects all Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - required: - - namespaceSelector - - podSelector - type: object - type: object - required: - - priority - - subject - type: object - status: - description: Status is the status to be reported by the implementation. - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - required: - - conditions - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null diff --git a/pkg/crds/calico/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml b/pkg/crds/calico/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml deleted file mode 100644 index 587e27ac65..0000000000 --- a/pkg/crds/calico/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml +++ /dev/null @@ -1,1057 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/network-policy-api/pull/30 - policy.networking.k8s.io/bundle-version: v0.1.1 - policy.networking.k8s.io/channel: experimental - creationTimestamp: null - name: baselineadminnetworkpolicies.policy.networking.k8s.io -spec: - group: policy.networking.k8s.io - names: - kind: BaselineAdminNetworkPolicy - listKind: BaselineAdminNetworkPolicyList - plural: baselineadminnetworkpolicies - shortNames: - - banp - singular: baselineadminnetworkpolicy - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - BaselineAdminNetworkPolicy is a cluster level resource that is part of the - AdminNetworkPolicy API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired behavior of BaselineAdminNetworkPolicy. - properties: - egress: - description: |- - Egress is the list of Egress rules to be applied to the selected pods if - they are not matched by any AdminNetworkPolicy or NetworkPolicy rules. - A total of 100 Egress rules will be allowed in each BANP instance. - The relative precedence of egress rules within a single BANP object - will be determined by the order in which the rule is written. - Thus, a rule that appears at the top of the egress rules - would take the highest precedence. - BANPs with no egress rules do not affect egress traffic. - - - Support: Core - items: - description: |- - BaselineAdminNetworkPolicyEgressRule describes an action to take on a particular - set of traffic originating from pods selected by a BaselineAdminNetworkPolicy's - Subject field. - - properties: - action: - description: |- - Action specifies the effect this rule will have on matching traffic. - Currently the following actions are supported: - Allow: allows the selected traffic - Deny: denies the selected traffic - - - Support: Core - enum: - - Allow - - Deny - type: string - name: - description: |- - Name is an identifier for this rule, that may be no more than 100 characters - in length. This field should be used by the implementation to help - improve observability, readability and error-reporting for any applied - BaselineAdminNetworkPolicies. - - - Support: Core - maxLength: 100 - type: string - ports: - description: |- - Ports allows for matching traffic based on port and protocols. - This field is a list of destination ports for the outgoing egress traffic. - If Ports is not set then the rule does not filter traffic via port. - items: - description: |- - AdminNetworkPolicyPort describes how to select network ports on pod(s). - Exactly one field must be set. - maxProperties: 1 - minProperties: 1 - properties: - namedPort: - description: |- - NamedPort selects a port on a pod(s) based on name. - - - Support: Extended - - - - type: string - portNumber: - description: |- - Port selects a port on a pod(s) based on number. - - - Support: Core - properties: - port: - description: |- - Number defines a network port value. - - - Support: Core - format: int32 - maximum: 65535 - minimum: 1 - type: integer - protocol: - default: TCP - description: |- - Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must - match. If not specified, this field defaults to TCP. - - - Support: Core - type: string - required: - - port - - protocol - type: object - portRange: - description: |- - PortRange selects a port range on a pod(s) based on provided start and end - values. - - - Support: Core - properties: - end: - description: |- - End defines a network port that is the end of a port range, the End value - must be greater than Start. - - - Support: Core - format: int32 - maximum: 65535 - minimum: 1 - type: integer - protocol: - default: TCP - description: |- - Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must - match. If not specified, this field defaults to TCP. - - - Support: Core - type: string - start: - description: |- - Start defines a network port that is the start of a port range, the Start - value must be less than End. - - - Support: Core - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - end - - start - type: object - type: object - maxItems: 100 - type: array - to: - description: |- - To is the list of destinations whose traffic this rule applies to. - If any AdminNetworkPolicyEgressPeer matches the destination of outgoing - traffic then the specified action is applied. - This field must be defined and contain at least one item. - - - Support: Core - items: - description: |- - AdminNetworkPolicyEgressPeer defines a peer to allow traffic to. - Exactly one of the selector pointers must be set for a given peer. If a - consumer observes none of its fields are set, they must assume an unknown - option has been specified and fail closed. - maxProperties: 1 - minProperties: 1 - properties: - namespaces: - description: |- - Namespaces defines a way to select all pods within a set of Namespaces. - Note that host-networked pods are not included in this type of peer. - - - Support: Core - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - networks: - description: |- - Networks defines a way to select peers via CIDR blocks. - This is intended for representing entities that live outside the cluster, - which can't be selected by pods, namespaces and nodes peers, but note - that cluster-internal traffic will be checked against the rule as - well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow - or deny all IPv4 pod-to-pod traffic as well. If you don't want that, - add a rule that Passes all pod traffic before the Networks rule. - - - Each item in Networks should be provided in the CIDR format and should be - IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8". - - - Networks can have upto 25 CIDRs specified. - - - Support: Extended - - - - items: - description: |- - CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8"). - This string must be validated by implementations using net.ParseCIDR - TODO: Introduce CEL CIDR validation regex isCIDR() in Kube 1.31 when it is available. - maxLength: 43 - type: string - x-kubernetes-validations: - - message: CIDR must be either an IPv4 or IPv6 address. - IPv4 address embedded in IPv6 addresses are not - supported - rule: self.contains(':') != self.contains('.') - maxItems: 25 - minItems: 1 - type: array - x-kubernetes-list-type: set - nodes: - description: |- - Nodes defines a way to select a set of nodes in - the cluster. This field follows standard label selector - semantics; if present but empty, it selects all Nodes. - - - Support: Extended - - - - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - pods: - description: |- - Pods defines a way to select a set of pods in - a set of namespaces. Note that host-networked pods - are not included in this type of peer. - - - Support: Core - properties: - namespaceSelector: - description: |- - NamespaceSelector follows standard label selector semantics; if empty, - it selects all Namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - podSelector: - description: |- - PodSelector is used to explicitly select pods within a namespace; if empty, - it selects all Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - required: - - namespaceSelector - - podSelector - type: object - type: object - maxItems: 100 - minItems: 1 - type: array - required: - - action - - to - type: object - x-kubernetes-validations: - - message: networks/nodes peer cannot be set with namedPorts since - there are no namedPorts for networks/nodes - rule: '!(self.to.exists(peer, has(peer.networks) || has(peer.nodes)) - && has(self.ports) && self.ports.exists(port, has(port.namedPort)))' - maxItems: 100 - type: array - ingress: - description: |- - Ingress is the list of Ingress rules to be applied to the selected pods - if they are not matched by any AdminNetworkPolicy or NetworkPolicy rules. - A total of 100 Ingress rules will be allowed in each BANP instance. - The relative precedence of ingress rules within a single BANP object - will be determined by the order in which the rule is written. - Thus, a rule that appears at the top of the ingress rules - would take the highest precedence. - BANPs with no ingress rules do not affect ingress traffic. - - - Support: Core - items: - description: |- - BaselineAdminNetworkPolicyIngressRule describes an action to take on a particular - set of traffic destined for pods selected by a BaselineAdminNetworkPolicy's - Subject field. - properties: - action: - description: |- - Action specifies the effect this rule will have on matching traffic. - Currently the following actions are supported: - Allow: allows the selected traffic - Deny: denies the selected traffic - - - Support: Core - enum: - - Allow - - Deny - type: string - from: - description: |- - From is the list of sources whose traffic this rule applies to. - If any AdminNetworkPolicyIngressPeer matches the source of incoming - traffic then the specified action is applied. - This field must be defined and contain at least one item. - - - Support: Core - items: - description: |- - AdminNetworkPolicyIngressPeer defines an in-cluster peer to allow traffic from. - Exactly one of the selector pointers must be set for a given peer. If a - consumer observes none of its fields are set, they must assume an unknown - option has been specified and fail closed. - maxProperties: 1 - minProperties: 1 - properties: - namespaces: - description: |- - Namespaces defines a way to select all pods within a set of Namespaces. - Note that host-networked pods are not included in this type of peer. - - - Support: Core - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - pods: - description: |- - Pods defines a way to select a set of pods in - a set of namespaces. Note that host-networked pods - are not included in this type of peer. - - - Support: Core - properties: - namespaceSelector: - description: |- - NamespaceSelector follows standard label selector semantics; if empty, - it selects all Namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - podSelector: - description: |- - PodSelector is used to explicitly select pods within a namespace; if empty, - it selects all Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - required: - - namespaceSelector - - podSelector - type: object - type: object - maxItems: 100 - minItems: 1 - type: array - name: - description: |- - Name is an identifier for this rule, that may be no more than 100 characters - in length. This field should be used by the implementation to help - improve observability, readability and error-reporting for any applied - BaselineAdminNetworkPolicies. - - - Support: Core - maxLength: 100 - type: string - ports: - description: |- - Ports allows for matching traffic based on port and protocols. - This field is a list of ports which should be matched on - the pods selected for this policy i.e the subject of the policy. - So it matches on the destination port for the ingress traffic. - If Ports is not set then the rule does not filter traffic via port. - - - Support: Core - items: - description: |- - AdminNetworkPolicyPort describes how to select network ports on pod(s). - Exactly one field must be set. - maxProperties: 1 - minProperties: 1 - properties: - namedPort: - description: |- - NamedPort selects a port on a pod(s) based on name. - - - Support: Extended - - - - type: string - portNumber: - description: |- - Port selects a port on a pod(s) based on number. - - - Support: Core - properties: - port: - description: |- - Number defines a network port value. - - - Support: Core - format: int32 - maximum: 65535 - minimum: 1 - type: integer - protocol: - default: TCP - description: |- - Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must - match. If not specified, this field defaults to TCP. - - - Support: Core - type: string - required: - - port - - protocol - type: object - portRange: - description: |- - PortRange selects a port range on a pod(s) based on provided start and end - values. - - - Support: Core - properties: - end: - description: |- - End defines a network port that is the end of a port range, the End value - must be greater than Start. - - - Support: Core - format: int32 - maximum: 65535 - minimum: 1 - type: integer - protocol: - default: TCP - description: |- - Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must - match. If not specified, this field defaults to TCP. - - - Support: Core - type: string - start: - description: |- - Start defines a network port that is the start of a port range, the Start - value must be less than End. - - - Support: Core - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - end - - start - type: object - type: object - maxItems: 100 - type: array - required: - - action - - from - type: object - maxItems: 100 - type: array - subject: - description: |- - Subject defines the pods to which this BaselineAdminNetworkPolicy applies. - Note that host-networked pods are not included in subject selection. - - - Support: Core - maxProperties: 1 - minProperties: 1 - properties: - namespaces: - description: Namespaces is used to select pods via namespace selectors. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - pods: - description: Pods is used to select pods via namespace AND pod - selectors. - properties: - namespaceSelector: - description: |- - NamespaceSelector follows standard label selector semantics; if empty, - it selects all Namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - podSelector: - description: |- - PodSelector is used to explicitly select pods within a namespace; if empty, - it selects all Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - required: - - namespaceSelector - - podSelector - type: object - type: object - required: - - subject - type: object - status: - description: Status is the status to be reported by the implementation. - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - required: - - conditions - type: object - required: - - metadata - - spec - type: object - x-kubernetes-validations: - - message: Only one baseline admin network policy with metadata.name="default" - can be created in the cluster - rule: self.metadata.name == 'default' - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: null - storedVersions: null diff --git a/pkg/crds/calico/policy.networking.k8s.io_clusternetworkpolicies.yaml b/pkg/crds/calico/policy.networking.k8s.io_clusternetworkpolicies.yaml new file mode 100644 index 0000000000..cced723679 --- /dev/null +++ b/pkg/crds/calico/policy.networking.k8s.io_clusternetworkpolicies.yaml @@ -0,0 +1,1184 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/network-policy-api/pull/300 + policy.networking.k8s.io/bundle-version: v0.1.7 + policy.networking.k8s.io/channel: standard + name: clusternetworkpolicies.policy.networking.k8s.io +spec: + group: policy.networking.k8s.io + names: + kind: ClusterNetworkPolicy + listKind: ClusterNetworkPolicyList + plural: clusternetworkpolicies + shortNames: + - cnp + singular: clusternetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.tier + name: Tier + type: string + - jsonPath: .spec.priority + name: Priority + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: ClusterNetworkPolicy is a cluster-wide network policy resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired behavior of ClusterNetworkPolicy. + properties: + egress: + description: |- + Egress is the list of Egress rules to be applied to the selected pods. + + A maximum of 25 rules is allowed in this block. + + The relative precedence of egress rules within a single CNP object + (all of which share the priority) will be determined by the order + in which the rule is written. + Thus, a rule that appears at the top of the egress rules + would take the highest precedence. + CNPs with no egress rules do not affect egress traffic. + items: + description: |- + ClusterNetworkPolicyEgressRule describes an action to take on a particular + set of traffic originating from pods selected by a ClusterNetworkPolicy's + Subject field. + + + properties: + action: + description: |- + Action specifies the effect this rule will have on matching + traffic. Currently the following actions are supported: + + - Accept: Accepts the selected traffic, allowing it to + egress. No further ClusterNetworkPolicy or NetworkPolicy + rules will be processed. + + - Deny: Drops the selected traffic. No further + ClusterNetworkPolicy or NetworkPolicy rules will be + processed. + + - Pass: Skips all further ClusterNetworkPolicy rules in the + current tier for the selected traffic, and passes + evaluation to the next tier. + enum: + - Accept + - Deny + - Pass + type: string + name: + description: |- + Name is an identifier for this rule, that may be no more than + 100 characters in length. This field should be used by the implementation + to help improve observability, readability and error-reporting + for any applied policies. + maxLength: 100 + type: string + protocols: + description: |- + Protocols allows for more fine-grain matching of traffic on + protocol-specific attributes such as the port. If + unspecified, protocol-specific attributes will not be used + to match traffic. + items: + description: |- + ClusterNetworkPolicyProtocol describes additional protocol-specific match rules. + Exactly one field must be set. + maxProperties: 1 + minProperties: 1 + properties: + destinationNamedPort: + description: |- + DestinationNamedPort selects a destination port on a pod based on the + ContainerPort name. You can't use this in a rule that targets resources + without named ports (e.g. Nodes or Networks). + type: string + sctp: + description: SCTP specific protocol matches. + minProperties: 1 + properties: + destinationPort: + description: DestinationPort for the match. + maxProperties: 1 + minProperties: 1 + properties: + number: + description: Number defines a network port value. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + range: + description: + Range defines a contiguous range + of ports. + properties: + end: + description: |- + end specifies the last port in the range. It must be + greater than start. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + start: + description: |- + start defines a network port that is the start of a port + range, the Start value must be less than End. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - end + - start + type: object + x-kubernetes-validations: + - message: Start port must be less than End port + rule: self.start < self.end + type: object + type: object + tcp: + description: TCP specific protocol matches. + minProperties: 1 + properties: + destinationPort: + description: DestinationPort for the match. + maxProperties: 1 + minProperties: 1 + properties: + number: + description: Number defines a network port value. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + range: + description: + Range defines a contiguous range + of ports. + properties: + end: + description: |- + end specifies the last port in the range. It must be + greater than start. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + start: + description: |- + start defines a network port that is the start of a port + range, the Start value must be less than End. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - end + - start + type: object + x-kubernetes-validations: + - message: Start port must be less than End port + rule: self.start < self.end + type: object + type: object + udp: + description: UDP specific protocol matches. + minProperties: 1 + properties: + destinationPort: + description: DestinationPort for the match. + maxProperties: 1 + minProperties: 1 + properties: + number: + description: Number defines a network port value. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + range: + description: + Range defines a contiguous range + of ports. + properties: + end: + description: |- + end specifies the last port in the range. It must be + greater than start. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + start: + description: |- + start defines a network port that is the start of a port + range, the Start value must be less than End. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - end + - start + type: object + x-kubernetes-validations: + - message: Start port must be less than End port + rule: self.start < self.end + type: object + type: object + type: object + maxItems: 25 + minItems: 1 + type: array + to: + description: |- + To is the list of destinations whose traffic this rule applies to. If any + element matches the destination of outgoing traffic then the specified + action is applied. This field must be defined and contain at least one + item. + items: + description: |- + ClusterNetworkPolicyEgressPeer defines a peer to allow traffic to. + + Exactly one of the fields must be set for a given peer and this is enforced + by the validation rules on the CRD. If an implementation sees no fields are + set then it can infer that the deployed CRD is of an incompatible version + with an unknown field. In that case it should fail closed. + + For "Accept" rules, "fail closed" means: "treat the rule as matching no + traffic". For "Deny" and "Pass" rules, "fail closed" means: "treat the rule + as a 'Deny all' rule". + maxProperties: 1 + minProperties: 1 + properties: + namespaces: + description: |- + Namespaces defines a way to select all pods within a set of Namespaces. + Note that host-networked pods are not included in this type of peer. + properties: + matchExpressions: + description: + matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + networks: + description: |- + Networks defines a way to select peers via CIDR blocks. + This is intended for representing entities that live outside the cluster, + which can't be selected by pods, namespaces and nodes peers, but note + that cluster-internal traffic will be checked against the rule as + well. So if you Accept or Deny traffic to `"0.0.0.0/0"`, that will allow + or deny all IPv4 pod-to-pod traffic as well. If you don't want that, + add a rule that Passes all pod traffic before the Networks rule. + + Each item in Networks should be provided in the CIDR format and should be + IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8". + + Networks can have up to 25 CIDRs specified. + items: + description: |- + CIDR is an IP address range in CIDR notation + (for example, "10.0.0.0/8" or "fd00::/8"). + maxLength: 43 + type: string + x-kubernetes-validations: + - message: Invalid CIDR format provided + rule: isCIDR(self) + maxItems: 25 + minItems: 1 + type: array + x-kubernetes-list-type: set + pods: + description: |- + Pods defines a way to select a set of pods in + a set of namespaces. Note that host-networked pods + are not included in this type of peer. + properties: + namespaceSelector: + description: |- + NamespaceSelector follows standard label selector + semantics; if empty, it selects all Namespaces. + properties: + matchExpressions: + description: + matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + podSelector: + description: |- + PodSelector is used to explicitly select pods within a namespace; + if empty, it selects all Pods. + properties: + matchExpressions: + description: + matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - podSelector + type: object + type: object + maxItems: 25 + minItems: 1 + type: array + required: + - action + - to + type: object + maxItems: 25 + type: array + ingress: + description: |- + Ingress is the list of Ingress rules to be applied to the selected pods. + + A maximum of 25 rules is allowed in this block. + + The relative precedence of ingress rules within a single CNP object + (all of which share the priority) will be determined by the order + in which the rule is written. + Thus, a rule that appears at the top of the ingress rules + would take the highest precedence. + CNPs with no ingress rules do not affect ingress traffic. + items: + description: |- + ClusterNetworkPolicyIngressRule describes an action to take on a particular + set of traffic destined for pods selected by a ClusterNetworkPolicy's + Subject field. + properties: + action: + description: |- + Action specifies the effect this rule will have on matching + traffic. Currently the following actions are supported: + + - Accept: Accepts the selected traffic, allowing it into + the destination. No further ClusterNetworkPolicy or + NetworkPolicy rules will be processed. + + Note: while Accept ensures traffic is accepted by + Kubernetes network policy, it is still possible that the + packet is blocked in other ways: custom nftable rules, + high-layers e.g. service mesh. + + - Deny: Drops the selected traffic. No further + ClusterNetworkPolicy or NetworkPolicy rules will be + processed. + + - Pass: Skips all further ClusterNetworkPolicy rules in the + current tier for the selected traffic, and passes + evaluation to the next tier. + enum: + - Accept + - Deny + - Pass + type: string + from: + description: |- + From is the list of sources whose traffic this rule applies to. + If any element matches the source of incoming + traffic then the specified action is applied. + This field must be defined and contain at least one item. + items: + description: |- + ClusterNetworkPolicyIngressPeer defines a peer to allow traffic from. + + Exactly one of the fields must be set for a given peer and this is enforced + by the validation rules on the CRD. If an implementation sees no fields are + set then it can infer that the deployed CRD is of an incompatible version + with an unknown field. In that case it should fail closed. + + For "Accept" rules, "fail closed" means: "treat the rule as matching no + traffic". For "Deny" and "Pass" rules, "fail closed" means: "treat the rule + as a 'Deny all' rule". + maxProperties: 1 + minProperties: 1 + properties: + namespaces: + description: |- + Namespaces defines a way to select all pods within a set of Namespaces. + Note that host-networked pods are not included in this type of peer. + properties: + matchExpressions: + description: + matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + pods: + description: |- + Pods defines a way to select a set of pods in + a set of namespaces. Note that host-networked pods + are not included in this type of peer. + properties: + namespaceSelector: + description: |- + NamespaceSelector follows standard label selector + semantics; if empty, it selects all Namespaces. + properties: + matchExpressions: + description: + matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + podSelector: + description: |- + PodSelector is used to explicitly select pods within a namespace; + if empty, it selects all Pods. + properties: + matchExpressions: + description: + matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - podSelector + type: object + type: object + maxItems: 25 + minItems: 1 + type: array + name: + description: |- + Name is an identifier for this rule, that may be no more than + 100 characters in length. This field should be used by the implementation + to help improve observability, readability and error-reporting + for any applied policies. + maxLength: 100 + type: string + protocols: + description: |- + Protocols allows for more fine-grain matching of traffic on + protocol-specific attributes such as the port. If + unspecified, protocol-specific attributes will not be used + to match traffic. + items: + description: |- + ClusterNetworkPolicyProtocol describes additional protocol-specific match rules. + Exactly one field must be set. + maxProperties: 1 + minProperties: 1 + properties: + destinationNamedPort: + description: |- + DestinationNamedPort selects a destination port on a pod based on the + ContainerPort name. You can't use this in a rule that targets resources + without named ports (e.g. Nodes or Networks). + type: string + sctp: + description: SCTP specific protocol matches. + minProperties: 1 + properties: + destinationPort: + description: DestinationPort for the match. + maxProperties: 1 + minProperties: 1 + properties: + number: + description: Number defines a network port value. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + range: + description: + Range defines a contiguous range + of ports. + properties: + end: + description: |- + end specifies the last port in the range. It must be + greater than start. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + start: + description: |- + start defines a network port that is the start of a port + range, the Start value must be less than End. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - end + - start + type: object + x-kubernetes-validations: + - message: Start port must be less than End port + rule: self.start < self.end + type: object + type: object + tcp: + description: TCP specific protocol matches. + minProperties: 1 + properties: + destinationPort: + description: DestinationPort for the match. + maxProperties: 1 + minProperties: 1 + properties: + number: + description: Number defines a network port value. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + range: + description: + Range defines a contiguous range + of ports. + properties: + end: + description: |- + end specifies the last port in the range. It must be + greater than start. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + start: + description: |- + start defines a network port that is the start of a port + range, the Start value must be less than End. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - end + - start + type: object + x-kubernetes-validations: + - message: Start port must be less than End port + rule: self.start < self.end + type: object + type: object + udp: + description: UDP specific protocol matches. + minProperties: 1 + properties: + destinationPort: + description: DestinationPort for the match. + maxProperties: 1 + minProperties: 1 + properties: + number: + description: Number defines a network port value. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + range: + description: + Range defines a contiguous range + of ports. + properties: + end: + description: |- + end specifies the last port in the range. It must be + greater than start. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + start: + description: |- + start defines a network port that is the start of a port + range, the Start value must be less than End. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - end + - start + type: object + x-kubernetes-validations: + - message: Start port must be less than End port + rule: self.start < self.end + type: object + type: object + type: object + maxItems: 25 + minItems: 1 + type: array + required: + - action + - from + type: object + maxItems: 25 + type: array + priority: + description: |- + Priority is a value from 0 to 1000 indicating the precedence of + the policy within its tier. Policies with lower priority values have + higher precedence, and are checked before policies with higher priority + values in the same tier. All Admin tier rules have higher precedence than + NetworkPolicy or Baseline tier rules. + If two (or more) policies in the same tier with the same priority + could match a connection, then the implementation can apply any of the + matching policies to the connection, and there is no way for the user to + reliably determine which one it will choose. Administrators must be + careful about assigning the priorities for policies with rules that will + match many connections, and ensure that policies have unique priority + values in cases where ambiguity would be unacceptable. + format: int32 + maximum: 1000 + minimum: 0 + type: integer + subject: + description: + Subject defines the pods to which this ClusterNetworkPolicy + applies. + maxProperties: 1 + minProperties: 1 + properties: + namespaces: + description: Namespaces is used to select pods via namespace selectors. + properties: + matchExpressions: + description: + matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + pods: + description: + Pods is used to select pods via namespace AND pod + selectors. + properties: + namespaceSelector: + description: |- + NamespaceSelector follows standard label selector + semantics; if empty, it selects all Namespaces. + properties: + matchExpressions: + description: + matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + podSelector: + description: |- + PodSelector is used to explicitly select pods within a namespace; + if empty, it selects all Pods. + properties: + matchExpressions: + description: + matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - podSelector + type: object + type: object + tier: + description: |- + Tier is used as the top-level grouping for network policy prioritization. + + Policy tiers are evaluated in the following order: + * Admin tier + * NetworkPolicy tier + * Baseline tier + + ClusterNetworkPolicy can use 2 of these tiers: Admin and Baseline. + + The Admin tier takes precedence over all other policies. Policies + defined in this tier are used to set cluster-wide security rules + that cannot be overridden in the other tiers. If Admin tier has + made a final decision (Accept or Deny) on a connection, then no + further evaluation is done. + + NetworkPolicy tier is the tier for the namespaced v1.NetworkPolicy. + These policies are intended for the application developer to describe + the security policy associated with their deployments inside their + namespace. v1.NetworkPolicy always makes a final decision for selected + pods. Further evaluation only happens for Pods not selected by a + v1.NetworkPolicy. + + Baseline tier is a cluster-wide policy that can be overridden by the + v1.NetworkPolicy. If Baseline tier has made a final decision (Accept or + Deny) on a connection, then no further evaluation is done. + + If a given connection wasn't allowed or denied by any of the tiers, + the default kubernetes policy is applied, which says that + all pods can communicate with each other. + enum: + - Admin + - Baseline + type: string + required: + - priority + - subject + - tier + type: object + status: + description: Status is the status to be reported by the implementation. + properties: + conditions: + items: + description: + Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + required: + - conditions + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/pkg/crds/enterprise/01-crd-eck-agent.yaml b/pkg/crds/enterprise/01-crd-eck-agent.yaml deleted file mode 100644 index cb6ce8b034..0000000000 --- a/pkg/crds/enterprise/01-crd-eck-agent.yaml +++ /dev/null @@ -1,1090 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.5 - helm.sh/resource-policy: keep - labels: - app.kubernetes.io/instance: 'elastic-operator' - app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '2.16.0' - name: agents.agent.k8s.elastic.co -spec: - group: agent.k8s.elastic.co - names: - categories: - - elastic - kind: Agent - listKind: AgentList - plural: agents - shortNames: - - agent - singular: agent - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.health - name: health - type: string - - description: Available nodes - jsonPath: .status.availableNodes - name: available - type: integer - - description: Expected nodes - jsonPath: .status.expectedNodes - name: expected - type: integer - - description: Agent version - jsonPath: .status.version - name: version - type: string - - jsonPath: .metadata.creationTimestamp - name: age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: Agent is the Schema for the Agents API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: AgentSpec defines the desired state of the Agent - properties: - config: - description: Config holds the Agent configuration. At most one of [`Config`, `ConfigRef`] can be specified. - type: object - x-kubernetes-preserve-unknown-fields: true - configRef: - description: |- - ConfigRef contains a reference to an existing Kubernetes Secret holding the Agent configuration. - Agent settings must be specified as yaml, under a single "agent.yml" entry. At most one of [`Config`, `ConfigRef`] - can be specified. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - daemonSet: - description: |- - DaemonSet specifies the Agent should be deployed as a DaemonSet, and allows providing its spec. - Cannot be used along with `deployment` or `statefulSet`. - properties: - podTemplate: - description: PodTemplateSpec describes the data a pod should have when created from a template - type: object - x-kubernetes-preserve-unknown-fields: true - updateStrategy: - description: DaemonSetUpdateStrategy is a struct used to control the update strategy for a DaemonSet. - properties: - rollingUpdate: - description: Rolling update config params. Present only if type = "RollingUpdate". - properties: - maxSurge: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of nodes with an existing available DaemonSet pod that - can have an updated DaemonSet pod during during an update. - Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). - This can not be 0 if MaxUnavailable is 0. - Absolute number is calculated from percentage by rounding up to a minimum of 1. - Default value is 0. - Example: when this is set to 30%, at most 30% of the total number of nodes - that should be running the daemon pod (i.e. status.desiredNumberScheduled) - can have their a new pod created before the old pod is marked as deleted. - The update starts by launching new pods on 30% of nodes. Once an updated - pod is available (Ready for at least minReadySeconds) the old DaemonSet pod - on that node is marked deleted. If the old pod becomes unavailable for any - reason (Ready transitions to false, is evicted, or is drained) an updated - pod is immediatedly created on that node without considering surge limits. - Allowing surge implies the possibility that the resources consumed by the - daemonset on any given node can double if the readiness check fails, and - so resource intensive daemonsets should take into account that they may - cause evictions during disruption. - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of DaemonSet pods that can be unavailable during the - update. Value can be an absolute number (ex: 5) or a percentage of total - number of DaemonSet pods at the start of the update (ex: 10%). Absolute - number is calculated from percentage by rounding up. - This cannot be 0 if MaxSurge is 0 - Default value is 1. - Example: when this is set to 30%, at most 30% of the total number of nodes - that should be running the daemon pod (i.e. status.desiredNumberScheduled) - can have their pods stopped for an update at any given time. The update - starts by stopping at most 30% of those DaemonSet pods and then brings - up new DaemonSet pods in their place. Once the new pods are available, - it then proceeds onto other DaemonSet pods, thus ensuring that at least - 70% of original number of DaemonSet pods are available at all times during - the update. - x-kubernetes-int-or-string: true - type: object - type: - description: Type of daemon set update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate. - type: string - type: object - type: object - deployment: - description: |- - Deployment specifies the Agent should be deployed as a Deployment, and allows providing its spec. - Cannot be used along with `daemonSet` or `statefulSet`. - properties: - podTemplate: - description: PodTemplateSpec describes the data a pod should have when created from a template - type: object - x-kubernetes-preserve-unknown-fields: true - replicas: - format: int32 - type: integer - strategy: - description: DeploymentStrategy describes how to replace existing pods with new ones. - properties: - rollingUpdate: - description: |- - Rolling update config params. Present only if DeploymentStrategyType = - RollingUpdate. - properties: - maxSurge: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of pods that can be scheduled above the desired number of - pods. - Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). - This can not be 0 if MaxUnavailable is 0. - Absolute number is calculated from percentage by rounding up. - Defaults to 25%. - Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when - the rolling update starts, such that the total number of old and new pods do not exceed - 130% of desired pods. Once old pods have been killed, - new ReplicaSet can be scaled up further, ensuring that total number of pods running - at any time during the update is at most 130% of desired pods. - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of pods that can be unavailable during the update. - Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). - Absolute number is calculated from percentage by rounding down. - This can not be 0 if MaxSurge is 0. - Defaults to 25%. - Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods - immediately when the rolling update starts. Once new pods are ready, old ReplicaSet - can be scaled down further, followed by scaling up the new ReplicaSet, ensuring - that the total number of pods available at all times during the update is at - least 70% of desired pods. - x-kubernetes-int-or-string: true - type: object - type: - description: Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate. - type: string - type: object - type: object - elasticsearchRefs: - description: |- - ElasticsearchRefs is a reference to a list of Elasticsearch clusters running in the same Kubernetes cluster. - Due to existing limitations, only a single ES cluster is currently supported. - items: - properties: - name: - description: Name of an existing Kubernetes object corresponding to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults to the current namespace. - type: string - outputName: - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - type: array - fleetServerEnabled: - description: FleetServerEnabled determines whether this Agent will launch Fleet Server. Don't set unless `mode` is set to `fleet`. - type: boolean - fleetServerRef: - description: |- - FleetServerRef is a reference to Fleet Server that this Agent should connect to to obtain it's configuration. - Don't set unless `mode` is set to `fleet`. - properties: - name: - description: Name of an existing Kubernetes object corresponding to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - http: - description: HTTP holds the HTTP layer configuration for the Agent in Fleet mode with Fleet Server enabled. - properties: - service: - description: Service defines the template for the associated Kubernetes Service object. - properties: - metadata: - description: |- - ObjectMeta is the metadata of the service. - The name and namespace provided here are managed by ECK and will be ignored. - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: Spec is the specification of the service. - properties: - allocateLoadBalancerNodePorts: - description: |- - allocateLoadBalancerNodePorts defines if NodePorts will be automatically - allocated for services with type LoadBalancer. Default is "true". It - may be set to "false" if the cluster load-balancer does not rely on - NodePorts. If the caller requests specific NodePorts (by specifying a - value), those requests will be respected, regardless of this field. - This field may only be set for services with type LoadBalancer and will - be cleared if the type is changed to any other type. - type: boolean - clusterIP: - description: |- - clusterIP is the IP address of the service and is usually assigned - randomly. If an address is specified manually, is in-range (as per - system configuration), and is not in use, it will be allocated to the - service; otherwise creation of the service will fail. This field may not - be changed through updates unless the type field is also being changed - to ExternalName (which requires this field to be blank) or the type - field is being changed from ExternalName (in which case this field may - optionally be specified, as describe above). Valid values are "None", - empty string (""), or a valid IP address. Setting this to "None" makes a - "headless service" (no virtual IP), which is useful when direct endpoint - connections are preferred and proxying is not required. Only applies to - types ClusterIP, NodePort, and LoadBalancer. If this field is specified - when creating a Service of type ExternalName, creation will fail. This - field will be wiped when updating a Service to type ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - clusterIPs: - description: |- - ClusterIPs is a list of IP addresses assigned to this service, and are - usually assigned randomly. If an address is specified manually, is - in-range (as per system configuration), and is not in use, it will be - allocated to the service; otherwise creation of the service will fail. - This field may not be changed through updates unless the type field is - also being changed to ExternalName (which requires this field to be - empty) or the type field is being changed from ExternalName (in which - case this field may optionally be specified, as describe above). Valid - values are "None", empty string (""), or a valid IP address. Setting - this to "None" makes a "headless service" (no virtual IP), which is - useful when direct endpoint connections are preferred and proxying is - not required. Only applies to types ClusterIP, NodePort, and - LoadBalancer. If this field is specified when creating a Service of type - ExternalName, creation will fail. This field will be wiped when updating - a Service to type ExternalName. If this field is not specified, it will - be initialized from the clusterIP field. If this field is specified, - clients must ensure that clusterIPs[0] and clusterIP have the same - value. - - This field may hold a maximum of two entries (dual-stack IPs, in either order). - These IPs must correspond to the values of the ipFamilies field. Both - clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalIPs: - description: |- - externalIPs is a list of IP addresses for which nodes in the cluster - will also accept traffic for this service. These IPs are not managed by - Kubernetes. The user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external load-balancers - that are not part of the Kubernetes system. - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalName: - description: |- - externalName is the external reference that discovery mechanisms will - return as an alias for this service (e.g. a DNS CNAME record). No - proxying will be involved. Must be a lowercase RFC-1123 hostname - (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName". - type: string - externalTrafficPolicy: - description: |- - externalTrafficPolicy describes how nodes distribute service traffic they - receive on one of the Service's "externally-facing" addresses (NodePorts, - ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure - the service in a way that assumes that external load balancers will take care - of balancing the service traffic between nodes, and so each node will deliver - traffic only to the node-local endpoints of the service, without masquerading - the client source IP. (Traffic mistakenly sent to a node with no endpoints will - be dropped.) The default value, "Cluster", uses the standard behavior of - routing to all endpoints evenly (possibly modified by topology and other - features). Note that traffic sent to an External IP or LoadBalancer IP from - within the cluster will always get "Cluster" semantics, but clients sending to - a NodePort from within the cluster may need to take traffic policy into account - when picking a node. - type: string - healthCheckNodePort: - description: |- - healthCheckNodePort specifies the healthcheck nodePort for the service. - This only applies when type is set to LoadBalancer and - externalTrafficPolicy is set to Local. If a value is specified, is - in-range, and is not in use, it will be used. If not specified, a value - will be automatically allocated. External systems (e.g. load-balancers) - can use this port to determine if a given node holds endpoints for this - service or not. If this field is specified when creating a Service - which does not need it, creation will fail. This field will be wiped - when updating a Service to no longer need it (e.g. changing type). - This field cannot be updated once set. - format: int32 - type: integer - internalTrafficPolicy: - description: |- - InternalTrafficPolicy describes how nodes distribute service traffic they - receive on the ClusterIP. If set to "Local", the proxy will assume that pods - only want to talk to endpoints of the service on the same node as the pod, - dropping the traffic if there are no local endpoints. The default value, - "Cluster", uses the standard behavior of routing to all endpoints evenly - (possibly modified by topology and other features). - type: string - ipFamilies: - description: |- - IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this - service. This field is usually assigned automatically based on cluster - configuration and the ipFamilyPolicy field. If this field is specified - manually, the requested family is available in the cluster, - and ipFamilyPolicy allows it, it will be used; otherwise creation of - the service will fail. This field is conditionally mutable: it allows - for adding or removing a secondary IP family, but it does not allow - changing the primary IP family of the Service. Valid values are "IPv4" - and "IPv6". This field only applies to Services of types ClusterIP, - NodePort, and LoadBalancer, and does apply to "headless" services. - This field will be wiped when updating a Service to type ExternalName. - - This field may hold a maximum of two entries (dual-stack families, in - either order). These families must correspond to the values of the - clusterIPs field, if specified. Both clusterIPs and ipFamilies are - governed by the ipFamilyPolicy field. - items: - description: |- - IPFamily represents the IP Family (IPv4 or IPv6). This type is used - to express the family of an IP expressed by a type (e.g. service.spec.ipFamilies). - type: string - type: array - x-kubernetes-list-type: atomic - ipFamilyPolicy: - description: |- - IPFamilyPolicy represents the dual-stack-ness requested or required by - this Service. If there is no value provided, then this field will be set - to SingleStack. Services can be "SingleStack" (a single IP family), - "PreferDualStack" (two IP families on dual-stack configured clusters or - a single IP family on single-stack clusters), or "RequireDualStack" - (two IP families on dual-stack configured clusters, otherwise fail). The - ipFamilies and clusterIPs fields depend on the value of this field. This - field will be wiped when updating a service to type ExternalName. - type: string - loadBalancerClass: - description: |- - loadBalancerClass is the class of the load balancer implementation this Service belongs to. - If specified, the value of this field must be a label-style identifier, with an optional prefix, - e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. - This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load - balancer implementation is used, today this is typically done through the cloud provider integration, - but should apply for any default implementation. If set, it is assumed that a load balancer - implementation is watching for Services with a matching class. Any default load balancer - implementation (e.g. cloud providers) should ignore Services that set this field. - This field can only be set when creating or updating a Service to type 'LoadBalancer'. - Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. - type: string - loadBalancerIP: - description: |- - Only applies to Service Type: LoadBalancer. - This feature depends on whether the underlying cloud-provider supports specifying - the loadBalancerIP when a load balancer is created. - This field will be ignored if the cloud-provider does not support the feature. - Deprecated: This field was under-specified and its meaning varies across implementations. - Using it is non-portable and it may not support dual-stack. - Users are encouraged to use implementation-specific annotations when available. - type: string - loadBalancerSourceRanges: - description: |- - If specified and supported by the platform, this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client IPs. This field will be ignored if the - cloud-provider does not support the feature." - More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ - items: - type: string - type: array - x-kubernetes-list-type: atomic - ports: - description: |- - The list of ports that are exposed by this service. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - description: ServicePort contains information on service's port. - properties: - appProtocol: - description: |- - The application protocol for this port. - This is used as a hint for implementations to offer richer behavior for protocols that they understand. - This field follows standard Kubernetes label syntax. - Valid values are either: - - * Un-prefixed protocol names - reserved for IANA standard service names (as per - RFC-6335 and https://www.iana.org/assignments/service-names). - - * Kubernetes-defined prefixed names: - * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- - * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 - * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 - - * Other protocols should use implementation-defined prefixed names such as - mycompany.com/my-custom-protocol. - type: string - name: - description: |- - The name of this port within the service. This must be a DNS_LABEL. - All ports within a ServiceSpec must have unique names. When considering - the endpoints for a Service, this must match the 'name' field in the - EndpointPort. - Optional if only one ServicePort is defined on this service. - type: string - nodePort: - description: |- - The port on each node on which this service is exposed when type is - NodePort or LoadBalancer. Usually assigned by the system. If a value is - specified, in-range, and not in use it will be used, otherwise the - operation will fail. If not specified, a port will be allocated if this - Service requires one. If this field is specified when creating a - Service which does not need it, creation will fail. This field will be - wiped when updating a Service to no longer need it (e.g. changing type - from NodePort to ClusterIP). - More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - format: int32 - type: integer - port: - description: The port that will be exposed by this service. - format: int32 - type: integer - protocol: - default: TCP - description: |- - The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". - Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the pods targeted by the service. - Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named port in the - target Pod's container ports. If this is not specified, the value - of the 'port' field is used (an identity map). - This field is ignored for services with clusterIP=None, and should be - omitted or set equal to the 'port' field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - x-kubernetes-list-map-keys: - - port - - protocol - x-kubernetes-list-type: map - publishNotReadyAddresses: - description: |- - publishNotReadyAddresses indicates that any agent which deals with endpoints for this - Service should disregard any indications of ready/not-ready. - The primary use case for setting this field is for a StatefulSet's Headless Service to - propagate SRV DNS records for its Pods for the purpose of peer discovery. - The Kubernetes controllers that generate Endpoints and EndpointSlice resources for - Services interpret this to mean that all endpoints are considered "ready" even if the - Pods themselves are not. Agents which consume only Kubernetes generated endpoints - through the Endpoints or EndpointSlice resources can safely assume this behavior. - type: boolean - selector: - additionalProperties: - type: string - description: |- - Route service traffic to pods with label keys and values matching this - selector. If empty or not present, the service is assumed to have an - external process managing its endpoints, which Kubernetes will not - modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/ - type: object - x-kubernetes-map-type: atomic - sessionAffinity: - description: |- - Supports "ClientIP" and "None". Used to maintain session affinity. - Enable client IP based session affinity. - Must be ClientIP or None. - Defaults to None. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations of session affinity. - properties: - clientIP: - description: clientIP contains the configurations of Client IP based session affinity. - properties: - timeoutSeconds: - description: |- - timeoutSeconds specifies the seconds of ClientIP type session sticky time. - The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". - Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - trafficDistribution: - description: |- - TrafficDistribution offers a way to express preferences for how traffic is - distributed to Service endpoints. Implementations can use this field as a - hint, but are not required to guarantee strict adherence. If the field is - not set, the implementation will apply its default routing strategy. If set - to "PreferClose", implementations should prioritize endpoints that are - topologically close (e.g., same zone). - This is an alpha field and requires enabling ServiceTrafficDistribution feature. - type: string - type: - description: |- - type determines how the Service is exposed. Defaults to ClusterIP. Valid - options are ExternalName, ClusterIP, NodePort, and LoadBalancer. - "ClusterIP" allocates a cluster-internal IP address for load-balancing - to endpoints. Endpoints are determined by the selector or if that is not - specified, by manual construction of an Endpoints object or - EndpointSlice objects. If clusterIP is "None", no virtual IP is - allocated and the endpoints are published as a set of endpoints rather - than a virtual IP. - "NodePort" builds on ClusterIP and allocates a port on every node which - routes to the same endpoints as the clusterIP. - "LoadBalancer" builds on NodePort and creates an external load-balancer - (if supported in the current cloud) which routes to the same endpoints - as the clusterIP. - "ExternalName" aliases this service to the specified externalName. - Several other fields do not apply to ExternalName services. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. - properties: - certificate: - description: |- - Certificate is a reference to a Kubernetes secret that contains the certificate and private key for enabling TLS. - The referenced secret should contain the following: - - - `ca.crt`: The certificate authority (optional). - - `tls.crt`: The certificate (or a chain). - - `tls.key`: The private key to the first certificate in the certificate chain. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the self-signed certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning of the self-signed certifcate should be disabled. - type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs to include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN entry in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. - type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - image: - description: Image is the Agent Docker image to deploy. Version has to match the Agent in the image. - type: string - kibanaRef: - description: |- - KibanaRef is a reference to Kibana where Fleet should be set up and this Agent should be enrolled. Don't set - unless `mode` is set to `fleet`. - properties: - name: - description: Name of an existing Kubernetes object corresponding to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - mode: - description: |- - Mode specifies the source of configuration for the Agent. The configuration can be specified locally through - `config` or `configRef` (`standalone` mode), or come from Fleet during runtime (`fleet` mode). - Defaults to `standalone` mode. - enum: - - standalone - - fleet - type: string - policyID: - description: |- - PolicyID determines into which Agent Policy this Agent will be enrolled. - This field will become mandatory in a future release, default policies are deprecated since 8.1.0. - type: string - revisionHistoryLimit: - description: RevisionHistoryLimit is the number of revisions to retain to allow rollback in the underlying DaemonSet or Deployment or StatefulSet. - format: int32 - type: integer - secureSettings: - description: |- - SecureSettings is a list of references to Kubernetes Secrets containing sensitive configuration options for the Agent. - Secrets data can be then referenced in the Agent config using the Secret's keys or as specified in `Entries` field of - each SecureSetting. - items: - description: SecretSource defines a data source based on a Kubernetes Secret. - properties: - entries: - description: |- - Entries define how to project each key-value pair in the secret to filesystem paths. - If not defined, all keys will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: |- - Path is the relative file path to map the key to. - Path must not be an absolute file path and must not contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. - type: string - required: - - secretName - type: object - type: array - serviceAccountName: - description: |- - ServiceAccountName is used to check access from the current resource to an Elasticsearch resource in a different namespace. - Can only be used if ECK is enforcing RBAC on references. - type: string - statefulSet: - description: |- - StatefulSet specifies the Agent should be deployed as a StatefulSet, and allows providing its spec. - Cannot be used along with `daemonSet` or `deployment`. - properties: - podManagementPolicy: - default: Parallel - description: |- - PodManagementPolicy controls how pods are created during initial scale up, - when replacing pods on nodes, or when scaling down. The default policy is - `Parallel`, where pods are created in parallel to match the desired scale - without waiting, and on scale down will delete all pods at once. - The alternative policy is `OrderedReady`, the default for vanilla kubernetes - StatefulSets, where pods are created in increasing order in increasing order - (pod-0, then pod-1, etc.) and the controller will wait until each pod is ready before - continuing. When scaling down, the pods are removed in the opposite order. - enum: - - OrderedReady - - Parallel - type: string - podTemplate: - description: PodTemplateSpec describes the data a pod should have when created from a template - type: object - x-kubernetes-preserve-unknown-fields: true - replicas: - format: int32 - type: integer - serviceName: - type: string - volumeClaimTemplates: - description: |- - VolumeClaimTemplates is a list of persistent volume claims to be used by each Pod. - Every claim in this list must have a matching volumeMount in one of the containers defined in the PodTemplate. - Items defined here take precedence over any default claims added by the operator with the same name. - items: - description: PersistentVolumeClaim is a user's request for and claim to a persistent volume - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - description: |- - Standard object's metadata. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: |- - spec defines the desired characteristics of a volume requested by a pod author. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over volumes to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass - will be applied to the claim but it's not allowed to reset this field to empty string once it is set. - If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass - will be set by the persistentvolume controller if it exists. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference to the PersistentVolume backing this claim. - type: string - type: object - type: object - type: array - type: object - version: - description: Version of the Agent. - type: string - required: - - version - type: object - status: - description: AgentStatus defines the observed state of the Agent - properties: - availableNodes: - format: int32 - type: integer - elasticsearchAssociationsStatus: - additionalProperties: - description: AssociationStatus is the status of an association resource. - type: string - description: |- - AssociationStatusMap is the map of association's namespaced name string to its AssociationStatus. For resources that - have a single Association of a given type (for ex. single ES reference), this map contains a single entry. - type: object - expectedNodes: - format: int32 - type: integer - fleetServerAssociationStatus: - description: AssociationStatus is the status of an association resource. - type: string - health: - type: string - kibanaAssociationStatus: - description: AssociationStatus is the status of an association resource. - type: string - observedGeneration: - description: |- - ObservedGeneration is the most recent generation observed for this Elastic Agent. - It corresponds to the metadata generation, which is updated on mutation by the API Server. - If the generation observed in status diverges from the generation in metadata, the Elastic - Agent controller has not yet processed the changes contained in the Elastic Agent specification. - format: int64 - type: integer - version: - description: |- - Version of the stack resource currently running. During version upgrades, multiple versions may run - in parallel: this value specifies the lowest version currently running. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/pkg/crds/enterprise/01-crd-eck-apmserver.yaml b/pkg/crds/enterprise/01-crd-eck-apmserver.yaml deleted file mode 100644 index 1a4043f3c0..0000000000 --- a/pkg/crds/enterprise/01-crd-eck-apmserver.yaml +++ /dev/null @@ -1,1182 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.5 - helm.sh/resource-policy: keep - labels: - app.kubernetes.io/instance: 'elastic-operator' - app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '2.16.0' - name: apmservers.apm.k8s.elastic.co -spec: - group: apm.k8s.elastic.co - names: - categories: - - elastic - kind: ApmServer - listKind: ApmServerList - plural: apmservers - shortNames: - - apm - singular: apmserver - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.health - name: health - type: string - - description: Available nodes - jsonPath: .status.availableNodes - name: nodes - type: integer - - description: APM version - jsonPath: .status.version - name: version - type: string - - jsonPath: .metadata.creationTimestamp - name: age - type: date - name: v1 - schema: - openAPIV3Schema: - description: ApmServer represents an APM Server resource in a Kubernetes cluster. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ApmServerSpec holds the specification of an APM Server. - properties: - config: - description: 'Config holds the APM Server configuration. See: https://www.elastic.co/guide/en/apm/server/current/configuring-howto-apm-server.html' - type: object - x-kubernetes-preserve-unknown-fields: true - count: - description: Count of APM Server instances to deploy. - format: int32 - type: integer - elasticsearchRef: - description: ElasticsearchRef is a reference to the output Elasticsearch cluster running in the same Kubernetes cluster. - properties: - name: - description: Name of an existing Kubernetes object corresponding to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - http: - description: HTTP holds the HTTP layer configuration for the APM Server resource. - properties: - service: - description: Service defines the template for the associated Kubernetes Service object. - properties: - metadata: - description: |- - ObjectMeta is the metadata of the service. - The name and namespace provided here are managed by ECK and will be ignored. - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: Spec is the specification of the service. - properties: - allocateLoadBalancerNodePorts: - description: |- - allocateLoadBalancerNodePorts defines if NodePorts will be automatically - allocated for services with type LoadBalancer. Default is "true". It - may be set to "false" if the cluster load-balancer does not rely on - NodePorts. If the caller requests specific NodePorts (by specifying a - value), those requests will be respected, regardless of this field. - This field may only be set for services with type LoadBalancer and will - be cleared if the type is changed to any other type. - type: boolean - clusterIP: - description: |- - clusterIP is the IP address of the service and is usually assigned - randomly. If an address is specified manually, is in-range (as per - system configuration), and is not in use, it will be allocated to the - service; otherwise creation of the service will fail. This field may not - be changed through updates unless the type field is also being changed - to ExternalName (which requires this field to be blank) or the type - field is being changed from ExternalName (in which case this field may - optionally be specified, as describe above). Valid values are "None", - empty string (""), or a valid IP address. Setting this to "None" makes a - "headless service" (no virtual IP), which is useful when direct endpoint - connections are preferred and proxying is not required. Only applies to - types ClusterIP, NodePort, and LoadBalancer. If this field is specified - when creating a Service of type ExternalName, creation will fail. This - field will be wiped when updating a Service to type ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - clusterIPs: - description: |- - ClusterIPs is a list of IP addresses assigned to this service, and are - usually assigned randomly. If an address is specified manually, is - in-range (as per system configuration), and is not in use, it will be - allocated to the service; otherwise creation of the service will fail. - This field may not be changed through updates unless the type field is - also being changed to ExternalName (which requires this field to be - empty) or the type field is being changed from ExternalName (in which - case this field may optionally be specified, as describe above). Valid - values are "None", empty string (""), or a valid IP address. Setting - this to "None" makes a "headless service" (no virtual IP), which is - useful when direct endpoint connections are preferred and proxying is - not required. Only applies to types ClusterIP, NodePort, and - LoadBalancer. If this field is specified when creating a Service of type - ExternalName, creation will fail. This field will be wiped when updating - a Service to type ExternalName. If this field is not specified, it will - be initialized from the clusterIP field. If this field is specified, - clients must ensure that clusterIPs[0] and clusterIP have the same - value. - - This field may hold a maximum of two entries (dual-stack IPs, in either order). - These IPs must correspond to the values of the ipFamilies field. Both - clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalIPs: - description: |- - externalIPs is a list of IP addresses for which nodes in the cluster - will also accept traffic for this service. These IPs are not managed by - Kubernetes. The user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external load-balancers - that are not part of the Kubernetes system. - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalName: - description: |- - externalName is the external reference that discovery mechanisms will - return as an alias for this service (e.g. a DNS CNAME record). No - proxying will be involved. Must be a lowercase RFC-1123 hostname - (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName". - type: string - externalTrafficPolicy: - description: |- - externalTrafficPolicy describes how nodes distribute service traffic they - receive on one of the Service's "externally-facing" addresses (NodePorts, - ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure - the service in a way that assumes that external load balancers will take care - of balancing the service traffic between nodes, and so each node will deliver - traffic only to the node-local endpoints of the service, without masquerading - the client source IP. (Traffic mistakenly sent to a node with no endpoints will - be dropped.) The default value, "Cluster", uses the standard behavior of - routing to all endpoints evenly (possibly modified by topology and other - features). Note that traffic sent to an External IP or LoadBalancer IP from - within the cluster will always get "Cluster" semantics, but clients sending to - a NodePort from within the cluster may need to take traffic policy into account - when picking a node. - type: string - healthCheckNodePort: - description: |- - healthCheckNodePort specifies the healthcheck nodePort for the service. - This only applies when type is set to LoadBalancer and - externalTrafficPolicy is set to Local. If a value is specified, is - in-range, and is not in use, it will be used. If not specified, a value - will be automatically allocated. External systems (e.g. load-balancers) - can use this port to determine if a given node holds endpoints for this - service or not. If this field is specified when creating a Service - which does not need it, creation will fail. This field will be wiped - when updating a Service to no longer need it (e.g. changing type). - This field cannot be updated once set. - format: int32 - type: integer - internalTrafficPolicy: - description: |- - InternalTrafficPolicy describes how nodes distribute service traffic they - receive on the ClusterIP. If set to "Local", the proxy will assume that pods - only want to talk to endpoints of the service on the same node as the pod, - dropping the traffic if there are no local endpoints. The default value, - "Cluster", uses the standard behavior of routing to all endpoints evenly - (possibly modified by topology and other features). - type: string - ipFamilies: - description: |- - IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this - service. This field is usually assigned automatically based on cluster - configuration and the ipFamilyPolicy field. If this field is specified - manually, the requested family is available in the cluster, - and ipFamilyPolicy allows it, it will be used; otherwise creation of - the service will fail. This field is conditionally mutable: it allows - for adding or removing a secondary IP family, but it does not allow - changing the primary IP family of the Service. Valid values are "IPv4" - and "IPv6". This field only applies to Services of types ClusterIP, - NodePort, and LoadBalancer, and does apply to "headless" services. - This field will be wiped when updating a Service to type ExternalName. - - This field may hold a maximum of two entries (dual-stack families, in - either order). These families must correspond to the values of the - clusterIPs field, if specified. Both clusterIPs and ipFamilies are - governed by the ipFamilyPolicy field. - items: - description: |- - IPFamily represents the IP Family (IPv4 or IPv6). This type is used - to express the family of an IP expressed by a type (e.g. service.spec.ipFamilies). - type: string - type: array - x-kubernetes-list-type: atomic - ipFamilyPolicy: - description: |- - IPFamilyPolicy represents the dual-stack-ness requested or required by - this Service. If there is no value provided, then this field will be set - to SingleStack. Services can be "SingleStack" (a single IP family), - "PreferDualStack" (two IP families on dual-stack configured clusters or - a single IP family on single-stack clusters), or "RequireDualStack" - (two IP families on dual-stack configured clusters, otherwise fail). The - ipFamilies and clusterIPs fields depend on the value of this field. This - field will be wiped when updating a service to type ExternalName. - type: string - loadBalancerClass: - description: |- - loadBalancerClass is the class of the load balancer implementation this Service belongs to. - If specified, the value of this field must be a label-style identifier, with an optional prefix, - e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. - This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load - balancer implementation is used, today this is typically done through the cloud provider integration, - but should apply for any default implementation. If set, it is assumed that a load balancer - implementation is watching for Services with a matching class. Any default load balancer - implementation (e.g. cloud providers) should ignore Services that set this field. - This field can only be set when creating or updating a Service to type 'LoadBalancer'. - Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. - type: string - loadBalancerIP: - description: |- - Only applies to Service Type: LoadBalancer. - This feature depends on whether the underlying cloud-provider supports specifying - the loadBalancerIP when a load balancer is created. - This field will be ignored if the cloud-provider does not support the feature. - Deprecated: This field was under-specified and its meaning varies across implementations. - Using it is non-portable and it may not support dual-stack. - Users are encouraged to use implementation-specific annotations when available. - type: string - loadBalancerSourceRanges: - description: |- - If specified and supported by the platform, this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client IPs. This field will be ignored if the - cloud-provider does not support the feature." - More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ - items: - type: string - type: array - x-kubernetes-list-type: atomic - ports: - description: |- - The list of ports that are exposed by this service. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - description: ServicePort contains information on service's port. - properties: - appProtocol: - description: |- - The application protocol for this port. - This is used as a hint for implementations to offer richer behavior for protocols that they understand. - This field follows standard Kubernetes label syntax. - Valid values are either: - - * Un-prefixed protocol names - reserved for IANA standard service names (as per - RFC-6335 and https://www.iana.org/assignments/service-names). - - * Kubernetes-defined prefixed names: - * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- - * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 - * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 - - * Other protocols should use implementation-defined prefixed names such as - mycompany.com/my-custom-protocol. - type: string - name: - description: |- - The name of this port within the service. This must be a DNS_LABEL. - All ports within a ServiceSpec must have unique names. When considering - the endpoints for a Service, this must match the 'name' field in the - EndpointPort. - Optional if only one ServicePort is defined on this service. - type: string - nodePort: - description: |- - The port on each node on which this service is exposed when type is - NodePort or LoadBalancer. Usually assigned by the system. If a value is - specified, in-range, and not in use it will be used, otherwise the - operation will fail. If not specified, a port will be allocated if this - Service requires one. If this field is specified when creating a - Service which does not need it, creation will fail. This field will be - wiped when updating a Service to no longer need it (e.g. changing type - from NodePort to ClusterIP). - More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - format: int32 - type: integer - port: - description: The port that will be exposed by this service. - format: int32 - type: integer - protocol: - default: TCP - description: |- - The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". - Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the pods targeted by the service. - Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named port in the - target Pod's container ports. If this is not specified, the value - of the 'port' field is used (an identity map). - This field is ignored for services with clusterIP=None, and should be - omitted or set equal to the 'port' field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - x-kubernetes-list-map-keys: - - port - - protocol - x-kubernetes-list-type: map - publishNotReadyAddresses: - description: |- - publishNotReadyAddresses indicates that any agent which deals with endpoints for this - Service should disregard any indications of ready/not-ready. - The primary use case for setting this field is for a StatefulSet's Headless Service to - propagate SRV DNS records for its Pods for the purpose of peer discovery. - The Kubernetes controllers that generate Endpoints and EndpointSlice resources for - Services interpret this to mean that all endpoints are considered "ready" even if the - Pods themselves are not. Agents which consume only Kubernetes generated endpoints - through the Endpoints or EndpointSlice resources can safely assume this behavior. - type: boolean - selector: - additionalProperties: - type: string - description: |- - Route service traffic to pods with label keys and values matching this - selector. If empty or not present, the service is assumed to have an - external process managing its endpoints, which Kubernetes will not - modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/ - type: object - x-kubernetes-map-type: atomic - sessionAffinity: - description: |- - Supports "ClientIP" and "None". Used to maintain session affinity. - Enable client IP based session affinity. - Must be ClientIP or None. - Defaults to None. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations of session affinity. - properties: - clientIP: - description: clientIP contains the configurations of Client IP based session affinity. - properties: - timeoutSeconds: - description: |- - timeoutSeconds specifies the seconds of ClientIP type session sticky time. - The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". - Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - trafficDistribution: - description: |- - TrafficDistribution offers a way to express preferences for how traffic is - distributed to Service endpoints. Implementations can use this field as a - hint, but are not required to guarantee strict adherence. If the field is - not set, the implementation will apply its default routing strategy. If set - to "PreferClose", implementations should prioritize endpoints that are - topologically close (e.g., same zone). - This is an alpha field and requires enabling ServiceTrafficDistribution feature. - type: string - type: - description: |- - type determines how the Service is exposed. Defaults to ClusterIP. Valid - options are ExternalName, ClusterIP, NodePort, and LoadBalancer. - "ClusterIP" allocates a cluster-internal IP address for load-balancing - to endpoints. Endpoints are determined by the selector or if that is not - specified, by manual construction of an Endpoints object or - EndpointSlice objects. If clusterIP is "None", no virtual IP is - allocated and the endpoints are published as a set of endpoints rather - than a virtual IP. - "NodePort" builds on ClusterIP and allocates a port on every node which - routes to the same endpoints as the clusterIP. - "LoadBalancer" builds on NodePort and creates an external load-balancer - (if supported in the current cloud) which routes to the same endpoints - as the clusterIP. - "ExternalName" aliases this service to the specified externalName. - Several other fields do not apply to ExternalName services. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. - properties: - certificate: - description: |- - Certificate is a reference to a Kubernetes secret that contains the certificate and private key for enabling TLS. - The referenced secret should contain the following: - - - `ca.crt`: The certificate authority (optional). - - `tls.crt`: The certificate (or a chain). - - `tls.key`: The private key to the first certificate in the certificate chain. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the self-signed certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning of the self-signed certifcate should be disabled. - type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs to include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN entry in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. - type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - image: - description: Image is the APM Server Docker image to deploy. - type: string - kibanaRef: - description: |- - KibanaRef is a reference to a Kibana instance running in the same Kubernetes cluster. - It allows APM agent central configuration management in Kibana. - properties: - name: - description: Name of an existing Kubernetes object corresponding to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - podTemplate: - description: PodTemplate provides customisation options (labels, annotations, affinity rules, resource requests, and so on) for the APM Server pods. - type: object - x-kubernetes-preserve-unknown-fields: true - revisionHistoryLimit: - description: RevisionHistoryLimit is the number of revisions to retain to allow rollback in the underlying Deployment. - format: int32 - type: integer - secureSettings: - description: SecureSettings is a list of references to Kubernetes secrets containing sensitive configuration options for APM Server. - items: - description: SecretSource defines a data source based on a Kubernetes Secret. - properties: - entries: - description: |- - Entries define how to project each key-value pair in the secret to filesystem paths. - If not defined, all keys will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: |- - Path is the relative file path to map the key to. - Path must not be an absolute file path and must not contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. - type: string - required: - - secretName - type: object - type: array - serviceAccountName: - description: |- - ServiceAccountName is used to check access from the current resource to a resource (for ex. Elasticsearch) in a different namespace. - Can only be used if ECK is enforcing RBAC on references. - type: string - version: - description: Version of the APM Server. - type: string - required: - - version - type: object - status: - description: ApmServerStatus defines the observed state of ApmServer - properties: - availableNodes: - description: AvailableNodes is the number of available replicas in the deployment. - format: int32 - type: integer - count: - description: Count corresponds to Scale.Status.Replicas, which is the actual number of observed instances of the scaled object. - format: int32 - type: integer - elasticsearchAssociationStatus: - description: ElasticsearchAssociationStatus is the status of any auto-linking to Elasticsearch clusters. - type: string - health: - description: Health of the deployment. - type: string - kibanaAssociationStatus: - description: KibanaAssociationStatus is the status of any auto-linking to Kibana. - type: string - observedGeneration: - description: |- - ObservedGeneration represents the .metadata.generation that the status is based upon. - It corresponds to the metadata generation, which is updated on mutation by the API Server. - If the generation observed in status diverges from the generation in metadata, the APM Server - controller has not yet processed the changes contained in the APM Server specification. - format: int64 - type: integer - secretTokenSecret: - description: SecretTokenSecretName is the name of the Secret that contains the secret token - type: string - selector: - description: Selector is the label selector used to find all pods. - type: string - service: - description: ExternalService is the name of the service the agents should connect to. - type: string - version: - description: |- - Version of the stack resource currently running. During version upgrades, multiple versions may run - in parallel: this value specifies the lowest version currently running. - type: string - type: object - type: object - served: true - storage: true - subresources: - scale: - labelSelectorPath: .status.selector - specReplicasPath: .spec.count - statusReplicasPath: .status.count - status: {} - - additionalPrinterColumns: - - jsonPath: .status.health - name: health - type: string - - description: Available nodes - jsonPath: .status.availableNodes - name: nodes - type: integer - - description: APM version - jsonPath: .spec.version - name: version - type: string - - jsonPath: .metadata.creationTimestamp - name: age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: ApmServer represents an APM Server resource in a Kubernetes cluster. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ApmServerSpec holds the specification of an APM Server. - properties: - config: - description: 'Config holds the APM Server configuration. See: https://www.elastic.co/guide/en/apm/server/current/configuring-howto-apm-server.html' - type: object - x-kubernetes-preserve-unknown-fields: true - count: - description: Count of APM Server instances to deploy. - format: int32 - type: integer - elasticsearchRef: - description: ElasticsearchRef is a reference to the output Elasticsearch cluster running in the same Kubernetes cluster. - properties: - name: - description: Name of the Kubernetes object. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults to the current namespace. - type: string - required: - - name - type: object - http: - description: HTTP holds the HTTP layer configuration for the APM Server resource. - properties: - service: - description: Service defines the template for the associated Kubernetes Service object. - properties: - metadata: - description: |- - ObjectMeta is the metadata of the service. - The name and namespace provided here are managed by ECK and will be ignored. - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: Spec is the specification of the service. - properties: - allocateLoadBalancerNodePorts: - description: |- - allocateLoadBalancerNodePorts defines if NodePorts will be automatically - allocated for services with type LoadBalancer. Default is "true". It - may be set to "false" if the cluster load-balancer does not rely on - NodePorts. If the caller requests specific NodePorts (by specifying a - value), those requests will be respected, regardless of this field. - This field may only be set for services with type LoadBalancer and will - be cleared if the type is changed to any other type. - type: boolean - clusterIP: - description: |- - clusterIP is the IP address of the service and is usually assigned - randomly. If an address is specified manually, is in-range (as per - system configuration), and is not in use, it will be allocated to the - service; otherwise creation of the service will fail. This field may not - be changed through updates unless the type field is also being changed - to ExternalName (which requires this field to be blank) or the type - field is being changed from ExternalName (in which case this field may - optionally be specified, as describe above). Valid values are "None", - empty string (""), or a valid IP address. Setting this to "None" makes a - "headless service" (no virtual IP), which is useful when direct endpoint - connections are preferred and proxying is not required. Only applies to - types ClusterIP, NodePort, and LoadBalancer. If this field is specified - when creating a Service of type ExternalName, creation will fail. This - field will be wiped when updating a Service to type ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - clusterIPs: - description: |- - ClusterIPs is a list of IP addresses assigned to this service, and are - usually assigned randomly. If an address is specified manually, is - in-range (as per system configuration), and is not in use, it will be - allocated to the service; otherwise creation of the service will fail. - This field may not be changed through updates unless the type field is - also being changed to ExternalName (which requires this field to be - empty) or the type field is being changed from ExternalName (in which - case this field may optionally be specified, as describe above). Valid - values are "None", empty string (""), or a valid IP address. Setting - this to "None" makes a "headless service" (no virtual IP), which is - useful when direct endpoint connections are preferred and proxying is - not required. Only applies to types ClusterIP, NodePort, and - LoadBalancer. If this field is specified when creating a Service of type - ExternalName, creation will fail. This field will be wiped when updating - a Service to type ExternalName. If this field is not specified, it will - be initialized from the clusterIP field. If this field is specified, - clients must ensure that clusterIPs[0] and clusterIP have the same - value. - - This field may hold a maximum of two entries (dual-stack IPs, in either order). - These IPs must correspond to the values of the ipFamilies field. Both - clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalIPs: - description: |- - externalIPs is a list of IP addresses for which nodes in the cluster - will also accept traffic for this service. These IPs are not managed by - Kubernetes. The user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external load-balancers - that are not part of the Kubernetes system. - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalName: - description: |- - externalName is the external reference that discovery mechanisms will - return as an alias for this service (e.g. a DNS CNAME record). No - proxying will be involved. Must be a lowercase RFC-1123 hostname - (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName". - type: string - externalTrafficPolicy: - description: |- - externalTrafficPolicy describes how nodes distribute service traffic they - receive on one of the Service's "externally-facing" addresses (NodePorts, - ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure - the service in a way that assumes that external load balancers will take care - of balancing the service traffic between nodes, and so each node will deliver - traffic only to the node-local endpoints of the service, without masquerading - the client source IP. (Traffic mistakenly sent to a node with no endpoints will - be dropped.) The default value, "Cluster", uses the standard behavior of - routing to all endpoints evenly (possibly modified by topology and other - features). Note that traffic sent to an External IP or LoadBalancer IP from - within the cluster will always get "Cluster" semantics, but clients sending to - a NodePort from within the cluster may need to take traffic policy into account - when picking a node. - type: string - healthCheckNodePort: - description: |- - healthCheckNodePort specifies the healthcheck nodePort for the service. - This only applies when type is set to LoadBalancer and - externalTrafficPolicy is set to Local. If a value is specified, is - in-range, and is not in use, it will be used. If not specified, a value - will be automatically allocated. External systems (e.g. load-balancers) - can use this port to determine if a given node holds endpoints for this - service or not. If this field is specified when creating a Service - which does not need it, creation will fail. This field will be wiped - when updating a Service to no longer need it (e.g. changing type). - This field cannot be updated once set. - format: int32 - type: integer - internalTrafficPolicy: - description: |- - InternalTrafficPolicy describes how nodes distribute service traffic they - receive on the ClusterIP. If set to "Local", the proxy will assume that pods - only want to talk to endpoints of the service on the same node as the pod, - dropping the traffic if there are no local endpoints. The default value, - "Cluster", uses the standard behavior of routing to all endpoints evenly - (possibly modified by topology and other features). - type: string - ipFamilies: - description: |- - IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this - service. This field is usually assigned automatically based on cluster - configuration and the ipFamilyPolicy field. If this field is specified - manually, the requested family is available in the cluster, - and ipFamilyPolicy allows it, it will be used; otherwise creation of - the service will fail. This field is conditionally mutable: it allows - for adding or removing a secondary IP family, but it does not allow - changing the primary IP family of the Service. Valid values are "IPv4" - and "IPv6". This field only applies to Services of types ClusterIP, - NodePort, and LoadBalancer, and does apply to "headless" services. - This field will be wiped when updating a Service to type ExternalName. - - This field may hold a maximum of two entries (dual-stack families, in - either order). These families must correspond to the values of the - clusterIPs field, if specified. Both clusterIPs and ipFamilies are - governed by the ipFamilyPolicy field. - items: - description: |- - IPFamily represents the IP Family (IPv4 or IPv6). This type is used - to express the family of an IP expressed by a type (e.g. service.spec.ipFamilies). - type: string - type: array - x-kubernetes-list-type: atomic - ipFamilyPolicy: - description: |- - IPFamilyPolicy represents the dual-stack-ness requested or required by - this Service. If there is no value provided, then this field will be set - to SingleStack. Services can be "SingleStack" (a single IP family), - "PreferDualStack" (two IP families on dual-stack configured clusters or - a single IP family on single-stack clusters), or "RequireDualStack" - (two IP families on dual-stack configured clusters, otherwise fail). The - ipFamilies and clusterIPs fields depend on the value of this field. This - field will be wiped when updating a service to type ExternalName. - type: string - loadBalancerClass: - description: |- - loadBalancerClass is the class of the load balancer implementation this Service belongs to. - If specified, the value of this field must be a label-style identifier, with an optional prefix, - e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. - This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load - balancer implementation is used, today this is typically done through the cloud provider integration, - but should apply for any default implementation. If set, it is assumed that a load balancer - implementation is watching for Services with a matching class. Any default load balancer - implementation (e.g. cloud providers) should ignore Services that set this field. - This field can only be set when creating or updating a Service to type 'LoadBalancer'. - Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. - type: string - loadBalancerIP: - description: |- - Only applies to Service Type: LoadBalancer. - This feature depends on whether the underlying cloud-provider supports specifying - the loadBalancerIP when a load balancer is created. - This field will be ignored if the cloud-provider does not support the feature. - Deprecated: This field was under-specified and its meaning varies across implementations. - Using it is non-portable and it may not support dual-stack. - Users are encouraged to use implementation-specific annotations when available. - type: string - loadBalancerSourceRanges: - description: |- - If specified and supported by the platform, this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client IPs. This field will be ignored if the - cloud-provider does not support the feature." - More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ - items: - type: string - type: array - x-kubernetes-list-type: atomic - ports: - description: |- - The list of ports that are exposed by this service. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - description: ServicePort contains information on service's port. - properties: - appProtocol: - description: |- - The application protocol for this port. - This is used as a hint for implementations to offer richer behavior for protocols that they understand. - This field follows standard Kubernetes label syntax. - Valid values are either: - - * Un-prefixed protocol names - reserved for IANA standard service names (as per - RFC-6335 and https://www.iana.org/assignments/service-names). - - * Kubernetes-defined prefixed names: - * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- - * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 - * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 - - * Other protocols should use implementation-defined prefixed names such as - mycompany.com/my-custom-protocol. - type: string - name: - description: |- - The name of this port within the service. This must be a DNS_LABEL. - All ports within a ServiceSpec must have unique names. When considering - the endpoints for a Service, this must match the 'name' field in the - EndpointPort. - Optional if only one ServicePort is defined on this service. - type: string - nodePort: - description: |- - The port on each node on which this service is exposed when type is - NodePort or LoadBalancer. Usually assigned by the system. If a value is - specified, in-range, and not in use it will be used, otherwise the - operation will fail. If not specified, a port will be allocated if this - Service requires one. If this field is specified when creating a - Service which does not need it, creation will fail. This field will be - wiped when updating a Service to no longer need it (e.g. changing type - from NodePort to ClusterIP). - More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - format: int32 - type: integer - port: - description: The port that will be exposed by this service. - format: int32 - type: integer - protocol: - default: TCP - description: |- - The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". - Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the pods targeted by the service. - Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named port in the - target Pod's container ports. If this is not specified, the value - of the 'port' field is used (an identity map). - This field is ignored for services with clusterIP=None, and should be - omitted or set equal to the 'port' field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - x-kubernetes-list-map-keys: - - port - - protocol - x-kubernetes-list-type: map - publishNotReadyAddresses: - description: |- - publishNotReadyAddresses indicates that any agent which deals with endpoints for this - Service should disregard any indications of ready/not-ready. - The primary use case for setting this field is for a StatefulSet's Headless Service to - propagate SRV DNS records for its Pods for the purpose of peer discovery. - The Kubernetes controllers that generate Endpoints and EndpointSlice resources for - Services interpret this to mean that all endpoints are considered "ready" even if the - Pods themselves are not. Agents which consume only Kubernetes generated endpoints - through the Endpoints or EndpointSlice resources can safely assume this behavior. - type: boolean - selector: - additionalProperties: - type: string - description: |- - Route service traffic to pods with label keys and values matching this - selector. If empty or not present, the service is assumed to have an - external process managing its endpoints, which Kubernetes will not - modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/ - type: object - x-kubernetes-map-type: atomic - sessionAffinity: - description: |- - Supports "ClientIP" and "None". Used to maintain session affinity. - Enable client IP based session affinity. - Must be ClientIP or None. - Defaults to None. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations of session affinity. - properties: - clientIP: - description: clientIP contains the configurations of Client IP based session affinity. - properties: - timeoutSeconds: - description: |- - timeoutSeconds specifies the seconds of ClientIP type session sticky time. - The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". - Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - trafficDistribution: - description: |- - TrafficDistribution offers a way to express preferences for how traffic is - distributed to Service endpoints. Implementations can use this field as a - hint, but are not required to guarantee strict adherence. If the field is - not set, the implementation will apply its default routing strategy. If set - to "PreferClose", implementations should prioritize endpoints that are - topologically close (e.g., same zone). - This is an alpha field and requires enabling ServiceTrafficDistribution feature. - type: string - type: - description: |- - type determines how the Service is exposed. Defaults to ClusterIP. Valid - options are ExternalName, ClusterIP, NodePort, and LoadBalancer. - "ClusterIP" allocates a cluster-internal IP address for load-balancing - to endpoints. Endpoints are determined by the selector or if that is not - specified, by manual construction of an Endpoints object or - EndpointSlice objects. If clusterIP is "None", no virtual IP is - allocated and the endpoints are published as a set of endpoints rather - than a virtual IP. - "NodePort" builds on ClusterIP and allocates a port on every node which - routes to the same endpoints as the clusterIP. - "LoadBalancer" builds on NodePort and creates an external load-balancer - (if supported in the current cloud) which routes to the same endpoints - as the clusterIP. - "ExternalName" aliases this service to the specified externalName. - Several other fields do not apply to ExternalName services. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. - properties: - certificate: - description: |- - Certificate is a reference to a Kubernetes secret that contains the certificate and private key for enabling TLS. - The referenced secret should contain the following: - - - `ca.crt`: The certificate authority (optional). - - `tls.crt`: The certificate (or a chain). - - `tls.key`: The private key to the first certificate in the certificate chain. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the self-signed certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning of the self-signed certifcate should be disabled. - type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs to include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN entry in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. - type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - image: - description: Image is the APM Server Docker image to deploy. - type: string - podTemplate: - description: PodTemplate provides customisation options (labels, annotations, affinity rules, resource requests, and so on) for the APM Server pods. - type: object - x-kubernetes-preserve-unknown-fields: true - secureSettings: - description: SecureSettings is a list of references to Kubernetes secrets containing sensitive configuration options for APM Server. - items: - description: SecretSource defines a data source based on a Kubernetes Secret. - properties: - entries: - description: |- - Entries define how to project each key-value pair in the secret to filesystem paths. - If not defined, all keys will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: |- - Path is the relative file path to map the key to. - Path must not be an absolute file path and must not contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. - type: string - required: - - secretName - type: object - type: array - version: - description: Version of the APM Server. - type: string - type: object - status: - description: ApmServerStatus defines the observed state of ApmServer - properties: - associationStatus: - description: Association is the status of any auto-linking to Elasticsearch clusters. - type: string - availableNodes: - format: int32 - type: integer - health: - description: ApmServerHealth expresses the status of the Apm Server instances. - type: string - secretTokenSecret: - description: SecretTokenSecretName is the name of the Secret that contains the secret token - type: string - service: - description: ExternalService is the name of the service the agents should connect to. - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - name: v1alpha1 - schema: - openAPIV3Schema: - description: to not break compatibility when upgrading from previous versions of the CRD - type: object - served: false - storage: false diff --git a/pkg/crds/enterprise/01-crd-eck-autoscaling.yaml b/pkg/crds/enterprise/01-crd-eck-autoscaling.yaml deleted file mode 100644 index 133bc36988..0000000000 --- a/pkg/crds/enterprise/01-crd-eck-autoscaling.yaml +++ /dev/null @@ -1,319 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.5 - helm.sh/resource-policy: keep - labels: - app.kubernetes.io/instance: 'elastic-operator' - app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '2.16.0' - name: elasticsearchautoscalers.autoscaling.k8s.elastic.co -spec: - group: autoscaling.k8s.elastic.co - names: - categories: - - elastic - kind: ElasticsearchAutoscaler - listKind: ElasticsearchAutoscalerList - plural: elasticsearchautoscalers - shortNames: - - esa - singular: elasticsearchautoscaler - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.elasticsearchRef.name - name: Target - type: string - - jsonPath: .status.conditions[?(@.type=='Active')].status - name: Active - type: string - - jsonPath: .status.conditions[?(@.type=='Healthy')].status - name: Healthy - type: string - - jsonPath: .status.conditions[?(@.type=='Limited')].status - name: Limited - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: ElasticsearchAutoscaler represents an ElasticsearchAutoscaler resource in a Kubernetes cluster. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ElasticsearchAutoscalerSpec holds the specification of an Elasticsearch autoscaler resource. - properties: - elasticsearchRef: - description: ElasticsearchRef is a reference to an Elasticsearch cluster that exists in the same namespace. - properties: - name: - description: Name is the name of the Elasticsearch resource to scale automatically. - minLength: 1 - type: string - type: object - policies: - items: - description: AutoscalingPolicySpec holds a named autoscaling policy and the associated resources limits (cpu, memory, storage). - properties: - deciders: - additionalProperties: - additionalProperties: - type: string - description: |- - DeciderSettings allow the user to tweak autoscaling deciders. - The map data structure complies with the format expected by Elasticsearch. - type: object - description: Deciders allow the user to override default settings for autoscaling deciders. - type: object - name: - description: Name identifies the autoscaling policy in the autoscaling specification. - type: string - resources: - description: |- - AutoscalingResources model the limits, submitted by the user, for the supported resources in an autoscaling policy. - Only the node count range is mandatory. For other resources, a limit range is required only - if the Elasticsearch autoscaling capacity API returns a requirement for a given resource. - For example, the memory limit range is only required if the autoscaling API response contains a memory requirement. - If there is no limit range for a resource, and if that resource is not mandatory, then the resources in the NodeSets - managed by the autoscaling policy are left untouched. - properties: - cpu: - description: QuantityRange models a resource limit range for resources which can be expressed with resource.Quantity. - properties: - max: - anyOf: - - type: integer - - type: string - description: Max represents the upper limit for the resources managed by the autoscaler. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - min: - anyOf: - - type: integer - - type: string - description: Min represents the lower limit for the resources managed by the autoscaler. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - requestsToLimitsRatio: - anyOf: - - type: integer - - type: string - description: RequestsToLimitsRatio allows to customize Kubernetes resource Limit based on the Request. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - required: - - max - - min - type: object - memory: - description: QuantityRange models a resource limit range for resources which can be expressed with resource.Quantity. - properties: - max: - anyOf: - - type: integer - - type: string - description: Max represents the upper limit for the resources managed by the autoscaler. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - min: - anyOf: - - type: integer - - type: string - description: Min represents the lower limit for the resources managed by the autoscaler. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - requestsToLimitsRatio: - anyOf: - - type: integer - - type: string - description: RequestsToLimitsRatio allows to customize Kubernetes resource Limit based on the Request. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - required: - - max - - min - type: object - nodeCount: - description: NodeCountRange is used to model the minimum and the maximum number of nodes over all the NodeSets managed by the same autoscaling policy. - properties: - max: - description: Max represents the maximum number of nodes in a tier. - format: int32 - type: integer - min: - description: Min represents the minimum number of nodes in a tier. - format: int32 - type: integer - required: - - max - - min - type: object - storage: - description: QuantityRange models a resource limit range for resources which can be expressed with resource.Quantity. - properties: - max: - anyOf: - - type: integer - - type: string - description: Max represents the upper limit for the resources managed by the autoscaler. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - min: - anyOf: - - type: integer - - type: string - description: Min represents the lower limit for the resources managed by the autoscaler. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - requestsToLimitsRatio: - anyOf: - - type: integer - - type: string - description: RequestsToLimitsRatio allows to customize Kubernetes resource Limit based on the Request. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - required: - - max - - min - type: object - required: - - nodeCount - type: object - roles: - description: An autoscaling policy must target a unique set of roles. - items: - type: string - type: array - required: - - resources - type: object - type: array - pollingPeriod: - description: PollingPeriod is the period at which to synchronize with the Elasticsearch autoscaling API. - type: string - required: - - elasticsearchRef - - policies - type: object - status: - properties: - conditions: - description: Conditions holds the current service state of the autoscaling controller. - items: - description: |- - Condition represents Elasticsearch resource's condition. - **This API is in technical preview and may be changed or removed in a future release.** - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - status: - type: string - type: - description: ConditionType defines the condition of an Elasticsearch resource. - type: string - required: - - status - - type - type: object - type: array - observedGeneration: - description: ObservedGeneration is the last observed generation by the controller. - format: int64 - type: integer - policies: - description: AutoscalingPolicyStatuses is used to expose state messages to user or external system. - items: - properties: - lastModificationTime: - description: LastModificationTime is the last time the resources have been updated, used by the cooldown algorithm. - format: date-time - type: string - name: - description: Name is the name of the autoscaling policy - type: string - nodeSets: - description: NodeSetNodeCount holds the number of nodes for each nodeSet. - items: - description: NodeSetNodeCount models the number of nodes expected in a given NodeSet. - properties: - name: - description: Name of the Nodeset. - type: string - nodeCount: - description: NodeCount is the number of nodes, as computed by the autoscaler, expected in this NodeSet. - format: int32 - type: integer - required: - - name - - nodeCount - type: object - type: array - resources: - description: |- - ResourcesSpecification holds the resource values common to all the nodeSets managed by a same autoscaling policy. - Only the resources managed by the autoscaling controller are saved in the Status. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, quantity) pairs. - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, quantity) pairs. - type: object - type: object - state: - description: PolicyStates may contain various messages regarding the current state of this autoscaling policy. - items: - properties: - messages: - items: - type: string - type: array - type: - type: string - required: - - messages - - type - type: object - type: array - required: - - name - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/pkg/crds/enterprise/01-crd-eck-beat.yaml b/pkg/crds/enterprise/01-crd-eck-beat.yaml deleted file mode 100644 index 73e8714976..0000000000 --- a/pkg/crds/enterprise/01-crd-eck-beat.yaml +++ /dev/null @@ -1,455 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.5 - helm.sh/resource-policy: keep - labels: - app.kubernetes.io/instance: 'elastic-operator' - app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '2.16.0' - name: beats.beat.k8s.elastic.co -spec: - group: beat.k8s.elastic.co - names: - categories: - - elastic - kind: Beat - listKind: BeatList - plural: beats - shortNames: - - beat - singular: beat - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.health - name: health - type: string - - description: Available nodes - jsonPath: .status.availableNodes - name: available - type: integer - - description: Expected nodes - jsonPath: .status.expectedNodes - name: expected - type: integer - - description: Beat type - jsonPath: .spec.type - name: type - type: string - - description: Beat version - jsonPath: .status.version - name: version - type: string - - jsonPath: .metadata.creationTimestamp - name: age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: Beat is the Schema for the Beats API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: BeatSpec defines the desired state of a Beat. - properties: - config: - description: Config holds the Beat configuration. At most one of [`Config`, `ConfigRef`] can be specified. - type: object - x-kubernetes-preserve-unknown-fields: true - configRef: - description: |- - ConfigRef contains a reference to an existing Kubernetes Secret holding the Beat configuration. - Beat settings must be specified as yaml, under a single "beat.yml" entry. At most one of [`Config`, `ConfigRef`] - can be specified. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - daemonSet: - description: |- - DaemonSet specifies the Beat should be deployed as a DaemonSet, and allows providing its spec. - Cannot be used along with `deployment`. If both are absent a default for the Type is used. - properties: - podTemplate: - description: PodTemplateSpec describes the data a pod should have when created from a template - type: object - x-kubernetes-preserve-unknown-fields: true - updateStrategy: - description: DaemonSetUpdateStrategy is a struct used to control the update strategy for a DaemonSet. - properties: - rollingUpdate: - description: Rolling update config params. Present only if type = "RollingUpdate". - properties: - maxSurge: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of nodes with an existing available DaemonSet pod that - can have an updated DaemonSet pod during during an update. - Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). - This can not be 0 if MaxUnavailable is 0. - Absolute number is calculated from percentage by rounding up to a minimum of 1. - Default value is 0. - Example: when this is set to 30%, at most 30% of the total number of nodes - that should be running the daemon pod (i.e. status.desiredNumberScheduled) - can have their a new pod created before the old pod is marked as deleted. - The update starts by launching new pods on 30% of nodes. Once an updated - pod is available (Ready for at least minReadySeconds) the old DaemonSet pod - on that node is marked deleted. If the old pod becomes unavailable for any - reason (Ready transitions to false, is evicted, or is drained) an updated - pod is immediatedly created on that node without considering surge limits. - Allowing surge implies the possibility that the resources consumed by the - daemonset on any given node can double if the readiness check fails, and - so resource intensive daemonsets should take into account that they may - cause evictions during disruption. - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of DaemonSet pods that can be unavailable during the - update. Value can be an absolute number (ex: 5) or a percentage of total - number of DaemonSet pods at the start of the update (ex: 10%). Absolute - number is calculated from percentage by rounding up. - This cannot be 0 if MaxSurge is 0 - Default value is 1. - Example: when this is set to 30%, at most 30% of the total number of nodes - that should be running the daemon pod (i.e. status.desiredNumberScheduled) - can have their pods stopped for an update at any given time. The update - starts by stopping at most 30% of those DaemonSet pods and then brings - up new DaemonSet pods in their place. Once the new pods are available, - it then proceeds onto other DaemonSet pods, thus ensuring that at least - 70% of original number of DaemonSet pods are available at all times during - the update. - x-kubernetes-int-or-string: true - type: object - type: - description: Type of daemon set update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate. - type: string - type: object - type: object - deployment: - description: |- - Deployment specifies the Beat should be deployed as a Deployment, and allows providing its spec. - Cannot be used along with `daemonSet`. If both are absent a default for the Type is used. - properties: - podTemplate: - description: PodTemplateSpec describes the data a pod should have when created from a template - type: object - x-kubernetes-preserve-unknown-fields: true - replicas: - format: int32 - type: integer - strategy: - description: DeploymentStrategy describes how to replace existing pods with new ones. - properties: - rollingUpdate: - description: |- - Rolling update config params. Present only if DeploymentStrategyType = - RollingUpdate. - properties: - maxSurge: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of pods that can be scheduled above the desired number of - pods. - Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). - This can not be 0 if MaxUnavailable is 0. - Absolute number is calculated from percentage by rounding up. - Defaults to 25%. - Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when - the rolling update starts, such that the total number of old and new pods do not exceed - 130% of desired pods. Once old pods have been killed, - new ReplicaSet can be scaled up further, ensuring that total number of pods running - at any time during the update is at most 130% of desired pods. - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of pods that can be unavailable during the update. - Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). - Absolute number is calculated from percentage by rounding down. - This can not be 0 if MaxSurge is 0. - Defaults to 25%. - Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods - immediately when the rolling update starts. Once new pods are ready, old ReplicaSet - can be scaled down further, followed by scaling up the new ReplicaSet, ensuring - that the total number of pods available at all times during the update is at - least 70% of desired pods. - x-kubernetes-int-or-string: true - type: object - type: - description: Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate. - type: string - type: object - type: object - elasticsearchRef: - description: ElasticsearchRef is a reference to an Elasticsearch cluster running in the same Kubernetes cluster. - properties: - name: - description: Name of an existing Kubernetes object corresponding to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - image: - description: Image is the Beat Docker image to deploy. Version and Type have to match the Beat in the image. - type: string - kibanaRef: - description: |- - KibanaRef is a reference to a Kibana instance running in the same Kubernetes cluster. - It allows automatic setup of dashboards and visualizations. - properties: - name: - description: Name of an existing Kubernetes object corresponding to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - monitoring: - description: |- - Monitoring enables you to collect and ship logs and metrics for this Beat. - Metricbeat and/or Filebeat sidecars are configured and send monitoring data to an - Elasticsearch monitoring cluster running in the same Kubernetes cluster. - properties: - logs: - description: Logs holds references to Elasticsearch clusters which receive log data from an associated resource. - properties: - elasticsearchRefs: - description: |- - ElasticsearchRefs is a reference to a list of monitoring Elasticsearch clusters running in the same Kubernetes cluster. - Due to existing limitations, only a single Elasticsearch cluster is currently supported. - items: - description: |- - ObjectSelector defines a reference to a Kubernetes object which can be an Elastic resource managed by the operator - or a Secret describing an external Elastic resource not managed by the operator. - properties: - name: - description: Name of an existing Kubernetes object corresponding to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - type: array - type: object - metrics: - description: Metrics holds references to Elasticsearch clusters which receive monitoring data from this resource. - properties: - elasticsearchRefs: - description: |- - ElasticsearchRefs is a reference to a list of monitoring Elasticsearch clusters running in the same Kubernetes cluster. - Due to existing limitations, only a single Elasticsearch cluster is currently supported. - items: - description: |- - ObjectSelector defines a reference to a Kubernetes object which can be an Elastic resource managed by the operator - or a Secret describing an external Elastic resource not managed by the operator. - properties: - name: - description: Name of an existing Kubernetes object corresponding to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - type: array - type: object - type: object - revisionHistoryLimit: - description: RevisionHistoryLimit is the number of revisions to retain to allow rollback in the underlying DaemonSet or Deployment. - format: int32 - type: integer - secureSettings: - description: |- - SecureSettings is a list of references to Kubernetes Secrets containing sensitive configuration options for the Beat. - Secrets data can be then referenced in the Beat config using the Secret's keys or as specified in `Entries` field of - each SecureSetting. - items: - description: SecretSource defines a data source based on a Kubernetes Secret. - properties: - entries: - description: |- - Entries define how to project each key-value pair in the secret to filesystem paths. - If not defined, all keys will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: |- - Path is the relative file path to map the key to. - Path must not be an absolute file path and must not contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. - type: string - required: - - secretName - type: object - type: array - serviceAccountName: - description: |- - ServiceAccountName is used to check access from the current resource to Elasticsearch resource in a different namespace. - Can only be used if ECK is enforcing RBAC on references. - type: string - type: - description: |- - Type is the type of the Beat to deploy (filebeat, metricbeat, heartbeat, auditbeat, journalbeat, packetbeat, and so on). - Any string can be used, but well-known types will have the image field defaulted and have the appropriate - Elasticsearch roles created automatically. It also allows for dashboard setup when combined with a `KibanaRef`. - maxLength: 20 - pattern: '[a-zA-Z0-9-]+' - type: string - version: - description: Version of the Beat. - type: string - required: - - type - - version - type: object - status: - description: BeatStatus defines the observed state of a Beat. - properties: - availableNodes: - format: int32 - type: integer - elasticsearchAssociationStatus: - description: AssociationStatus is the status of an association resource. - type: string - expectedNodes: - format: int32 - type: integer - health: - type: string - kibanaAssociationStatus: - description: AssociationStatus is the status of an association resource. - type: string - monitoringAssociationStatus: - additionalProperties: - description: AssociationStatus is the status of an association resource. - type: string - description: |- - AssociationStatusMap is the map of association's namespaced name string to its AssociationStatus. For resources that - have a single Association of a given type (for ex. single ES reference), this map contains a single entry. - type: object - observedGeneration: - description: |- - ObservedGeneration represents the .metadata.generation that the status is based upon. - It corresponds to the metadata generation, which is updated on mutation by the API Server. - If the generation observed in status diverges from the generation in metadata, the Beats - controller has not yet processed the changes contained in the Beats specification. - format: int64 - type: integer - version: - description: |- - Version of the stack resource currently running. During version upgrades, multiple versions may run - in parallel: this value specifies the lowest version currently running. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/pkg/crds/enterprise/01-crd-eck-elasticmapsserver.yaml b/pkg/crds/enterprise/01-crd-eck-elasticmapsserver.yaml deleted file mode 100644 index 3fc9106a20..0000000000 --- a/pkg/crds/enterprise/01-crd-eck-elasticmapsserver.yaml +++ /dev/null @@ -1,580 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.5 - helm.sh/resource-policy: keep - labels: - app.kubernetes.io/instance: 'elastic-operator' - app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '2.16.0' - name: elasticmapsservers.maps.k8s.elastic.co -spec: - group: maps.k8s.elastic.co - names: - categories: - - elastic - kind: ElasticMapsServer - listKind: ElasticMapsServerList - plural: elasticmapsservers - shortNames: - - ems - singular: elasticmapsserver - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.health - name: health - type: string - - description: Available nodes - jsonPath: .status.availableNodes - name: nodes - type: integer - - description: ElasticMapsServer version - jsonPath: .status.version - name: version - type: string - - jsonPath: .metadata.creationTimestamp - name: age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: ElasticMapsServer represents an Elastic Map Server resource in a Kubernetes cluster. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: MapsSpec holds the specification of an Elastic Maps Server instance. - properties: - config: - description: 'Config holds the ElasticMapsServer configuration. See: https://www.elastic.co/guide/en/kibana/current/maps-connect-to-ems.html#elastic-maps-server-configuration' - type: object - x-kubernetes-preserve-unknown-fields: true - configRef: - description: |- - ConfigRef contains a reference to an existing Kubernetes Secret holding the Elastic Maps Server configuration. - Configuration settings are merged and have precedence over settings specified in `config`. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - count: - description: Count of Elastic Maps Server instances to deploy. - format: int32 - type: integer - elasticsearchRef: - description: ElasticsearchRef is a reference to an Elasticsearch cluster running in the same Kubernetes cluster. - properties: - name: - description: Name of an existing Kubernetes object corresponding to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - http: - description: HTTP holds the HTTP layer configuration for Elastic Maps Server. - properties: - service: - description: Service defines the template for the associated Kubernetes Service object. - properties: - metadata: - description: |- - ObjectMeta is the metadata of the service. - The name and namespace provided here are managed by ECK and will be ignored. - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: Spec is the specification of the service. - properties: - allocateLoadBalancerNodePorts: - description: |- - allocateLoadBalancerNodePorts defines if NodePorts will be automatically - allocated for services with type LoadBalancer. Default is "true". It - may be set to "false" if the cluster load-balancer does not rely on - NodePorts. If the caller requests specific NodePorts (by specifying a - value), those requests will be respected, regardless of this field. - This field may only be set for services with type LoadBalancer and will - be cleared if the type is changed to any other type. - type: boolean - clusterIP: - description: |- - clusterIP is the IP address of the service and is usually assigned - randomly. If an address is specified manually, is in-range (as per - system configuration), and is not in use, it will be allocated to the - service; otherwise creation of the service will fail. This field may not - be changed through updates unless the type field is also being changed - to ExternalName (which requires this field to be blank) or the type - field is being changed from ExternalName (in which case this field may - optionally be specified, as describe above). Valid values are "None", - empty string (""), or a valid IP address. Setting this to "None" makes a - "headless service" (no virtual IP), which is useful when direct endpoint - connections are preferred and proxying is not required. Only applies to - types ClusterIP, NodePort, and LoadBalancer. If this field is specified - when creating a Service of type ExternalName, creation will fail. This - field will be wiped when updating a Service to type ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - clusterIPs: - description: |- - ClusterIPs is a list of IP addresses assigned to this service, and are - usually assigned randomly. If an address is specified manually, is - in-range (as per system configuration), and is not in use, it will be - allocated to the service; otherwise creation of the service will fail. - This field may not be changed through updates unless the type field is - also being changed to ExternalName (which requires this field to be - empty) or the type field is being changed from ExternalName (in which - case this field may optionally be specified, as describe above). Valid - values are "None", empty string (""), or a valid IP address. Setting - this to "None" makes a "headless service" (no virtual IP), which is - useful when direct endpoint connections are preferred and proxying is - not required. Only applies to types ClusterIP, NodePort, and - LoadBalancer. If this field is specified when creating a Service of type - ExternalName, creation will fail. This field will be wiped when updating - a Service to type ExternalName. If this field is not specified, it will - be initialized from the clusterIP field. If this field is specified, - clients must ensure that clusterIPs[0] and clusterIP have the same - value. - - This field may hold a maximum of two entries (dual-stack IPs, in either order). - These IPs must correspond to the values of the ipFamilies field. Both - clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalIPs: - description: |- - externalIPs is a list of IP addresses for which nodes in the cluster - will also accept traffic for this service. These IPs are not managed by - Kubernetes. The user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external load-balancers - that are not part of the Kubernetes system. - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalName: - description: |- - externalName is the external reference that discovery mechanisms will - return as an alias for this service (e.g. a DNS CNAME record). No - proxying will be involved. Must be a lowercase RFC-1123 hostname - (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName". - type: string - externalTrafficPolicy: - description: |- - externalTrafficPolicy describes how nodes distribute service traffic they - receive on one of the Service's "externally-facing" addresses (NodePorts, - ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure - the service in a way that assumes that external load balancers will take care - of balancing the service traffic between nodes, and so each node will deliver - traffic only to the node-local endpoints of the service, without masquerading - the client source IP. (Traffic mistakenly sent to a node with no endpoints will - be dropped.) The default value, "Cluster", uses the standard behavior of - routing to all endpoints evenly (possibly modified by topology and other - features). Note that traffic sent to an External IP or LoadBalancer IP from - within the cluster will always get "Cluster" semantics, but clients sending to - a NodePort from within the cluster may need to take traffic policy into account - when picking a node. - type: string - healthCheckNodePort: - description: |- - healthCheckNodePort specifies the healthcheck nodePort for the service. - This only applies when type is set to LoadBalancer and - externalTrafficPolicy is set to Local. If a value is specified, is - in-range, and is not in use, it will be used. If not specified, a value - will be automatically allocated. External systems (e.g. load-balancers) - can use this port to determine if a given node holds endpoints for this - service or not. If this field is specified when creating a Service - which does not need it, creation will fail. This field will be wiped - when updating a Service to no longer need it (e.g. changing type). - This field cannot be updated once set. - format: int32 - type: integer - internalTrafficPolicy: - description: |- - InternalTrafficPolicy describes how nodes distribute service traffic they - receive on the ClusterIP. If set to "Local", the proxy will assume that pods - only want to talk to endpoints of the service on the same node as the pod, - dropping the traffic if there are no local endpoints. The default value, - "Cluster", uses the standard behavior of routing to all endpoints evenly - (possibly modified by topology and other features). - type: string - ipFamilies: - description: |- - IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this - service. This field is usually assigned automatically based on cluster - configuration and the ipFamilyPolicy field. If this field is specified - manually, the requested family is available in the cluster, - and ipFamilyPolicy allows it, it will be used; otherwise creation of - the service will fail. This field is conditionally mutable: it allows - for adding or removing a secondary IP family, but it does not allow - changing the primary IP family of the Service. Valid values are "IPv4" - and "IPv6". This field only applies to Services of types ClusterIP, - NodePort, and LoadBalancer, and does apply to "headless" services. - This field will be wiped when updating a Service to type ExternalName. - - This field may hold a maximum of two entries (dual-stack families, in - either order). These families must correspond to the values of the - clusterIPs field, if specified. Both clusterIPs and ipFamilies are - governed by the ipFamilyPolicy field. - items: - description: |- - IPFamily represents the IP Family (IPv4 or IPv6). This type is used - to express the family of an IP expressed by a type (e.g. service.spec.ipFamilies). - type: string - type: array - x-kubernetes-list-type: atomic - ipFamilyPolicy: - description: |- - IPFamilyPolicy represents the dual-stack-ness requested or required by - this Service. If there is no value provided, then this field will be set - to SingleStack. Services can be "SingleStack" (a single IP family), - "PreferDualStack" (two IP families on dual-stack configured clusters or - a single IP family on single-stack clusters), or "RequireDualStack" - (two IP families on dual-stack configured clusters, otherwise fail). The - ipFamilies and clusterIPs fields depend on the value of this field. This - field will be wiped when updating a service to type ExternalName. - type: string - loadBalancerClass: - description: |- - loadBalancerClass is the class of the load balancer implementation this Service belongs to. - If specified, the value of this field must be a label-style identifier, with an optional prefix, - e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. - This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load - balancer implementation is used, today this is typically done through the cloud provider integration, - but should apply for any default implementation. If set, it is assumed that a load balancer - implementation is watching for Services with a matching class. Any default load balancer - implementation (e.g. cloud providers) should ignore Services that set this field. - This field can only be set when creating or updating a Service to type 'LoadBalancer'. - Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. - type: string - loadBalancerIP: - description: |- - Only applies to Service Type: LoadBalancer. - This feature depends on whether the underlying cloud-provider supports specifying - the loadBalancerIP when a load balancer is created. - This field will be ignored if the cloud-provider does not support the feature. - Deprecated: This field was under-specified and its meaning varies across implementations. - Using it is non-portable and it may not support dual-stack. - Users are encouraged to use implementation-specific annotations when available. - type: string - loadBalancerSourceRanges: - description: |- - If specified and supported by the platform, this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client IPs. This field will be ignored if the - cloud-provider does not support the feature." - More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ - items: - type: string - type: array - x-kubernetes-list-type: atomic - ports: - description: |- - The list of ports that are exposed by this service. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - description: ServicePort contains information on service's port. - properties: - appProtocol: - description: |- - The application protocol for this port. - This is used as a hint for implementations to offer richer behavior for protocols that they understand. - This field follows standard Kubernetes label syntax. - Valid values are either: - - * Un-prefixed protocol names - reserved for IANA standard service names (as per - RFC-6335 and https://www.iana.org/assignments/service-names). - - * Kubernetes-defined prefixed names: - * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- - * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 - * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 - - * Other protocols should use implementation-defined prefixed names such as - mycompany.com/my-custom-protocol. - type: string - name: - description: |- - The name of this port within the service. This must be a DNS_LABEL. - All ports within a ServiceSpec must have unique names. When considering - the endpoints for a Service, this must match the 'name' field in the - EndpointPort. - Optional if only one ServicePort is defined on this service. - type: string - nodePort: - description: |- - The port on each node on which this service is exposed when type is - NodePort or LoadBalancer. Usually assigned by the system. If a value is - specified, in-range, and not in use it will be used, otherwise the - operation will fail. If not specified, a port will be allocated if this - Service requires one. If this field is specified when creating a - Service which does not need it, creation will fail. This field will be - wiped when updating a Service to no longer need it (e.g. changing type - from NodePort to ClusterIP). - More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - format: int32 - type: integer - port: - description: The port that will be exposed by this service. - format: int32 - type: integer - protocol: - default: TCP - description: |- - The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". - Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the pods targeted by the service. - Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named port in the - target Pod's container ports. If this is not specified, the value - of the 'port' field is used (an identity map). - This field is ignored for services with clusterIP=None, and should be - omitted or set equal to the 'port' field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - x-kubernetes-list-map-keys: - - port - - protocol - x-kubernetes-list-type: map - publishNotReadyAddresses: - description: |- - publishNotReadyAddresses indicates that any agent which deals with endpoints for this - Service should disregard any indications of ready/not-ready. - The primary use case for setting this field is for a StatefulSet's Headless Service to - propagate SRV DNS records for its Pods for the purpose of peer discovery. - The Kubernetes controllers that generate Endpoints and EndpointSlice resources for - Services interpret this to mean that all endpoints are considered "ready" even if the - Pods themselves are not. Agents which consume only Kubernetes generated endpoints - through the Endpoints or EndpointSlice resources can safely assume this behavior. - type: boolean - selector: - additionalProperties: - type: string - description: |- - Route service traffic to pods with label keys and values matching this - selector. If empty or not present, the service is assumed to have an - external process managing its endpoints, which Kubernetes will not - modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/ - type: object - x-kubernetes-map-type: atomic - sessionAffinity: - description: |- - Supports "ClientIP" and "None". Used to maintain session affinity. - Enable client IP based session affinity. - Must be ClientIP or None. - Defaults to None. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations of session affinity. - properties: - clientIP: - description: clientIP contains the configurations of Client IP based session affinity. - properties: - timeoutSeconds: - description: |- - timeoutSeconds specifies the seconds of ClientIP type session sticky time. - The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". - Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - trafficDistribution: - description: |- - TrafficDistribution offers a way to express preferences for how traffic is - distributed to Service endpoints. Implementations can use this field as a - hint, but are not required to guarantee strict adherence. If the field is - not set, the implementation will apply its default routing strategy. If set - to "PreferClose", implementations should prioritize endpoints that are - topologically close (e.g., same zone). - This is an alpha field and requires enabling ServiceTrafficDistribution feature. - type: string - type: - description: |- - type determines how the Service is exposed. Defaults to ClusterIP. Valid - options are ExternalName, ClusterIP, NodePort, and LoadBalancer. - "ClusterIP" allocates a cluster-internal IP address for load-balancing - to endpoints. Endpoints are determined by the selector or if that is not - specified, by manual construction of an Endpoints object or - EndpointSlice objects. If clusterIP is "None", no virtual IP is - allocated and the endpoints are published as a set of endpoints rather - than a virtual IP. - "NodePort" builds on ClusterIP and allocates a port on every node which - routes to the same endpoints as the clusterIP. - "LoadBalancer" builds on NodePort and creates an external load-balancer - (if supported in the current cloud) which routes to the same endpoints - as the clusterIP. - "ExternalName" aliases this service to the specified externalName. - Several other fields do not apply to ExternalName services. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. - properties: - certificate: - description: |- - Certificate is a reference to a Kubernetes secret that contains the certificate and private key for enabling TLS. - The referenced secret should contain the following: - - - `ca.crt`: The certificate authority (optional). - - `tls.crt`: The certificate (or a chain). - - `tls.key`: The private key to the first certificate in the certificate chain. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the self-signed certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning of the self-signed certifcate should be disabled. - type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs to include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN entry in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. - type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - image: - description: Image is the Elastic Maps Server Docker image to deploy. - type: string - podTemplate: - description: PodTemplate provides customisation options (labels, annotations, affinity rules, resource requests, and so on) for the Elastic Maps Server pods - type: object - x-kubernetes-preserve-unknown-fields: true - revisionHistoryLimit: - description: RevisionHistoryLimit is the number of revisions to retain to allow rollback in the underlying Deployment. - format: int32 - type: integer - serviceAccountName: - description: |- - ServiceAccountName is used to check access from the current resource to a resource (for ex. Elasticsearch) in a different namespace. - Can only be used if ECK is enforcing RBAC on references. - type: string - version: - description: Version of Elastic Maps Server. - type: string - required: - - version - type: object - status: - description: MapsStatus defines the observed state of Elastic Maps Server - properties: - associationStatus: - description: AssociationStatus is the status of an association resource. - type: string - availableNodes: - description: AvailableNodes is the number of available replicas in the deployment. - format: int32 - type: integer - count: - description: Count corresponds to Scale.Status.Replicas, which is the actual number of observed instances of the scaled object. - format: int32 - type: integer - health: - description: Health of the deployment. - type: string - observedGeneration: - description: |- - ObservedGeneration is the most recent generation observed for this Elastic Maps Server. - It corresponds to the metadata generation, which is updated on mutation by the API Server. - If the generation observed in status diverges from the generation in metadata, the Elastic - Maps controller has not yet processed the changes contained in the Elastic Maps specification. - format: int64 - type: integer - selector: - description: Selector is the label selector used to find all pods. - type: string - version: - description: |- - Version of the stack resource currently running. During version upgrades, multiple versions may run - in parallel: this value specifies the lowest version currently running. - type: string - type: object - type: object - served: true - storage: true - subresources: - scale: - labelSelectorPath: .status.selector - specReplicasPath: .spec.count - statusReplicasPath: .status.count - status: {} diff --git a/pkg/crds/enterprise/01-crd-eck-elasticsearch.yaml b/pkg/crds/enterprise/01-crd-eck-elasticsearch.yaml deleted file mode 100644 index 5d8776030a..0000000000 --- a/pkg/crds/enterprise/01-crd-eck-elasticsearch.yaml +++ /dev/null @@ -1,2688 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.5 - helm.sh/resource-policy: keep - labels: - app.kubernetes.io/instance: 'elastic-operator' - app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '2.16.0' - name: elasticsearches.elasticsearch.k8s.elastic.co -spec: - group: elasticsearch.k8s.elastic.co - names: - categories: - - elastic - kind: Elasticsearch - listKind: ElasticsearchList - plural: elasticsearches - shortNames: - - es - singular: elasticsearch - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.health - name: health - type: string - - description: Available nodes - jsonPath: .status.availableNodes - name: nodes - type: integer - - description: Elasticsearch version - jsonPath: .status.version - name: version - type: string - - jsonPath: .status.phase - name: phase - type: string - - jsonPath: .metadata.creationTimestamp - name: age - type: date - name: v1 - schema: - openAPIV3Schema: - description: Elasticsearch represents an Elasticsearch resource in a Kubernetes cluster. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ElasticsearchSpec holds the specification of an Elasticsearch cluster. - properties: - auth: - description: Auth contains user authentication and authorization security settings for Elasticsearch. - properties: - disableElasticUser: - description: DisableElasticUser disables the default elastic user that is created by ECK. - type: boolean - fileRealm: - description: FileRealm to propagate to the Elasticsearch cluster. - items: - description: FileRealmSource references users to create in the Elasticsearch cluster. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - type: array - roles: - description: Roles to propagate to the Elasticsearch cluster. - items: - description: RoleSource references roles to create in the Elasticsearch cluster. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - type: array - type: object - http: - description: HTTP holds HTTP layer settings for Elasticsearch. - properties: - service: - description: Service defines the template for the associated Kubernetes Service object. - properties: - metadata: - description: |- - ObjectMeta is the metadata of the service. - The name and namespace provided here are managed by ECK and will be ignored. - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: Spec is the specification of the service. - properties: - allocateLoadBalancerNodePorts: - description: |- - allocateLoadBalancerNodePorts defines if NodePorts will be automatically - allocated for services with type LoadBalancer. Default is "true". It - may be set to "false" if the cluster load-balancer does not rely on - NodePorts. If the caller requests specific NodePorts (by specifying a - value), those requests will be respected, regardless of this field. - This field may only be set for services with type LoadBalancer and will - be cleared if the type is changed to any other type. - type: boolean - clusterIP: - description: |- - clusterIP is the IP address of the service and is usually assigned - randomly. If an address is specified manually, is in-range (as per - system configuration), and is not in use, it will be allocated to the - service; otherwise creation of the service will fail. This field may not - be changed through updates unless the type field is also being changed - to ExternalName (which requires this field to be blank) or the type - field is being changed from ExternalName (in which case this field may - optionally be specified, as describe above). Valid values are "None", - empty string (""), or a valid IP address. Setting this to "None" makes a - "headless service" (no virtual IP), which is useful when direct endpoint - connections are preferred and proxying is not required. Only applies to - types ClusterIP, NodePort, and LoadBalancer. If this field is specified - when creating a Service of type ExternalName, creation will fail. This - field will be wiped when updating a Service to type ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - clusterIPs: - description: |- - ClusterIPs is a list of IP addresses assigned to this service, and are - usually assigned randomly. If an address is specified manually, is - in-range (as per system configuration), and is not in use, it will be - allocated to the service; otherwise creation of the service will fail. - This field may not be changed through updates unless the type field is - also being changed to ExternalName (which requires this field to be - empty) or the type field is being changed from ExternalName (in which - case this field may optionally be specified, as describe above). Valid - values are "None", empty string (""), or a valid IP address. Setting - this to "None" makes a "headless service" (no virtual IP), which is - useful when direct endpoint connections are preferred and proxying is - not required. Only applies to types ClusterIP, NodePort, and - LoadBalancer. If this field is specified when creating a Service of type - ExternalName, creation will fail. This field will be wiped when updating - a Service to type ExternalName. If this field is not specified, it will - be initialized from the clusterIP field. If this field is specified, - clients must ensure that clusterIPs[0] and clusterIP have the same - value. - - This field may hold a maximum of two entries (dual-stack IPs, in either order). - These IPs must correspond to the values of the ipFamilies field. Both - clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalIPs: - description: |- - externalIPs is a list of IP addresses for which nodes in the cluster - will also accept traffic for this service. These IPs are not managed by - Kubernetes. The user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external load-balancers - that are not part of the Kubernetes system. - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalName: - description: |- - externalName is the external reference that discovery mechanisms will - return as an alias for this service (e.g. a DNS CNAME record). No - proxying will be involved. Must be a lowercase RFC-1123 hostname - (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName". - type: string - externalTrafficPolicy: - description: |- - externalTrafficPolicy describes how nodes distribute service traffic they - receive on one of the Service's "externally-facing" addresses (NodePorts, - ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure - the service in a way that assumes that external load balancers will take care - of balancing the service traffic between nodes, and so each node will deliver - traffic only to the node-local endpoints of the service, without masquerading - the client source IP. (Traffic mistakenly sent to a node with no endpoints will - be dropped.) The default value, "Cluster", uses the standard behavior of - routing to all endpoints evenly (possibly modified by topology and other - features). Note that traffic sent to an External IP or LoadBalancer IP from - within the cluster will always get "Cluster" semantics, but clients sending to - a NodePort from within the cluster may need to take traffic policy into account - when picking a node. - type: string - healthCheckNodePort: - description: |- - healthCheckNodePort specifies the healthcheck nodePort for the service. - This only applies when type is set to LoadBalancer and - externalTrafficPolicy is set to Local. If a value is specified, is - in-range, and is not in use, it will be used. If not specified, a value - will be automatically allocated. External systems (e.g. load-balancers) - can use this port to determine if a given node holds endpoints for this - service or not. If this field is specified when creating a Service - which does not need it, creation will fail. This field will be wiped - when updating a Service to no longer need it (e.g. changing type). - This field cannot be updated once set. - format: int32 - type: integer - internalTrafficPolicy: - description: |- - InternalTrafficPolicy describes how nodes distribute service traffic they - receive on the ClusterIP. If set to "Local", the proxy will assume that pods - only want to talk to endpoints of the service on the same node as the pod, - dropping the traffic if there are no local endpoints. The default value, - "Cluster", uses the standard behavior of routing to all endpoints evenly - (possibly modified by topology and other features). - type: string - ipFamilies: - description: |- - IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this - service. This field is usually assigned automatically based on cluster - configuration and the ipFamilyPolicy field. If this field is specified - manually, the requested family is available in the cluster, - and ipFamilyPolicy allows it, it will be used; otherwise creation of - the service will fail. This field is conditionally mutable: it allows - for adding or removing a secondary IP family, but it does not allow - changing the primary IP family of the Service. Valid values are "IPv4" - and "IPv6". This field only applies to Services of types ClusterIP, - NodePort, and LoadBalancer, and does apply to "headless" services. - This field will be wiped when updating a Service to type ExternalName. - - This field may hold a maximum of two entries (dual-stack families, in - either order). These families must correspond to the values of the - clusterIPs field, if specified. Both clusterIPs and ipFamilies are - governed by the ipFamilyPolicy field. - items: - description: |- - IPFamily represents the IP Family (IPv4 or IPv6). This type is used - to express the family of an IP expressed by a type (e.g. service.spec.ipFamilies). - type: string - type: array - x-kubernetes-list-type: atomic - ipFamilyPolicy: - description: |- - IPFamilyPolicy represents the dual-stack-ness requested or required by - this Service. If there is no value provided, then this field will be set - to SingleStack. Services can be "SingleStack" (a single IP family), - "PreferDualStack" (two IP families on dual-stack configured clusters or - a single IP family on single-stack clusters), or "RequireDualStack" - (two IP families on dual-stack configured clusters, otherwise fail). The - ipFamilies and clusterIPs fields depend on the value of this field. This - field will be wiped when updating a service to type ExternalName. - type: string - loadBalancerClass: - description: |- - loadBalancerClass is the class of the load balancer implementation this Service belongs to. - If specified, the value of this field must be a label-style identifier, with an optional prefix, - e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. - This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load - balancer implementation is used, today this is typically done through the cloud provider integration, - but should apply for any default implementation. If set, it is assumed that a load balancer - implementation is watching for Services with a matching class. Any default load balancer - implementation (e.g. cloud providers) should ignore Services that set this field. - This field can only be set when creating or updating a Service to type 'LoadBalancer'. - Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. - type: string - loadBalancerIP: - description: |- - Only applies to Service Type: LoadBalancer. - This feature depends on whether the underlying cloud-provider supports specifying - the loadBalancerIP when a load balancer is created. - This field will be ignored if the cloud-provider does not support the feature. - Deprecated: This field was under-specified and its meaning varies across implementations. - Using it is non-portable and it may not support dual-stack. - Users are encouraged to use implementation-specific annotations when available. - type: string - loadBalancerSourceRanges: - description: |- - If specified and supported by the platform, this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client IPs. This field will be ignored if the - cloud-provider does not support the feature." - More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ - items: - type: string - type: array - x-kubernetes-list-type: atomic - ports: - description: |- - The list of ports that are exposed by this service. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - description: ServicePort contains information on service's port. - properties: - appProtocol: - description: |- - The application protocol for this port. - This is used as a hint for implementations to offer richer behavior for protocols that they understand. - This field follows standard Kubernetes label syntax. - Valid values are either: - - * Un-prefixed protocol names - reserved for IANA standard service names (as per - RFC-6335 and https://www.iana.org/assignments/service-names). - - * Kubernetes-defined prefixed names: - * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- - * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 - * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 - - * Other protocols should use implementation-defined prefixed names such as - mycompany.com/my-custom-protocol. - type: string - name: - description: |- - The name of this port within the service. This must be a DNS_LABEL. - All ports within a ServiceSpec must have unique names. When considering - the endpoints for a Service, this must match the 'name' field in the - EndpointPort. - Optional if only one ServicePort is defined on this service. - type: string - nodePort: - description: |- - The port on each node on which this service is exposed when type is - NodePort or LoadBalancer. Usually assigned by the system. If a value is - specified, in-range, and not in use it will be used, otherwise the - operation will fail. If not specified, a port will be allocated if this - Service requires one. If this field is specified when creating a - Service which does not need it, creation will fail. This field will be - wiped when updating a Service to no longer need it (e.g. changing type - from NodePort to ClusterIP). - More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - format: int32 - type: integer - port: - description: The port that will be exposed by this service. - format: int32 - type: integer - protocol: - default: TCP - description: |- - The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". - Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the pods targeted by the service. - Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named port in the - target Pod's container ports. If this is not specified, the value - of the 'port' field is used (an identity map). - This field is ignored for services with clusterIP=None, and should be - omitted or set equal to the 'port' field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - x-kubernetes-list-map-keys: - - port - - protocol - x-kubernetes-list-type: map - publishNotReadyAddresses: - description: |- - publishNotReadyAddresses indicates that any agent which deals with endpoints for this - Service should disregard any indications of ready/not-ready. - The primary use case for setting this field is for a StatefulSet's Headless Service to - propagate SRV DNS records for its Pods for the purpose of peer discovery. - The Kubernetes controllers that generate Endpoints and EndpointSlice resources for - Services interpret this to mean that all endpoints are considered "ready" even if the - Pods themselves are not. Agents which consume only Kubernetes generated endpoints - through the Endpoints or EndpointSlice resources can safely assume this behavior. - type: boolean - selector: - additionalProperties: - type: string - description: |- - Route service traffic to pods with label keys and values matching this - selector. If empty or not present, the service is assumed to have an - external process managing its endpoints, which Kubernetes will not - modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/ - type: object - x-kubernetes-map-type: atomic - sessionAffinity: - description: |- - Supports "ClientIP" and "None". Used to maintain session affinity. - Enable client IP based session affinity. - Must be ClientIP or None. - Defaults to None. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations of session affinity. - properties: - clientIP: - description: clientIP contains the configurations of Client IP based session affinity. - properties: - timeoutSeconds: - description: |- - timeoutSeconds specifies the seconds of ClientIP type session sticky time. - The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". - Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - trafficDistribution: - description: |- - TrafficDistribution offers a way to express preferences for how traffic is - distributed to Service endpoints. Implementations can use this field as a - hint, but are not required to guarantee strict adherence. If the field is - not set, the implementation will apply its default routing strategy. If set - to "PreferClose", implementations should prioritize endpoints that are - topologically close (e.g., same zone). - This is an alpha field and requires enabling ServiceTrafficDistribution feature. - type: string - type: - description: |- - type determines how the Service is exposed. Defaults to ClusterIP. Valid - options are ExternalName, ClusterIP, NodePort, and LoadBalancer. - "ClusterIP" allocates a cluster-internal IP address for load-balancing - to endpoints. Endpoints are determined by the selector or if that is not - specified, by manual construction of an Endpoints object or - EndpointSlice objects. If clusterIP is "None", no virtual IP is - allocated and the endpoints are published as a set of endpoints rather - than a virtual IP. - "NodePort" builds on ClusterIP and allocates a port on every node which - routes to the same endpoints as the clusterIP. - "LoadBalancer" builds on NodePort and creates an external load-balancer - (if supported in the current cloud) which routes to the same endpoints - as the clusterIP. - "ExternalName" aliases this service to the specified externalName. - Several other fields do not apply to ExternalName services. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. - properties: - certificate: - description: |- - Certificate is a reference to a Kubernetes secret that contains the certificate and private key for enabling TLS. - The referenced secret should contain the following: - - - `ca.crt`: The certificate authority (optional). - - `tls.crt`: The certificate (or a chain). - - `tls.key`: The private key to the first certificate in the certificate chain. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the self-signed certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning of the self-signed certifcate should be disabled. - type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs to include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN entry in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. - type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - image: - description: Image is the Elasticsearch Docker image to deploy. - type: string - monitoring: - description: |- - Monitoring enables you to collect and ship log and monitoring data of this Elasticsearch cluster. - See https://www.elastic.co/guide/en/elasticsearch/reference/current/monitor-elasticsearch-cluster.html. - Metricbeat and Filebeat are deployed in the same Pod as sidecars and each one sends data to one or two different - Elasticsearch monitoring clusters running in the same Kubernetes cluster. - properties: - logs: - description: Logs holds references to Elasticsearch clusters which receive log data from an associated resource. - properties: - elasticsearchRefs: - description: |- - ElasticsearchRefs is a reference to a list of monitoring Elasticsearch clusters running in the same Kubernetes cluster. - Due to existing limitations, only a single Elasticsearch cluster is currently supported. - items: - description: |- - ObjectSelector defines a reference to a Kubernetes object which can be an Elastic resource managed by the operator - or a Secret describing an external Elastic resource not managed by the operator. - properties: - name: - description: Name of an existing Kubernetes object corresponding to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - type: array - type: object - metrics: - description: Metrics holds references to Elasticsearch clusters which receive monitoring data from this resource. - properties: - elasticsearchRefs: - description: |- - ElasticsearchRefs is a reference to a list of monitoring Elasticsearch clusters running in the same Kubernetes cluster. - Due to existing limitations, only a single Elasticsearch cluster is currently supported. - items: - description: |- - ObjectSelector defines a reference to a Kubernetes object which can be an Elastic resource managed by the operator - or a Secret describing an external Elastic resource not managed by the operator. - properties: - name: - description: Name of an existing Kubernetes object corresponding to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - type: array - type: object - type: object - nodeSets: - description: NodeSets allow specifying groups of Elasticsearch nodes sharing the same configuration and Pod templates. - items: - description: NodeSet is the specification for a group of Elasticsearch nodes sharing the same configuration and a Pod template. - properties: - config: - description: Config holds the Elasticsearch configuration. - type: object - x-kubernetes-preserve-unknown-fields: true - count: - description: |- - Count of Elasticsearch nodes to deploy. - If the node set is managed by an autoscaling policy the initial value is automatically set by the autoscaling controller. - format: int32 - type: integer - name: - description: Name of this set of nodes. Becomes a part of the Elasticsearch node.name setting. - maxLength: 23 - pattern: '[a-zA-Z0-9-]+' - type: string - podTemplate: - description: PodTemplate provides customisation options (labels, annotations, affinity rules, resource requests, and so on) for the Pods belonging to this NodeSet. - type: object - x-kubernetes-preserve-unknown-fields: true - volumeClaimTemplates: - description: |- - VolumeClaimTemplates is a list of persistent volume claims to be used by each Pod in this NodeSet. - Every claim in this list must have a matching volumeMount in one of the containers defined in the PodTemplate. - Items defined here take precedence over any default claims added by the operator with the same name. - items: - description: PersistentVolumeClaim is a user's request for and claim to a persistent volume - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - description: |- - Standard object's metadata. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: |- - spec defines the desired characteristics of a volume requested by a pod author. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over volumes to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass - will be applied to the claim but it's not allowed to reset this field to empty string once it is set. - If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass - will be set by the persistentvolume controller if it exists. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference to the PersistentVolume backing this claim. - type: string - type: object - type: object - type: array - required: - - name - type: object - minItems: 1 - type: array - podDisruptionBudget: - description: |- - PodDisruptionBudget provides access to the default Pod disruption budget for the Elasticsearch cluster. - The default budget doesn't allow any Pod to be removed in case the cluster is not green or if there is only one node of type `data` or `master`. - In all other cases the default PodDisruptionBudget sets `minUnavailable` equal to the total number of nodes minus 1. - To disable, set `PodDisruptionBudget` to the empty value (`{}` in YAML). - properties: - metadata: - description: |- - ObjectMeta is the metadata of the PDB. - The name and namespace provided here are managed by ECK and will be ignored. - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: Spec is the specification of the PDB. - properties: - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - An eviction is allowed if at most "maxUnavailable" pods selected by - "selector" are unavailable after the eviction, i.e. even in absence of - the evicted pod. For example, one can prevent all voluntary evictions - by specifying 0. This is a mutually exclusive setting with "minAvailable". - x-kubernetes-int-or-string: true - minAvailable: - anyOf: - - type: integer - - type: string - description: |- - An eviction is allowed if at least "minAvailable" pods selected by - "selector" will still be available after the eviction, i.e. even in the - absence of the evicted pod. So for example you can prevent all voluntary - evictions by specifying "100%". - x-kubernetes-int-or-string: true - selector: - description: |- - Label query over pods whose evictions are managed by the disruption - budget. - A null selector will match no pods, while an empty ({}) selector will select - all pods within the namespace. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - unhealthyPodEvictionPolicy: - description: |- - UnhealthyPodEvictionPolicy defines the criteria for when unhealthy pods - should be considered for eviction. Current implementation considers healthy pods, - as pods that have status.conditions item with type="Ready",status="True". - - Valid policies are IfHealthyBudget and AlwaysAllow. - If no policy is specified, the default behavior will be used, - which corresponds to the IfHealthyBudget policy. - - IfHealthyBudget policy means that running pods (status.phase="Running"), - but not yet healthy can be evicted only if the guarded application is not - disrupted (status.currentHealthy is at least equal to status.desiredHealthy). - Healthy pods will be subject to the PDB for eviction. - - AlwaysAllow policy means that all running pods (status.phase="Running"), - but not yet healthy are considered disrupted and can be evicted regardless - of whether the criteria in a PDB is met. This means perspective running - pods of a disrupted application might not get a chance to become healthy. - Healthy pods will be subject to the PDB for eviction. - - Additional policies may be added in the future. - Clients making eviction decisions should disallow eviction of unhealthy pods - if they encounter an unrecognized policy in this field. - - This field is beta-level. The eviction API uses this field when - the feature gate PDBUnhealthyPodEvictionPolicy is enabled (enabled by default). - type: string - type: object - type: object - remoteClusterServer: - description: |- - RemoteClusterServer specifies if the remote cluster server should be enabled. - This must be enabled if this cluster is a remote cluster which is expected to be accessed using API key authentication. - properties: - enabled: - type: boolean - type: object - remoteClusters: - description: RemoteClusters enables you to establish uni-directional connections to a remote Elasticsearch cluster. - items: - description: RemoteCluster declares a remote Elasticsearch cluster connection. - properties: - apiKey: - description: 'APIKey can be used to enable remote cluster access using Cross-Cluster API keys: https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-create-cross-cluster-api-key.html' - properties: - access: - description: Access is the name of the API Key. It is automatically generated if not set or empty. - properties: - replication: - properties: - names: - items: - type: string - type: array - required: - - names - type: object - search: - properties: - allow_restricted_indices: - type: boolean - field_security: - properties: - except: - items: - type: string - type: array - grant: - items: - type: string - type: array - required: - - except - - grant - type: object - names: - items: - type: string - type: array - query: - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - names - type: object - type: object - required: - - access - type: object - elasticsearchRef: - description: ElasticsearchRef is a reference to an Elasticsearch cluster running within the same k8s cluster. - properties: - name: - description: Name of an existing Kubernetes object corresponding to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults to the current namespace. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - name: - description: |- - Name is the name of the remote cluster as it is set in the Elasticsearch settings. - The name is expected to be unique for each remote clusters. - minLength: 1 - type: string - required: - - name - type: object - type: array - revisionHistoryLimit: - description: RevisionHistoryLimit is the number of revisions to retain to allow rollback in the underlying StatefulSets. - format: int32 - type: integer - secureSettings: - description: SecureSettings is a list of references to Kubernetes secrets containing sensitive configuration options for Elasticsearch. - items: - description: SecretSource defines a data source based on a Kubernetes Secret. - properties: - entries: - description: |- - Entries define how to project each key-value pair in the secret to filesystem paths. - If not defined, all keys will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: |- - Path is the relative file path to map the key to. - Path must not be an absolute file path and must not contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. - type: string - required: - - secretName - type: object - type: array - serviceAccountName: - description: |- - ServiceAccountName is used to check access from the current resource to a resource (for ex. a remote Elasticsearch cluster) in a different namespace. - Can only be used if ECK is enforcing RBAC on references. - type: string - transport: - description: Transport holds transport layer settings for Elasticsearch. - properties: - service: - description: Service defines the template for the associated Kubernetes Service object. - properties: - metadata: - description: |- - ObjectMeta is the metadata of the service. - The name and namespace provided here are managed by ECK and will be ignored. - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: Spec is the specification of the service. - properties: - allocateLoadBalancerNodePorts: - description: |- - allocateLoadBalancerNodePorts defines if NodePorts will be automatically - allocated for services with type LoadBalancer. Default is "true". It - may be set to "false" if the cluster load-balancer does not rely on - NodePorts. If the caller requests specific NodePorts (by specifying a - value), those requests will be respected, regardless of this field. - This field may only be set for services with type LoadBalancer and will - be cleared if the type is changed to any other type. - type: boolean - clusterIP: - description: |- - clusterIP is the IP address of the service and is usually assigned - randomly. If an address is specified manually, is in-range (as per - system configuration), and is not in use, it will be allocated to the - service; otherwise creation of the service will fail. This field may not - be changed through updates unless the type field is also being changed - to ExternalName (which requires this field to be blank) or the type - field is being changed from ExternalName (in which case this field may - optionally be specified, as describe above). Valid values are "None", - empty string (""), or a valid IP address. Setting this to "None" makes a - "headless service" (no virtual IP), which is useful when direct endpoint - connections are preferred and proxying is not required. Only applies to - types ClusterIP, NodePort, and LoadBalancer. If this field is specified - when creating a Service of type ExternalName, creation will fail. This - field will be wiped when updating a Service to type ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - clusterIPs: - description: |- - ClusterIPs is a list of IP addresses assigned to this service, and are - usually assigned randomly. If an address is specified manually, is - in-range (as per system configuration), and is not in use, it will be - allocated to the service; otherwise creation of the service will fail. - This field may not be changed through updates unless the type field is - also being changed to ExternalName (which requires this field to be - empty) or the type field is being changed from ExternalName (in which - case this field may optionally be specified, as describe above). Valid - values are "None", empty string (""), or a valid IP address. Setting - this to "None" makes a "headless service" (no virtual IP), which is - useful when direct endpoint connections are preferred and proxying is - not required. Only applies to types ClusterIP, NodePort, and - LoadBalancer. If this field is specified when creating a Service of type - ExternalName, creation will fail. This field will be wiped when updating - a Service to type ExternalName. If this field is not specified, it will - be initialized from the clusterIP field. If this field is specified, - clients must ensure that clusterIPs[0] and clusterIP have the same - value. - - This field may hold a maximum of two entries (dual-stack IPs, in either order). - These IPs must correspond to the values of the ipFamilies field. Both - clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalIPs: - description: |- - externalIPs is a list of IP addresses for which nodes in the cluster - will also accept traffic for this service. These IPs are not managed by - Kubernetes. The user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external load-balancers - that are not part of the Kubernetes system. - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalName: - description: |- - externalName is the external reference that discovery mechanisms will - return as an alias for this service (e.g. a DNS CNAME record). No - proxying will be involved. Must be a lowercase RFC-1123 hostname - (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName". - type: string - externalTrafficPolicy: - description: |- - externalTrafficPolicy describes how nodes distribute service traffic they - receive on one of the Service's "externally-facing" addresses (NodePorts, - ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure - the service in a way that assumes that external load balancers will take care - of balancing the service traffic between nodes, and so each node will deliver - traffic only to the node-local endpoints of the service, without masquerading - the client source IP. (Traffic mistakenly sent to a node with no endpoints will - be dropped.) The default value, "Cluster", uses the standard behavior of - routing to all endpoints evenly (possibly modified by topology and other - features). Note that traffic sent to an External IP or LoadBalancer IP from - within the cluster will always get "Cluster" semantics, but clients sending to - a NodePort from within the cluster may need to take traffic policy into account - when picking a node. - type: string - healthCheckNodePort: - description: |- - healthCheckNodePort specifies the healthcheck nodePort for the service. - This only applies when type is set to LoadBalancer and - externalTrafficPolicy is set to Local. If a value is specified, is - in-range, and is not in use, it will be used. If not specified, a value - will be automatically allocated. External systems (e.g. load-balancers) - can use this port to determine if a given node holds endpoints for this - service or not. If this field is specified when creating a Service - which does not need it, creation will fail. This field will be wiped - when updating a Service to no longer need it (e.g. changing type). - This field cannot be updated once set. - format: int32 - type: integer - internalTrafficPolicy: - description: |- - InternalTrafficPolicy describes how nodes distribute service traffic they - receive on the ClusterIP. If set to "Local", the proxy will assume that pods - only want to talk to endpoints of the service on the same node as the pod, - dropping the traffic if there are no local endpoints. The default value, - "Cluster", uses the standard behavior of routing to all endpoints evenly - (possibly modified by topology and other features). - type: string - ipFamilies: - description: |- - IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this - service. This field is usually assigned automatically based on cluster - configuration and the ipFamilyPolicy field. If this field is specified - manually, the requested family is available in the cluster, - and ipFamilyPolicy allows it, it will be used; otherwise creation of - the service will fail. This field is conditionally mutable: it allows - for adding or removing a secondary IP family, but it does not allow - changing the primary IP family of the Service. Valid values are "IPv4" - and "IPv6". This field only applies to Services of types ClusterIP, - NodePort, and LoadBalancer, and does apply to "headless" services. - This field will be wiped when updating a Service to type ExternalName. - - This field may hold a maximum of two entries (dual-stack families, in - either order). These families must correspond to the values of the - clusterIPs field, if specified. Both clusterIPs and ipFamilies are - governed by the ipFamilyPolicy field. - items: - description: |- - IPFamily represents the IP Family (IPv4 or IPv6). This type is used - to express the family of an IP expressed by a type (e.g. service.spec.ipFamilies). - type: string - type: array - x-kubernetes-list-type: atomic - ipFamilyPolicy: - description: |- - IPFamilyPolicy represents the dual-stack-ness requested or required by - this Service. If there is no value provided, then this field will be set - to SingleStack. Services can be "SingleStack" (a single IP family), - "PreferDualStack" (two IP families on dual-stack configured clusters or - a single IP family on single-stack clusters), or "RequireDualStack" - (two IP families on dual-stack configured clusters, otherwise fail). The - ipFamilies and clusterIPs fields depend on the value of this field. This - field will be wiped when updating a service to type ExternalName. - type: string - loadBalancerClass: - description: |- - loadBalancerClass is the class of the load balancer implementation this Service belongs to. - If specified, the value of this field must be a label-style identifier, with an optional prefix, - e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. - This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load - balancer implementation is used, today this is typically done through the cloud provider integration, - but should apply for any default implementation. If set, it is assumed that a load balancer - implementation is watching for Services with a matching class. Any default load balancer - implementation (e.g. cloud providers) should ignore Services that set this field. - This field can only be set when creating or updating a Service to type 'LoadBalancer'. - Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. - type: string - loadBalancerIP: - description: |- - Only applies to Service Type: LoadBalancer. - This feature depends on whether the underlying cloud-provider supports specifying - the loadBalancerIP when a load balancer is created. - This field will be ignored if the cloud-provider does not support the feature. - Deprecated: This field was under-specified and its meaning varies across implementations. - Using it is non-portable and it may not support dual-stack. - Users are encouraged to use implementation-specific annotations when available. - type: string - loadBalancerSourceRanges: - description: |- - If specified and supported by the platform, this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client IPs. This field will be ignored if the - cloud-provider does not support the feature." - More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ - items: - type: string - type: array - x-kubernetes-list-type: atomic - ports: - description: |- - The list of ports that are exposed by this service. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - description: ServicePort contains information on service's port. - properties: - appProtocol: - description: |- - The application protocol for this port. - This is used as a hint for implementations to offer richer behavior for protocols that they understand. - This field follows standard Kubernetes label syntax. - Valid values are either: - - * Un-prefixed protocol names - reserved for IANA standard service names (as per - RFC-6335 and https://www.iana.org/assignments/service-names). - - * Kubernetes-defined prefixed names: - * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- - * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 - * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 - - * Other protocols should use implementation-defined prefixed names such as - mycompany.com/my-custom-protocol. - type: string - name: - description: |- - The name of this port within the service. This must be a DNS_LABEL. - All ports within a ServiceSpec must have unique names. When considering - the endpoints for a Service, this must match the 'name' field in the - EndpointPort. - Optional if only one ServicePort is defined on this service. - type: string - nodePort: - description: |- - The port on each node on which this service is exposed when type is - NodePort or LoadBalancer. Usually assigned by the system. If a value is - specified, in-range, and not in use it will be used, otherwise the - operation will fail. If not specified, a port will be allocated if this - Service requires one. If this field is specified when creating a - Service which does not need it, creation will fail. This field will be - wiped when updating a Service to no longer need it (e.g. changing type - from NodePort to ClusterIP). - More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - format: int32 - type: integer - port: - description: The port that will be exposed by this service. - format: int32 - type: integer - protocol: - default: TCP - description: |- - The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". - Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the pods targeted by the service. - Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named port in the - target Pod's container ports. If this is not specified, the value - of the 'port' field is used (an identity map). - This field is ignored for services with clusterIP=None, and should be - omitted or set equal to the 'port' field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - x-kubernetes-list-map-keys: - - port - - protocol - x-kubernetes-list-type: map - publishNotReadyAddresses: - description: |- - publishNotReadyAddresses indicates that any agent which deals with endpoints for this - Service should disregard any indications of ready/not-ready. - The primary use case for setting this field is for a StatefulSet's Headless Service to - propagate SRV DNS records for its Pods for the purpose of peer discovery. - The Kubernetes controllers that generate Endpoints and EndpointSlice resources for - Services interpret this to mean that all endpoints are considered "ready" even if the - Pods themselves are not. Agents which consume only Kubernetes generated endpoints - through the Endpoints or EndpointSlice resources can safely assume this behavior. - type: boolean - selector: - additionalProperties: - type: string - description: |- - Route service traffic to pods with label keys and values matching this - selector. If empty or not present, the service is assumed to have an - external process managing its endpoints, which Kubernetes will not - modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/ - type: object - x-kubernetes-map-type: atomic - sessionAffinity: - description: |- - Supports "ClientIP" and "None". Used to maintain session affinity. - Enable client IP based session affinity. - Must be ClientIP or None. - Defaults to None. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations of session affinity. - properties: - clientIP: - description: clientIP contains the configurations of Client IP based session affinity. - properties: - timeoutSeconds: - description: |- - timeoutSeconds specifies the seconds of ClientIP type session sticky time. - The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". - Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - trafficDistribution: - description: |- - TrafficDistribution offers a way to express preferences for how traffic is - distributed to Service endpoints. Implementations can use this field as a - hint, but are not required to guarantee strict adherence. If the field is - not set, the implementation will apply its default routing strategy. If set - to "PreferClose", implementations should prioritize endpoints that are - topologically close (e.g., same zone). - This is an alpha field and requires enabling ServiceTrafficDistribution feature. - type: string - type: - description: |- - type determines how the Service is exposed. Defaults to ClusterIP. Valid - options are ExternalName, ClusterIP, NodePort, and LoadBalancer. - "ClusterIP" allocates a cluster-internal IP address for load-balancing - to endpoints. Endpoints are determined by the selector or if that is not - specified, by manual construction of an Endpoints object or - EndpointSlice objects. If clusterIP is "None", no virtual IP is - allocated and the endpoints are published as a set of endpoints rather - than a virtual IP. - "NodePort" builds on ClusterIP and allocates a port on every node which - routes to the same endpoints as the clusterIP. - "LoadBalancer" builds on NodePort and creates an external load-balancer - (if supported in the current cloud) which routes to the same endpoints - as the clusterIP. - "ExternalName" aliases this service to the specified externalName. - Several other fields do not apply to ExternalName services. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS on the transport layer. - properties: - certificate: - description: |- - Certificate is a reference to a Kubernetes secret that contains the CA certificate - and private key for generating node certificates. - The referenced secret should contain the following: - - - `ca.crt`: The CA certificate in PEM format. - - `ca.key`: The private key for the CA certificate in PEM format. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - certificateAuthorities: - description: |- - CertificateAuthorities is a reference to a config map that contains one or more x509 certificates for - trusted authorities in PEM format. The certificates need to be in a file called `ca.crt`. - properties: - configMapName: - type: string - type: object - otherNameSuffix: - description: |- - OtherNameSuffix when defined will be prefixed with the Pod name and used as the common name, - and the first DNSName, as well as an OtherName required by Elasticsearch in the Subject Alternative Name - extension of each Elasticsearch node's transport TLS certificate. - Example: if set to "node.cluster.local", the generated certificate will have its otherName set to ".node.cluster.local". - type: string - selfSignedCertificates: - description: SelfSignedCertificates allows configuring the self-signed certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that provisioning of the self-signed certificates should be disabled. - type: boolean - type: object - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs to include in the generated node transport TLS certificates. - items: - description: SubjectAlternativeName represents a SAN entry in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. - type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - updateStrategy: - description: UpdateStrategy specifies how updates to the cluster should be performed. - properties: - changeBudget: - description: ChangeBudget defines the constraints to consider when applying changes to the Elasticsearch cluster. - properties: - maxSurge: - description: |- - MaxSurge is the maximum number of new Pods that can be created exceeding the original number of Pods defined in - the specification. MaxSurge is only taken into consideration when scaling up. Setting a negative value will - disable the restriction. Defaults to unbounded if not specified. - format: int32 - type: integer - maxUnavailable: - description: |- - MaxUnavailable is the maximum number of Pods that can be unavailable (not ready) during the update due to - circumstances under the control of the operator. Setting a negative value will disable this restriction. - Defaults to 1 if not specified. - format: int32 - type: integer - type: object - type: object - version: - description: Version of Elasticsearch. - type: string - volumeClaimDeletePolicy: - description: |- - VolumeClaimDeletePolicy sets the policy for handling deletion of PersistentVolumeClaims for all NodeSets. - Possible values are DeleteOnScaledownOnly and DeleteOnScaledownAndClusterDeletion. Defaults to DeleteOnScaledownAndClusterDeletion. - enum: - - DeleteOnScaledownOnly - - DeleteOnScaledownAndClusterDeletion - type: string - required: - - nodeSets - - version - type: object - status: - description: ElasticsearchStatus represents the observed state of Elasticsearch. - properties: - availableNodes: - description: AvailableNodes is the number of available instances. - format: int32 - type: integer - conditions: - description: |- - Conditions holds the current service state of an Elasticsearch cluster. - **This API is in technical preview and may be changed or removed in a future release.** - items: - description: |- - Condition represents Elasticsearch resource's condition. - **This API is in technical preview and may be changed or removed in a future release.** - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - status: - type: string - type: - description: ConditionType defines the condition of an Elasticsearch resource. - type: string - required: - - status - - type - type: object - type: array - health: - description: ElasticsearchHealth is the health of the cluster as returned by the health API. - type: string - inProgressOperations: - description: |- - InProgressOperations represents changes being applied by the operator to the Elasticsearch cluster. - **This API is in technical preview and may be changed or removed in a future release.** - properties: - downscale: - description: |- - DownscaleOperation provides details about in progress downscale operations. - **This API is in technical preview and may be changed or removed in a future release.** - properties: - lastUpdatedTime: - format: date-time - type: string - nodes: - description: Nodes which are scheduled to be removed from the cluster. - items: - description: |- - DownscaledNode provides an overview of in progress changes applied by the operator to remove Elasticsearch nodes from the cluster. - **This API is in technical preview and may be changed or removed in a future release.** - properties: - explanation: - description: |- - Explanation provides details about an in progress node shutdown. It is only available for clusters managed with the - Elasticsearch shutdown API. - type: string - name: - description: Name of the Elasticsearch node that should be removed. - type: string - shutdownStatus: - description: |- - Shutdown status as returned by the Elasticsearch shutdown API. - If the Elasticsearch shutdown API is not available, the shutdown status is then inferred from the remaining - shards on the nodes, as observed by the operator. - type: string - required: - - name - - shutdownStatus - type: object - type: array - stalled: - description: |- - Stalled represents a state where no progress can be made. - It is only available for clusters managed with the Elasticsearch shutdown API. - type: boolean - type: object - upgrade: - description: |- - UpgradeOperation provides an overview of the pending or in progress changes applied by the operator to update the Elasticsearch nodes in the cluster. - **This API is in technical preview and may be changed or removed in a future release.** - properties: - lastUpdatedTime: - format: date-time - type: string - nodes: - description: Nodes that must be restarted for upgrade. - items: - description: |- - UpgradedNode provides details about the status of nodes which are expected to be updated. - **This API is in technical preview and may be changed or removed in a future release.** - properties: - message: - description: Optional message to explain why a node may not be immediately restarted for upgrade. - type: string - name: - description: Name of the Elasticsearch node that should be upgraded. - type: string - predicate: - description: Predicate is the name of the predicate currently preventing this node from being deleted for an upgrade. - type: string - status: - description: |- - Status states if the node is either in the process of being deleted for an upgrade, - or blocked by a predicate or another condition stated in the message field. - type: string - required: - - name - - status - type: object - type: array - type: object - upscale: - description: |- - UpscaleOperation provides an overview of in progress changes applied by the operator to add Elasticsearch nodes to the cluster. - **This API is in technical preview and may be changed or removed in a future release.** - properties: - lastUpdatedTime: - format: date-time - type: string - nodes: - description: Nodes expected to be added by the operator. - items: - properties: - message: - description: Optional message to explain why a node may not be immediately added. - type: string - name: - description: Name of the Elasticsearch node that should be added to the cluster. - type: string - status: - description: NewNodeStatus states if a new node is being created, or if the upscale is delayed. - type: string - required: - - name - - status - type: object - type: array - type: object - required: - - downscale - - upgrade - - upscale - type: object - monitoringAssociationStatus: - additionalProperties: - description: AssociationStatus is the status of an association resource. - type: string - description: |- - AssociationStatusMap is the map of association's namespaced name string to its AssociationStatus. For resources that - have a single Association of a given type (for ex. single ES reference), this map contains a single entry. - type: object - observedGeneration: - description: |- - ObservedGeneration is the most recent generation observed for this Elasticsearch cluster. - It corresponds to the metadata generation, which is updated on mutation by the API Server. - If the generation observed in status diverges from the generation in metadata, the Elasticsearch - controller has not yet processed the changes contained in the Elasticsearch specification. - format: int64 - type: integer - phase: - description: ElasticsearchOrchestrationPhase is the phase Elasticsearch is in from the controller point of view. - type: string - version: - description: |- - Version of the stack resource currently running. During version upgrades, multiple versions may run - in parallel: this value specifies the lowest version currently running. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .status.health - name: health - type: string - - description: Available nodes - jsonPath: .status.availableNodes - name: nodes - type: integer - - description: Elasticsearch version - jsonPath: .spec.version - name: version - type: string - - jsonPath: .status.phase - name: phase - type: string - - jsonPath: .metadata.creationTimestamp - name: age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: Elasticsearch represents an Elasticsearch resource in a Kubernetes cluster. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ElasticsearchSpec holds the specification of an Elasticsearch cluster. - properties: - http: - description: HTTP holds HTTP layer settings for Elasticsearch. - properties: - service: - description: Service defines the template for the associated Kubernetes Service object. - properties: - metadata: - description: |- - ObjectMeta is the metadata of the service. - The name and namespace provided here are managed by ECK and will be ignored. - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: Spec is the specification of the service. - properties: - allocateLoadBalancerNodePorts: - description: |- - allocateLoadBalancerNodePorts defines if NodePorts will be automatically - allocated for services with type LoadBalancer. Default is "true". It - may be set to "false" if the cluster load-balancer does not rely on - NodePorts. If the caller requests specific NodePorts (by specifying a - value), those requests will be respected, regardless of this field. - This field may only be set for services with type LoadBalancer and will - be cleared if the type is changed to any other type. - type: boolean - clusterIP: - description: |- - clusterIP is the IP address of the service and is usually assigned - randomly. If an address is specified manually, is in-range (as per - system configuration), and is not in use, it will be allocated to the - service; otherwise creation of the service will fail. This field may not - be changed through updates unless the type field is also being changed - to ExternalName (which requires this field to be blank) or the type - field is being changed from ExternalName (in which case this field may - optionally be specified, as describe above). Valid values are "None", - empty string (""), or a valid IP address. Setting this to "None" makes a - "headless service" (no virtual IP), which is useful when direct endpoint - connections are preferred and proxying is not required. Only applies to - types ClusterIP, NodePort, and LoadBalancer. If this field is specified - when creating a Service of type ExternalName, creation will fail. This - field will be wiped when updating a Service to type ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - clusterIPs: - description: |- - ClusterIPs is a list of IP addresses assigned to this service, and are - usually assigned randomly. If an address is specified manually, is - in-range (as per system configuration), and is not in use, it will be - allocated to the service; otherwise creation of the service will fail. - This field may not be changed through updates unless the type field is - also being changed to ExternalName (which requires this field to be - empty) or the type field is being changed from ExternalName (in which - case this field may optionally be specified, as describe above). Valid - values are "None", empty string (""), or a valid IP address. Setting - this to "None" makes a "headless service" (no virtual IP), which is - useful when direct endpoint connections are preferred and proxying is - not required. Only applies to types ClusterIP, NodePort, and - LoadBalancer. If this field is specified when creating a Service of type - ExternalName, creation will fail. This field will be wiped when updating - a Service to type ExternalName. If this field is not specified, it will - be initialized from the clusterIP field. If this field is specified, - clients must ensure that clusterIPs[0] and clusterIP have the same - value. - - This field may hold a maximum of two entries (dual-stack IPs, in either order). - These IPs must correspond to the values of the ipFamilies field. Both - clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalIPs: - description: |- - externalIPs is a list of IP addresses for which nodes in the cluster - will also accept traffic for this service. These IPs are not managed by - Kubernetes. The user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external load-balancers - that are not part of the Kubernetes system. - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalName: - description: |- - externalName is the external reference that discovery mechanisms will - return as an alias for this service (e.g. a DNS CNAME record). No - proxying will be involved. Must be a lowercase RFC-1123 hostname - (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName". - type: string - externalTrafficPolicy: - description: |- - externalTrafficPolicy describes how nodes distribute service traffic they - receive on one of the Service's "externally-facing" addresses (NodePorts, - ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure - the service in a way that assumes that external load balancers will take care - of balancing the service traffic between nodes, and so each node will deliver - traffic only to the node-local endpoints of the service, without masquerading - the client source IP. (Traffic mistakenly sent to a node with no endpoints will - be dropped.) The default value, "Cluster", uses the standard behavior of - routing to all endpoints evenly (possibly modified by topology and other - features). Note that traffic sent to an External IP or LoadBalancer IP from - within the cluster will always get "Cluster" semantics, but clients sending to - a NodePort from within the cluster may need to take traffic policy into account - when picking a node. - type: string - healthCheckNodePort: - description: |- - healthCheckNodePort specifies the healthcheck nodePort for the service. - This only applies when type is set to LoadBalancer and - externalTrafficPolicy is set to Local. If a value is specified, is - in-range, and is not in use, it will be used. If not specified, a value - will be automatically allocated. External systems (e.g. load-balancers) - can use this port to determine if a given node holds endpoints for this - service or not. If this field is specified when creating a Service - which does not need it, creation will fail. This field will be wiped - when updating a Service to no longer need it (e.g. changing type). - This field cannot be updated once set. - format: int32 - type: integer - internalTrafficPolicy: - description: |- - InternalTrafficPolicy describes how nodes distribute service traffic they - receive on the ClusterIP. If set to "Local", the proxy will assume that pods - only want to talk to endpoints of the service on the same node as the pod, - dropping the traffic if there are no local endpoints. The default value, - "Cluster", uses the standard behavior of routing to all endpoints evenly - (possibly modified by topology and other features). - type: string - ipFamilies: - description: |- - IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this - service. This field is usually assigned automatically based on cluster - configuration and the ipFamilyPolicy field. If this field is specified - manually, the requested family is available in the cluster, - and ipFamilyPolicy allows it, it will be used; otherwise creation of - the service will fail. This field is conditionally mutable: it allows - for adding or removing a secondary IP family, but it does not allow - changing the primary IP family of the Service. Valid values are "IPv4" - and "IPv6". This field only applies to Services of types ClusterIP, - NodePort, and LoadBalancer, and does apply to "headless" services. - This field will be wiped when updating a Service to type ExternalName. - - This field may hold a maximum of two entries (dual-stack families, in - either order). These families must correspond to the values of the - clusterIPs field, if specified. Both clusterIPs and ipFamilies are - governed by the ipFamilyPolicy field. - items: - description: |- - IPFamily represents the IP Family (IPv4 or IPv6). This type is used - to express the family of an IP expressed by a type (e.g. service.spec.ipFamilies). - type: string - type: array - x-kubernetes-list-type: atomic - ipFamilyPolicy: - description: |- - IPFamilyPolicy represents the dual-stack-ness requested or required by - this Service. If there is no value provided, then this field will be set - to SingleStack. Services can be "SingleStack" (a single IP family), - "PreferDualStack" (two IP families on dual-stack configured clusters or - a single IP family on single-stack clusters), or "RequireDualStack" - (two IP families on dual-stack configured clusters, otherwise fail). The - ipFamilies and clusterIPs fields depend on the value of this field. This - field will be wiped when updating a service to type ExternalName. - type: string - loadBalancerClass: - description: |- - loadBalancerClass is the class of the load balancer implementation this Service belongs to. - If specified, the value of this field must be a label-style identifier, with an optional prefix, - e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. - This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load - balancer implementation is used, today this is typically done through the cloud provider integration, - but should apply for any default implementation. If set, it is assumed that a load balancer - implementation is watching for Services with a matching class. Any default load balancer - implementation (e.g. cloud providers) should ignore Services that set this field. - This field can only be set when creating or updating a Service to type 'LoadBalancer'. - Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. - type: string - loadBalancerIP: - description: |- - Only applies to Service Type: LoadBalancer. - This feature depends on whether the underlying cloud-provider supports specifying - the loadBalancerIP when a load balancer is created. - This field will be ignored if the cloud-provider does not support the feature. - Deprecated: This field was under-specified and its meaning varies across implementations. - Using it is non-portable and it may not support dual-stack. - Users are encouraged to use implementation-specific annotations when available. - type: string - loadBalancerSourceRanges: - description: |- - If specified and supported by the platform, this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client IPs. This field will be ignored if the - cloud-provider does not support the feature." - More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ - items: - type: string - type: array - x-kubernetes-list-type: atomic - ports: - description: |- - The list of ports that are exposed by this service. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - description: ServicePort contains information on service's port. - properties: - appProtocol: - description: |- - The application protocol for this port. - This is used as a hint for implementations to offer richer behavior for protocols that they understand. - This field follows standard Kubernetes label syntax. - Valid values are either: - - * Un-prefixed protocol names - reserved for IANA standard service names (as per - RFC-6335 and https://www.iana.org/assignments/service-names). - - * Kubernetes-defined prefixed names: - * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- - * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 - * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 - - * Other protocols should use implementation-defined prefixed names such as - mycompany.com/my-custom-protocol. - type: string - name: - description: |- - The name of this port within the service. This must be a DNS_LABEL. - All ports within a ServiceSpec must have unique names. When considering - the endpoints for a Service, this must match the 'name' field in the - EndpointPort. - Optional if only one ServicePort is defined on this service. - type: string - nodePort: - description: |- - The port on each node on which this service is exposed when type is - NodePort or LoadBalancer. Usually assigned by the system. If a value is - specified, in-range, and not in use it will be used, otherwise the - operation will fail. If not specified, a port will be allocated if this - Service requires one. If this field is specified when creating a - Service which does not need it, creation will fail. This field will be - wiped when updating a Service to no longer need it (e.g. changing type - from NodePort to ClusterIP). - More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - format: int32 - type: integer - port: - description: The port that will be exposed by this service. - format: int32 - type: integer - protocol: - default: TCP - description: |- - The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". - Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the pods targeted by the service. - Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named port in the - target Pod's container ports. If this is not specified, the value - of the 'port' field is used (an identity map). - This field is ignored for services with clusterIP=None, and should be - omitted or set equal to the 'port' field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - x-kubernetes-list-map-keys: - - port - - protocol - x-kubernetes-list-type: map - publishNotReadyAddresses: - description: |- - publishNotReadyAddresses indicates that any agent which deals with endpoints for this - Service should disregard any indications of ready/not-ready. - The primary use case for setting this field is for a StatefulSet's Headless Service to - propagate SRV DNS records for its Pods for the purpose of peer discovery. - The Kubernetes controllers that generate Endpoints and EndpointSlice resources for - Services interpret this to mean that all endpoints are considered "ready" even if the - Pods themselves are not. Agents which consume only Kubernetes generated endpoints - through the Endpoints or EndpointSlice resources can safely assume this behavior. - type: boolean - selector: - additionalProperties: - type: string - description: |- - Route service traffic to pods with label keys and values matching this - selector. If empty or not present, the service is assumed to have an - external process managing its endpoints, which Kubernetes will not - modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/ - type: object - x-kubernetes-map-type: atomic - sessionAffinity: - description: |- - Supports "ClientIP" and "None". Used to maintain session affinity. - Enable client IP based session affinity. - Must be ClientIP or None. - Defaults to None. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations of session affinity. - properties: - clientIP: - description: clientIP contains the configurations of Client IP based session affinity. - properties: - timeoutSeconds: - description: |- - timeoutSeconds specifies the seconds of ClientIP type session sticky time. - The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". - Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - trafficDistribution: - description: |- - TrafficDistribution offers a way to express preferences for how traffic is - distributed to Service endpoints. Implementations can use this field as a - hint, but are not required to guarantee strict adherence. If the field is - not set, the implementation will apply its default routing strategy. If set - to "PreferClose", implementations should prioritize endpoints that are - topologically close (e.g., same zone). - This is an alpha field and requires enabling ServiceTrafficDistribution feature. - type: string - type: - description: |- - type determines how the Service is exposed. Defaults to ClusterIP. Valid - options are ExternalName, ClusterIP, NodePort, and LoadBalancer. - "ClusterIP" allocates a cluster-internal IP address for load-balancing - to endpoints. Endpoints are determined by the selector or if that is not - specified, by manual construction of an Endpoints object or - EndpointSlice objects. If clusterIP is "None", no virtual IP is - allocated and the endpoints are published as a set of endpoints rather - than a virtual IP. - "NodePort" builds on ClusterIP and allocates a port on every node which - routes to the same endpoints as the clusterIP. - "LoadBalancer" builds on NodePort and creates an external load-balancer - (if supported in the current cloud) which routes to the same endpoints - as the clusterIP. - "ExternalName" aliases this service to the specified externalName. - Several other fields do not apply to ExternalName services. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. - properties: - certificate: - description: |- - Certificate is a reference to a Kubernetes secret that contains the certificate and private key for enabling TLS. - The referenced secret should contain the following: - - - `ca.crt`: The certificate authority (optional). - - `tls.crt`: The certificate (or a chain). - - `tls.key`: The private key to the first certificate in the certificate chain. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the self-signed certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning of the self-signed certifcate should be disabled. - type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs to include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN entry in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. - type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - image: - description: Image is the Elasticsearch Docker image to deploy. - type: string - nodeSets: - description: NodeSets allow specifying groups of Elasticsearch nodes sharing the same configuration and Pod templates. - items: - description: NodeSet is the specification for a group of Elasticsearch nodes sharing the same configuration and a Pod template. - properties: - config: - description: Config holds the Elasticsearch configuration. - type: object - count: - description: Count of Elasticsearch nodes to deploy. - format: int32 - minimum: 1 - type: integer - name: - description: Name of this set of nodes. Becomes a part of the Elasticsearch node.name setting. - maxLength: 23 - pattern: '[a-zA-Z0-9-]+' - type: string - podTemplate: - description: PodTemplate provides customisation options (labels, annotations, affinity rules, resource requests, and so on) for the Pods belonging to this NodeSet. - type: object - volumeClaimTemplates: - description: |- - VolumeClaimTemplates is a list of persistent volume claims to be used by each Pod in this NodeSet. - Every claim in this list must have a matching volumeMount in one of the containers defined in the PodTemplate. - Items defined here take precedence over any default claims added by the operator with the same name. - items: - description: PersistentVolumeClaim is a user's request for and claim to a persistent volume - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - description: |- - Standard object's metadata. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: |- - spec defines the desired characteristics of a volume requested by a pod author. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over volumes to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass - will be applied to the claim but it's not allowed to reset this field to empty string once it is set. - If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass - will be set by the persistentvolume controller if it exists. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference to the PersistentVolume backing this claim. - type: string - type: object - type: object - type: array - required: - - count - - name - type: object - minItems: 1 - type: array - podDisruptionBudget: - description: |- - PodDisruptionBudget provides access to the default pod disruption budget for the Elasticsearch cluster. - The default budget selects all cluster pods and sets `maxUnavailable` to 1. To disable, set `PodDisruptionBudget` - to the empty value (`{}` in YAML). - properties: - metadata: - description: |- - ObjectMeta is the metadata of the PDB. - The name and namespace provided here are managed by ECK and will be ignored. - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: Spec is the specification of the PDB. - properties: - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - An eviction is allowed if at most "maxUnavailable" pods selected by - "selector" are unavailable after the eviction, i.e. even in absence of - the evicted pod. For example, one can prevent all voluntary evictions - by specifying 0. This is a mutually exclusive setting with "minAvailable". - x-kubernetes-int-or-string: true - minAvailable: - anyOf: - - type: integer - - type: string - description: |- - An eviction is allowed if at least "minAvailable" pods selected by - "selector" will still be available after the eviction, i.e. even in the - absence of the evicted pod. So for example you can prevent all voluntary - evictions by specifying "100%". - x-kubernetes-int-or-string: true - selector: - description: |- - Label query over pods whose evictions are managed by the disruption - budget. - A null selector selects no pods. - An empty selector ({}) also selects no pods, which differs from standard behavior of selecting all pods. - In policy/v1, an empty selector will select all pods in the namespace. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - unhealthyPodEvictionPolicy: - description: |- - UnhealthyPodEvictionPolicy defines the criteria for when unhealthy pods - should be considered for eviction. Current implementation considers healthy pods, - as pods that have status.conditions item with type="Ready",status="True". - - Valid policies are IfHealthyBudget and AlwaysAllow. - If no policy is specified, the default behavior will be used, - which corresponds to the IfHealthyBudget policy. - - IfHealthyBudget policy means that running pods (status.phase="Running"), - but not yet healthy can be evicted only if the guarded application is not - disrupted (status.currentHealthy is at least equal to status.desiredHealthy). - Healthy pods will be subject to the PDB for eviction. - - AlwaysAllow policy means that all running pods (status.phase="Running"), - but not yet healthy are considered disrupted and can be evicted regardless - of whether the criteria in a PDB is met. This means perspective running - pods of a disrupted application might not get a chance to become healthy. - Healthy pods will be subject to the PDB for eviction. - - Additional policies may be added in the future. - Clients making eviction decisions should disallow eviction of unhealthy pods - if they encounter an unrecognized policy in this field. - - This field is beta-level. The eviction API uses this field when - the feature gate PDBUnhealthyPodEvictionPolicy is enabled (enabled by default). - type: string - type: object - type: object - secureSettings: - description: SecureSettings is a list of references to Kubernetes secrets containing sensitive configuration options for Elasticsearch. - items: - description: SecretSource defines a data source based on a Kubernetes Secret. - properties: - entries: - description: |- - Entries define how to project each key-value pair in the secret to filesystem paths. - If not defined, all keys will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: |- - Path is the relative file path to map the key to. - Path must not be an absolute file path and must not contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. - type: string - required: - - secretName - type: object - type: array - updateStrategy: - description: UpdateStrategy specifies how updates to the cluster should be performed. - properties: - changeBudget: - description: ChangeBudget defines the constraints to consider when applying changes to the Elasticsearch cluster. - properties: - maxSurge: - description: |- - MaxSurge is the maximum number of new pods that can be created exceeding the original number of pods defined in - the specification. MaxSurge is only taken into consideration when scaling up. Setting a negative value will - disable the restriction. Defaults to unbounded if not specified. - format: int32 - type: integer - maxUnavailable: - description: |- - MaxUnavailable is the maximum number of pods that can be unavailable (not ready) during the update due to - circumstances under the control of the operator. Setting a negative value will disable this restriction. - Defaults to 1 if not specified. - format: int32 - type: integer - type: object - type: object - version: - description: Version of Elasticsearch. - type: string - required: - - nodeSets - type: object - status: - description: ElasticsearchStatus defines the observed state of Elasticsearch - properties: - availableNodes: - format: int32 - type: integer - health: - description: ElasticsearchHealth is the health of the cluster as returned by the health API. - type: string - phase: - description: ElasticsearchOrchestrationPhase is the phase Elasticsearch is in from the controller point of view. - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - name: v1alpha1 - schema: - openAPIV3Schema: - description: to not break compatibility when upgrading from previous versions of the CRD - type: object - served: false - storage: false diff --git a/pkg/crds/enterprise/01-crd-eck-enterprisesearch.yaml b/pkg/crds/enterprise/01-crd-eck-enterprisesearch.yaml deleted file mode 100644 index 53dc07a578..0000000000 --- a/pkg/crds/enterprise/01-crd-eck-enterprisesearch.yaml +++ /dev/null @@ -1,1126 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.5 - helm.sh/resource-policy: keep - labels: - app.kubernetes.io/instance: 'elastic-operator' - app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '2.16.0' - name: enterprisesearches.enterprisesearch.k8s.elastic.co -spec: - group: enterprisesearch.k8s.elastic.co - names: - categories: - - elastic - kind: EnterpriseSearch - listKind: EnterpriseSearchList - plural: enterprisesearches - shortNames: - - ent - singular: enterprisesearch - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.health - name: health - type: string - - description: Available nodes - jsonPath: .status.availableNodes - name: nodes - type: integer - - description: Enterprise Search version - jsonPath: .status.version - name: version - type: string - - jsonPath: .metadata.creationTimestamp - name: age - type: date - name: v1 - schema: - openAPIV3Schema: - description: EnterpriseSearch is a Kubernetes CRD to represent Enterprise Search. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: EnterpriseSearchSpec holds the specification of an Enterprise Search resource. - properties: - config: - description: Config holds the Enterprise Search configuration. - type: object - x-kubernetes-preserve-unknown-fields: true - configRef: - description: |- - ConfigRef contains a reference to an existing Kubernetes Secret holding the Enterprise Search configuration. - Configuration settings are merged and have precedence over settings specified in `config`. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - count: - description: Count of Enterprise Search instances to deploy. - format: int32 - type: integer - elasticsearchRef: - description: ElasticsearchRef is a reference to the Elasticsearch cluster running in the same Kubernetes cluster. - properties: - name: - description: Name of an existing Kubernetes object corresponding to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - http: - description: HTTP holds the HTTP layer configuration for Enterprise Search resource. - properties: - service: - description: Service defines the template for the associated Kubernetes Service object. - properties: - metadata: - description: |- - ObjectMeta is the metadata of the service. - The name and namespace provided here are managed by ECK and will be ignored. - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: Spec is the specification of the service. - properties: - allocateLoadBalancerNodePorts: - description: |- - allocateLoadBalancerNodePorts defines if NodePorts will be automatically - allocated for services with type LoadBalancer. Default is "true". It - may be set to "false" if the cluster load-balancer does not rely on - NodePorts. If the caller requests specific NodePorts (by specifying a - value), those requests will be respected, regardless of this field. - This field may only be set for services with type LoadBalancer and will - be cleared if the type is changed to any other type. - type: boolean - clusterIP: - description: |- - clusterIP is the IP address of the service and is usually assigned - randomly. If an address is specified manually, is in-range (as per - system configuration), and is not in use, it will be allocated to the - service; otherwise creation of the service will fail. This field may not - be changed through updates unless the type field is also being changed - to ExternalName (which requires this field to be blank) or the type - field is being changed from ExternalName (in which case this field may - optionally be specified, as describe above). Valid values are "None", - empty string (""), or a valid IP address. Setting this to "None" makes a - "headless service" (no virtual IP), which is useful when direct endpoint - connections are preferred and proxying is not required. Only applies to - types ClusterIP, NodePort, and LoadBalancer. If this field is specified - when creating a Service of type ExternalName, creation will fail. This - field will be wiped when updating a Service to type ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - clusterIPs: - description: |- - ClusterIPs is a list of IP addresses assigned to this service, and are - usually assigned randomly. If an address is specified manually, is - in-range (as per system configuration), and is not in use, it will be - allocated to the service; otherwise creation of the service will fail. - This field may not be changed through updates unless the type field is - also being changed to ExternalName (which requires this field to be - empty) or the type field is being changed from ExternalName (in which - case this field may optionally be specified, as describe above). Valid - values are "None", empty string (""), or a valid IP address. Setting - this to "None" makes a "headless service" (no virtual IP), which is - useful when direct endpoint connections are preferred and proxying is - not required. Only applies to types ClusterIP, NodePort, and - LoadBalancer. If this field is specified when creating a Service of type - ExternalName, creation will fail. This field will be wiped when updating - a Service to type ExternalName. If this field is not specified, it will - be initialized from the clusterIP field. If this field is specified, - clients must ensure that clusterIPs[0] and clusterIP have the same - value. - - This field may hold a maximum of two entries (dual-stack IPs, in either order). - These IPs must correspond to the values of the ipFamilies field. Both - clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalIPs: - description: |- - externalIPs is a list of IP addresses for which nodes in the cluster - will also accept traffic for this service. These IPs are not managed by - Kubernetes. The user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external load-balancers - that are not part of the Kubernetes system. - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalName: - description: |- - externalName is the external reference that discovery mechanisms will - return as an alias for this service (e.g. a DNS CNAME record). No - proxying will be involved. Must be a lowercase RFC-1123 hostname - (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName". - type: string - externalTrafficPolicy: - description: |- - externalTrafficPolicy describes how nodes distribute service traffic they - receive on one of the Service's "externally-facing" addresses (NodePorts, - ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure - the service in a way that assumes that external load balancers will take care - of balancing the service traffic between nodes, and so each node will deliver - traffic only to the node-local endpoints of the service, without masquerading - the client source IP. (Traffic mistakenly sent to a node with no endpoints will - be dropped.) The default value, "Cluster", uses the standard behavior of - routing to all endpoints evenly (possibly modified by topology and other - features). Note that traffic sent to an External IP or LoadBalancer IP from - within the cluster will always get "Cluster" semantics, but clients sending to - a NodePort from within the cluster may need to take traffic policy into account - when picking a node. - type: string - healthCheckNodePort: - description: |- - healthCheckNodePort specifies the healthcheck nodePort for the service. - This only applies when type is set to LoadBalancer and - externalTrafficPolicy is set to Local. If a value is specified, is - in-range, and is not in use, it will be used. If not specified, a value - will be automatically allocated. External systems (e.g. load-balancers) - can use this port to determine if a given node holds endpoints for this - service or not. If this field is specified when creating a Service - which does not need it, creation will fail. This field will be wiped - when updating a Service to no longer need it (e.g. changing type). - This field cannot be updated once set. - format: int32 - type: integer - internalTrafficPolicy: - description: |- - InternalTrafficPolicy describes how nodes distribute service traffic they - receive on the ClusterIP. If set to "Local", the proxy will assume that pods - only want to talk to endpoints of the service on the same node as the pod, - dropping the traffic if there are no local endpoints. The default value, - "Cluster", uses the standard behavior of routing to all endpoints evenly - (possibly modified by topology and other features). - type: string - ipFamilies: - description: |- - IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this - service. This field is usually assigned automatically based on cluster - configuration and the ipFamilyPolicy field. If this field is specified - manually, the requested family is available in the cluster, - and ipFamilyPolicy allows it, it will be used; otherwise creation of - the service will fail. This field is conditionally mutable: it allows - for adding or removing a secondary IP family, but it does not allow - changing the primary IP family of the Service. Valid values are "IPv4" - and "IPv6". This field only applies to Services of types ClusterIP, - NodePort, and LoadBalancer, and does apply to "headless" services. - This field will be wiped when updating a Service to type ExternalName. - - This field may hold a maximum of two entries (dual-stack families, in - either order). These families must correspond to the values of the - clusterIPs field, if specified. Both clusterIPs and ipFamilies are - governed by the ipFamilyPolicy field. - items: - description: |- - IPFamily represents the IP Family (IPv4 or IPv6). This type is used - to express the family of an IP expressed by a type (e.g. service.spec.ipFamilies). - type: string - type: array - x-kubernetes-list-type: atomic - ipFamilyPolicy: - description: |- - IPFamilyPolicy represents the dual-stack-ness requested or required by - this Service. If there is no value provided, then this field will be set - to SingleStack. Services can be "SingleStack" (a single IP family), - "PreferDualStack" (two IP families on dual-stack configured clusters or - a single IP family on single-stack clusters), or "RequireDualStack" - (two IP families on dual-stack configured clusters, otherwise fail). The - ipFamilies and clusterIPs fields depend on the value of this field. This - field will be wiped when updating a service to type ExternalName. - type: string - loadBalancerClass: - description: |- - loadBalancerClass is the class of the load balancer implementation this Service belongs to. - If specified, the value of this field must be a label-style identifier, with an optional prefix, - e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. - This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load - balancer implementation is used, today this is typically done through the cloud provider integration, - but should apply for any default implementation. If set, it is assumed that a load balancer - implementation is watching for Services with a matching class. Any default load balancer - implementation (e.g. cloud providers) should ignore Services that set this field. - This field can only be set when creating or updating a Service to type 'LoadBalancer'. - Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. - type: string - loadBalancerIP: - description: |- - Only applies to Service Type: LoadBalancer. - This feature depends on whether the underlying cloud-provider supports specifying - the loadBalancerIP when a load balancer is created. - This field will be ignored if the cloud-provider does not support the feature. - Deprecated: This field was under-specified and its meaning varies across implementations. - Using it is non-portable and it may not support dual-stack. - Users are encouraged to use implementation-specific annotations when available. - type: string - loadBalancerSourceRanges: - description: |- - If specified and supported by the platform, this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client IPs. This field will be ignored if the - cloud-provider does not support the feature." - More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ - items: - type: string - type: array - x-kubernetes-list-type: atomic - ports: - description: |- - The list of ports that are exposed by this service. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - description: ServicePort contains information on service's port. - properties: - appProtocol: - description: |- - The application protocol for this port. - This is used as a hint for implementations to offer richer behavior for protocols that they understand. - This field follows standard Kubernetes label syntax. - Valid values are either: - - * Un-prefixed protocol names - reserved for IANA standard service names (as per - RFC-6335 and https://www.iana.org/assignments/service-names). - - * Kubernetes-defined prefixed names: - * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- - * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 - * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 - - * Other protocols should use implementation-defined prefixed names such as - mycompany.com/my-custom-protocol. - type: string - name: - description: |- - The name of this port within the service. This must be a DNS_LABEL. - All ports within a ServiceSpec must have unique names. When considering - the endpoints for a Service, this must match the 'name' field in the - EndpointPort. - Optional if only one ServicePort is defined on this service. - type: string - nodePort: - description: |- - The port on each node on which this service is exposed when type is - NodePort or LoadBalancer. Usually assigned by the system. If a value is - specified, in-range, and not in use it will be used, otherwise the - operation will fail. If not specified, a port will be allocated if this - Service requires one. If this field is specified when creating a - Service which does not need it, creation will fail. This field will be - wiped when updating a Service to no longer need it (e.g. changing type - from NodePort to ClusterIP). - More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - format: int32 - type: integer - port: - description: The port that will be exposed by this service. - format: int32 - type: integer - protocol: - default: TCP - description: |- - The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". - Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the pods targeted by the service. - Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named port in the - target Pod's container ports. If this is not specified, the value - of the 'port' field is used (an identity map). - This field is ignored for services with clusterIP=None, and should be - omitted or set equal to the 'port' field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - x-kubernetes-list-map-keys: - - port - - protocol - x-kubernetes-list-type: map - publishNotReadyAddresses: - description: |- - publishNotReadyAddresses indicates that any agent which deals with endpoints for this - Service should disregard any indications of ready/not-ready. - The primary use case for setting this field is for a StatefulSet's Headless Service to - propagate SRV DNS records for its Pods for the purpose of peer discovery. - The Kubernetes controllers that generate Endpoints and EndpointSlice resources for - Services interpret this to mean that all endpoints are considered "ready" even if the - Pods themselves are not. Agents which consume only Kubernetes generated endpoints - through the Endpoints or EndpointSlice resources can safely assume this behavior. - type: boolean - selector: - additionalProperties: - type: string - description: |- - Route service traffic to pods with label keys and values matching this - selector. If empty or not present, the service is assumed to have an - external process managing its endpoints, which Kubernetes will not - modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/ - type: object - x-kubernetes-map-type: atomic - sessionAffinity: - description: |- - Supports "ClientIP" and "None". Used to maintain session affinity. - Enable client IP based session affinity. - Must be ClientIP or None. - Defaults to None. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations of session affinity. - properties: - clientIP: - description: clientIP contains the configurations of Client IP based session affinity. - properties: - timeoutSeconds: - description: |- - timeoutSeconds specifies the seconds of ClientIP type session sticky time. - The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". - Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - trafficDistribution: - description: |- - TrafficDistribution offers a way to express preferences for how traffic is - distributed to Service endpoints. Implementations can use this field as a - hint, but are not required to guarantee strict adherence. If the field is - not set, the implementation will apply its default routing strategy. If set - to "PreferClose", implementations should prioritize endpoints that are - topologically close (e.g., same zone). - This is an alpha field and requires enabling ServiceTrafficDistribution feature. - type: string - type: - description: |- - type determines how the Service is exposed. Defaults to ClusterIP. Valid - options are ExternalName, ClusterIP, NodePort, and LoadBalancer. - "ClusterIP" allocates a cluster-internal IP address for load-balancing - to endpoints. Endpoints are determined by the selector or if that is not - specified, by manual construction of an Endpoints object or - EndpointSlice objects. If clusterIP is "None", no virtual IP is - allocated and the endpoints are published as a set of endpoints rather - than a virtual IP. - "NodePort" builds on ClusterIP and allocates a port on every node which - routes to the same endpoints as the clusterIP. - "LoadBalancer" builds on NodePort and creates an external load-balancer - (if supported in the current cloud) which routes to the same endpoints - as the clusterIP. - "ExternalName" aliases this service to the specified externalName. - Several other fields do not apply to ExternalName services. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. - properties: - certificate: - description: |- - Certificate is a reference to a Kubernetes secret that contains the certificate and private key for enabling TLS. - The referenced secret should contain the following: - - - `ca.crt`: The certificate authority (optional). - - `tls.crt`: The certificate (or a chain). - - `tls.key`: The private key to the first certificate in the certificate chain. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the self-signed certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning of the self-signed certifcate should be disabled. - type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs to include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN entry in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. - type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - image: - description: Image is the Enterprise Search Docker image to deploy. - type: string - podTemplate: - description: |- - PodTemplate provides customisation options (labels, annotations, affinity rules, resource requests, and so on) - for the Enterprise Search pods. - type: object - x-kubernetes-preserve-unknown-fields: true - revisionHistoryLimit: - description: RevisionHistoryLimit is the number of revisions to retain to allow rollback in the underlying Deployment. - format: int32 - type: integer - serviceAccountName: - description: |- - ServiceAccountName is used to check access from the current resource to a resource (for ex. Elasticsearch) in a different namespace. - Can only be used if ECK is enforcing RBAC on references. - type: string - version: - description: Version of Enterprise Search. - type: string - type: object - status: - description: EnterpriseSearchStatus defines the observed state of EnterpriseSearch - properties: - associationStatus: - description: Association is the status of any auto-linking to Elasticsearch clusters. - type: string - availableNodes: - description: AvailableNodes is the number of available replicas in the deployment. - format: int32 - type: integer - count: - description: Count corresponds to Scale.Status.Replicas, which is the actual number of observed instances of the scaled object. - format: int32 - type: integer - health: - description: Health of the deployment. - type: string - observedGeneration: - description: |- - ObservedGeneration represents the .metadata.generation that the status is based upon. - It corresponds to the metadata generation, which is updated on mutation by the API Server. - If the generation observed in status diverges from the generation in metadata, the Enterprise Search - controller has not yet processed the changes contained in the Enterprise Search specification. - format: int64 - type: integer - selector: - description: Selector is the label selector used to find all pods. - type: string - service: - description: ExternalService is the name of the service associated to the Enterprise Search Pods. - type: string - version: - description: |- - Version of the stack resource currently running. During version upgrades, multiple versions may run - in parallel: this value specifies the lowest version currently running. - type: string - type: object - type: object - served: true - storage: true - subresources: - scale: - labelSelectorPath: .status.selector - specReplicasPath: .spec.count - statusReplicasPath: .status.count - status: {} - - additionalPrinterColumns: - - jsonPath: .status.health - name: health - type: string - - description: Available nodes - jsonPath: .status.availableNodes - name: nodes - type: integer - - description: Enterprise Search version - jsonPath: .status.version - name: version - type: string - - jsonPath: .metadata.creationTimestamp - name: age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: EnterpriseSearch is a Kubernetes CRD to represent Enterprise Search. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: EnterpriseSearchSpec holds the specification of an Enterprise Search resource. - properties: - config: - description: Config holds the Enterprise Search configuration. - type: object - x-kubernetes-preserve-unknown-fields: true - configRef: - description: |- - ConfigRef contains a reference to an existing Kubernetes Secret holding the Enterprise Search configuration. - Configuration settings are merged and have precedence over settings specified in `config`. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - count: - description: Count of Enterprise Search instances to deploy. - format: int32 - type: integer - elasticsearchRef: - description: ElasticsearchRef is a reference to the Elasticsearch cluster running in the same Kubernetes cluster. - properties: - name: - description: Name of an existing Kubernetes object corresponding to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - http: - description: HTTP holds the HTTP layer configuration for Enterprise Search resource. - properties: - service: - description: Service defines the template for the associated Kubernetes Service object. - properties: - metadata: - description: |- - ObjectMeta is the metadata of the service. - The name and namespace provided here are managed by ECK and will be ignored. - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: Spec is the specification of the service. - properties: - allocateLoadBalancerNodePorts: - description: |- - allocateLoadBalancerNodePorts defines if NodePorts will be automatically - allocated for services with type LoadBalancer. Default is "true". It - may be set to "false" if the cluster load-balancer does not rely on - NodePorts. If the caller requests specific NodePorts (by specifying a - value), those requests will be respected, regardless of this field. - This field may only be set for services with type LoadBalancer and will - be cleared if the type is changed to any other type. - type: boolean - clusterIP: - description: |- - clusterIP is the IP address of the service and is usually assigned - randomly. If an address is specified manually, is in-range (as per - system configuration), and is not in use, it will be allocated to the - service; otherwise creation of the service will fail. This field may not - be changed through updates unless the type field is also being changed - to ExternalName (which requires this field to be blank) or the type - field is being changed from ExternalName (in which case this field may - optionally be specified, as describe above). Valid values are "None", - empty string (""), or a valid IP address. Setting this to "None" makes a - "headless service" (no virtual IP), which is useful when direct endpoint - connections are preferred and proxying is not required. Only applies to - types ClusterIP, NodePort, and LoadBalancer. If this field is specified - when creating a Service of type ExternalName, creation will fail. This - field will be wiped when updating a Service to type ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - clusterIPs: - description: |- - ClusterIPs is a list of IP addresses assigned to this service, and are - usually assigned randomly. If an address is specified manually, is - in-range (as per system configuration), and is not in use, it will be - allocated to the service; otherwise creation of the service will fail. - This field may not be changed through updates unless the type field is - also being changed to ExternalName (which requires this field to be - empty) or the type field is being changed from ExternalName (in which - case this field may optionally be specified, as describe above). Valid - values are "None", empty string (""), or a valid IP address. Setting - this to "None" makes a "headless service" (no virtual IP), which is - useful when direct endpoint connections are preferred and proxying is - not required. Only applies to types ClusterIP, NodePort, and - LoadBalancer. If this field is specified when creating a Service of type - ExternalName, creation will fail. This field will be wiped when updating - a Service to type ExternalName. If this field is not specified, it will - be initialized from the clusterIP field. If this field is specified, - clients must ensure that clusterIPs[0] and clusterIP have the same - value. - - This field may hold a maximum of two entries (dual-stack IPs, in either order). - These IPs must correspond to the values of the ipFamilies field. Both - clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalIPs: - description: |- - externalIPs is a list of IP addresses for which nodes in the cluster - will also accept traffic for this service. These IPs are not managed by - Kubernetes. The user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external load-balancers - that are not part of the Kubernetes system. - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalName: - description: |- - externalName is the external reference that discovery mechanisms will - return as an alias for this service (e.g. a DNS CNAME record). No - proxying will be involved. Must be a lowercase RFC-1123 hostname - (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName". - type: string - externalTrafficPolicy: - description: |- - externalTrafficPolicy describes how nodes distribute service traffic they - receive on one of the Service's "externally-facing" addresses (NodePorts, - ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure - the service in a way that assumes that external load balancers will take care - of balancing the service traffic between nodes, and so each node will deliver - traffic only to the node-local endpoints of the service, without masquerading - the client source IP. (Traffic mistakenly sent to a node with no endpoints will - be dropped.) The default value, "Cluster", uses the standard behavior of - routing to all endpoints evenly (possibly modified by topology and other - features). Note that traffic sent to an External IP or LoadBalancer IP from - within the cluster will always get "Cluster" semantics, but clients sending to - a NodePort from within the cluster may need to take traffic policy into account - when picking a node. - type: string - healthCheckNodePort: - description: |- - healthCheckNodePort specifies the healthcheck nodePort for the service. - This only applies when type is set to LoadBalancer and - externalTrafficPolicy is set to Local. If a value is specified, is - in-range, and is not in use, it will be used. If not specified, a value - will be automatically allocated. External systems (e.g. load-balancers) - can use this port to determine if a given node holds endpoints for this - service or not. If this field is specified when creating a Service - which does not need it, creation will fail. This field will be wiped - when updating a Service to no longer need it (e.g. changing type). - This field cannot be updated once set. - format: int32 - type: integer - internalTrafficPolicy: - description: |- - InternalTrafficPolicy describes how nodes distribute service traffic they - receive on the ClusterIP. If set to "Local", the proxy will assume that pods - only want to talk to endpoints of the service on the same node as the pod, - dropping the traffic if there are no local endpoints. The default value, - "Cluster", uses the standard behavior of routing to all endpoints evenly - (possibly modified by topology and other features). - type: string - ipFamilies: - description: |- - IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this - service. This field is usually assigned automatically based on cluster - configuration and the ipFamilyPolicy field. If this field is specified - manually, the requested family is available in the cluster, - and ipFamilyPolicy allows it, it will be used; otherwise creation of - the service will fail. This field is conditionally mutable: it allows - for adding or removing a secondary IP family, but it does not allow - changing the primary IP family of the Service. Valid values are "IPv4" - and "IPv6". This field only applies to Services of types ClusterIP, - NodePort, and LoadBalancer, and does apply to "headless" services. - This field will be wiped when updating a Service to type ExternalName. - - This field may hold a maximum of two entries (dual-stack families, in - either order). These families must correspond to the values of the - clusterIPs field, if specified. Both clusterIPs and ipFamilies are - governed by the ipFamilyPolicy field. - items: - description: |- - IPFamily represents the IP Family (IPv4 or IPv6). This type is used - to express the family of an IP expressed by a type (e.g. service.spec.ipFamilies). - type: string - type: array - x-kubernetes-list-type: atomic - ipFamilyPolicy: - description: |- - IPFamilyPolicy represents the dual-stack-ness requested or required by - this Service. If there is no value provided, then this field will be set - to SingleStack. Services can be "SingleStack" (a single IP family), - "PreferDualStack" (two IP families on dual-stack configured clusters or - a single IP family on single-stack clusters), or "RequireDualStack" - (two IP families on dual-stack configured clusters, otherwise fail). The - ipFamilies and clusterIPs fields depend on the value of this field. This - field will be wiped when updating a service to type ExternalName. - type: string - loadBalancerClass: - description: |- - loadBalancerClass is the class of the load balancer implementation this Service belongs to. - If specified, the value of this field must be a label-style identifier, with an optional prefix, - e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. - This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load - balancer implementation is used, today this is typically done through the cloud provider integration, - but should apply for any default implementation. If set, it is assumed that a load balancer - implementation is watching for Services with a matching class. Any default load balancer - implementation (e.g. cloud providers) should ignore Services that set this field. - This field can only be set when creating or updating a Service to type 'LoadBalancer'. - Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. - type: string - loadBalancerIP: - description: |- - Only applies to Service Type: LoadBalancer. - This feature depends on whether the underlying cloud-provider supports specifying - the loadBalancerIP when a load balancer is created. - This field will be ignored if the cloud-provider does not support the feature. - Deprecated: This field was under-specified and its meaning varies across implementations. - Using it is non-portable and it may not support dual-stack. - Users are encouraged to use implementation-specific annotations when available. - type: string - loadBalancerSourceRanges: - description: |- - If specified and supported by the platform, this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client IPs. This field will be ignored if the - cloud-provider does not support the feature." - More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ - items: - type: string - type: array - x-kubernetes-list-type: atomic - ports: - description: |- - The list of ports that are exposed by this service. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - description: ServicePort contains information on service's port. - properties: - appProtocol: - description: |- - The application protocol for this port. - This is used as a hint for implementations to offer richer behavior for protocols that they understand. - This field follows standard Kubernetes label syntax. - Valid values are either: - - * Un-prefixed protocol names - reserved for IANA standard service names (as per - RFC-6335 and https://www.iana.org/assignments/service-names). - - * Kubernetes-defined prefixed names: - * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- - * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 - * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 - - * Other protocols should use implementation-defined prefixed names such as - mycompany.com/my-custom-protocol. - type: string - name: - description: |- - The name of this port within the service. This must be a DNS_LABEL. - All ports within a ServiceSpec must have unique names. When considering - the endpoints for a Service, this must match the 'name' field in the - EndpointPort. - Optional if only one ServicePort is defined on this service. - type: string - nodePort: - description: |- - The port on each node on which this service is exposed when type is - NodePort or LoadBalancer. Usually assigned by the system. If a value is - specified, in-range, and not in use it will be used, otherwise the - operation will fail. If not specified, a port will be allocated if this - Service requires one. If this field is specified when creating a - Service which does not need it, creation will fail. This field will be - wiped when updating a Service to no longer need it (e.g. changing type - from NodePort to ClusterIP). - More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - format: int32 - type: integer - port: - description: The port that will be exposed by this service. - format: int32 - type: integer - protocol: - default: TCP - description: |- - The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". - Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the pods targeted by the service. - Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named port in the - target Pod's container ports. If this is not specified, the value - of the 'port' field is used (an identity map). - This field is ignored for services with clusterIP=None, and should be - omitted or set equal to the 'port' field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - x-kubernetes-list-map-keys: - - port - - protocol - x-kubernetes-list-type: map - publishNotReadyAddresses: - description: |- - publishNotReadyAddresses indicates that any agent which deals with endpoints for this - Service should disregard any indications of ready/not-ready. - The primary use case for setting this field is for a StatefulSet's Headless Service to - propagate SRV DNS records for its Pods for the purpose of peer discovery. - The Kubernetes controllers that generate Endpoints and EndpointSlice resources for - Services interpret this to mean that all endpoints are considered "ready" even if the - Pods themselves are not. Agents which consume only Kubernetes generated endpoints - through the Endpoints or EndpointSlice resources can safely assume this behavior. - type: boolean - selector: - additionalProperties: - type: string - description: |- - Route service traffic to pods with label keys and values matching this - selector. If empty or not present, the service is assumed to have an - external process managing its endpoints, which Kubernetes will not - modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/ - type: object - x-kubernetes-map-type: atomic - sessionAffinity: - description: |- - Supports "ClientIP" and "None". Used to maintain session affinity. - Enable client IP based session affinity. - Must be ClientIP or None. - Defaults to None. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations of session affinity. - properties: - clientIP: - description: clientIP contains the configurations of Client IP based session affinity. - properties: - timeoutSeconds: - description: |- - timeoutSeconds specifies the seconds of ClientIP type session sticky time. - The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". - Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - trafficDistribution: - description: |- - TrafficDistribution offers a way to express preferences for how traffic is - distributed to Service endpoints. Implementations can use this field as a - hint, but are not required to guarantee strict adherence. If the field is - not set, the implementation will apply its default routing strategy. If set - to "PreferClose", implementations should prioritize endpoints that are - topologically close (e.g., same zone). - This is an alpha field and requires enabling ServiceTrafficDistribution feature. - type: string - type: - description: |- - type determines how the Service is exposed. Defaults to ClusterIP. Valid - options are ExternalName, ClusterIP, NodePort, and LoadBalancer. - "ClusterIP" allocates a cluster-internal IP address for load-balancing - to endpoints. Endpoints are determined by the selector or if that is not - specified, by manual construction of an Endpoints object or - EndpointSlice objects. If clusterIP is "None", no virtual IP is - allocated and the endpoints are published as a set of endpoints rather - than a virtual IP. - "NodePort" builds on ClusterIP and allocates a port on every node which - routes to the same endpoints as the clusterIP. - "LoadBalancer" builds on NodePort and creates an external load-balancer - (if supported in the current cloud) which routes to the same endpoints - as the clusterIP. - "ExternalName" aliases this service to the specified externalName. - Several other fields do not apply to ExternalName services. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. - properties: - certificate: - description: |- - Certificate is a reference to a Kubernetes secret that contains the certificate and private key for enabling TLS. - The referenced secret should contain the following: - - - `ca.crt`: The certificate authority (optional). - - `tls.crt`: The certificate (or a chain). - - `tls.key`: The private key to the first certificate in the certificate chain. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the self-signed certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning of the self-signed certifcate should be disabled. - type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs to include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN entry in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. - type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - image: - description: Image is the Enterprise Search Docker image to deploy. - type: string - podTemplate: - description: |- - PodTemplate provides customisation options (labels, annotations, affinity rules, resource requests, and so on) - for the Enterprise Search pods. - type: object - x-kubernetes-preserve-unknown-fields: true - serviceAccountName: - description: |- - ServiceAccountName is used to check access from the current resource to a resource (for ex. Elasticsearch) in a different namespace. - Can only be used if ECK is enforcing RBAC on references. - type: string - version: - description: Version of Enterprise Search. - type: string - type: object - status: - description: EnterpriseSearchStatus defines the observed state of EnterpriseSearch - properties: - associationStatus: - description: Association is the status of any auto-linking to Elasticsearch clusters. - type: string - availableNodes: - description: AvailableNodes is the number of available replicas in the deployment. - format: int32 - type: integer - count: - description: Count corresponds to Scale.Status.Replicas, which is the actual number of observed instances of the scaled object. - format: int32 - type: integer - health: - description: Health of the deployment. - type: string - selector: - description: Selector is the label selector used to find all pods. - type: string - service: - description: ExternalService is the name of the service associated to the Enterprise Search Pods. - type: string - version: - description: |- - Version of the stack resource currently running. During version upgrades, multiple versions may run - in parallel: this value specifies the lowest version currently running. - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} diff --git a/pkg/crds/enterprise/01-crd-eck-kibana.yaml b/pkg/crds/enterprise/01-crd-eck-kibana.yaml deleted file mode 100644 index 222ee62c71..0000000000 --- a/pkg/crds/enterprise/01-crd-eck-kibana.yaml +++ /dev/null @@ -1,1265 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.5 - helm.sh/resource-policy: keep - labels: - app.kubernetes.io/instance: 'elastic-operator' - app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '2.16.0' - name: kibanas.kibana.k8s.elastic.co -spec: - group: kibana.k8s.elastic.co - names: - categories: - - elastic - kind: Kibana - listKind: KibanaList - plural: kibanas - shortNames: - - kb - singular: kibana - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.health - name: health - type: string - - description: Available nodes - jsonPath: .status.availableNodes - name: nodes - type: integer - - description: Kibana version - jsonPath: .status.version - name: version - type: string - - jsonPath: .metadata.creationTimestamp - name: age - type: date - name: v1 - schema: - openAPIV3Schema: - description: Kibana represents a Kibana resource in a Kubernetes cluster. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: KibanaSpec holds the specification of a Kibana instance. - properties: - config: - description: 'Config holds the Kibana configuration. See: https://www.elastic.co/guide/en/kibana/current/settings.html' - type: object - x-kubernetes-preserve-unknown-fields: true - count: - description: Count of Kibana instances to deploy. - format: int32 - type: integer - elasticsearchRef: - description: ElasticsearchRef is a reference to an Elasticsearch cluster running in the same Kubernetes cluster. - properties: - name: - description: Name of an existing Kubernetes object corresponding to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - enterpriseSearchRef: - description: |- - EnterpriseSearchRef is a reference to an EnterpriseSearch running in the same Kubernetes cluster. - Kibana provides the default Enterprise Search UI starting version 7.14. - properties: - name: - description: Name of an existing Kubernetes object corresponding to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - http: - description: HTTP holds the HTTP layer configuration for Kibana. - properties: - service: - description: Service defines the template for the associated Kubernetes Service object. - properties: - metadata: - description: |- - ObjectMeta is the metadata of the service. - The name and namespace provided here are managed by ECK and will be ignored. - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: Spec is the specification of the service. - properties: - allocateLoadBalancerNodePorts: - description: |- - allocateLoadBalancerNodePorts defines if NodePorts will be automatically - allocated for services with type LoadBalancer. Default is "true". It - may be set to "false" if the cluster load-balancer does not rely on - NodePorts. If the caller requests specific NodePorts (by specifying a - value), those requests will be respected, regardless of this field. - This field may only be set for services with type LoadBalancer and will - be cleared if the type is changed to any other type. - type: boolean - clusterIP: - description: |- - clusterIP is the IP address of the service and is usually assigned - randomly. If an address is specified manually, is in-range (as per - system configuration), and is not in use, it will be allocated to the - service; otherwise creation of the service will fail. This field may not - be changed through updates unless the type field is also being changed - to ExternalName (which requires this field to be blank) or the type - field is being changed from ExternalName (in which case this field may - optionally be specified, as describe above). Valid values are "None", - empty string (""), or a valid IP address. Setting this to "None" makes a - "headless service" (no virtual IP), which is useful when direct endpoint - connections are preferred and proxying is not required. Only applies to - types ClusterIP, NodePort, and LoadBalancer. If this field is specified - when creating a Service of type ExternalName, creation will fail. This - field will be wiped when updating a Service to type ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - clusterIPs: - description: |- - ClusterIPs is a list of IP addresses assigned to this service, and are - usually assigned randomly. If an address is specified manually, is - in-range (as per system configuration), and is not in use, it will be - allocated to the service; otherwise creation of the service will fail. - This field may not be changed through updates unless the type field is - also being changed to ExternalName (which requires this field to be - empty) or the type field is being changed from ExternalName (in which - case this field may optionally be specified, as describe above). Valid - values are "None", empty string (""), or a valid IP address. Setting - this to "None" makes a "headless service" (no virtual IP), which is - useful when direct endpoint connections are preferred and proxying is - not required. Only applies to types ClusterIP, NodePort, and - LoadBalancer. If this field is specified when creating a Service of type - ExternalName, creation will fail. This field will be wiped when updating - a Service to type ExternalName. If this field is not specified, it will - be initialized from the clusterIP field. If this field is specified, - clients must ensure that clusterIPs[0] and clusterIP have the same - value. - - This field may hold a maximum of two entries (dual-stack IPs, in either order). - These IPs must correspond to the values of the ipFamilies field. Both - clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalIPs: - description: |- - externalIPs is a list of IP addresses for which nodes in the cluster - will also accept traffic for this service. These IPs are not managed by - Kubernetes. The user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external load-balancers - that are not part of the Kubernetes system. - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalName: - description: |- - externalName is the external reference that discovery mechanisms will - return as an alias for this service (e.g. a DNS CNAME record). No - proxying will be involved. Must be a lowercase RFC-1123 hostname - (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName". - type: string - externalTrafficPolicy: - description: |- - externalTrafficPolicy describes how nodes distribute service traffic they - receive on one of the Service's "externally-facing" addresses (NodePorts, - ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure - the service in a way that assumes that external load balancers will take care - of balancing the service traffic between nodes, and so each node will deliver - traffic only to the node-local endpoints of the service, without masquerading - the client source IP. (Traffic mistakenly sent to a node with no endpoints will - be dropped.) The default value, "Cluster", uses the standard behavior of - routing to all endpoints evenly (possibly modified by topology and other - features). Note that traffic sent to an External IP or LoadBalancer IP from - within the cluster will always get "Cluster" semantics, but clients sending to - a NodePort from within the cluster may need to take traffic policy into account - when picking a node. - type: string - healthCheckNodePort: - description: |- - healthCheckNodePort specifies the healthcheck nodePort for the service. - This only applies when type is set to LoadBalancer and - externalTrafficPolicy is set to Local. If a value is specified, is - in-range, and is not in use, it will be used. If not specified, a value - will be automatically allocated. External systems (e.g. load-balancers) - can use this port to determine if a given node holds endpoints for this - service or not. If this field is specified when creating a Service - which does not need it, creation will fail. This field will be wiped - when updating a Service to no longer need it (e.g. changing type). - This field cannot be updated once set. - format: int32 - type: integer - internalTrafficPolicy: - description: |- - InternalTrafficPolicy describes how nodes distribute service traffic they - receive on the ClusterIP. If set to "Local", the proxy will assume that pods - only want to talk to endpoints of the service on the same node as the pod, - dropping the traffic if there are no local endpoints. The default value, - "Cluster", uses the standard behavior of routing to all endpoints evenly - (possibly modified by topology and other features). - type: string - ipFamilies: - description: |- - IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this - service. This field is usually assigned automatically based on cluster - configuration and the ipFamilyPolicy field. If this field is specified - manually, the requested family is available in the cluster, - and ipFamilyPolicy allows it, it will be used; otherwise creation of - the service will fail. This field is conditionally mutable: it allows - for adding or removing a secondary IP family, but it does not allow - changing the primary IP family of the Service. Valid values are "IPv4" - and "IPv6". This field only applies to Services of types ClusterIP, - NodePort, and LoadBalancer, and does apply to "headless" services. - This field will be wiped when updating a Service to type ExternalName. - - This field may hold a maximum of two entries (dual-stack families, in - either order). These families must correspond to the values of the - clusterIPs field, if specified. Both clusterIPs and ipFamilies are - governed by the ipFamilyPolicy field. - items: - description: |- - IPFamily represents the IP Family (IPv4 or IPv6). This type is used - to express the family of an IP expressed by a type (e.g. service.spec.ipFamilies). - type: string - type: array - x-kubernetes-list-type: atomic - ipFamilyPolicy: - description: |- - IPFamilyPolicy represents the dual-stack-ness requested or required by - this Service. If there is no value provided, then this field will be set - to SingleStack. Services can be "SingleStack" (a single IP family), - "PreferDualStack" (two IP families on dual-stack configured clusters or - a single IP family on single-stack clusters), or "RequireDualStack" - (two IP families on dual-stack configured clusters, otherwise fail). The - ipFamilies and clusterIPs fields depend on the value of this field. This - field will be wiped when updating a service to type ExternalName. - type: string - loadBalancerClass: - description: |- - loadBalancerClass is the class of the load balancer implementation this Service belongs to. - If specified, the value of this field must be a label-style identifier, with an optional prefix, - e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. - This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load - balancer implementation is used, today this is typically done through the cloud provider integration, - but should apply for any default implementation. If set, it is assumed that a load balancer - implementation is watching for Services with a matching class. Any default load balancer - implementation (e.g. cloud providers) should ignore Services that set this field. - This field can only be set when creating or updating a Service to type 'LoadBalancer'. - Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. - type: string - loadBalancerIP: - description: |- - Only applies to Service Type: LoadBalancer. - This feature depends on whether the underlying cloud-provider supports specifying - the loadBalancerIP when a load balancer is created. - This field will be ignored if the cloud-provider does not support the feature. - Deprecated: This field was under-specified and its meaning varies across implementations. - Using it is non-portable and it may not support dual-stack. - Users are encouraged to use implementation-specific annotations when available. - type: string - loadBalancerSourceRanges: - description: |- - If specified and supported by the platform, this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client IPs. This field will be ignored if the - cloud-provider does not support the feature." - More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ - items: - type: string - type: array - x-kubernetes-list-type: atomic - ports: - description: |- - The list of ports that are exposed by this service. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - description: ServicePort contains information on service's port. - properties: - appProtocol: - description: |- - The application protocol for this port. - This is used as a hint for implementations to offer richer behavior for protocols that they understand. - This field follows standard Kubernetes label syntax. - Valid values are either: - - * Un-prefixed protocol names - reserved for IANA standard service names (as per - RFC-6335 and https://www.iana.org/assignments/service-names). - - * Kubernetes-defined prefixed names: - * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- - * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 - * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 - - * Other protocols should use implementation-defined prefixed names such as - mycompany.com/my-custom-protocol. - type: string - name: - description: |- - The name of this port within the service. This must be a DNS_LABEL. - All ports within a ServiceSpec must have unique names. When considering - the endpoints for a Service, this must match the 'name' field in the - EndpointPort. - Optional if only one ServicePort is defined on this service. - type: string - nodePort: - description: |- - The port on each node on which this service is exposed when type is - NodePort or LoadBalancer. Usually assigned by the system. If a value is - specified, in-range, and not in use it will be used, otherwise the - operation will fail. If not specified, a port will be allocated if this - Service requires one. If this field is specified when creating a - Service which does not need it, creation will fail. This field will be - wiped when updating a Service to no longer need it (e.g. changing type - from NodePort to ClusterIP). - More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - format: int32 - type: integer - port: - description: The port that will be exposed by this service. - format: int32 - type: integer - protocol: - default: TCP - description: |- - The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". - Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the pods targeted by the service. - Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named port in the - target Pod's container ports. If this is not specified, the value - of the 'port' field is used (an identity map). - This field is ignored for services with clusterIP=None, and should be - omitted or set equal to the 'port' field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - x-kubernetes-list-map-keys: - - port - - protocol - x-kubernetes-list-type: map - publishNotReadyAddresses: - description: |- - publishNotReadyAddresses indicates that any agent which deals with endpoints for this - Service should disregard any indications of ready/not-ready. - The primary use case for setting this field is for a StatefulSet's Headless Service to - propagate SRV DNS records for its Pods for the purpose of peer discovery. - The Kubernetes controllers that generate Endpoints and EndpointSlice resources for - Services interpret this to mean that all endpoints are considered "ready" even if the - Pods themselves are not. Agents which consume only Kubernetes generated endpoints - through the Endpoints or EndpointSlice resources can safely assume this behavior. - type: boolean - selector: - additionalProperties: - type: string - description: |- - Route service traffic to pods with label keys and values matching this - selector. If empty or not present, the service is assumed to have an - external process managing its endpoints, which Kubernetes will not - modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/ - type: object - x-kubernetes-map-type: atomic - sessionAffinity: - description: |- - Supports "ClientIP" and "None". Used to maintain session affinity. - Enable client IP based session affinity. - Must be ClientIP or None. - Defaults to None. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations of session affinity. - properties: - clientIP: - description: clientIP contains the configurations of Client IP based session affinity. - properties: - timeoutSeconds: - description: |- - timeoutSeconds specifies the seconds of ClientIP type session sticky time. - The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". - Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - trafficDistribution: - description: |- - TrafficDistribution offers a way to express preferences for how traffic is - distributed to Service endpoints. Implementations can use this field as a - hint, but are not required to guarantee strict adherence. If the field is - not set, the implementation will apply its default routing strategy. If set - to "PreferClose", implementations should prioritize endpoints that are - topologically close (e.g., same zone). - This is an alpha field and requires enabling ServiceTrafficDistribution feature. - type: string - type: - description: |- - type determines how the Service is exposed. Defaults to ClusterIP. Valid - options are ExternalName, ClusterIP, NodePort, and LoadBalancer. - "ClusterIP" allocates a cluster-internal IP address for load-balancing - to endpoints. Endpoints are determined by the selector or if that is not - specified, by manual construction of an Endpoints object or - EndpointSlice objects. If clusterIP is "None", no virtual IP is - allocated and the endpoints are published as a set of endpoints rather - than a virtual IP. - "NodePort" builds on ClusterIP and allocates a port on every node which - routes to the same endpoints as the clusterIP. - "LoadBalancer" builds on NodePort and creates an external load-balancer - (if supported in the current cloud) which routes to the same endpoints - as the clusterIP. - "ExternalName" aliases this service to the specified externalName. - Several other fields do not apply to ExternalName services. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. - properties: - certificate: - description: |- - Certificate is a reference to a Kubernetes secret that contains the certificate and private key for enabling TLS. - The referenced secret should contain the following: - - - `ca.crt`: The certificate authority (optional). - - `tls.crt`: The certificate (or a chain). - - `tls.key`: The private key to the first certificate in the certificate chain. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the self-signed certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning of the self-signed certifcate should be disabled. - type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs to include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN entry in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. - type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - image: - description: Image is the Kibana Docker image to deploy. - type: string - monitoring: - description: |- - Monitoring enables you to collect and ship log and monitoring data of this Kibana. - See https://www.elastic.co/guide/en/kibana/current/xpack-monitoring.html. - Metricbeat and Filebeat are deployed in the same Pod as sidecars and each one sends data to one or two different - Elasticsearch monitoring clusters running in the same Kubernetes cluster. - properties: - logs: - description: Logs holds references to Elasticsearch clusters which receive log data from an associated resource. - properties: - elasticsearchRefs: - description: |- - ElasticsearchRefs is a reference to a list of monitoring Elasticsearch clusters running in the same Kubernetes cluster. - Due to existing limitations, only a single Elasticsearch cluster is currently supported. - items: - description: |- - ObjectSelector defines a reference to a Kubernetes object which can be an Elastic resource managed by the operator - or a Secret describing an external Elastic resource not managed by the operator. - properties: - name: - description: Name of an existing Kubernetes object corresponding to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - type: array - type: object - metrics: - description: Metrics holds references to Elasticsearch clusters which receive monitoring data from this resource. - properties: - elasticsearchRefs: - description: |- - ElasticsearchRefs is a reference to a list of monitoring Elasticsearch clusters running in the same Kubernetes cluster. - Due to existing limitations, only a single Elasticsearch cluster is currently supported. - items: - description: |- - ObjectSelector defines a reference to a Kubernetes object which can be an Elastic resource managed by the operator - or a Secret describing an external Elastic resource not managed by the operator. - properties: - name: - description: Name of an existing Kubernetes object corresponding to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - type: array - type: object - type: object - podTemplate: - description: PodTemplate provides customisation options (labels, annotations, affinity rules, resource requests, and so on) for the Kibana pods - type: object - x-kubernetes-preserve-unknown-fields: true - revisionHistoryLimit: - description: RevisionHistoryLimit is the number of revisions to retain to allow rollback in the underlying Deployment. - format: int32 - type: integer - secureSettings: - description: SecureSettings is a list of references to Kubernetes secrets containing sensitive configuration options for Kibana. - items: - description: SecretSource defines a data source based on a Kubernetes Secret. - properties: - entries: - description: |- - Entries define how to project each key-value pair in the secret to filesystem paths. - If not defined, all keys will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: |- - Path is the relative file path to map the key to. - Path must not be an absolute file path and must not contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. - type: string - required: - - secretName - type: object - type: array - serviceAccountName: - description: |- - ServiceAccountName is used to check access from the current resource to a resource (for ex. Elasticsearch) in a different namespace. - Can only be used if ECK is enforcing RBAC on references. - type: string - version: - description: Version of Kibana. - type: string - required: - - version - type: object - status: - description: KibanaStatus defines the observed state of Kibana - properties: - associationStatus: - description: |- - AssociationStatus is the status of any auto-linking to Elasticsearch clusters. - This field is deprecated and will be removed in a future release. Use ElasticsearchAssociationStatus instead. - type: string - availableNodes: - description: AvailableNodes is the number of available replicas in the deployment. - format: int32 - type: integer - count: - description: Count corresponds to Scale.Status.Replicas, which is the actual number of observed instances of the scaled object. - format: int32 - type: integer - elasticsearchAssociationStatus: - description: ElasticsearchAssociationStatus is the status of any auto-linking to Elasticsearch clusters. - type: string - enterpriseSearchAssociationStatus: - description: EnterpriseSearchAssociationStatus is the status of any auto-linking to Enterprise Search. - type: string - health: - description: Health of the deployment. - type: string - monitoringAssociationStatus: - additionalProperties: - description: AssociationStatus is the status of an association resource. - type: string - description: MonitoringAssociationStatus is the status of any auto-linking to monitoring Elasticsearch clusters. - type: object - observedGeneration: - description: |- - ObservedGeneration is the most recent generation observed for this Kibana instance. - It corresponds to the metadata generation, which is updated on mutation by the API Server. - If the generation observed in status diverges from the generation in metadata, the Kibana - controller has not yet processed the changes contained in the Kibana specification. - format: int64 - type: integer - selector: - description: Selector is the label selector used to find all pods. - type: string - version: - description: |- - Version of the stack resource currently running. During version upgrades, multiple versions may run - in parallel: this value specifies the lowest version currently running. - type: string - type: object - type: object - served: true - storage: true - subresources: - scale: - labelSelectorPath: .status.selector - specReplicasPath: .spec.count - statusReplicasPath: .status.count - status: {} - - additionalPrinterColumns: - - jsonPath: .status.health - name: health - type: string - - description: Available nodes - jsonPath: .status.availableNodes - name: nodes - type: integer - - description: Kibana version - jsonPath: .spec.version - name: version - type: string - - jsonPath: .metadata.creationTimestamp - name: age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: Kibana represents a Kibana resource in a Kubernetes cluster. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: KibanaSpec holds the specification of a Kibana instance. - properties: - config: - description: 'Config holds the Kibana configuration. See: https://www.elastic.co/guide/en/kibana/current/settings.html' - type: object - x-kubernetes-preserve-unknown-fields: true - count: - description: Count of Kibana instances to deploy. - format: int32 - type: integer - elasticsearchRef: - description: ElasticsearchRef is a reference to an Elasticsearch cluster running in the same Kubernetes cluster. - properties: - name: - description: Name of the Kubernetes object. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults to the current namespace. - type: string - required: - - name - type: object - http: - description: HTTP holds the HTTP layer configuration for Kibana. - properties: - service: - description: Service defines the template for the associated Kubernetes Service object. - properties: - metadata: - description: |- - ObjectMeta is the metadata of the service. - The name and namespace provided here are managed by ECK and will be ignored. - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: Spec is the specification of the service. - properties: - allocateLoadBalancerNodePorts: - description: |- - allocateLoadBalancerNodePorts defines if NodePorts will be automatically - allocated for services with type LoadBalancer. Default is "true". It - may be set to "false" if the cluster load-balancer does not rely on - NodePorts. If the caller requests specific NodePorts (by specifying a - value), those requests will be respected, regardless of this field. - This field may only be set for services with type LoadBalancer and will - be cleared if the type is changed to any other type. - type: boolean - clusterIP: - description: |- - clusterIP is the IP address of the service and is usually assigned - randomly. If an address is specified manually, is in-range (as per - system configuration), and is not in use, it will be allocated to the - service; otherwise creation of the service will fail. This field may not - be changed through updates unless the type field is also being changed - to ExternalName (which requires this field to be blank) or the type - field is being changed from ExternalName (in which case this field may - optionally be specified, as describe above). Valid values are "None", - empty string (""), or a valid IP address. Setting this to "None" makes a - "headless service" (no virtual IP), which is useful when direct endpoint - connections are preferred and proxying is not required. Only applies to - types ClusterIP, NodePort, and LoadBalancer. If this field is specified - when creating a Service of type ExternalName, creation will fail. This - field will be wiped when updating a Service to type ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - clusterIPs: - description: |- - ClusterIPs is a list of IP addresses assigned to this service, and are - usually assigned randomly. If an address is specified manually, is - in-range (as per system configuration), and is not in use, it will be - allocated to the service; otherwise creation of the service will fail. - This field may not be changed through updates unless the type field is - also being changed to ExternalName (which requires this field to be - empty) or the type field is being changed from ExternalName (in which - case this field may optionally be specified, as describe above). Valid - values are "None", empty string (""), or a valid IP address. Setting - this to "None" makes a "headless service" (no virtual IP), which is - useful when direct endpoint connections are preferred and proxying is - not required. Only applies to types ClusterIP, NodePort, and - LoadBalancer. If this field is specified when creating a Service of type - ExternalName, creation will fail. This field will be wiped when updating - a Service to type ExternalName. If this field is not specified, it will - be initialized from the clusterIP field. If this field is specified, - clients must ensure that clusterIPs[0] and clusterIP have the same - value. - - This field may hold a maximum of two entries (dual-stack IPs, in either order). - These IPs must correspond to the values of the ipFamilies field. Both - clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalIPs: - description: |- - externalIPs is a list of IP addresses for which nodes in the cluster - will also accept traffic for this service. These IPs are not managed by - Kubernetes. The user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external load-balancers - that are not part of the Kubernetes system. - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalName: - description: |- - externalName is the external reference that discovery mechanisms will - return as an alias for this service (e.g. a DNS CNAME record). No - proxying will be involved. Must be a lowercase RFC-1123 hostname - (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName". - type: string - externalTrafficPolicy: - description: |- - externalTrafficPolicy describes how nodes distribute service traffic they - receive on one of the Service's "externally-facing" addresses (NodePorts, - ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure - the service in a way that assumes that external load balancers will take care - of balancing the service traffic between nodes, and so each node will deliver - traffic only to the node-local endpoints of the service, without masquerading - the client source IP. (Traffic mistakenly sent to a node with no endpoints will - be dropped.) The default value, "Cluster", uses the standard behavior of - routing to all endpoints evenly (possibly modified by topology and other - features). Note that traffic sent to an External IP or LoadBalancer IP from - within the cluster will always get "Cluster" semantics, but clients sending to - a NodePort from within the cluster may need to take traffic policy into account - when picking a node. - type: string - healthCheckNodePort: - description: |- - healthCheckNodePort specifies the healthcheck nodePort for the service. - This only applies when type is set to LoadBalancer and - externalTrafficPolicy is set to Local. If a value is specified, is - in-range, and is not in use, it will be used. If not specified, a value - will be automatically allocated. External systems (e.g. load-balancers) - can use this port to determine if a given node holds endpoints for this - service or not. If this field is specified when creating a Service - which does not need it, creation will fail. This field will be wiped - when updating a Service to no longer need it (e.g. changing type). - This field cannot be updated once set. - format: int32 - type: integer - internalTrafficPolicy: - description: |- - InternalTrafficPolicy describes how nodes distribute service traffic they - receive on the ClusterIP. If set to "Local", the proxy will assume that pods - only want to talk to endpoints of the service on the same node as the pod, - dropping the traffic if there are no local endpoints. The default value, - "Cluster", uses the standard behavior of routing to all endpoints evenly - (possibly modified by topology and other features). - type: string - ipFamilies: - description: |- - IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this - service. This field is usually assigned automatically based on cluster - configuration and the ipFamilyPolicy field. If this field is specified - manually, the requested family is available in the cluster, - and ipFamilyPolicy allows it, it will be used; otherwise creation of - the service will fail. This field is conditionally mutable: it allows - for adding or removing a secondary IP family, but it does not allow - changing the primary IP family of the Service. Valid values are "IPv4" - and "IPv6". This field only applies to Services of types ClusterIP, - NodePort, and LoadBalancer, and does apply to "headless" services. - This field will be wiped when updating a Service to type ExternalName. - - This field may hold a maximum of two entries (dual-stack families, in - either order). These families must correspond to the values of the - clusterIPs field, if specified. Both clusterIPs and ipFamilies are - governed by the ipFamilyPolicy field. - items: - description: |- - IPFamily represents the IP Family (IPv4 or IPv6). This type is used - to express the family of an IP expressed by a type (e.g. service.spec.ipFamilies). - type: string - type: array - x-kubernetes-list-type: atomic - ipFamilyPolicy: - description: |- - IPFamilyPolicy represents the dual-stack-ness requested or required by - this Service. If there is no value provided, then this field will be set - to SingleStack. Services can be "SingleStack" (a single IP family), - "PreferDualStack" (two IP families on dual-stack configured clusters or - a single IP family on single-stack clusters), or "RequireDualStack" - (two IP families on dual-stack configured clusters, otherwise fail). The - ipFamilies and clusterIPs fields depend on the value of this field. This - field will be wiped when updating a service to type ExternalName. - type: string - loadBalancerClass: - description: |- - loadBalancerClass is the class of the load balancer implementation this Service belongs to. - If specified, the value of this field must be a label-style identifier, with an optional prefix, - e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. - This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load - balancer implementation is used, today this is typically done through the cloud provider integration, - but should apply for any default implementation. If set, it is assumed that a load balancer - implementation is watching for Services with a matching class. Any default load balancer - implementation (e.g. cloud providers) should ignore Services that set this field. - This field can only be set when creating or updating a Service to type 'LoadBalancer'. - Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. - type: string - loadBalancerIP: - description: |- - Only applies to Service Type: LoadBalancer. - This feature depends on whether the underlying cloud-provider supports specifying - the loadBalancerIP when a load balancer is created. - This field will be ignored if the cloud-provider does not support the feature. - Deprecated: This field was under-specified and its meaning varies across implementations. - Using it is non-portable and it may not support dual-stack. - Users are encouraged to use implementation-specific annotations when available. - type: string - loadBalancerSourceRanges: - description: |- - If specified and supported by the platform, this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client IPs. This field will be ignored if the - cloud-provider does not support the feature." - More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ - items: - type: string - type: array - x-kubernetes-list-type: atomic - ports: - description: |- - The list of ports that are exposed by this service. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - description: ServicePort contains information on service's port. - properties: - appProtocol: - description: |- - The application protocol for this port. - This is used as a hint for implementations to offer richer behavior for protocols that they understand. - This field follows standard Kubernetes label syntax. - Valid values are either: - - * Un-prefixed protocol names - reserved for IANA standard service names (as per - RFC-6335 and https://www.iana.org/assignments/service-names). - - * Kubernetes-defined prefixed names: - * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- - * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 - * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 - - * Other protocols should use implementation-defined prefixed names such as - mycompany.com/my-custom-protocol. - type: string - name: - description: |- - The name of this port within the service. This must be a DNS_LABEL. - All ports within a ServiceSpec must have unique names. When considering - the endpoints for a Service, this must match the 'name' field in the - EndpointPort. - Optional if only one ServicePort is defined on this service. - type: string - nodePort: - description: |- - The port on each node on which this service is exposed when type is - NodePort or LoadBalancer. Usually assigned by the system. If a value is - specified, in-range, and not in use it will be used, otherwise the - operation will fail. If not specified, a port will be allocated if this - Service requires one. If this field is specified when creating a - Service which does not need it, creation will fail. This field will be - wiped when updating a Service to no longer need it (e.g. changing type - from NodePort to ClusterIP). - More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - format: int32 - type: integer - port: - description: The port that will be exposed by this service. - format: int32 - type: integer - protocol: - default: TCP - description: |- - The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". - Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the pods targeted by the service. - Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named port in the - target Pod's container ports. If this is not specified, the value - of the 'port' field is used (an identity map). - This field is ignored for services with clusterIP=None, and should be - omitted or set equal to the 'port' field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - x-kubernetes-list-map-keys: - - port - - protocol - x-kubernetes-list-type: map - publishNotReadyAddresses: - description: |- - publishNotReadyAddresses indicates that any agent which deals with endpoints for this - Service should disregard any indications of ready/not-ready. - The primary use case for setting this field is for a StatefulSet's Headless Service to - propagate SRV DNS records for its Pods for the purpose of peer discovery. - The Kubernetes controllers that generate Endpoints and EndpointSlice resources for - Services interpret this to mean that all endpoints are considered "ready" even if the - Pods themselves are not. Agents which consume only Kubernetes generated endpoints - through the Endpoints or EndpointSlice resources can safely assume this behavior. - type: boolean - selector: - additionalProperties: - type: string - description: |- - Route service traffic to pods with label keys and values matching this - selector. If empty or not present, the service is assumed to have an - external process managing its endpoints, which Kubernetes will not - modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/ - type: object - x-kubernetes-map-type: atomic - sessionAffinity: - description: |- - Supports "ClientIP" and "None". Used to maintain session affinity. - Enable client IP based session affinity. - Must be ClientIP or None. - Defaults to None. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations of session affinity. - properties: - clientIP: - description: clientIP contains the configurations of Client IP based session affinity. - properties: - timeoutSeconds: - description: |- - timeoutSeconds specifies the seconds of ClientIP type session sticky time. - The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". - Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - trafficDistribution: - description: |- - TrafficDistribution offers a way to express preferences for how traffic is - distributed to Service endpoints. Implementations can use this field as a - hint, but are not required to guarantee strict adherence. If the field is - not set, the implementation will apply its default routing strategy. If set - to "PreferClose", implementations should prioritize endpoints that are - topologically close (e.g., same zone). - This is an alpha field and requires enabling ServiceTrafficDistribution feature. - type: string - type: - description: |- - type determines how the Service is exposed. Defaults to ClusterIP. Valid - options are ExternalName, ClusterIP, NodePort, and LoadBalancer. - "ClusterIP" allocates a cluster-internal IP address for load-balancing - to endpoints. Endpoints are determined by the selector or if that is not - specified, by manual construction of an Endpoints object or - EndpointSlice objects. If clusterIP is "None", no virtual IP is - allocated and the endpoints are published as a set of endpoints rather - than a virtual IP. - "NodePort" builds on ClusterIP and allocates a port on every node which - routes to the same endpoints as the clusterIP. - "LoadBalancer" builds on NodePort and creates an external load-balancer - (if supported in the current cloud) which routes to the same endpoints - as the clusterIP. - "ExternalName" aliases this service to the specified externalName. - Several other fields do not apply to ExternalName services. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. - properties: - certificate: - description: |- - Certificate is a reference to a Kubernetes secret that contains the certificate and private key for enabling TLS. - The referenced secret should contain the following: - - - `ca.crt`: The certificate authority (optional). - - `tls.crt`: The certificate (or a chain). - - `tls.key`: The private key to the first certificate in the certificate chain. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the self-signed certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning of the self-signed certifcate should be disabled. - type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs to include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN entry in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. - type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - image: - description: Image is the Kibana Docker image to deploy. - type: string - podTemplate: - description: PodTemplate provides customisation options (labels, annotations, affinity rules, resource requests, and so on) for the Kibana pods - type: object - x-kubernetes-preserve-unknown-fields: true - secureSettings: - description: SecureSettings is a list of references to Kubernetes secrets containing sensitive configuration options for Kibana. - items: - description: SecretSource defines a data source based on a Kubernetes Secret. - properties: - entries: - description: |- - Entries define how to project each key-value pair in the secret to filesystem paths. - If not defined, all keys will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: |- - Path is the relative file path to map the key to. - Path must not be an absolute file path and must not contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. - type: string - required: - - secretName - type: object - type: array - version: - description: Version of Kibana. - type: string - type: object - status: - description: KibanaStatus defines the observed state of Kibana - properties: - associationStatus: - description: AssociationStatus is the status of an association resource. - type: string - availableNodes: - format: int32 - type: integer - health: - description: KibanaHealth expresses the status of the Kibana instances. - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - name: v1alpha1 - schema: - openAPIV3Schema: - description: to not break compatibility when upgrading from previous versions of the CRD - type: object - served: false - storage: false diff --git a/pkg/crds/enterprise/01-crd-eck-logstash.yaml b/pkg/crds/enterprise/01-crd-eck-logstash.yaml deleted file mode 100644 index 8a33fffbda..0000000000 --- a/pkg/crds/enterprise/01-crd-eck-logstash.yaml +++ /dev/null @@ -1,1133 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.5 - helm.sh/resource-policy: keep - labels: - app.kubernetes.io/instance: 'elastic-operator' - app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '2.16.0' - name: logstashes.logstash.k8s.elastic.co -spec: - group: logstash.k8s.elastic.co - names: - categories: - - elastic - kind: Logstash - listKind: LogstashList - plural: logstashes - shortNames: - - ls - singular: logstash - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Health - jsonPath: .status.health - name: health - type: string - - description: Available nodes - jsonPath: .status.availableNodes - name: available - type: integer - - description: Expected nodes - jsonPath: .status.expectedNodes - name: expected - type: integer - - jsonPath: .metadata.creationTimestamp - name: age - type: date - - description: Logstash version - jsonPath: .status.version - name: version - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: Logstash is the Schema for the logstashes API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: LogstashSpec defines the desired state of Logstash - properties: - config: - description: Config holds the Logstash configuration. At most one of [`Config`, `ConfigRef`] can be specified. - type: object - x-kubernetes-preserve-unknown-fields: true - configRef: - description: |- - ConfigRef contains a reference to an existing Kubernetes Secret holding the Logstash configuration. - Logstash settings must be specified as yaml, under a single "logstash.yml" entry. At most one of [`Config`, `ConfigRef`] - can be specified. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - count: - format: int32 - type: integer - elasticsearchRefs: - description: ElasticsearchRefs are references to Elasticsearch clusters running in the same Kubernetes cluster. - items: - description: ElasticsearchCluster is a named reference to an Elasticsearch cluster which can be used in a Logstash pipeline. - properties: - clusterName: - description: |- - ClusterName is an alias for the cluster to be used to refer to the Elasticsearch cluster in Logstash - configuration files, and will be used to identify "named clusters" in Logstash - minLength: 1 - type: string - name: - description: Name of an existing Kubernetes object corresponding to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - required: - - clusterName - type: object - type: array - image: - description: Image is the Logstash Docker image to deploy. Version and Type have to match the Logstash in the image. - type: string - monitoring: - description: |- - Monitoring enables you to collect and ship log and monitoring data of this Logstash. - Metricbeat and Filebeat are deployed in the same Pod as sidecars and each one sends data to one or two different - Elasticsearch monitoring clusters running in the same Kubernetes cluster. - properties: - logs: - description: Logs holds references to Elasticsearch clusters which receive log data from an associated resource. - properties: - elasticsearchRefs: - description: |- - ElasticsearchRefs is a reference to a list of monitoring Elasticsearch clusters running in the same Kubernetes cluster. - Due to existing limitations, only a single Elasticsearch cluster is currently supported. - items: - description: |- - ObjectSelector defines a reference to a Kubernetes object which can be an Elastic resource managed by the operator - or a Secret describing an external Elastic resource not managed by the operator. - properties: - name: - description: Name of an existing Kubernetes object corresponding to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - type: array - type: object - metrics: - description: Metrics holds references to Elasticsearch clusters which receive monitoring data from this resource. - properties: - elasticsearchRefs: - description: |- - ElasticsearchRefs is a reference to a list of monitoring Elasticsearch clusters running in the same Kubernetes cluster. - Due to existing limitations, only a single Elasticsearch cluster is currently supported. - items: - description: |- - ObjectSelector defines a reference to a Kubernetes object which can be an Elastic resource managed by the operator - or a Secret describing an external Elastic resource not managed by the operator. - properties: - name: - description: Name of an existing Kubernetes object corresponding to an Elastic resource managed by ECK. - type: string - namespace: - description: Namespace of the Kubernetes object. If empty, defaults to the current namespace. - type: string - secretName: - description: |- - SecretName is the name of an existing Kubernetes secret that contains connection information for associating an - Elastic resource not managed by the operator. The referenced secret must contain the following: - - `url`: the URL to reach the Elastic resource - - `username`: the username of the user to be authenticated to the Elastic resource - - `password`: the password of the user to be authenticated to the Elastic resource - - `ca.crt`: the CA certificate in PEM format (optional) - - `api-key`: the key to authenticate against the Elastic resource instead of a username and password (supported only for `elasticsearchRefs` in AgentSpec and in BeatSpec) - This field cannot be used in combination with the other fields name, namespace or serviceName. - type: string - serviceName: - description: |- - ServiceName is the name of an existing Kubernetes service which is used to make requests to the referenced - object. It has to be in the same namespace as the referenced resource. If left empty, the default HTTP service of - the referenced resource is used. - type: string - type: object - type: array - type: object - type: object - pipelines: - description: Pipelines holds the Logstash Pipelines. At most one of [`Pipelines`, `PipelinesRef`] can be specified. - items: - type: object - type: array - x-kubernetes-preserve-unknown-fields: true - pipelinesRef: - description: |- - PipelinesRef contains a reference to an existing Kubernetes Secret holding the Logstash Pipelines. - Logstash pipelines must be specified as yaml, under a single "pipelines.yml" entry. At most one of [`Pipelines`, `PipelinesRef`] - can be specified. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - podTemplate: - description: PodTemplate provides customisation options for the Logstash pods. - type: object - x-kubernetes-preserve-unknown-fields: true - revisionHistoryLimit: - description: RevisionHistoryLimit is the number of revisions to retain to allow rollback in the underlying StatefulSet. - format: int32 - type: integer - secureSettings: - description: |- - SecureSettings is a list of references to Kubernetes Secrets containing sensitive configuration options for the Logstash. - Secrets data can be then referenced in the Logstash config using the Secret's keys or as specified in `Entries` field of - each SecureSetting. - items: - description: SecretSource defines a data source based on a Kubernetes Secret. - properties: - entries: - description: |- - Entries define how to project each key-value pair in the secret to filesystem paths. - If not defined, all keys will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: |- - Path is the relative file path to map the key to. - Path must not be an absolute file path and must not contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. - type: string - required: - - secretName - type: object - type: array - serviceAccountName: - description: |- - ServiceAccountName is used to check access from the current resource to Elasticsearch resource in a different namespace. - Can only be used if ECK is enforcing RBAC on references. - type: string - services: - description: |- - Services contains details of services that Logstash should expose - similar to the HTTP layer configuration for the - rest of the stack, but also applicable for more use cases than the metrics API, as logstash may need to - be opened up for other services: Beats, TCP, UDP, etc, inputs. - items: - properties: - name: - type: string - service: - description: Service defines the template for the associated Kubernetes Service object. - properties: - metadata: - description: |- - ObjectMeta is the metadata of the service. - The name and namespace provided here are managed by ECK and will be ignored. - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: Spec is the specification of the service. - properties: - allocateLoadBalancerNodePorts: - description: |- - allocateLoadBalancerNodePorts defines if NodePorts will be automatically - allocated for services with type LoadBalancer. Default is "true". It - may be set to "false" if the cluster load-balancer does not rely on - NodePorts. If the caller requests specific NodePorts (by specifying a - value), those requests will be respected, regardless of this field. - This field may only be set for services with type LoadBalancer and will - be cleared if the type is changed to any other type. - type: boolean - clusterIP: - description: |- - clusterIP is the IP address of the service and is usually assigned - randomly. If an address is specified manually, is in-range (as per - system configuration), and is not in use, it will be allocated to the - service; otherwise creation of the service will fail. This field may not - be changed through updates unless the type field is also being changed - to ExternalName (which requires this field to be blank) or the type - field is being changed from ExternalName (in which case this field may - optionally be specified, as describe above). Valid values are "None", - empty string (""), or a valid IP address. Setting this to "None" makes a - "headless service" (no virtual IP), which is useful when direct endpoint - connections are preferred and proxying is not required. Only applies to - types ClusterIP, NodePort, and LoadBalancer. If this field is specified - when creating a Service of type ExternalName, creation will fail. This - field will be wiped when updating a Service to type ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - clusterIPs: - description: |- - ClusterIPs is a list of IP addresses assigned to this service, and are - usually assigned randomly. If an address is specified manually, is - in-range (as per system configuration), and is not in use, it will be - allocated to the service; otherwise creation of the service will fail. - This field may not be changed through updates unless the type field is - also being changed to ExternalName (which requires this field to be - empty) or the type field is being changed from ExternalName (in which - case this field may optionally be specified, as describe above). Valid - values are "None", empty string (""), or a valid IP address. Setting - this to "None" makes a "headless service" (no virtual IP), which is - useful when direct endpoint connections are preferred and proxying is - not required. Only applies to types ClusterIP, NodePort, and - LoadBalancer. If this field is specified when creating a Service of type - ExternalName, creation will fail. This field will be wiped when updating - a Service to type ExternalName. If this field is not specified, it will - be initialized from the clusterIP field. If this field is specified, - clients must ensure that clusterIPs[0] and clusterIP have the same - value. - - This field may hold a maximum of two entries (dual-stack IPs, in either order). - These IPs must correspond to the values of the ipFamilies field. Both - clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalIPs: - description: |- - externalIPs is a list of IP addresses for which nodes in the cluster - will also accept traffic for this service. These IPs are not managed by - Kubernetes. The user is responsible for ensuring that traffic arrives - at a node with this IP. A common example is external load-balancers - that are not part of the Kubernetes system. - items: - type: string - type: array - x-kubernetes-list-type: atomic - externalName: - description: |- - externalName is the external reference that discovery mechanisms will - return as an alias for this service (e.g. a DNS CNAME record). No - proxying will be involved. Must be a lowercase RFC-1123 hostname - (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName". - type: string - externalTrafficPolicy: - description: |- - externalTrafficPolicy describes how nodes distribute service traffic they - receive on one of the Service's "externally-facing" addresses (NodePorts, - ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure - the service in a way that assumes that external load balancers will take care - of balancing the service traffic between nodes, and so each node will deliver - traffic only to the node-local endpoints of the service, without masquerading - the client source IP. (Traffic mistakenly sent to a node with no endpoints will - be dropped.) The default value, "Cluster", uses the standard behavior of - routing to all endpoints evenly (possibly modified by topology and other - features). Note that traffic sent to an External IP or LoadBalancer IP from - within the cluster will always get "Cluster" semantics, but clients sending to - a NodePort from within the cluster may need to take traffic policy into account - when picking a node. - type: string - healthCheckNodePort: - description: |- - healthCheckNodePort specifies the healthcheck nodePort for the service. - This only applies when type is set to LoadBalancer and - externalTrafficPolicy is set to Local. If a value is specified, is - in-range, and is not in use, it will be used. If not specified, a value - will be automatically allocated. External systems (e.g. load-balancers) - can use this port to determine if a given node holds endpoints for this - service or not. If this field is specified when creating a Service - which does not need it, creation will fail. This field will be wiped - when updating a Service to no longer need it (e.g. changing type). - This field cannot be updated once set. - format: int32 - type: integer - internalTrafficPolicy: - description: |- - InternalTrafficPolicy describes how nodes distribute service traffic they - receive on the ClusterIP. If set to "Local", the proxy will assume that pods - only want to talk to endpoints of the service on the same node as the pod, - dropping the traffic if there are no local endpoints. The default value, - "Cluster", uses the standard behavior of routing to all endpoints evenly - (possibly modified by topology and other features). - type: string - ipFamilies: - description: |- - IPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this - service. This field is usually assigned automatically based on cluster - configuration and the ipFamilyPolicy field. If this field is specified - manually, the requested family is available in the cluster, - and ipFamilyPolicy allows it, it will be used; otherwise creation of - the service will fail. This field is conditionally mutable: it allows - for adding or removing a secondary IP family, but it does not allow - changing the primary IP family of the Service. Valid values are "IPv4" - and "IPv6". This field only applies to Services of types ClusterIP, - NodePort, and LoadBalancer, and does apply to "headless" services. - This field will be wiped when updating a Service to type ExternalName. - - This field may hold a maximum of two entries (dual-stack families, in - either order). These families must correspond to the values of the - clusterIPs field, if specified. Both clusterIPs and ipFamilies are - governed by the ipFamilyPolicy field. - items: - description: |- - IPFamily represents the IP Family (IPv4 or IPv6). This type is used - to express the family of an IP expressed by a type (e.g. service.spec.ipFamilies). - type: string - type: array - x-kubernetes-list-type: atomic - ipFamilyPolicy: - description: |- - IPFamilyPolicy represents the dual-stack-ness requested or required by - this Service. If there is no value provided, then this field will be set - to SingleStack. Services can be "SingleStack" (a single IP family), - "PreferDualStack" (two IP families on dual-stack configured clusters or - a single IP family on single-stack clusters), or "RequireDualStack" - (two IP families on dual-stack configured clusters, otherwise fail). The - ipFamilies and clusterIPs fields depend on the value of this field. This - field will be wiped when updating a service to type ExternalName. - type: string - loadBalancerClass: - description: |- - loadBalancerClass is the class of the load balancer implementation this Service belongs to. - If specified, the value of this field must be a label-style identifier, with an optional prefix, - e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. - This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load - balancer implementation is used, today this is typically done through the cloud provider integration, - but should apply for any default implementation. If set, it is assumed that a load balancer - implementation is watching for Services with a matching class. Any default load balancer - implementation (e.g. cloud providers) should ignore Services that set this field. - This field can only be set when creating or updating a Service to type 'LoadBalancer'. - Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type. - type: string - loadBalancerIP: - description: |- - Only applies to Service Type: LoadBalancer. - This feature depends on whether the underlying cloud-provider supports specifying - the loadBalancerIP when a load balancer is created. - This field will be ignored if the cloud-provider does not support the feature. - Deprecated: This field was under-specified and its meaning varies across implementations. - Using it is non-portable and it may not support dual-stack. - Users are encouraged to use implementation-specific annotations when available. - type: string - loadBalancerSourceRanges: - description: |- - If specified and supported by the platform, this will restrict traffic through the cloud-provider - load-balancer will be restricted to the specified client IPs. This field will be ignored if the - cloud-provider does not support the feature." - More info: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/ - items: - type: string - type: array - x-kubernetes-list-type: atomic - ports: - description: |- - The list of ports that are exposed by this service. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - items: - description: ServicePort contains information on service's port. - properties: - appProtocol: - description: |- - The application protocol for this port. - This is used as a hint for implementations to offer richer behavior for protocols that they understand. - This field follows standard Kubernetes label syntax. - Valid values are either: - - * Un-prefixed protocol names - reserved for IANA standard service names (as per - RFC-6335 and https://www.iana.org/assignments/service-names). - - * Kubernetes-defined prefixed names: - * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- - * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 - * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 - - * Other protocols should use implementation-defined prefixed names such as - mycompany.com/my-custom-protocol. - type: string - name: - description: |- - The name of this port within the service. This must be a DNS_LABEL. - All ports within a ServiceSpec must have unique names. When considering - the endpoints for a Service, this must match the 'name' field in the - EndpointPort. - Optional if only one ServicePort is defined on this service. - type: string - nodePort: - description: |- - The port on each node on which this service is exposed when type is - NodePort or LoadBalancer. Usually assigned by the system. If a value is - specified, in-range, and not in use it will be used, otherwise the - operation will fail. If not specified, a port will be allocated if this - Service requires one. If this field is specified when creating a - Service which does not need it, creation will fail. This field will be - wiped when updating a Service to no longer need it (e.g. changing type - from NodePort to ClusterIP). - More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - format: int32 - type: integer - port: - description: The port that will be exposed by this service. - format: int32 - type: integer - protocol: - default: TCP - description: |- - The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". - Default is TCP. - type: string - targetPort: - anyOf: - - type: integer - - type: string - description: |- - Number or name of the port to access on the pods targeted by the service. - Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - If this is a string, it will be looked up as a named port in the - target Pod's container ports. If this is not specified, the value - of the 'port' field is used (an identity map). - This field is ignored for services with clusterIP=None, and should be - omitted or set equal to the 'port' field. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service - x-kubernetes-int-or-string: true - required: - - port - type: object - type: array - x-kubernetes-list-map-keys: - - port - - protocol - x-kubernetes-list-type: map - publishNotReadyAddresses: - description: |- - publishNotReadyAddresses indicates that any agent which deals with endpoints for this - Service should disregard any indications of ready/not-ready. - The primary use case for setting this field is for a StatefulSet's Headless Service to - propagate SRV DNS records for its Pods for the purpose of peer discovery. - The Kubernetes controllers that generate Endpoints and EndpointSlice resources for - Services interpret this to mean that all endpoints are considered "ready" even if the - Pods themselves are not. Agents which consume only Kubernetes generated endpoints - through the Endpoints or EndpointSlice resources can safely assume this behavior. - type: boolean - selector: - additionalProperties: - type: string - description: |- - Route service traffic to pods with label keys and values matching this - selector. If empty or not present, the service is assumed to have an - external process managing its endpoints, which Kubernetes will not - modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. - Ignored if type is ExternalName. - More info: https://kubernetes.io/docs/concepts/services-networking/service/ - type: object - x-kubernetes-map-type: atomic - sessionAffinity: - description: |- - Supports "ClientIP" and "None". Used to maintain session affinity. - Enable client IP based session affinity. - Must be ClientIP or None. - Defaults to None. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - type: string - sessionAffinityConfig: - description: sessionAffinityConfig contains the configurations of session affinity. - properties: - clientIP: - description: clientIP contains the configurations of Client IP based session affinity. - properties: - timeoutSeconds: - description: |- - timeoutSeconds specifies the seconds of ClientIP type session sticky time. - The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". - Default value is 10800(for 3 hours). - format: int32 - type: integer - type: object - type: object - trafficDistribution: - description: |- - TrafficDistribution offers a way to express preferences for how traffic is - distributed to Service endpoints. Implementations can use this field as a - hint, but are not required to guarantee strict adherence. If the field is - not set, the implementation will apply its default routing strategy. If set - to "PreferClose", implementations should prioritize endpoints that are - topologically close (e.g., same zone). - This is an alpha field and requires enabling ServiceTrafficDistribution feature. - type: string - type: - description: |- - type determines how the Service is exposed. Defaults to ClusterIP. Valid - options are ExternalName, ClusterIP, NodePort, and LoadBalancer. - "ClusterIP" allocates a cluster-internal IP address for load-balancing - to endpoints. Endpoints are determined by the selector or if that is not - specified, by manual construction of an Endpoints object or - EndpointSlice objects. If clusterIP is "None", no virtual IP is - allocated and the endpoints are published as a set of endpoints rather - than a virtual IP. - "NodePort" builds on ClusterIP and allocates a port on every node which - routes to the same endpoints as the clusterIP. - "LoadBalancer" builds on NodePort and creates an external load-balancer - (if supported in the current cloud) which routes to the same endpoints - as the clusterIP. - "ExternalName" aliases this service to the specified externalName. - Several other fields do not apply to ExternalName services. - More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types - type: string - type: object - type: object - tls: - description: TLS defines options for configuring TLS for HTTP. - properties: - certificate: - description: |- - Certificate is a reference to a Kubernetes secret that contains the certificate and private key for enabling TLS. - The referenced secret should contain the following: - - - `ca.crt`: The certificate authority (optional). - - `tls.crt`: The certificate (or a chain). - - `tls.key`: The private key to the first certificate in the certificate chain. - properties: - secretName: - description: SecretName is the name of the secret. - type: string - type: object - selfSignedCertificate: - description: SelfSignedCertificate allows configuring the self-signed certificate generated by the operator. - properties: - disabled: - description: Disabled indicates that the provisioning of the self-signed certifcate should be disabled. - type: boolean - subjectAltNames: - description: SubjectAlternativeNames is a list of SANs to include in the generated HTTP TLS certificate. - items: - description: SubjectAlternativeName represents a SAN entry in a x509 certificate. - properties: - dns: - description: DNS is the DNS name of the subject. - type: string - ip: - description: IP is the IP address of the subject. - type: string - type: object - type: array - type: object - type: object - type: object - type: array - updateStrategy: - description: UpdateStrategy is a StatefulSetUpdateStrategy. The default type is "RollingUpdate". - properties: - rollingUpdate: - description: RollingUpdate is used to communicate parameters when Type is RollingUpdateStatefulSetStrategyType. - properties: - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - The maximum number of pods that can be unavailable during the update. - Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). - Absolute number is calculated from percentage by rounding up. This can not be 0. - Defaults to 1. This field is alpha-level and is only honored by servers that enable the - MaxUnavailableStatefulSet feature. The field applies to all pods in the range 0 to - Replicas-1. That means if there is any unavailable pod in the range 0 to Replicas-1, it - will be counted towards MaxUnavailable. - x-kubernetes-int-or-string: true - partition: - description: |- - Partition indicates the ordinal at which the StatefulSet should be partitioned - for updates. During a rolling update, all pods from ordinal Replicas-1 to - Partition are updated. All pods from ordinal Partition-1 to 0 remain untouched. - This is helpful in being able to do a canary based deployment. The default value is 0. - format: int32 - type: integer - type: object - type: - description: |- - Type indicates the type of the StatefulSetUpdateStrategy. - Default is RollingUpdate. - type: string - type: object - version: - description: Version of the Logstash. - type: string - volumeClaimTemplates: - description: |- - VolumeClaimTemplates is a list of persistent volume claims to be used by each Pod. - Every claim in this list must have a matching volumeMount in one of the containers defined in the PodTemplate. - Items defined here take precedence over any default claims added by the operator with the same name. - items: - description: PersistentVolumeClaim is a user's request for and claim to a persistent volume - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - description: |- - Standard object's metadata. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - description: |- - spec defines the desired characteristics of a volume requested by a pod author. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - accessModes: - description: |- - accessModes contains the desired access modes the volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - dataSource: - description: |- - dataSource field can be used to specify either: - * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller can support the specified data source, - it will create a new volume based on the contents of the specified data source. - When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, - and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. - If the namespace is specified, then dataSourceRef will not be copied to dataSource. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - dataSourceRef: - description: |- - dataSourceRef specifies the object from which to populate the volume with data, if a non-empty - volume is desired. This may be any object from a non-empty API group (non - core object) or a PersistentVolumeClaim object. - When this field is specified, volume binding will only succeed if the type of - the specified object matches some installed volume populator or dynamic - provisioner. - This field will replace the functionality of the dataSource field and as such - if both fields are non-empty, they must have the same value. For backwards - compatibility, when namespace isn't specified in dataSourceRef, - both fields (dataSource and dataSourceRef) will be set to the same - value automatically if one of them is empty and the other is non-empty. - When namespace is specified in dataSourceRef, - dataSource isn't set to the same value and must be empty. - There are three important differences between dataSource and dataSourceRef: - * While dataSource only allows two specific types of objects, dataSourceRef - allows any non-core object, as well as PersistentVolumeClaim objects. - * While dataSource ignores disallowed values (dropping them), dataSourceRef - preserves all values, and generates an error if a disallowed value is - specified. - * While dataSource only allows local objects, dataSourceRef allows objects - in any namespaces. - (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. - (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - properties: - apiGroup: - description: |- - APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in the core API group. - For any other third-party types, APIGroup is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - namespace: - description: |- - Namespace is the namespace of resource being referenced - Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. - (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. - type: string - required: - - kind - - name - type: object - resources: - description: |- - resources represents the minimum resources the volume should have. - If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements - that are lower than previous value but must still be higher than capacity recorded in the - status field of the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - selector: - description: selector is a label query over volumes to consider for binding. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - storageClassName: - description: |- - storageClassName is the name of the StorageClass required by the claim. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 - type: string - volumeAttributesClassName: - description: |- - volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. - If specified, the CSI driver will create or update the volume with the attributes defined - in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, - it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass - will be applied to the claim but it's not allowed to reset this field to empty string once it is set. - If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass - will be set by the persistentvolume controller if it exists. - If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be - set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource - exists. - More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). - type: string - volumeMode: - description: |- - volumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - type: string - volumeName: - description: volumeName is the binding reference to the PersistentVolume backing this claim. - type: string - type: object - status: - description: |- - status represents the current information/status of a persistent volume claim. - Read-only. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims - properties: - accessModes: - description: |- - accessModes contains the actual access modes the volume backing the PVC has. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 - items: - type: string - type: array - x-kubernetes-list-type: atomic - allocatedResourceStatuses: - additionalProperties: - description: |- - When a controller receives persistentvolume claim update with ClaimResourceStatus for a resource - that it does not recognizes, then it should ignore that update and let other controllers - handle it. - type: string - description: "allocatedResourceStatuses stores status of resource being resized for the given PVC.\nKey names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered\nreserved and hence may not be used.\n\nClaimResourceStatus can be in any of following states:\n\t- ControllerResizeInProgress:\n\t\tState set when resize controller starts resizing the volume in control-plane.\n\t- ControllerResizeFailed:\n\t\tState set when resize has failed in resize controller with a terminal error.\n\t- NodeResizePending:\n\t\tState set when resize controller has finished resizing the volume but further resizing of\n\t\tvolume is needed on the node.\n\t- NodeResizeInProgress:\n\t\tState set when kubelet starts resizing the volume.\n\t- NodeResizeFailed:\n\t\tState set when resizing has failed in kubelet with a terminal error. Transient errors don't set\n\t\tNodeResizeFailed.\nFor example: if expanding a PVC for more capacity - this field can be one of the following states:\n\t- pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeInProgress\"\n - pvc.status.allocatedResourceStatus['storage'] = \"ControllerResizeFailed\"\n - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizePending\"\n - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeInProgress\"\n - pvc.status.allocatedResourceStatus['storage'] = \"NodeResizeFailed\"\nWhen this field is not set, it means that no resize operation is in progress for the given PVC.\n\nA controller that receives PVC update with previously unknown resourceName or ClaimResourceStatus\nshould ignore the update for the purpose it was designed. For example - a controller that\nonly is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid\nresources associated with PVC.\n\nThis is an alpha field and requires enabling RecoverVolumeExpansionFailure feature." - type: object - x-kubernetes-map-type: granular - allocatedResources: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: "allocatedResources tracks the resources allocated to a PVC including its capacity.\nKey names follow standard Kubernetes label syntax. Valid values are either:\n\t* Un-prefixed keys:\n\t\t- storage - the capacity of the volume.\n\t* Custom resources must use implementation-defined prefixed names such as \"example.com/my-custom-resource\"\nApart from above values - keys that are unprefixed or have kubernetes.io prefix are considered\nreserved and hence may not be used.\n\nCapacity reported here may be larger than the actual capacity when a volume expansion operation\nis requested.\nFor storage quota, the larger value from allocatedResources and PVC.spec.resources is used.\nIf allocatedResources is not set, PVC.spec.resources alone is used for quota calculation.\nIf a volume expansion capacity request is lowered, allocatedResources is only\nlowered if there are no expansion operations in progress and if the actual volume capacity\nis equal or lower than the requested capacity.\n\nA controller that receives PVC update with previously unknown resourceName\nshould ignore the update for the purpose it was designed. For example - a controller that\nonly is responsible for resizing capacity of the volume, should ignore PVC updates that change other valid\nresources associated with PVC.\n\nThis is an alpha field and requires enabling RecoverVolumeExpansionFailure feature." - type: object - capacity: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: capacity represents the actual resources of the underlying volume. - type: object - conditions: - description: |- - conditions is the current Condition of persistent volume claim. If underlying persistent volume is being - resized then the Condition will be set to 'Resizing'. - items: - description: PersistentVolumeClaimCondition contains details about state of pvc - properties: - lastProbeTime: - description: lastProbeTime is the time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: lastTransitionTime is the time the condition transitioned from one status to another. - format: date-time - type: string - message: - description: message is the human-readable message indicating details about last transition. - type: string - reason: - description: |- - reason is a unique, this should be a short, machine understandable string that gives the reason - for condition's last transition. If it reports "Resizing" that means the underlying - persistent volume is being resized. - type: string - status: - type: string - type: - description: |- - PersistentVolumeClaimConditionType defines the condition of PV claim. - Valid values are: - - "Resizing", "FileSystemResizePending" - - If RecoverVolumeExpansionFailure feature gate is enabled, then following additional values can be expected: - - "ControllerResizeError", "NodeResizeError" - - If VolumeAttributesClass feature gate is enabled, then following additional values can be expected: - - "ModifyVolumeError", "ModifyingVolume" - type: string - required: - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - currentVolumeAttributesClassName: - description: |- - currentVolumeAttributesClassName is the current name of the VolumeAttributesClass the PVC is using. - When unset, there is no VolumeAttributeClass applied to this PersistentVolumeClaim - This is a beta field and requires enabling VolumeAttributesClass feature (off by default). - type: string - modifyVolumeStatus: - description: |- - ModifyVolumeStatus represents the status object of ControllerModifyVolume operation. - When this is unset, there is no ModifyVolume operation being attempted. - This is a beta field and requires enabling VolumeAttributesClass feature (off by default). - properties: - status: - description: "status is the status of the ControllerModifyVolume operation. It can be in any of following states:\n - Pending\n Pending indicates that the PersistentVolumeClaim cannot be modified due to unmet requirements, such as\n the specified VolumeAttributesClass not existing.\n - InProgress\n InProgress indicates that the volume is being modified.\n - Infeasible\n Infeasible indicates that the request has been rejected as invalid by the CSI driver. To\n\t resolve the error, a valid VolumeAttributesClass needs to be specified.\nNote: New statuses can be added in the future. Consumers should check for unknown statuses and fail appropriately." - type: string - targetVolumeAttributesClassName: - description: targetVolumeAttributesClassName is the name of the VolumeAttributesClass the PVC currently being reconciled - type: string - required: - - status - type: object - phase: - description: phase represents the current phase of PersistentVolumeClaim. - type: string - type: object - type: object - type: array - required: - - version - type: object - status: - description: LogstashStatus defines the observed state of Logstash - properties: - availableNodes: - format: int32 - type: integer - elasticsearchAssociationsStatus: - additionalProperties: - description: AssociationStatus is the status of an association resource. - type: string - description: ElasticsearchAssociationStatus is the status of any auto-linking to Elasticsearch clusters. - type: object - expectedNodes: - format: int32 - type: integer - health: - type: string - monitoringAssociationStatus: - additionalProperties: - description: AssociationStatus is the status of an association resource. - type: string - description: MonitoringAssociationStatus is the status of any auto-linking to monitoring Elasticsearch clusters. - type: object - observedGeneration: - description: |- - ObservedGeneration is the most recent generation observed for this Logstash instance. - It corresponds to the metadata generation, which is updated on mutation by the API Server. - If the generation observed in status diverges from the generation in metadata, the Logstash - controller has not yet processed the changes contained in the Logstash specification. - format: int64 - type: integer - selector: - type: string - version: - description: |- - Version of the stack resource currently running. During version upgrades, multiple versions may run - in parallel: this value specifies the lowest version currently running. - type: string - required: - - selector - type: object - type: object - served: true - storage: true - subresources: - scale: - labelSelectorPath: .status.selector - specReplicasPath: .spec.count - statusReplicasPath: .status.expectedNodes - status: {} diff --git a/pkg/crds/enterprise/01-crd-eck-stackconfigpolicy.yaml b/pkg/crds/enterprise/01-crd-eck-stackconfigpolicy.yaml deleted file mode 100644 index 8a8ee413d4..0000000000 --- a/pkg/crds/enterprise/01-crd-eck-stackconfigpolicy.yaml +++ /dev/null @@ -1,359 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.16.5 - helm.sh/resource-policy: keep - labels: - app.kubernetes.io/instance: 'elastic-operator' - app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '2.16.0' - name: stackconfigpolicies.stackconfigpolicy.k8s.elastic.co -spec: - group: stackconfigpolicy.k8s.elastic.co - names: - categories: - - elastic - kind: StackConfigPolicy - listKind: StackConfigPolicyList - plural: stackconfigpolicies - shortNames: - - scp - singular: stackconfigpolicy - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Resources configured - jsonPath: .status.readyCount - name: Ready - type: string - - jsonPath: .status.phase - name: Phase - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: StackConfigPolicy represents a StackConfigPolicy resource in a Kubernetes cluster. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - elasticsearch: - properties: - clusterSettings: - description: ClusterSettings holds the Elasticsearch cluster settings (/_cluster/settings) - type: object - x-kubernetes-preserve-unknown-fields: true - config: - description: Config holds the settings that go into elasticsearch.yml. - type: object - x-kubernetes-preserve-unknown-fields: true - indexLifecyclePolicies: - description: IndexLifecyclePolicies holds the Index Lifecycle policies settings (/_ilm/policy) - type: object - x-kubernetes-preserve-unknown-fields: true - indexTemplates: - description: IndexTemplates holds the Index and Component Templates settings - properties: - componentTemplates: - description: ComponentTemplates holds the Component Templates settings (/_component_template) - type: object - x-kubernetes-preserve-unknown-fields: true - composableIndexTemplates: - description: ComposableIndexTemplates holds the Index Templates settings (/_index_template) - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - x-kubernetes-preserve-unknown-fields: true - ingestPipelines: - description: IngestPipelines holds the Ingest Pipelines settings (/_ingest/pipeline) - type: object - x-kubernetes-preserve-unknown-fields: true - secretMounts: - description: SecretMounts are additional Secrets that need to be mounted into the Elasticsearch pods. - items: - description: SecretMount contains information about additional secrets to be mounted to the elasticsearch pods - properties: - mountPath: - description: MountPath denotes the path to which the secret should be mounted to inside the elasticsearch pod - type: string - secretName: - description: SecretName denotes the name of the secret that needs to be mounted to the elasticsearch pod - type: string - type: object - type: array - x-kubernetes-preserve-unknown-fields: true - secureSettings: - description: SecureSettings are additional Secrets that contain data to be configured to Elasticsearch's keystore. - items: - description: SecretSource defines a data source based on a Kubernetes Secret. - properties: - entries: - description: |- - Entries define how to project each key-value pair in the secret to filesystem paths. - If not defined, all keys will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: |- - Path is the relative file path to map the key to. - Path must not be an absolute file path and must not contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. - type: string - required: - - secretName - type: object - type: array - x-kubernetes-preserve-unknown-fields: true - securityRoleMappings: - description: SecurityRoleMappings holds the Role Mappings settings (/_security/role_mapping) - type: object - x-kubernetes-preserve-unknown-fields: true - snapshotLifecyclePolicies: - description: SnapshotLifecyclePolicies holds the Snapshot Lifecycle Policies settings (/_slm/policy) - type: object - x-kubernetes-preserve-unknown-fields: true - snapshotRepositories: - description: SnapshotRepositories holds the Snapshot Repositories settings (/_snapshot) - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - kibana: - properties: - config: - description: Config holds the settings that go into kibana.yml. - type: object - x-kubernetes-preserve-unknown-fields: true - secureSettings: - description: SecureSettings are additional Secrets that contain data to be configured to Kibana's keystore. - items: - description: SecretSource defines a data source based on a Kubernetes Secret. - properties: - entries: - description: |- - Entries define how to project each key-value pair in the secret to filesystem paths. - If not defined, all keys will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: |- - Path is the relative file path to map the key to. - Path must not be an absolute file path and must not contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. - type: string - required: - - secretName - type: object - type: array - x-kubernetes-preserve-unknown-fields: true - type: object - resourceSelector: - description: |- - A label selector is a label query over a set of resources. The result of matchLabels and - matchExpressions are ANDed. An empty label selector matches all objects. A null - label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - secureSettings: - description: 'Deprecated: SecureSettings only applies to Elasticsearch and is deprecated. It must be set per application instead.' - items: - description: SecretSource defines a data source based on a Kubernetes Secret. - properties: - entries: - description: |- - Entries define how to project each key-value pair in the secret to filesystem paths. - If not defined, all keys will be projected to similarly named paths in the filesystem. - If defined, only the specified keys will be projected to the corresponding paths. - items: - description: KeyToPath defines how to map a key in a Secret object to a filesystem path. - properties: - key: - description: Key is the key contained in the secret. - type: string - path: - description: |- - Path is the relative file path to map the key to. - Path must not be an absolute file path and must not contain any ".." components. - type: string - required: - - key - type: object - type: array - secretName: - description: SecretName is the name of the secret. - type: string - required: - - secretName - type: object - type: array - type: object - status: - properties: - details: - additionalProperties: - additionalProperties: - description: ResourcePolicyStatus models the status of the policy for one resource to be configured. - properties: - currentVersion: - description: |- - CurrentVersion denotes the current version of filesettings applied to the Elasticsearch cluster - This field does not apply to Kibana resources - format: int64 - type: integer - error: - properties: - message: - type: string - version: - format: int64 - type: integer - type: object - expectedVersion: - description: |- - ExpectedVersion denotes the expected version of filesettings that should be applied to the Elasticsearch cluster - This field does not apply to Kibana resources - format: int64 - type: integer - phase: - type: string - type: object - type: object - description: Details holds the status details for each resource to be configured. - type: object - errors: - description: Errors is the number of resources which have an incorrect configuration - type: integer - observedGeneration: - description: ObservedGeneration is the most recent generation observed for this StackConfigPolicy. - format: int64 - type: integer - phase: - description: Phase is the phase of the StackConfigPolicy. - type: string - ready: - description: Ready is the number of resources successfully configured. - type: integer - readyCount: - description: ReadyCount is a human representation of the number of resources successfully configured. - type: string - resources: - description: Resources is the number of resources to be configured. - type: integer - resourcesStatuses: - additionalProperties: - description: ResourcePolicyStatus models the status of the policy for one resource to be configured. - properties: - currentVersion: - description: |- - CurrentVersion denotes the current version of filesettings applied to the Elasticsearch cluster - This field does not apply to Kibana resources - format: int64 - type: integer - error: - properties: - message: - type: string - version: - format: int64 - type: integer - type: object - expectedVersion: - description: |- - ExpectedVersion denotes the expected version of filesettings that should be applied to the Elasticsearch cluster - This field does not apply to Kibana resources - format: int64 - type: integer - phase: - type: string - type: object - description: |- - ResourcesStatuses holds the status for each resource to be configured. - Deprecated: Details is used to store the status of resources from ECK 2.11 - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/pkg/crds/enterprise/crd.projectcalico.org_alertexceptions.yaml b/pkg/crds/enterprise/crd.projectcalico.org_alertexceptions.yaml index 98018d0607..485dd37d65 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_alertexceptions.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_alertexceptions.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: alertexceptions.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,59 +14,35 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: AlertExceptionSpec contains the specification for an alert - exception resource. - properties: - description: - description: The description is displayed by the UI. - type: string - endTime: - description: |- - EndTime defines the end time at which this alert exception will expire. - If omitted the alert exception filtering will continue indefinitely. - format: date-time - type: string - selector: - description: Selector defines a query string for alert events to be - excluded from UI search results. - type: string - startTime: - description: |- - StartTime defines the start time from which this alert exception will take effect. - If the value is in the past, matched alerts will be filtered immediately. - If the value is changed to a future time, alert exceptions will restart at that time. - format: date-time - type: string - required: - - description - - selector - - startTime - type: object - status: - description: AlertExceptionStatus contains the status of an alert exception. - type: object - type: object - served: true - storage: true + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + description: + type: string + endTime: + format: date-time + type: string + selector: + type: string + startTime: + format: date-time + type: string + required: + - description + - selector + - startTime + type: object + status: + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/enterprise/crd.projectcalico.org_bfdconfigurations.yaml b/pkg/crds/enterprise/crd.projectcalico.org_bfdconfigurations.yaml index b9cccb12bd..c8028b424e 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_bfdconfigurations.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_bfdconfigurations.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: bfdconfigurations.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,74 +14,43 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - description: BFDConfiguration contains the configuration for BFD sessions. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: BFDConfigurationSpec contains the specification for a BFDConfiguration - resource. - properties: - interfaces: - items: - description: BFDInterface contains per-interface parameters for - BFD failure detection. - properties: - idleSendInterval: - default: 1m - description: IdleSendInterval is the interval between transmitted - BFD packets when the BFD peer is idle. Must be a whole number - of milliseconds greater than 0. - type: string - matchPattern: - description: |- - MatchPattern is a pattern to match one or more interfaces. - Supports exact interface names, match on interface prefixes (e.g., “eth*”), - or “*” to select all interfaces on the selected node(s). - type: string - minimumRecvInterval: - default: 10ms - description: MinimumRecvInterval is the minimum interval between - received BFD packets. Must be a whole number of milliseconds - greater than 0. - type: string - minimumSendInterval: - default: 100ms - description: MinimumSendInterval is the minimum interval between - transmitted BFD packets. Must be a whole number of milliseconds - greater than 0. - type: string - multiplier: - default: 5 - description: Multiplier is the number of intervals that must - pass without receiving a BFD packet before the peer is considered - down. - type: integer - required: - - matchPattern - type: object - type: array - nodeSelector: - type: string - type: object - type: object - served: true - storage: true + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + interfaces: + items: + properties: + idleSendInterval: + default: 1m + type: string + matchPattern: + type: string + minimumRecvInterval: + default: 10ms + type: string + minimumSendInterval: + default: 100ms + type: string + multiplier: + default: 5 + type: integer + required: + - matchPattern + type: object + type: array + x-kubernetes-list-type: atomic + nodeSelector: + type: string + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/enterprise/crd.projectcalico.org_bgpconfigurations.yaml b/pkg/crds/enterprise/crd.projectcalico.org_bgpconfigurations.yaml index ce99d590c1..5c772c91b6 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_bgpconfigurations.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_bgpconfigurations.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: bgpconfigurations.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,182 +14,159 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - description: BGPConfiguration contains the configuration for any BGP routing. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: BGPConfigurationSpec contains the values of the BGP configuration. - properties: - asNumber: - description: 'ASNumber is the default AS number used by a node. [Default: - 64512]' - format: int32 - type: integer - bindMode: - description: |- - BindMode indicates whether to listen for BGP connections on all addresses (None) - or only on the node's canonical IP address Node.Spec.BGP.IPvXAddress (NodeIP). - Default behaviour is to listen for BGP connections on all addresses. - type: string - communities: - description: Communities is a list of BGP community values and their - arbitrary names for tagging routes. - items: - description: Community contains standard or large community value - and its name. - properties: - name: - description: Name given to community value. - type: string - value: - description: |- - Value must be of format `aa:nn` or `aa:nn:mm`. - For standard community use `aa:nn` format, where `aa` and `nn` are 16 bit number. - For large community use `aa:nn:mm` format, where `aa`, `nn` and `mm` are 32 bit number. - Where, `aa` is an AS Number, `nn` and `mm` are per-AS identifier. - pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$ - type: string - type: object - type: array - extensions: - additionalProperties: - type: string - description: Extensions is a mapping of keys to values that can be - used in custom BGP templates - type: object - ignoredInterfaces: - description: IgnoredInterfaces indicates the network interfaces that - needs to be excluded when reading device routes. - items: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + asNumber: + format: int32 + type: integer + bindMode: + enum: + - None + - NodeIP type: string - type: array - listenPort: - description: ListenPort is the port where BGP protocol should listen. - Defaults to 179 - maximum: 65535 - minimum: 1 - type: integer - logSeverityScreen: - description: 'LogSeverityScreen is the log severity above which logs - are sent to the stdout. [Default: INFO]' - type: string - nodeMeshMaxRestartTime: - description: |- - Time to allow for software restart for node-to-mesh peerings. When specified, this is configured - as the graceful restart timeout. When not specified, the BIRD default of 120s is used. - This field can only be set on the default BGPConfiguration instance and requires that NodeMesh is enabled - type: string - nodeMeshPassword: - description: |- - Optional BGP password for full node-to-mesh peerings. - This field can only be set on the default BGPConfiguration instance and requires that NodeMesh is enabled - properties: - secretKeyRef: - description: Selects a key of a secret in the node pod's namespace. + communities: + items: properties: - key: - description: The key of the secret to select from. Must be - a valid secret key. - type: string name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string - optional: - description: Specify whether the Secret or its key must be - defined - type: boolean - required: - - key + value: + pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$ + type: string type: object x-kubernetes-map-type: atomic - type: object - nodeToNodeMeshEnabled: - description: 'NodeToNodeMeshEnabled sets whether full node to node - BGP mesh is enabled. [Default: true]' - type: boolean - prefixAdvertisements: - description: PrefixAdvertisements contains per-prefix advertisement - configuration. - items: - description: PrefixAdvertisement configures advertisement properties - for the specified CIDR. - properties: - cidr: - description: CIDR for which properties should be advertised. - type: string - communities: - description: |- - Communities can be list of either community names already defined in `Specs.Communities` or community value of format `aa:nn` or `aa:nn:mm`. - For standard community use `aa:nn` format, where `aa` and `nn` are 16 bit number. - For large community use `aa:nn:mm` format, where `aa`, `nn` and `mm` are 32 bit number. - Where,`aa` is an AS Number, `nn` and `mm` are per-AS identifier. - items: - type: string - type: array - type: object - type: array - serviceClusterIPs: - description: |- - ServiceClusterIPs are the CIDR blocks from which service cluster IPs are allocated. - If specified, Calico will advertise these blocks, as well as any cluster IPs within them. - items: - description: ServiceClusterIPBlock represents a single allowed ClusterIP - CIDR block. - properties: - cidr: - type: string + type: array + x-kubernetes-list-type: set + extensions: + additionalProperties: + type: string type: object - type: array - serviceExternalIPs: - description: |- - ServiceExternalIPs are the CIDR blocks for Kubernetes Service External IPs. - Kubernetes Service ExternalIPs will only be advertised if they are within one of these blocks. - items: - description: ServiceExternalIPBlock represents a single allowed - External IP CIDR block. - properties: - cidr: - type: string - type: object - type: array - serviceLoadBalancerIPs: - description: |- - ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes Service LoadBalancer IPs. - Kubernetes Service status.LoadBalancer.Ingress IPs will only be advertised if they are within one of these blocks. - items: - description: ServiceLoadBalancerIPBlock represents a single allowed - LoadBalancer IP CIDR block. + ignoredInterfaces: + items: + type: string + type: array + x-kubernetes-list-type: set + ipv4NormalRoutePriority: + maximum: 2147483646 + minimum: 1 + type: integer + ipv6NormalRoutePriority: + maximum: 2147483646 + minimum: 1 + type: integer + listenPort: + maximum: 65535 + minimum: 1 + type: integer + localWorkloadPeeringIPV4: + type: string + localWorkloadPeeringIPV6: + type: string + logSeverityScreen: + default: Info + pattern: ^(?i)(Trace|Debug|Info|Warning|Error|Fatal)?$ + type: string + nodeMeshMaxRestartTime: + type: string + nodeMeshPassword: properties: - cidr: - type: string + secretKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic type: object - type: array - type: object - type: object - served: true - storage: true + nodeToNodeMeshEnabled: + type: boolean + prefixAdvertisements: + items: + properties: + cidr: + format: cidr + type: string + communities: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: set + programClusterRoutes: + enum: + - Enabled + - Disabled + type: string + serviceClusterIPs: + items: + properties: + cidr: + format: cidr + type: string + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: set + serviceExternalIPs: + items: + properties: + cidr: + format: cidr + type: string + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: set + serviceLoadBalancerAggregation: + default: Enabled + enum: + - Enabled + - Disabled + type: string + serviceLoadBalancerIPs: + items: + properties: + cidr: + format: cidr + type: string + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: set + type: object + x-kubernetes-validations: + - message: + nodeMeshPassword cannot be set when nodeToNodeMeshEnabled is + false + reason: FieldValueForbidden + rule: + "!has(self.nodeMeshPassword) || !has(self.nodeToNodeMeshEnabled) + || self.nodeToNodeMeshEnabled == true" + - message: + nodeMeshMaxRestartTime cannot be set when nodeToNodeMeshEnabled + is false + reason: FieldValueForbidden + rule: + "!has(self.nodeMeshMaxRestartTime) || !has(self.nodeToNodeMeshEnabled) + || self.nodeToNodeMeshEnabled == true" + type: object + served: true + storage: true diff --git a/pkg/crds/enterprise/crd.projectcalico.org_bgpfilters.yaml b/pkg/crds/enterprise/crd.projectcalico.org_bgpfilters.yaml index c46ca68621..193208e8db 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_bgpfilters.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_bgpfilters.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: bgpfilters.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,168 +14,559 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: BGPFilterSpec contains the IPv4 and IPv6 filter rules of - the BGP Filter. - properties: - exportV4: - description: The ordered set of IPv4 BGPFilter rules acting on exporting - routes to a peer. - items: - description: BGPFilterRuleV4 defines a BGP filter rule consisting - a single IPv4 CIDR block and a filter action for this CIDR. - properties: - action: - type: string - cidr: - type: string - interface: - type: string - matchOperator: - type: string - prefixLength: - properties: - max: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + exportV4: + items: + properties: + action: + enum: + - Accept + - Reject + type: string + asPathPrefix: + items: format: int32 - maximum: 32 - minimum: 0 type: integer - min: + type: array + x-kubernetes-list-type: atomic + cidr: + format: cidr + maxLength: 18 + type: string + communities: + properties: + values: + items: + maxLength: 32 + pattern: ^(([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]):([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])|([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]))$ + type: string + maxItems: 1 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - values + type: object + x-kubernetes-map-type: atomic + interface: + type: string + matchOperator: + enum: + - Equal + - NotEqual + - In + - NotIn + type: string + operations: + items: + maxProperties: 1 + minProperties: 1 + properties: + addCommunity: + properties: + value: + maxLength: 32 + pattern: ^(([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]):([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])|([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]))$ + type: string + required: + - value + type: object + x-kubernetes-map-type: atomic + prependASPath: + properties: + prefix: + items: + format: int32 + type: integer + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - prefix + type: object + x-kubernetes-map-type: atomic + setPriority: + properties: + value: + maximum: 2147483646 + minimum: 1 + type: integer + required: + - value + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + peerType: + enum: + - eBGP + - iBGP + type: string + prefixLength: + properties: + max: + format: int32 + maximum: 32 + minimum: 0 + type: integer + min: + format: int32 + maximum: 32 + minimum: 0 + type: integer + type: object + x-kubernetes-map-type: atomic + priority: + maximum: 2147483646 + minimum: 1 + type: integer + source: + enum: + - RemotePeers + type: string + required: + - action + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: cidr and matchOperator must both be set or both be empty + reason: FieldValueInvalid + rule: + (has(self.cidr) && size(self.cidr) > 0) == (has(self.matchOperator) + && size(self.matchOperator) > 0) + - message: cidr is required when prefixLength is set + reason: FieldValueInvalid + rule: + "!has(self.prefixLength) || (has(self.cidr) && size(self.cidr) + > 0)" + - message: operations may only be used with action Accept + rule: + "!has(self.operations) || size(self.operations) == 0 || + self.action == 'Accept'" + type: array + x-kubernetes-list-type: atomic + exportV6: + items: + properties: + action: + enum: + - Accept + - Reject + type: string + asPathPrefix: + items: format: int32 - maximum: 32 - minimum: 0 type: integer - type: object - source: - type: string - required: - - action - type: object - type: array - exportV6: - description: The ordered set of IPv6 BGPFilter rules acting on exporting - routes to a peer. - items: - description: BGPFilterRuleV6 defines a BGP filter rule consisting - a single IPv6 CIDR block and a filter action for this CIDR. - properties: - action: - type: string - cidr: - type: string - interface: - type: string - matchOperator: - type: string - prefixLength: - properties: - max: + type: array + x-kubernetes-list-type: atomic + cidr: + format: cidr + maxLength: 43 + type: string + communities: + properties: + values: + items: + maxLength: 32 + pattern: ^(([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]):([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])|([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]))$ + type: string + maxItems: 1 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - values + type: object + x-kubernetes-map-type: atomic + interface: + type: string + matchOperator: + enum: + - Equal + - NotEqual + - In + - NotIn + type: string + operations: + items: + maxProperties: 1 + minProperties: 1 + properties: + addCommunity: + properties: + value: + maxLength: 32 + pattern: ^(([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]):([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])|([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]))$ + type: string + required: + - value + type: object + x-kubernetes-map-type: atomic + prependASPath: + properties: + prefix: + items: + format: int32 + type: integer + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - prefix + type: object + x-kubernetes-map-type: atomic + setPriority: + properties: + value: + maximum: 2147483646 + minimum: 1 + type: integer + required: + - value + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + peerType: + enum: + - eBGP + - iBGP + type: string + prefixLength: + properties: + max: + format: int32 + maximum: 128 + minimum: 0 + type: integer + min: + format: int32 + maximum: 128 + minimum: 0 + type: integer + type: object + x-kubernetes-map-type: atomic + priority: + maximum: 2147483646 + minimum: 1 + type: integer + source: + enum: + - RemotePeers + type: string + required: + - action + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: cidr and matchOperator must both be set or both be empty + reason: FieldValueInvalid + rule: + (has(self.cidr) && size(self.cidr) > 0) == (has(self.matchOperator) + && size(self.matchOperator) > 0) + - message: cidr is required when prefixLength is set + reason: FieldValueInvalid + rule: + "!has(self.prefixLength) || (has(self.cidr) && size(self.cidr) + > 0)" + - message: operations may only be used with action Accept + rule: + "!has(self.operations) || size(self.operations) == 0 || + self.action == 'Accept'" + type: array + x-kubernetes-list-type: atomic + importV4: + items: + properties: + action: + enum: + - Accept + - Reject + type: string + asPathPrefix: + items: format: int32 - maximum: 128 - minimum: 0 type: integer - min: + type: array + x-kubernetes-list-type: atomic + cidr: + format: cidr + maxLength: 18 + type: string + communities: + properties: + values: + items: + maxLength: 32 + pattern: ^(([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]):([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])|([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]))$ + type: string + maxItems: 1 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - values + type: object + x-kubernetes-map-type: atomic + interface: + type: string + matchOperator: + enum: + - Equal + - NotEqual + - In + - NotIn + type: string + operations: + items: + maxProperties: 1 + minProperties: 1 + properties: + addCommunity: + properties: + value: + maxLength: 32 + pattern: ^(([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]):([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])|([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]))$ + type: string + required: + - value + type: object + x-kubernetes-map-type: atomic + prependASPath: + properties: + prefix: + items: + format: int32 + type: integer + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - prefix + type: object + x-kubernetes-map-type: atomic + setPriority: + properties: + value: + maximum: 2147483646 + minimum: 1 + type: integer + required: + - value + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + peerType: + enum: + - eBGP + - iBGP + type: string + prefixLength: + properties: + max: + format: int32 + maximum: 32 + minimum: 0 + type: integer + min: + format: int32 + maximum: 32 + minimum: 0 + type: integer + type: object + x-kubernetes-map-type: atomic + priority: + maximum: 2147483646 + minimum: 1 + type: integer + source: + enum: + - RemotePeers + type: string + required: + - action + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: cidr and matchOperator must both be set or both be empty + reason: FieldValueInvalid + rule: + (has(self.cidr) && size(self.cidr) > 0) == (has(self.matchOperator) + && size(self.matchOperator) > 0) + - message: cidr is required when prefixLength is set + reason: FieldValueInvalid + rule: + "!has(self.prefixLength) || (has(self.cidr) && size(self.cidr) + > 0)" + - message: operations may only be used with action Accept + rule: + "!has(self.operations) || size(self.operations) == 0 || + self.action == 'Accept'" + type: array + x-kubernetes-list-type: atomic + importV6: + items: + properties: + action: + enum: + - Accept + - Reject + type: string + asPathPrefix: + items: format: int32 - maximum: 128 - minimum: 0 type: integer - type: object - source: - type: string - required: - - action - type: object - type: array - importV4: - description: The ordered set of IPv4 BGPFilter rules acting on importing - routes from a peer. - items: - description: BGPFilterRuleV4 defines a BGP filter rule consisting - a single IPv4 CIDR block and a filter action for this CIDR. - properties: - action: - type: string - cidr: - type: string - interface: - type: string - matchOperator: - type: string - prefixLength: - properties: - max: - format: int32 - maximum: 32 - minimum: 0 - type: integer - min: - format: int32 - maximum: 32 - minimum: 0 - type: integer - type: object - source: - type: string - required: - - action - type: object - type: array - importV6: - description: The ordered set of IPv6 BGPFilter rules acting on importing - routes from a peer. - items: - description: BGPFilterRuleV6 defines a BGP filter rule consisting - a single IPv6 CIDR block and a filter action for this CIDR. - properties: - action: - type: string - cidr: - type: string - interface: - type: string - matchOperator: - type: string - prefixLength: - properties: - max: - format: int32 - maximum: 128 - minimum: 0 - type: integer - min: - format: int32 - maximum: 128 - minimum: 0 - type: integer - type: object - source: - type: string - required: - - action - type: object - type: array - type: object - type: object - served: true - storage: true + type: array + x-kubernetes-list-type: atomic + cidr: + format: cidr + maxLength: 43 + type: string + communities: + properties: + values: + items: + maxLength: 32 + pattern: ^(([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]):([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])|([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]))$ + type: string + maxItems: 1 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - values + type: object + x-kubernetes-map-type: atomic + interface: + type: string + matchOperator: + enum: + - Equal + - NotEqual + - In + - NotIn + type: string + operations: + items: + maxProperties: 1 + minProperties: 1 + properties: + addCommunity: + properties: + value: + maxLength: 32 + pattern: ^(([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]):([0-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])|([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]):([0-9]|[1-9][0-9]{1,8}|[1-3][0-9]{9}|4[0-1][0-9]{8}|42[0-8][0-9]{7}|429[0-3][0-9]{6}|4294[0-8][0-9]{5}|42949[0-5][0-9]{4}|429496[0-6][0-9]{3}|4294967[0-1][0-9]{2}|42949672[0-8][0-9]|429496729[0-5]))$ + type: string + required: + - value + type: object + x-kubernetes-map-type: atomic + prependASPath: + properties: + prefix: + items: + format: int32 + type: integer + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - prefix + type: object + x-kubernetes-map-type: atomic + setPriority: + properties: + value: + maximum: 2147483646 + minimum: 1 + type: integer + required: + - value + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + maxItems: 10 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + peerType: + enum: + - eBGP + - iBGP + type: string + prefixLength: + properties: + max: + format: int32 + maximum: 128 + minimum: 0 + type: integer + min: + format: int32 + maximum: 128 + minimum: 0 + type: integer + type: object + x-kubernetes-map-type: atomic + priority: + maximum: 2147483646 + minimum: 1 + type: integer + source: + enum: + - RemotePeers + type: string + required: + - action + type: object + x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: cidr and matchOperator must both be set or both be empty + reason: FieldValueInvalid + rule: + (has(self.cidr) && size(self.cidr) > 0) == (has(self.matchOperator) + && size(self.matchOperator) > 0) + - message: cidr is required when prefixLength is set + reason: FieldValueInvalid + rule: + "!has(self.prefixLength) || (has(self.cidr) && size(self.cidr) + > 0)" + - message: operations may only be used with action Accept + rule: + "!has(self.operations) || size(self.operations) == 0 || + self.action == 'Accept'" + type: array + x-kubernetes-list-type: atomic + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/enterprise/crd.projectcalico.org_bgppeers.yaml b/pkg/crds/enterprise/crd.projectcalico.org_bgppeers.yaml index ed1a1ce979..3fe202204b 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_bgppeers.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_bgppeers.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: bgppeers.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,160 +14,137 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: BGPPeerSpec contains the specification for a BGPPeer resource. - properties: - asNumber: - description: The AS Number of the peer. - format: int32 - type: integer - birdGatewayMode: - description: |- - Specifies the BIRD "gateway" mode, i.e. method for computing the immediate next hop for - each received route, for peerings generated by this BGPPeer resource. Default value - "Recursive" means "gateway recursive". "DirectIfDirectlyConnected" means to configure - "gateway direct" when the peer is directly connected. - type: string - extensions: - additionalProperties: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + asNumber: + format: int32 + type: integer + birdGatewayMode: type: string - description: Extensions is a mapping of keys to values that can be - used in custom BGP templates - type: object - externalNetwork: - description: Name of the external network to which this peer belongs. - type: string - failureDetectionMode: - description: |- - Specifies whether and how to detect loss of connectivity on the peerings generated by - this BGPPeer resource. Default value "None" means nothing beyond BGP's own (slow) hold - timer. "BFDIfDirectlyConnected" means to use BFD when the peer is directly connected. - type: string - filters: - description: The ordered set of BGPFilters applied on this BGP peer. - items: + extensions: + additionalProperties: + type: string + type: object + externalNetwork: type: string - type: array - keepOriginalNextHop: - description: |- - Option to keep the original nexthop field when routes are sent to a BGP Peer. - Setting "true" configures the selected BGP Peers node to use the "next hop keep;" - instead of "next hop self;"(default) in the specific branch of the Node on "bird.cfg". - type: boolean - maxRestartTime: - description: |- - Time to allow for software restart. When specified, this is configured as the graceful - restart timeout when RestartMode is "GracefulRestart", and as the LLGR stale time when - RestartMode is "LongLivedGracefulRestart". When not specified, the BIRD defaults are - used, which are 120s for "GracefulRestart" and 3600s for "LongLivedGracefulRestart". - type: string - node: - description: |- - The node name identifying the Calico node instance that is targeted by this peer. - If this is not set, and no nodeSelector is specified, then this BGP peer selects all - nodes in the cluster. - type: string - nodeSelector: - description: |- - Selector for the nodes that should have this peering. When this is set, the Node - field must be empty. - type: string - numAllowedLocalASNumbers: - description: |- - Maximum number of local AS numbers that are allowed in the AS path for received routes. - This removes BGP loop prevention and should only be used if absolutely necessary. - format: int32 - type: integer - password: - description: Optional BGP password for the peerings generated by this - BGPPeer resource. - properties: - secretKeyRef: - description: Selects a key of a secret in the node pod's namespace. - properties: - key: - description: The key of the secret to select from. Must be - a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must be - defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - peerIP: - description: |- - The IP address of the peer followed by an optional port number to peer with. - If port number is given, format should be `[]:port` or `:` for IPv4. - If optional port number is not set, and this peer IP and ASNumber belongs to a calico/node - with ListenPort set in BGPConfiguration, then we use that port to peer. - type: string - peerSelector: - description: |- - Selector for the remote nodes to peer with. When this is set, the PeerIP and - ASNumber fields must be empty. For each peering between the local node and - selected remote nodes, we configure an IPv4 peering if both ends have - NodeBGPSpec.IPv4Address specified, and an IPv6 peering if both ends have - NodeBGPSpec.IPv6Address specified. The remote AS number comes from the remote - node's NodeBGPSpec.ASNumber, or the global default if that is not set. - type: string - reachableBy: - description: |- - Add an exact, i.e. /32, static route toward peer IP in order to prevent route flapping. - ReachableBy contains the address of the gateway which peer can be reached by. - type: string - restartMode: - description: |- - Specifies restart behaviour to configure on the peerings generated by this BGPPeer - resource. Default value "GracefulRestart" means traditional graceful restart. - "LongLivedGracefulRestart" means LLGR according to draft-uttaro-idr-bgp-persistence-05. - type: string - sourceAddress: - description: |- - Specifies whether and how to configure a source address for the peerings generated by - this BGPPeer resource. Default value "UseNodeIP" means to configure the node IP as the - source address. "None" means not to configure a source address. - type: string - ttlSecurity: - description: |- - TTLSecurity enables the generalized TTL security mechanism (GTSM) which protects against spoofed packets by - ignoring received packets with a smaller than expected TTL value. The provided value is the number of hops - (edges) between the peers. - type: integer - type: object - type: object - served: true - storage: true + failureDetectionMode: + type: string + filters: + items: + type: string + type: array + x-kubernetes-list-type: atomic + keepOriginalNextHop: + type: boolean + keepaliveTime: + type: string + localASNumber: + format: int32 + type: integer + localWorkloadSelector: + maxLength: 4096 + type: string + maxRestartTime: + type: string + nextHopMode: + enum: + - Auto + - Self + - Keep + type: string + node: + maxLength: 253 + type: string + nodeSelector: + maxLength: 4096 + type: string + numAllowedLocalASNumbers: + format: int32 + type: integer + password: + properties: + secretKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + peerIP: + maxLength: 64 + type: string + peerSelector: + maxLength: 4096 + type: string + reachableBy: + type: string + restartMode: + type: string + reversePeering: + allOf: + - enum: + - Auto + - Manual + - enum: + - Auto + - Manual + type: string + sourceAddress: + enum: + - UseNodeIP + - None + type: string + ttlSecurity: + type: integer + type: object + x-kubernetes-validations: + - message: node and nodeSelector cannot both be set + reason: FieldValueForbidden + rule: + (!has(self.node) || size(self.node) == 0) || (!has(self.nodeSelector) + || size(self.nodeSelector) == 0) + - message: peerIP and peerSelector cannot both be set + reason: FieldValueForbidden + rule: + (!has(self.peerIP) || size(self.peerIP) == 0) || (!has(self.peerSelector) + || size(self.peerSelector) == 0) + - message: asNumber must be empty when peerSelector is set + reason: FieldValueForbidden + rule: + (!has(self.peerSelector) || size(self.peerSelector) == 0) || !has(self.asNumber) + || self.asNumber == 0 + - message: peerIP must be empty when localWorkloadSelector is set + reason: FieldValueForbidden + rule: + (!has(self.localWorkloadSelector) || size(self.localWorkloadSelector) + == 0) || (!has(self.peerIP) || size(self.peerIP) == 0) + - message: peerSelector must be empty when localWorkloadSelector is set + reason: FieldValueForbidden + rule: + (!has(self.localWorkloadSelector) || size(self.localWorkloadSelector) + == 0) || (!has(self.peerSelector) || size(self.peerSelector) == 0) + - message: asNumber is required when localWorkloadSelector is set + reason: FieldValueInvalid + rule: + (!has(self.localWorkloadSelector) || size(self.localWorkloadSelector) + == 0) || (has(self.asNumber) && self.asNumber != 0) + type: object + served: true + storage: true diff --git a/pkg/crds/enterprise/crd.projectcalico.org_blockaffinities.yaml b/pkg/crds/enterprise/crd.projectcalico.org_blockaffinities.yaml index 717f046e3d..c18b570977 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_blockaffinities.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_blockaffinities.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: blockaffinities.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,51 +14,34 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: BlockAffinitySpec contains the specification for a BlockAffinity - resource. - properties: - cidr: - type: string - deleted: - description: |- - Deleted indicates that this block affinity is being deleted. - This field is a string for compatibility with older releases that - mistakenly treat this field as a string. - type: string - node: - type: string - state: - type: string - type: - type: string - required: - - cidr - - deleted - - node - - state - type: object - type: object - served: true - storage: true + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + cidr: + type: string + deleted: + type: string + node: + type: string + state: + type: string + type: + type: string + required: + - cidr + - deleted + - node + - state + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/enterprise/crd.projectcalico.org_caliconodestatuses.yaml b/pkg/crds/enterprise/crd.projectcalico.org_caliconodestatuses.yaml index e7b0ab1d2e..c0e6245b8d 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_caliconodestatuses.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_caliconodestatuses.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: caliconodestatuses.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,248 +14,206 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: CalicoNodeStatusSpec contains the specification for a CalicoNodeStatus - resource. - properties: - classes: - description: |- - Classes declares the types of information to monitor for this calico/node, - and allows for selective status reporting about certain subsets of information. - items: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + classes: + items: + enum: + - Agent + - BGP + - Routes + type: string + type: array + x-kubernetes-list-type: set + node: type: string - type: array - node: - description: The node name identifies the Calico node instance for - node status. - type: string - updatePeriodSeconds: - description: |- - UpdatePeriodSeconds is the period at which CalicoNodeStatus should be updated. - Set to 0 to disable CalicoNodeStatus refresh. Maximum update period is one day. - format: int32 - type: integer - type: object - status: - description: |- - CalicoNodeStatusStatus defines the observed state of CalicoNodeStatus. - No validation needed for status since it is updated by Calico. - properties: - agent: - description: Agent holds agent status on the node. - properties: - birdV4: - description: BIRDV4 represents the latest observed status of bird4. - properties: - lastBootTime: - description: LastBootTime holds the value of lastBootTime - from bird.ctl output. - type: string - lastReconfigurationTime: - description: LastReconfigurationTime holds the value of lastReconfigTime - from bird.ctl output. - type: string - routerID: - description: Router ID used by bird. - type: string - state: - description: The state of the BGP Daemon. - type: string - version: - description: Version of the BGP daemon - type: string - type: object - birdV6: - description: BIRDV6 represents the latest observed status of bird6. - properties: - lastBootTime: - description: LastBootTime holds the value of lastBootTime - from bird.ctl output. - type: string - lastReconfigurationTime: - description: LastReconfigurationTime holds the value of lastReconfigTime - from bird.ctl output. - type: string - routerID: - description: Router ID used by bird. - type: string - state: - description: The state of the BGP Daemon. - type: string - version: - description: Version of the BGP daemon - type: string - type: object - type: object - bgp: - description: BGP holds node BGP status. - properties: - numberEstablishedV4: - description: The total number of IPv4 established bgp sessions. - type: integer - numberEstablishedV6: - description: The total number of IPv6 established bgp sessions. - type: integer - numberNotEstablishedV4: - description: The total number of IPv4 non-established bgp sessions. - type: integer - numberNotEstablishedV6: - description: The total number of IPv6 non-established bgp sessions. - type: integer - peersV4: - description: PeersV4 represents IPv4 BGP peers status on the node. - items: - description: CalicoNodePeer contains the status of BGP peers - on the node. + updatePeriodSeconds: + format: int32 + type: integer + type: object + status: + properties: + agent: + properties: + birdV4: properties: - peerIP: - description: IP address of the peer whose condition we are - reporting. + lastBootTime: type: string - since: - description: Since the state or reason last changed. + lastReconfigurationTime: type: string - state: - description: State is the BGP session state. - type: string - type: - description: |- - Type indicates whether this peer is configured via the node-to-node mesh, - or via en explicit global or per-node BGPPeer object. - type: string - type: object - type: array - peersV6: - description: PeersV6 represents IPv6 BGP peers status on the node. - items: - description: CalicoNodePeer contains the status of BGP peers - on the node. - properties: - peerIP: - description: IP address of the peer whose condition we are - reporting. - type: string - since: - description: Since the state or reason last changed. + routerID: type: string state: - description: State is the BGP session state. + enum: + - Ready + - NotReady type: string - type: - description: |- - Type indicates whether this peer is configured via the node-to-node mesh, - or via en explicit global or per-node BGPPeer object. + version: type: string type: object - type: array - required: - - numberEstablishedV4 - - numberEstablishedV6 - - numberNotEstablishedV4 - - numberNotEstablishedV6 - type: object - lastUpdated: - description: |- - LastUpdated is a timestamp representing the server time when CalicoNodeStatus object - last updated. It is represented in RFC3339 form and is in UTC. - format: date-time - nullable: true - type: string - routes: - description: Routes reports routes known to the Calico BGP daemon - on the node. - properties: - routesV4: - description: RoutesV4 represents IPv4 routes on the node. - items: - description: CalicoNodeRoute contains the status of BGP routes - on the node. + birdV6: properties: - destination: - description: Destination of the route. - type: string - gateway: - description: Gateway for the destination. + lastBootTime: type: string - interface: - description: Interface for the destination + lastReconfigurationTime: type: string - learnedFrom: - description: LearnedFrom contains information regarding - where this route originated. - properties: - peerIP: - description: If sourceType is NodeMesh or BGPPeer, IP - address of the router that sent us this route. - type: string - sourceType: - description: Type of the source where a route is learned - from. - type: string - type: object - type: - description: Type indicates if the route is being used for - forwarding or not. + routerID: type: string - type: object - type: array - routesV6: - description: RoutesV6 represents IPv6 routes on the node. - items: - description: CalicoNodeRoute contains the status of BGP routes - on the node. - properties: - destination: - description: Destination of the route. - type: string - gateway: - description: Gateway for the destination. - type: string - interface: - description: Interface for the destination + state: + enum: + - Ready + - NotReady type: string - learnedFrom: - description: LearnedFrom contains information regarding - where this route originated. - properties: - peerIP: - description: If sourceType is NodeMesh or BGPPeer, IP - address of the router that sent us this route. - type: string - sourceType: - description: Type of the source where a route is learned - from. - type: string - type: object - type: - description: Type indicates if the route is being used for - forwarding or not. + version: type: string type: object - type: array - type: object - type: object - type: object - served: true - storage: true + type: object + bgp: + properties: + numberEstablishedV4: + type: integer + numberEstablishedV6: + type: integer + numberNotEstablishedV4: + type: integer + numberNotEstablishedV6: + type: integer + peersV4: + items: + properties: + peerIP: + type: string + since: + type: string + state: + enum: + - Idle + - Connect + - Active + - OpenSent + - OpenConfirm + - Established + - Close + type: string + type: + enum: + - NodeMesh + - NodePeer + - GlobalPeer + type: string + type: object + type: array + x-kubernetes-list-type: atomic + peersV6: + items: + properties: + peerIP: + type: string + since: + type: string + state: + enum: + - Idle + - Connect + - Active + - OpenSent + - OpenConfirm + - Established + - Close + type: string + type: + enum: + - NodeMesh + - NodePeer + - GlobalPeer + type: string + type: object + type: array + x-kubernetes-list-type: atomic + required: + - numberEstablishedV4 + - numberEstablishedV6 + - numberNotEstablishedV4 + - numberNotEstablishedV6 + type: object + lastUpdated: + format: date-time + nullable: true + type: string + routes: + properties: + routesV4: + items: + properties: + destination: + type: string + gateway: + type: string + interface: + type: string + learnedFrom: + properties: + peerIP: + type: string + sourceType: + enum: + - Kernel + - Static + - Direct + - NodeMesh + - BGPPeer + type: string + type: object + type: + enum: + - FIB + - RIB + type: string + type: object + type: array + x-kubernetes-list-type: atomic + routesV6: + items: + properties: + destination: + type: string + gateway: + type: string + interface: + type: string + learnedFrom: + properties: + peerIP: + type: string + sourceType: + enum: + - Kernel + - Static + - Direct + - NodeMesh + - BGPPeer + type: string + type: object + type: + enum: + - FIB + - RIB + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/enterprise/crd.projectcalico.org_clusterinformations.yaml b/pkg/crds/enterprise/crd.projectcalico.org_clusterinformations.yaml index cc4d7fbeca..0a80cc2c0b 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_clusterinformations.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_clusterinformations.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: clusterinformations.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,55 +14,33 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - description: ClusterInformation contains the cluster specific information. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ClusterInformationSpec contains the values of describing - the cluster. - properties: - calicoVersion: - description: CalicoVersion is the version of Calico that the cluster - is running - type: string - clusterGUID: - description: ClusterGUID is the GUID of the cluster - type: string - clusterType: - description: ClusterType describes the type of the cluster - type: string - cnxVersion: - description: CNXVersion is the version of CNX that the cluster is - running - type: string - datastoreReady: - description: |- - DatastoreReady is used during significant datastore migrations to signal to components - such as Felix that it should wait before accessing the datastore. - type: boolean - variant: - description: Variant declares which variant of Calico should be active. - type: string - type: object - type: object - served: true - storage: true + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + calicoEnterpriseVersion: + type: string + calicoVersion: + type: string + clusterGUID: + type: string + clusterType: + type: string + cnxVersion: + type: string + datastoreReady: + type: boolean + variant: + type: string + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/enterprise/crd.projectcalico.org_deeppacketinspections.yaml b/pkg/crds/enterprise/crd.projectcalico.org_deeppacketinspections.yaml index 9a580983c0..b80937eb8c 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_deeppacketinspections.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_deeppacketinspections.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: deeppacketinspections.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,94 +14,54 @@ spec: preserveUnknownFields: false scope: Namespaced versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: DeepPacketInspectionSpec contains the values of the deep - packet inspection. - properties: - selector: - description: "The selector is an expression used to pick out the endpoints - for which deep packet inspection should\nbe performed on. The selector - will only match endpoints in the same namespace as the\nDeepPacketInspection - resource.\n\nSelector expressions follow this syntax:\n\n\tlabel - == \"string_literal\" -> comparison, e.g. my_label == \"foo bar\"\n\tlabel - != \"string_literal\" -> not equal; also matches if label is - not present\n\tlabel in { \"a\", \"b\", \"c\", ... } -> true if - the value of label X is one of \"a\", \"b\", \"c\"\n\tlabel not - in { \"a\", \"b\", \"c\", ... } -> true if the value of label - X is not one of \"a\", \"b\", \"c\"\n\thas(label_name) -> True - if that label is present\n\t! expr -> negation of expr\n\texpr && - expr -> Short-circuit and\n\texpr || expr -> Short-circuit or\n\t( - expr ) -> parens for grouping\n\tall() or the empty selector -> - matches all endpoints.\n\nLabel names are allowed to contain alphanumerics, - -, _ and /. String literals are more permissive\nbut they do not - support escape characters.\n\nExamples (with made-up labels):\n\n\ttype - == \"webserver\" && deployment == \"prod\"\n\ttype in {\"frontend\", - \"backend\"}\n\tdeployment != \"dev\"\n\t! has(label_name)" - type: string - type: object - status: - description: DeepPacketInspectionStatus contains status of deep packet - inspection in each node. - properties: - nodes: - items: - properties: - active: - properties: - lastUpdated: - description: Timestamp of when the active status was last - updated. - format: date-time - type: string - success: - description: Success indicates if deep packet inspection - is running on all workloads matching the selector. - type: boolean - type: object - errorConditions: - items: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + selector: + type: string + type: object + status: + properties: + nodes: + items: + properties: + active: properties: lastUpdated: - description: Timestamp of when this error message was - added. format: date-time type: string - message: - description: Message from deep packet inspection error. - type: string + success: + type: boolean type: object - maxItems: 10 - type: array - node: - description: Node identifies with a physical node from the cluster - via its hostname. - type: string - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} + errorConditions: + items: + properties: + lastUpdated: + format: date-time + type: string + message: + type: string + type: object + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + node: + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/pkg/crds/enterprise/crd.projectcalico.org_egressgatewaypolicies.yaml b/pkg/crds/enterprise/crd.projectcalico.org_egressgatewaypolicies.yaml index 08e37baeba..7c937f5a28 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_egressgatewaypolicies.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_egressgatewaypolicies.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: egressgatewaypolicies.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,82 +14,47 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: EgressGatewayPolicySpec contains the egress policy rules - for each destination network - properties: - rules: - description: The ordered set of Egress Gateway Policies to define - how traffic exit a cluster - items: - description: EgressGatewayRule defines an Egress Gateway to reach - a destination network - properties: - description: - description: The description of the EgressGatewayPolicy rule. - type: string - destination: - description: |- - The destination network that can be reached via egress gateway. - If no destination is set, the default route, 0.0.0.0/0, is used instead. - properties: - cidr: - description: The destination network CIDR. - type: string - type: object - gateway: - description: |- - Gateway specifies the egress gateway that should be used for the specified destination. - If no gateway is set then the destination is routed normally rather than via an egress gateway. - properties: - maxNextHops: - description: |- - MaxNextHops specifies the maximum number of egress gateway replicas from the selected - deployment that a pod should depend on. - type: integer - namespaceSelector: - description: NamespaceSelector selects one or more namespaces - containing an egress gateway deployment. - type: string - selector: - description: |- - Selector is an expression used to pick out the egress gateway that the destination can - be reached via. - type: string - type: object - gatewayPreference: - default: None - description: |- - GatewayPreference specifies which egress gateways to use. If set to PreferNodeLocal, egress gateways in the same node as - the client will be used if available. Otherwise all the active egress gateways will be used. - enum: - - None - - PreferNodeLocal - type: string - type: object - type: array - type: object - type: object - served: true - storage: true + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + rules: + items: + properties: + description: + type: string + destination: + properties: + cidr: + type: string + type: object + gateway: + properties: + maxNextHops: + type: integer + namespaceSelector: + type: string + selector: + type: string + type: object + gatewayPreference: + default: None + enum: + - None + - PreferNodeLocal + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/enterprise/crd.projectcalico.org_externalnetworks.yaml b/pkg/crds/enterprise/crd.projectcalico.org_externalnetworks.yaml index 68a0eac8f5..b6f4409dd0 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_externalnetworks.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_externalnetworks.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: externalnetworks.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,42 +14,24 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ExternalNetworkSpec contains the specification for a external - network resource. - properties: - routeTableIndex: - description: |- - The index of a linux kernel routing table that should be used for the routes associated with the external network. - The value should be unique for each external network. - The value should not be in the range of `RouteTableRanges` field in FelixConfiguration. - The kernel routing table index should not be used by other processes on the node. - format: int32 - type: integer - required: - - routeTableIndex - type: object - type: object - served: true - storage: true + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + routeTableIndex: + format: int32 + type: integer + required: + - routeTableIndex + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/enterprise/crd.projectcalico.org_felixconfigurations.yaml b/pkg/crds/enterprise/crd.projectcalico.org_felixconfigurations.yaml index 8df48d6cba..f32568dc70 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_felixconfigurations.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_felixconfigurations.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: felixconfigurations.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,1852 +14,2138 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - description: Felix Configuration contains the configuration for Felix. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: FelixConfigurationSpec contains the values of the Felix configuration. - properties: - allowIPIPPacketsFromWorkloads: - description: |- - AllowIPIPPacketsFromWorkloads controls whether Felix will add a rule to drop IPIP encapsulated traffic - from workloads. [Default: false] - type: boolean - allowVXLANPacketsFromWorkloads: - description: |- - AllowVXLANPacketsFromWorkloads controls whether Felix will add a rule to drop VXLAN encapsulated traffic - from workloads. [Default: false] - type: boolean - awsRequestTimeout: - description: 'AWSRequestTimeout is the timeout on AWS API requests. - [Default: 30s]' - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - awsSecondaryIPRoutingRulePriority: - description: |- - AWSSecondaryIPRoutingRulePriority controls the priority that Felix will use for routing rules when programming - them for AWS Secondary IP support. [Default: 101] - type: integer - awsSecondaryIPSupport: - description: |- - AWSSecondaryIPSupport controls whether Felix will try to provision AWS secondary ENIs for - workloads that have IPs from IP pools that are configured with an AWS subnet ID. If the field is set to - "EnabledENIPerWorkload" then each workload with an AWS-backed IP will be assigned its own secondary ENI. - If set to "Enabled" then each workload with an AWS-backed IP pool will be allocated a secondary IP address - on a secondary ENI; this mode requires additional IP pools to be provisioned for the host to claim IPs for - the primary IP of the secondary ENIs. Accepted value must be one of "Enabled", "EnabledENIPerWorkload" or - "Disabled". [Default: Disabled] - pattern: ^(?i)(Enabled|EnabledENIPerWorkload|Disabled)?$ - type: string - awsSrcDstCheck: - description: |- - AWSSrcDstCheck controls whether Felix will try to change the "source/dest check" setting on the EC2 instance - on which it is running. A value of "Disable" will try to disable the source/dest check. Disabling the check - allows for sending workload traffic without encapsulation within the same AWS subnet. - [Default: DoNothing] - enum: - - DoNothing - - Enable - - Disable - type: string - bpfCTLBLogFilter: - description: |- - BPFCTLBLogFilter specifies, what is logged by connect time load balancer when BPFLogLevel is - debug. Currently has to be specified as 'all' when BPFLogFilters is set - to see CTLB logs. - [Default: unset - means logs are emitted when BPFLogLevel id debug and BPFLogFilters not set.] - type: string - bpfConnectTimeLoadBalancing: - description: |- - BPFConnectTimeLoadBalancing when in BPF mode, controls whether Felix installs the connect-time load - balancer. The connect-time load balancer is required for the host to be able to reach Kubernetes services - and it improves the performance of pod-to-service connections.When set to TCP, connect time load balancing - is available only for services with TCP ports. [Default: TCP] - enum: - - TCP - - Enabled - - Disabled - type: string - bpfConnectTimeLoadBalancingEnabled: - description: |- - BPFConnectTimeLoadBalancingEnabled when in BPF mode, controls whether Felix installs the connection-time load - balancer. The connect-time load balancer is required for the host to be able to reach Kubernetes services - and it improves the performance of pod-to-service connections. The only reason to disable it is for debugging - purposes. + - name: v1 + schema: + openAPIV3Schema: + description: Felix Configuration contains the configuration for Felix. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: FelixConfigurationSpec contains the values of the Felix configuration. + properties: + allowIPIPPacketsFromWorkloads: + description: |- + AllowIPIPPacketsFromWorkloads controls whether Felix will add a rule to drop IPIP encapsulated traffic + from workloads. [Default: false] + type: boolean + allowVXLANPacketsFromWorkloads: + description: |- + AllowVXLANPacketsFromWorkloads controls whether Felix will add a rule to drop VXLAN encapsulated traffic + from workloads. [Default: false] + type: boolean + awsRequestTimeout: + description: + "AWSRequestTimeout is the timeout on AWS API requests. + [Default: 30s]" + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + awsSecondaryIPRoutingRulePriority: + description: |- + AWSSecondaryIPRoutingRulePriority controls the priority that Felix will use for routing rules when programming + them for AWS Secondary IP support. [Default: 101] + type: integer + awsSecondaryIPSupport: + description: |- + AWSSecondaryIPSupport controls whether Felix will try to provision AWS secondary ENIs for + workloads that have IPs from IP pools that are configured with an AWS subnet ID. If the field is set to + "EnabledENIPerWorkload" then each workload with an AWS-backed IP will be assigned its own secondary ENI. + If set to "Enabled" then each workload with an AWS-backed IP pool will be allocated a secondary IP address + on a secondary ENI; this mode requires additional IP pools to be provisioned for the host to claim IPs for + the primary IP of the secondary ENIs. Accepted value must be one of "Enabled", "EnabledENIPerWorkload" or + "Disabled". [Default: Disabled] + pattern: ^(?i)(Enabled|EnabledENIPerWorkload|Disabled)?$ + type: string + awsSrcDstCheck: + description: |- + AWSSrcDstCheck controls whether Felix will try to change the "source/dest check" setting on the EC2 instance + on which it is running. A value of "Disable" will try to disable the source/dest check. Disabling the check + allows for sending workload traffic without encapsulation within the same AWS subnet. + [Default: DoNothing] + enum: + - DoNothing + - Enable + - Disable + type: string + bpfAttachType: + description: |- + BPFAttachType controls how are the BPF programs at the network interfaces attached. + By default `TCX` is used where available to enable easier coexistence with 3rd party programs. + `TC` can force the legacy method of attaching via a qdisc. `TCX` falls back to `TC` if `TCX` is not available. + [Default: TCX] + enum: + - TC + - TCX + type: string + bpfCTLBLogFilter: + description: |- + BPFCTLBLogFilter specifies, what is logged by connect time load balancer when BPFLogLevel is + debug. Currently has to be specified as 'all' when BPFLogFilters is set + to see CTLB logs. + [Default: unset - means logs are emitted when BPFLogLevel id debug and BPFLogFilters not set.] + type: string + bpfConnectTimeLoadBalancing: + description: |- + BPFConnectTimeLoadBalancing when in BPF mode, controls whether Felix installs the connect-time load + balancer. The connect-time load balancer is required for the host to be able to reach Kubernetes services + and it improves the performance of pod-to-service connections.When set to TCP, connect time load balancing + is available only for services with TCP ports. [Default: TCP] + enum: + - TCP + - Enabled + - Disabled + type: string + bpfConnectTimeLoadBalancingEnabled: + description: |- + BPFConnectTimeLoadBalancingEnabled when in BPF mode, controls whether Felix installs the connection-time load + balancer. The connect-time load balancer is required for the host to be able to reach Kubernetes services + and it improves the performance of pod-to-service connections. The only reason to disable it is for debugging + purposes. - Deprecated: Use BPFConnectTimeLoadBalancing [Default: true] - type: boolean - bpfConntrackLogLevel: - description: |- - BPFConntrackLogLevel controls the log level of the BPF conntrack cleanup program, which runs periodically - to clean up expired BPF conntrack entries. - [Default: Off]. - enum: - - "Off" - - Debug - type: string - bpfConntrackMode: - description: |- - BPFConntrackCleanupMode controls how BPF conntrack entries are cleaned up. `Auto` will use a BPF program if supported, - falling back to userspace if not. `Userspace` will always use the userspace cleanup code. `BPFProgram` will - always use the BPF program (failing if not supported). - [Default: Auto] - enum: - - Auto - - Userspace - - BPFProgram - type: string - bpfConntrackTimeouts: - description: |- - BPFConntrackTimers overrides the default values for the specified conntrack timer if - set. Each value can be either a duration or `Auto` to pick the value from - a Linux conntrack timeout. + Deprecated: Use BPFConnectTimeLoadBalancing [Default: true] + type: boolean + bpfConntrackLogLevel: + description: |- + BPFConntrackLogLevel controls the log level of the BPF conntrack cleanup program, which runs periodically + to clean up expired BPF conntrack entries. + [Default: Off]. + enum: + - "Off" + - Debug + type: string + bpfConntrackMode: + description: |- + BPFConntrackCleanupMode controls how BPF conntrack entries are cleaned up. `Auto` will use a BPF program if supported, + falling back to userspace if not. `Userspace` will always use the userspace cleanup code. `BPFProgram` will + always use the BPF program (failing if not supported). - Configurable timers are: CreationGracePeriod, TCPSynSent, - TCPEstablished, TCPFinsSeen, TCPResetSeen, UDPTimeout, GenericTimeout, - ICMPTimeout. + /To be deprecated in future versions as conntrack map type changed to + lru_hash and userspace cleanup is the only mode that is supported. + [Default: Userspace] + enum: + - Auto + - Userspace + - BPFProgram + type: string + bpfConntrackTimeouts: + description: |- + BPFConntrackTimers overrides the default values for the specified conntrack timer if + set. Each value can be either a duration or `Auto` to pick the value from + a Linux conntrack timeout. - Unset values are replaced by the default values with a warning log for - incorrect values. - properties: - creationGracePeriod: - description: |2- - CreationGracePeriod gives a generic grace period to new connection - before they are considered for cleanup [Default: 10s]. - pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ - type: string - genericTimeout: - description: |- - GenericTimeout controls how long it takes before considering this - entry for cleanup after the connection became idle. If set to 'Auto', the - value from nf_conntrack_generic_timeout is used. If nil, Calico uses its - own default value. [Default: 10m]. - pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ - type: string - icmpTimeout: - description: |- - ICMPTimeout controls how long it takes before considering this - entry for cleanup after the connection became idle. If set to 'Auto', the - value from nf_conntrack_icmp_timeout is used. If nil, Calico uses its - own default value. [Default: 5s]. - pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ - type: string - tcpEstablished: - description: |- - TCPEstablished controls how long it takes before considering this entry for - cleanup after the connection became idle. If set to 'Auto', the - value from nf_conntrack_tcp_timeout_established is used. If nil, Calico uses - its own default value. [Default: 1h]. - pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ - type: string - tcpFinsSeen: - description: |- - TCPFinsSeen controls how long it takes before considering this entry for - cleanup after the connection was closed gracefully. If set to 'Auto', the - value from nf_conntrack_tcp_timeout_time_wait is used. If nil, Calico uses - its own default value. [Default: Auto]. - pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ + Configurable timers are: CreationGracePeriod, TCPSynSent, + TCPEstablished, TCPFinsSeen, TCPResetSeen, UDPTimeout, GenericTimeout, + ICMPTimeout. + + Unset values are replaced by the default values with a warning log for + incorrect values. + properties: + creationGracePeriod: + description: |- + CreationGracePeriod gives a generic grace period to new connections + before they are considered for cleanup [Default: 10s]. + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ + type: string + genericTimeout: + description: |- + GenericTimeout controls how long it takes before considering this + entry for cleanup after the connection became idle. If set to 'Auto', the + value from nf_conntrack_generic_timeout is used. If nil, Calico uses its + own default value. [Default: 10m]. + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ + type: string + icmpTimeout: + description: |- + ICMPTimeout controls how long it takes before considering this + entry for cleanup after the connection became idle. If set to 'Auto', the + value from nf_conntrack_icmp_timeout is used. If nil, Calico uses its + own default value. [Default: 5s]. + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ + type: string + tcpEstablished: + description: |- + TCPEstablished controls how long it takes before considering this entry for + cleanup after the connection became idle. If set to 'Auto', the + value from nf_conntrack_tcp_timeout_established is used. If nil, Calico uses + its own default value. [Default: 1h]. + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ + type: string + tcpFinsSeen: + description: |- + TCPFinsSeen controls how long it takes before considering this entry for + cleanup after the connection was closed gracefully. If set to 'Auto', the + value from nf_conntrack_tcp_timeout_time_wait is used. If nil, Calico uses + its own default value. [Default: Auto]. + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ + type: string + tcpResetSeen: + description: |- + TCPResetSeen controls how long it takes before considering this entry for + cleanup after the connection was aborted. If nil, Calico uses its own + default value. [Default: 40s]. + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ + type: string + tcpSynSent: + description: |- + TCPSynSent controls how long it takes before considering this entry for + cleanup after the last SYN without a response. If set to 'Auto', the + value from nf_conntrack_tcp_timeout_syn_sent is used. If nil, Calico uses + its own default value. [Default: 20s]. + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ + type: string + udpTimeout: + description: |- + UDPTimeout controls how long it takes before considering this entry for + cleanup after the connection became idle. If nil, Calico uses its own + default value. [Default: 60s]. + pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ + type: string + type: object + bpfDNSPolicyMode: + description: |- + BPFDNSPolicyMode specifies how DNS policy programming will be handled. + Inline - BPF parses DNS response inline with DNS response packet + processing. This guarantees the DNS rules reflect any change immediately. + NoDelay - Felix does not introduce any delay to the packets. DNS rules may not have been programmed by the time + the first packet traverses the policy rules. Client applications need to handle reconnection attempts if initial + connection attempts fail. This may be problematic for some applications or for very low DNS TTLs. + [Default: DelayDeniedPacket] + type: string + bpfDSROptoutCIDRs: + description: |- + BPFDSROptoutCIDRs is a list of CIDRs which are excluded from DSR. That is, clients + in those CIDRs will access service node ports as if BPFExternalServiceMode was set to + Tunnel. + items: type: string - tcpResetSeen: - description: |- - TCPFinsSeen controls how long it takes before considering this entry for - cleanup after the connection was aborted. If nil, Calico uses its own - default value. [Default: 40s]. - pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ + type: array + bpfDataIfacePattern: + description: |- + BPFDataIfacePattern is a regular expression that controls which interfaces Felix should attach BPF programs to + in order to catch traffic to/from the network. This needs to match the interfaces that Calico workload traffic + flows over as well as any interfaces that handle incoming traffic to nodeports and services from outside the + cluster. It should not match the workload interfaces (usually named cali...) or any other special device managed + by Calico itself (e.g., tunnels). + type: string + bpfDisableGROForIfaces: + description: |- + BPFDisableGROForIfaces is a regular expression that controls which interfaces Felix should disable the + Generic Receive Offload [GRO] option. It should not match the workload interfaces (usually named cali...). + type: string + bpfDisableUnprivileged: + description: |- + BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled sysctl to disable + unprivileged use of BPF. This ensures that unprivileged users cannot access Calico's BPF maps and + cannot insert their own BPF programs to interfere with Calico's. [Default: true] + type: boolean + bpfEnabled: + description: + "BPFEnabled, if enabled Felix will use the BPF dataplane. + [Default: false]" + type: boolean + bpfEnforceRPF: + description: |- + BPFEnforceRPF enforce strict RPF on all host interfaces with BPF programs regardless of + what is the per-interfaces or global setting. Possible values are Disabled, Strict + or Loose. [Default: Loose] + pattern: ^(?i)(Disabled|Strict|Loose)?$ + type: string + bpfExcludeCIDRsFromNAT: + description: |- + BPFExcludeCIDRsFromNAT is a list of CIDRs that are to be excluded from NAT + resolution so that host can handle them. A typical usecase is node local + DNS cache. + items: type: string - tcpSynSent: - description: |- - TCPSynSent controls how long it takes before considering this entry for - cleanup after the last SYN without a response. If set to 'Auto', the - value from nf_conntrack_tcp_timeout_syn_sent is used. If nil, Calico uses - its own default value. [Default: 20s]. - pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ + type: array + bpfExportBufferSizeMB: + description: |- + BPFExportBufferSizeMB in BPF mode, controls the buffer size used for sending BPF events to felix. + [Default: 1] + type: integer + bpfExtToServiceConnmark: + description: |- + BPFExtToServiceConnmark in BPF mode, controls a 32bit mark that is set on connections from an + external client to a local service. This mark allows us to control how packets of that + connection are routed within the host and how is routing interpreted by RPF check. [Default: 0] + type: integer + bpfExternalServiceMode: + description: |- + BPFExternalServiceMode in BPF mode, controls how connections from outside the cluster to services (node ports + and cluster IPs) are forwarded to remote workloads. If set to "Tunnel" then both request and response traffic + is tunneled to the remote node. If set to "DSR", the request traffic is tunneled but the response traffic + is sent directly from the remote node. In "DSR" mode, the remote node appears to use the IP of the ingress + node; this requires a permissive L2 network. [Default: Tunnel] + pattern: ^(?i)(Tunnel|DSR)?$ + type: string + bpfForceTrackPacketsFromIfaces: + description: |- + BPFForceTrackPacketsFromIfaces in BPF mode, forces traffic from these interfaces + to skip Calico's iptables NOTRACK rule, allowing traffic from those interfaces to be + tracked by Linux conntrack. Should only be used for interfaces that are not used for + the Calico fabric. For example, a docker bridge device for non-Calico-networked + containers. [Default: docker+] + items: type: string - udpTimeout: - description: |- - UDPTimeout controls how long it takes before considering this entry for - cleanup after the connection became idle. If nil, Calico uses its own - default value. [Default: 60s]. - pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$ + type: array + bpfHostConntrackBypass: + description: |- + BPFHostConntrackBypass Controls whether to bypass Linux conntrack in BPF mode for + workloads and services. [Default: true - bypass Linux conntrack] + type: boolean + bpfHostNetworkedNATWithoutCTLB: + description: |- + BPFHostNetworkedNATWithoutCTLB when in BPF mode, controls whether Felix does a NAT without CTLB. This along with BPFConnectTimeLoadBalancing + determines the CTLB behavior. [Default: Enabled] + type: string + bpfJITHardening: + allOf: + - enum: + - Auto + - Strict + - enum: + - Auto + - Strict + description: |- + BPFJITHardening controls BPF JIT hardening. When set to "Auto", Felix will set JIT hardening to 1 + if it detects the current value is 2 (strict mode that hurts performance). When set to "Strict", + Felix will not modify the JIT hardening setting. [Default: Auto] + type: string + bpfKubeProxyHealthzPort: + description: |- + BPFKubeProxyHealthzPort, in BPF mode, controls the port that Felix's embedded kube-proxy health check server binds to. + The health check server is used by external load balancers to determine if this node should receive traffic. + Set to 0 to disable the health check server. [Default: 10256] + type: integer + bpfKubeProxyIptablesCleanupEnabled: + description: |- + BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF mode, Felix will proactively clean up the upstream + Kubernetes kube-proxy's iptables chains. Should only be enabled if kube-proxy is not running. [Default: true] + type: boolean + bpfKubeProxyMinSyncPeriod: + description: |- + BPFKubeProxyMinSyncPeriod, in BPF mode, controls the minimum time between updates to the dataplane for Felix's + embedded kube-proxy. Lower values give reduced set-up latency. Higher values reduce Felix CPU usage by + batching up more work. [Default: 1s] + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + bpfL3IfacePattern: + description: |- + BPFL3IfacePattern is a regular expression that allows to list tunnel devices like wireguard or vxlan (i.e., L3 devices) + in addition to BPFDataIfacePattern. That is, tunnel interfaces not created by Calico, that Calico workload traffic flows + over as well as any interfaces that handle incoming traffic to nodeports and services from outside the cluster. + type: string + bpfLogFilters: + additionalProperties: type: string - type: object - bpfDNSPolicyMode: - description: |- - BPFDNSPolicyMode specifies how DNS policy programming will be handled. - Inline - BPF parses DNS response inline with DNS response packet - processing. This guarantees the DNS rules reflect any change immediately. - NoDelay - Felix does not introduce any delay to the packets. DNS rules may not have been programmed by the time - the first packet traverses the policy rules. Client applications need to handle reconnection attempts if initial - connection attempts fail. This may be problematic for some applications or for very low DNS TTLs. - [Default: Inline] - type: string - bpfDSROptoutCIDRs: - description: |- - BPFDSROptoutCIDRs is a list of CIDRs which are excluded from DSR. That is, clients - in those CIDRs will access service node ports as if BPFExternalServiceMode was set to - Tunnel. - items: - type: string - type: array - bpfDataIfacePattern: - description: |- - BPFDataIfacePattern is a regular expression that controls which interfaces Felix should attach BPF programs to - in order to catch traffic to/from the network. This needs to match the interfaces that Calico workload traffic - flows over as well as any interfaces that handle incoming traffic to nodeports and services from outside the - cluster. It should not match the workload interfaces (usually named cali...) or any other special device managed - by Calico itself (e.g., tunnels). - type: string - bpfDisableGROForIfaces: - description: |- - BPFDisableGROForIfaces is a regular expression that controls which interfaces Felix should disable the - Generic Receive Offload [GRO] option. It should not match the workload interfaces (usually named cali...). - type: string - bpfDisableUnprivileged: - description: |- - BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled sysctl to disable - unprivileged use of BPF. This ensures that unprivileged users cannot access Calico's BPF maps and - cannot insert their own BPF programs to interfere with Calico's. [Default: true] - type: boolean - bpfEnabled: - description: 'BPFEnabled, if enabled Felix will use the BPF dataplane. - [Default: false]' - type: boolean - bpfEnforceRPF: - description: |- - BPFEnforceRPF enforce strict RPF on all host interfaces with BPF programs regardless of - what is the per-interfaces or global setting. Possible values are Disabled, Strict - or Loose. [Default: Loose] - pattern: ^(?i)(Disabled|Strict|Loose)?$ - type: string - bpfExcludeCIDRsFromNAT: - description: |- - BPFExcludeCIDRsFromNAT is a list of CIDRs that are to be excluded from NAT - resolution so that host can handle them. A typical usecase is node local - DNS cache. - items: - type: string - type: array - bpfExportBufferSizeMB: - description: |- - BPFExportBufferSizeMB in BPF mode, controls the buffer size used for sending BPF events to felix. - [Default: 1] - type: integer - bpfExtToServiceConnmark: - description: |- - BPFExtToServiceConnmark in BPF mode, controls a 32bit mark that is set on connections from an - external client to a local service. This mark allows us to control how packets of that - connection are routed within the host and how is routing interpreted by RPF check. [Default: 0] - type: integer - bpfExternalServiceMode: - description: |- - BPFExternalServiceMode in BPF mode, controls how connections from outside the cluster to services (node ports - and cluster IPs) are forwarded to remote workloads. If set to "Tunnel" then both request and response traffic - is tunneled to the remote node. If set to "DSR", the request traffic is tunneled but the response traffic - is sent directly from the remote node. In "DSR" mode, the remote node appears to use the IP of the ingress - node; this requires a permissive L2 network. [Default: Tunnel] - pattern: ^(?i)(Tunnel|DSR)?$ - type: string - bpfForceTrackPacketsFromIfaces: - description: |- - BPFForceTrackPacketsFromIfaces in BPF mode, forces traffic from these interfaces - to skip Calico's iptables NOTRACK rule, allowing traffic from those interfaces to be - tracked by Linux conntrack. Should only be used for interfaces that are not used for - the Calico fabric. For example, a docker bridge device for non-Calico-networked - containers. [Default: docker+] - items: - type: string - type: array - bpfHostConntrackBypass: - description: |- - BPFHostConntrackBypass Controls whether to bypass Linux conntrack in BPF mode for - workloads and services. [Default: true - bypass Linux conntrack] - type: boolean - bpfHostNetworkedNATWithoutCTLB: - description: |- - BPFHostNetworkedNATWithoutCTLB when in BPF mode, controls whether Felix does a NAT without CTLB. This along with BPFConnectTimeLoadBalancing - determines the CTLB behavior. [Default: Enabled] - type: string - bpfKubeProxyEndpointSlicesEnabled: - description: |- - BPFKubeProxyEndpointSlicesEnabled is deprecated and has no effect. BPF - kube-proxy always accepts endpoint slices. This option will be removed in - the next release. - type: boolean - bpfKubeProxyIptablesCleanupEnabled: - description: |- - BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF mode, Felix will proactively clean up the upstream - Kubernetes kube-proxy's iptables chains. Should only be enabled if kube-proxy is not running. [Default: true] - type: boolean - bpfKubeProxyMinSyncPeriod: - description: |- - BPFKubeProxyMinSyncPeriod, in BPF mode, controls the minimum time between updates to the dataplane for Felix's - embedded kube-proxy. Lower values give reduced set-up latency. Higher values reduce Felix CPU usage by - batching up more work. [Default: 1s] - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - bpfL3IfacePattern: - description: |- - BPFL3IfacePattern is a regular expression that allows to list tunnel devices like wireguard or vxlan (i.e., L3 devices) - in addition to BPFDataIfacePattern. That is, tunnel interfaces not created by Calico, that Calico workload traffic flows - over as well as any interfaces that handle incoming traffic to nodeports and services from outside the cluster. - type: string - bpfLogFilters: - additionalProperties: - type: string - description: |- - BPFLogFilters is a map of key=values where the value is - a pcap filter expression and the key is an interface name with 'all' - denoting all interfaces, 'weps' all workload endpoints and 'heps' all host - endpoints. + description: |- + BPFLogFilters is a map of key=values where the value is + a pcap filter expression and the key is an interface name with 'all' + denoting all interfaces, 'weps' all workload endpoints and 'heps' all host + endpoints. - When specified as an env var, it accepts a comma-separated list of - key=values. - [Default: unset - means all debug logs are emitted] - type: object - bpfLogLevel: - description: |- - BPFLogLevel controls the log level of the BPF programs when in BPF dataplane mode. One of "Off", "Info", or - "Debug". The logs are emitted to the BPF trace pipe, accessible with the command `tc exec bpf debug`. - [Default: Off]. - pattern: ^(?i)(Off|Info|Debug)?$ - type: string - bpfMapSizeConntrack: - description: |- - BPFMapSizeConntrack sets the size for the conntrack map. This map must be large enough to hold - an entry for each active connection. Warning: changing the size of the conntrack map can cause disruption. - type: integer - bpfMapSizeConntrackCleanupQueue: - description: |- - BPFMapSizeConntrackCleanupQueue sets the size for the map used to hold NAT conntrack entries that are queued - for cleanup. This should be big enough to hold all the NAT entries that expire within one cleanup interval. - minimum: 1 - type: integer - bpfMapSizeIPSets: - description: |- - BPFMapSizeIPSets sets the size for ipsets map. The IP sets map must be large enough to hold an entry - for each endpoint matched by every selector in the source/destination matches in network policy. Selectors - such as "all()" can result in large numbers of entries (one entry per endpoint in that case). - type: integer - bpfMapSizeIfState: - description: |- - BPFMapSizeIfState sets the size for ifstate map. The ifstate map must be large enough to hold an entry - for each device (host + workloads) on a host. - type: integer - bpfMapSizeNATAffinity: - description: |- - BPFMapSizeNATAffinity sets the size of the BPF map that stores the affinity of a connection (for services that - enable that feature. - type: integer - bpfMapSizeNATBackend: - description: |- - BPFMapSizeNATBackend sets the size for NAT back end map. - This is the total number of endpoints. This is mostly - more than the size of the number of services. - type: integer - bpfMapSizeNATFrontend: - description: |- - BPFMapSizeNATFrontend sets the size for NAT front end map. - FrontendMap should be large enough to hold an entry for each nodeport, - external IP and each port in each service. - type: integer - bpfMapSizePerCpuConntrack: - description: |- - BPFMapSizePerCPUConntrack determines the size of conntrack map based on the number of CPUs. If set to a - non-zero value, overrides BPFMapSizeConntrack with `BPFMapSizePerCPUConntrack * (Number of CPUs)`. - This map must be large enough to hold an entry for each active connection. Warning: changing the size of the - conntrack map can cause disruption. - type: integer - bpfMapSizeRoute: - description: |- - BPFMapSizeRoute sets the size for the routes map. The routes map should be large enough - to hold one entry per workload and a handful of entries per host (enough to cover its own IPs and - tunnel IPs). - type: integer - bpfPSNATPorts: - anyOf: - - type: integer - - type: string - description: |- - BPFPSNATPorts sets the range from which we randomly pick a port if there is a source port - collision. This should be within the ephemeral range as defined by RFC 6056 (1024–65535) and - preferably outside the ephemeral ranges used by common operating systems. Linux uses - 32768–60999, while others mostly use the IANA defined range 49152–65535. It is not necessarily - a problem if this range overlaps with the operating systems. Both ends of the range are - inclusive. [Default: 20000:29999] - pattern: ^.* - x-kubernetes-int-or-string: true - bpfPolicyDebugEnabled: - description: |- - BPFPolicyDebugEnabled when true, Felix records detailed information - about the BPF policy programs, which can be examined with the calico-bpf command-line tool. - type: boolean - bpfProfiling: - description: |- - BPFProfiling controls profiling of BPF programs. At the monent, it can be - Disabled or Enabled. [Default: Disabled] - enum: - - Enabled - - Disabled - type: string - bpfRedirectToPeer: - description: |- - BPFRedirectToPeer controls which whether it is allowed to forward straight to the - peer side of the workload devices. It is allowed for any host L2 devices by default - (L2Only), but it breaks TCP dump on the host side of workload device as it bypasses - it on ingress. Value of Enabled also allows redirection from L3 host devices like - IPIP tunnel or Wireguard directly to the peer side of the workload's device. This - makes redirection faster, however, it breaks tools like tcpdump on the peer side. - Use Enabled with caution. [Default: Disabled] - enum: - - Enabled - - Disabled - - L2Only - type: string - captureDir: - description: 'CaptureDir controls directory to store file capture. - [Default: /var/log/calico/pcap]' - minLength: 1 - type: string - captureMaxFiles: - description: 'CaptureMaxFiles controls number of rotated capture file - to keep. [Default: 2]' - minimum: 1 - type: integer - captureMaxSizeBytes: - description: 'CaptureMaxSizeBytes controls the max size of a file - capture. [Default: 10000000]' - minimum: 1 - type: integer - captureRotationSeconds: - description: 'CaptureRotationSeconds controls the time rotation of - a packet capture. [Default: 3600]' - minimum: 1 - type: integer - chainInsertMode: - description: |- - ChainInsertMode controls whether Felix hooks the kernel's top-level iptables chains by inserting a rule - at the top of the chain or by appending a rule at the bottom. insert is the safe default since it prevents - Calico's rules from being bypassed. If you switch to append mode, be sure that the other rules in the chains - signal acceptance by falling through to the Calico rules, otherwise the Calico policy will be bypassed. - [Default: insert] - pattern: ^(?i)(Insert|Append)?$ - type: string - dataplaneDriver: - description: |- - DataplaneDriver filename of the external dataplane driver to use. Only used if UseInternalDataplaneDriver - is set to false. - type: string - dataplaneWatchdogTimeout: - description: |- - DataplaneWatchdogTimeout is the readiness/liveness timeout used for Felix's (internal) dataplane driver. - Deprecated: replaced by the generic HealthTimeoutOverrides. - type: string - debugDisableLogDropping: - description: |- - DebugDisableLogDropping disables the dropping of log messages when the log buffer is full. This can - significantly impact performance if log write-out is a bottleneck. [Default: false] - type: boolean - debugHost: - description: |- - DebugHost is the host IP or hostname to bind the debug port to. Only used - if DebugPort is set. [Default:localhost] - type: string - debugMemoryProfilePath: - description: DebugMemoryProfilePath is the path to write the memory - profile to when triggered by signal. - type: string - debugPort: - description: |- - DebugPort if set, enables Felix's debug HTTP port, which allows memory and CPU profiles - to be retrieved. The debug port is not secure, it should not be exposed to the internet. - type: integer - debugSimulateCalcGraphHangAfter: - description: |- - DebugSimulateCalcGraphHangAfter is used to simulate a hang in the calculation graph after the specified duration. - This is useful in tests of the watchdog system only! - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - debugSimulateDataplaneApplyDelay: - description: |- - DebugSimulateDataplaneApplyDelay adds an artificial delay to every dataplane operation. This is useful for - simulating a heavily loaded system for test purposes only. - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - debugSimulateDataplaneHangAfter: - description: |- - DebugSimulateDataplaneHangAfter is used to simulate a hang in the dataplane after the specified duration. - This is useful in tests of the watchdog system only! - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - defaultEndpointToHostAction: - description: |- - DefaultEndpointToHostAction controls what happens to traffic that goes from a workload endpoint to the host - itself (after the endpoint's egress policy is applied). By default, Calico blocks traffic from workload - endpoints to the host itself with an iptables "DROP" action. If you want to allow some or all traffic from - endpoint to host, set this parameter to RETURN or ACCEPT. Use RETURN if you have your own rules in the iptables - "INPUT" chain; Calico will insert its rules at the top of that chain, then "RETURN" packets to the "INPUT" chain - once it has completed processing workload endpoint egress policy. Use ACCEPT to unconditionally accept packets - from workloads after processing workload endpoint egress policy. [Default: Drop] - pattern: ^(?i)(Drop|Accept|Return)?$ - type: string - deletedMetricsRetentionSecs: - description: DeletedMetricsRetentionSecs controls how long metrics - are retianed after the flow is gone. - type: integer - deviceRouteProtocol: - description: |- - DeviceRouteProtocol controls the protocol to set on routes programmed by Felix. The protocol is an 8-bit label - used to identify the owner of the route. - type: integer - deviceRouteSourceAddress: - description: |- - DeviceRouteSourceAddress IPv4 address to set as the source hint for routes programmed by Felix. When not set - the source address for local traffic from host to workload will be determined by the kernel. - type: string - deviceRouteSourceAddressIPv6: - description: |- - DeviceRouteSourceAddressIPv6 IPv6 address to set as the source hint for routes programmed by Felix. When not set - the source address for local traffic from host to workload will be determined by the kernel. - type: string - disableConntrackInvalidCheck: - description: |- - DisableConntrackInvalidCheck disables the check for invalid connections in conntrack. While the conntrack - invalid check helps to detect malicious traffic, it can also cause issues with certain multi-NIC scenarios. - type: boolean - dnsCacheEpoch: - description: |- - An arbitrary number that can be changed, at runtime, to tell Felix to discard all its - learnt DNS information. [Default: 0]. - type: integer - dnsCacheFile: - description: |- - The name of the file that Felix uses to preserve learnt DNS information when restarting. [Default: - "/var/run/calico/felix-dns-cache.txt"]. - type: string - dnsCacheSaveInterval: - description: |- - The periodic interval at which Felix saves learnt DNS information to the cache file. [Default: - 60s]. - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - dnsExtraTTL: - description: |- - Extra time to keep IPs and alias names that are learnt from DNS, in addition to each name - or IP's advertised TTL. [Default: 0s]. - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - dnsLogsFileAggregationKind: - description: |- - DNSLogsFileAggregationKind is used to choose the type of aggregation for DNS log entries. - [Default: 1 - client name prefix aggregation]. - Accepted values are 0 and 1. - 0 - No aggregation. - 1 - Aggregate over clients with the same name prefix. - enum: - - 0 - - 1 - type: integer - dnsLogsFileDirectory: - description: |- - DNSLogsFileDirectory sets the directory where DNS log files are stored. - [Default: /var/log/calico/dnslogs] - type: string - dnsLogsFileEnabled: - description: |- - DNSLogsFileEnabled controls logging DNS logs to a file. If false no DNS logging to file will occur. - [Default: false] - type: boolean - dnsLogsFileIncludeLabels: - description: |- - DNSLogsFileIncludeLabels is used to configure if endpoint labels are included in a DNS log entry written to file. - [Default: true] - type: boolean - dnsLogsFileMaxFileSizeMB: - description: |- - DNSLogsFileMaxFileSizeMB sets the max size in MB of DNS log files before rotation. - [Default: 100] - type: integer - dnsLogsFileMaxFiles: - description: |- - DNSLogsFileMaxFiles sets the number of DNS log files to keep. - [Default: 5] - type: integer - dnsLogsFilePerNodeLimit: - description: |- - Limit on the number of DNS logs that can be emitted within each flush interval. When - this limit has been reached, Felix counts the number of unloggable DNS responses within - the flush interval, and emits a WARNING log with that count at the same time as it - flushes the buffered DNS logs. [Default: 0, meaning no limit] - type: integer - dnsLogsFlushInterval: - description: |- - DNSLogsFlushInterval configures the interval at which Felix exports DNS logs. - [Default: 300s] - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - dnsLogsLatency: - description: |- - DNSLogsLatency indicates to include measurements of DNS request/response latency in each DNS log. - [Default: true] - type: boolean - dnsPacketsNfqueueID: - description: |- - DNSPacketsNfqueueID is the NFQUEUE ID to use for capturing DNS packets to ensure programming IPSets occurs before - the response is released. Used when DNSPolicyMode is DelayDNSResponse. [Default: 101] - type: integer - dnsPacketsNfqueueMaxHoldDuration: - description: |- - DNSPacketsNfqueueMaxHoldDuration is the max length of time to hold on to a DNS response while waiting for the - the dataplane to be programmed. Used when DNSPolicyMode is DelayDNSResponse. - [Default: 3s] - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - dnsPacketsNfqueueSize: - description: |- - DNSPacketsNfqueueSize is the size of the NFQUEUE for captured DNS packets. This is the maximum number of DNS - packets that may be queued awaiting programming in the dataplane. Used when DNSPolicyMode is DelayDNSResponse. - [Default: 100] - type: integer - dnsPolicyMode: - description: |- - DNSPolicyMode specifies how DNS policy programming will be handled. - DelayDeniedPacket - Felix delays any denied packet that traversed a policy that included egress domain matches, - but did not match. The packet is released after a fixed time, or after the destination IP address was programmed. - DelayDNSResponse - Felix delays any DNS response until related IPSets are programmed. This introduces some - latency to all DNS packets (even when no IPSet programming is required), but it ensures policy hit statistics - are accurate. This is the recommended setting when you are making use of staged policies or policy rule hit - statistics. - NoDelay - Felix does not introduce any delay to the packets. DNS rules may not have been programmed by the time - the first packet traverses the policy rules. Client applications need to handle reconnection attempts if initial - connection attempts fail. This may be problematic for some applications or for very low DNS TTLs. + When specified as an env var, it accepts a comma-separated list of + key=values. + [Default: unset - means all debug logs are emitted] + type: object + bpfLogLevel: + description: |- + BPFLogLevel controls the log level of the BPF programs when in BPF dataplane mode. One of "Off", "Info", or + "Debug". The logs are emitted to the BPF trace pipe, accessible with the command `tc exec bpf debug`. + [Default: Off]. + pattern: ^(?i)(Off|Info|Debug)?$ + type: string + bpfMaglevMaxEndpointsPerService: + description: |- + BPFMaglevMaxEndpointsPerService is the maximum number of endpoints + expected to be part of a single Maglev-enabled service. - Inline - Parses DNS response inline with DNS response packet processing within IPTables. - This guarantees the DNS rules reflect any change immediately. - This mode works for iptables only and matches the same mode for BPFDNSPolicyMode. - This setting is ignored on Windows and "NoDelay" is always used. + Influences the size of the per-service Maglev lookup-tables generated by Felix + and thus the amount of memory reserved. - This setting is ignored by eBPF and BPFDNSPolicyMode is used instead. + [Default: 100] + type: integer + bpfMaglevMaxServices: + description: |- + BPFMaglevMaxServices is the maximum number of expected Maglev-enabled + services that Felix will allocate lookup-tables for. - This field has no effect in NFTables mode. Please use NFTablesDNSPolicyMode instead. - [Default: Inline] - enum: - - NoDelay - - DelayDeniedPacket - - DelayDNSResponse - - Inline - type: string - dnsPolicyNfqueueID: - description: |- - DNSPolicyNfqueueID is the NFQUEUE ID to use for DNS Policy re-evaluation when the domains IP hasn't been programmed - to ipsets yet. Used when DNSPolicyMode is DelayDeniedPacket. [Default: 100] - type: integer - dnsPolicyNfqueueSize: - description: |- - DNSPolicyNfqueueID is the size of the NFQUEUE for DNS policy re-evaluation. This is the maximum number of denied - packets that may be queued up pending re-evaluation. - Used when DNSPolicyMode is DelayDeniedPacket. [Default: 100] - type: integer - dnsTrustedServers: - description: |- - The DNS servers that Felix should trust. Each entry here must be `[:]` - indicating an - explicit DNS server IP - or `k8s-service:[/][:port]` - indicating a Kubernetes DNS - service. `` defaults to the first service port, or 53 for an IP, and `` to - `kube-system`. An IPv6 address with a port must use the square brackets convention, for example - `[fd00:83a6::12]:5353`.Note that Felix (calico-node) will need RBAC permission to read the details of - each service specified by a `k8s-service:...` form. [Default: "k8s-service:kube-dns"]. - items: - type: string - type: array - dropActionOverride: - description: |- - DropActionOverride overrides the Drop action in Felix, optionally changing the behavior to Accept, and optionally adding Log. - Possible values are Drop, LogAndDrop, Accept, LogAndAccept. [Default: Drop] - pattern: ^(?i)(Drop|LogAndDrop|Accept|LogAndAccept)?$ - type: string - egressGatewayPollFailureCount: - description: |- - EgressGatewayPollFailureCount is the minimum number of poll failures before a remote Egress Gateway is considered - to have failed. - type: integer - egressGatewayPollInterval: - description: |- - EgressGatewayPollInterval is the interval at which Felix will poll remote egress gateways to check their - health. Only Egress Gateways with a named "health" port will be polled in this way. Egress Gateways that - fail the health check will be taken our of use as if they have been deleted. - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - egressIPRoutingRulePriority: - description: 'EgressIPRoutingRulePriority controls the priority value - to use for the egress IP routing rule. [Default: 100]' - type: integer - egressIPSupport: - description: |- - EgressIPSupport defines three different support modes for egress IP function. [Default: Disabled] - - Disabled: Egress IP function is disabled. - - EnabledPerNamespace: Egress IP function is enabled and can be configured on a per-namespace basis; - per-pod egress annotations are ignored. - - EnabledPerNamespaceOrPerPod: Egress IP function is enabled and can be configured per-namespace or per-pod, - with per-pod egress annotations overriding namespace annotations. - pattern: ^(?i)(Disabled|EnabledPerNamespace|EnabledPerNamespaceOrPerPod)?$ - type: string - egressIPVXLANPort: - description: 'EgressIPVXLANPort is the port number of vxlan tunnel - device for egress traffic. [Default: 4790]' - type: integer - egressIPVXLANVNI: - description: 'EgressIPVXLANVNI is the VNI ID of vxlan tunnel device - for egress traffic. [Default: 4097]' - type: integer - endpointReportingDelay: - description: |- - EndpointReportingDelay is the delay before Felix reports endpoint status to the datastore. This is only used - by the OpenStack integration. [Default: 1s] - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - endpointReportingEnabled: - description: |- - EndpointReportingEnabled controls whether Felix reports endpoint status to the datastore. This is only used - by the OpenStack integration. [Default: false] - type: boolean - endpointStatusPathPrefix: - description: |- - EndpointStatusPathPrefix is the path to the directory where endpoint status will be written. Endpoint status - file reporting is disabled if field is left empty. + [Default: 100] + type: integer + bpfMapSizeConntrack: + description: |- + BPFMapSizeConntrack sets the size for the conntrack map. This map must be large enough to hold + an entry for each active connection. Warning: changing the size of the conntrack map can cause disruption. + type: integer + bpfMapSizeConntrackCleanupQueue: + description: |- + BPFMapSizeConntrackCleanupQueue sets the size for the map used to hold NAT conntrack entries that are queued + for cleanup. This should be big enough to hold all the NAT entries that expire within one cleanup interval. + minimum: 1 + type: integer + bpfMapSizeConntrackScaling: + description: |- + BPFMapSizeConntrackScaling controls whether and how we scale the conntrack map size depending + on its usage. 'Disabled' make the size stay at the default or whatever is set by + BPFMapSizeConntrack*. 'DoubleIfFull' doubles the size when the map is pretty much full even + after cleanups. [Default: DoubleIfFull] + pattern: ^(?i)(Disabled|DoubleIfFull)?$ + type: string + bpfMapSizeIPSets: + description: |- + BPFMapSizeIPSets sets the size for ipsets map. The IP sets map must be large enough to hold an entry + for each endpoint matched by every selector in the source/destination matches in network policy. Selectors + such as "all()" can result in large numbers of entries (one entry per endpoint in that case). + type: integer + bpfMapSizeIfState: + description: |- + BPFMapSizeIfState sets the size for ifstate map. The ifstate map must be large enough to hold an entry + for each device (host + workloads) on a host. + type: integer + bpfMapSizeNATAffinity: + description: |- + BPFMapSizeNATAffinity sets the size of the BPF map that stores the affinity of a connection (for services that + enable that feature. + type: integer + bpfMapSizeNATBackend: + description: |- + BPFMapSizeNATBackend sets the size for NAT back end map. + This is the total number of endpoints. This is mostly + more than the size of the number of services. + type: integer + bpfMapSizeNATFrontend: + description: |- + BPFMapSizeNATFrontend sets the size for NAT front end map. + FrontendMap should be large enough to hold an entry for each nodeport, + external IP and each port in each service. + type: integer + bpfMapSizePerCpuConntrack: + description: |- + BPFMapSizePerCPUConntrack determines the size of conntrack map based on the number of CPUs. If set to a + non-zero value, overrides BPFMapSizeConntrack with `BPFMapSizePerCPUConntrack * (Number of CPUs)`. + This map must be large enough to hold an entry for each active connection. Warning: changing the size of the + conntrack map can cause disruption. + type: integer + bpfMapSizeRoute: + description: |- + BPFMapSizeRoute sets the size for the routes map. The routes map should be large enough + to hold one entry per workload and a handful of entries per host (enough to cover its own IPs and + tunnel IPs). + type: integer + bpfPSNATPorts: + anyOf: + - type: integer + - type: string + description: |- + BPFPSNATPorts sets the range from which we randomly pick a port if there is a source port + collision. This should be within the ephemeral range as defined by RFC 6056 (1024–65535) and + preferably outside the ephemeral ranges used by common operating systems. Linux uses + 32768–60999, while others mostly use the IANA defined range 49152–65535. It is not necessarily + a problem if this range overlaps with the operating systems. Both ends of the range are + inclusive. [Default: 20000:29999] + pattern: ^.* + x-kubernetes-int-or-string: true + bpfPolicyDebugEnabled: + description: |- + BPFPolicyDebugEnabled when true, Felix records detailed information + about the BPF policy programs, which can be examined with the calico-bpf command-line tool. + type: boolean + bpfProfiling: + description: |- + BPFProfiling controls profiling of BPF programs. At the monent, it can be + Disabled or Enabled. [Default: Disabled] + enum: + - Enabled + - Disabled + type: string + bpfRedirectToPeer: + description: |- + BPFRedirectToPeer controls whether traffic may be forwarded directly to the peer side of a workload’s device. + Note that the legacy "L2Only" option is now deprecated and if set it is treated like "Enabled". + Setting this option to "Enabled" allows direct redirection (including from L3 host devices such as IPIP tunnels or WireGuard), + which can improve redirection performance but causes the redirected packets to bypass the host‑side ingress path. + As a result, packet‑capture tools on the host side of the workload device (for example, tcpdump) will not see that traffic. [Default: Disabled] + enum: + - Enabled + - Disabled + type: string + captureDir: + description: + "CaptureDir controls directory to store file capture. + [Default: /var/log/calico/pcap]" + minLength: 1 + type: string + captureMaxFiles: + description: + "CaptureMaxFiles controls number of rotated capture file + to keep. [Default: 2]" + minimum: 1 + type: integer + captureMaxSizeBytes: + description: + "CaptureMaxSizeBytes controls the max size of a file + capture. [Default: 10000000]" + minimum: 1 + type: integer + captureRotationSeconds: + description: + "CaptureRotationSeconds controls the time rotation of + a packet capture. [Default: 3600]" + minimum: 1 + type: integer + cgroupV2Path: + description: + CgroupV2Path overrides the default location where to + find the cgroup hierarchy. + type: string + chainInsertMode: + description: |- + ChainInsertMode controls whether Felix hooks the kernel's top-level iptables chains by inserting a rule + at the top of the chain or by appending a rule at the bottom. insert is the safe default since it prevents + Calico's rules from being bypassed. If you switch to append mode, be sure that the other rules in the chains + signal acceptance by falling through to the Calico rules, otherwise the Calico policy will be bypassed. + [Default: insert] + pattern: ^(?i)(Insert|Append)?$ + type: string + dataplaneDriver: + description: |- + DataplaneDriver filename of the external dataplane driver to use. Only used if UseInternalDataplaneDriver + is set to false. + type: string + dataplaneWatchdogTimeout: + description: |- + DataplaneWatchdogTimeout is the readiness/liveness timeout used for Felix's (internal) dataplane driver. + Deprecated: replaced by the generic HealthTimeoutOverrides. + type: string + debugDisableLogDropping: + description: |- + DebugDisableLogDropping disables the dropping of log messages when the log buffer is full. This can + significantly impact performance if log write-out is a bottleneck. [Default: false] + type: boolean + debugHost: + description: |- + DebugHost is the host IP or hostname to bind the debug port to. Only used + if DebugPort is set. [Default:localhost] + type: string + debugMemoryProfilePath: + description: + DebugMemoryProfilePath is the path to write the memory + profile to when triggered by signal. + type: string + debugPort: + description: |- + DebugPort if set, enables Felix's debug HTTP port, which allows memory and CPU profiles + to be retrieved. The debug port is not secure, it should not be exposed to the internet. + type: integer + debugSimulateCalcGraphHangAfter: + description: |- + DebugSimulateCalcGraphHangAfter is used to simulate a hang in the calculation graph after the specified duration. + This is useful in tests of the watchdog system only! + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + debugSimulateDataplaneApplyDelay: + description: |- + DebugSimulateDataplaneApplyDelay adds an artificial delay to every dataplane operation. This is useful for + simulating a heavily loaded system for test purposes only. + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + debugSimulateDataplaneHangAfter: + description: |- + DebugSimulateDataplaneHangAfter is used to simulate a hang in the dataplane after the specified duration. + This is useful in tests of the watchdog system only! + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + defaultEndpointToHostAction: + description: |- + DefaultEndpointToHostAction controls what happens to traffic that goes from a workload endpoint to the host + itself (after the endpoint's egress policy is applied). By default, Calico blocks traffic from workload + endpoints to the host itself with an iptables "DROP" action. If you want to allow some or all traffic from + endpoint to host, set this parameter to RETURN or ACCEPT. Use RETURN if you have your own rules in the iptables + "INPUT" chain; Calico will insert its rules at the top of that chain, then "RETURN" packets to the "INPUT" chain + once it has completed processing workload endpoint egress policy. Use ACCEPT to unconditionally accept packets + from workloads after processing workload endpoint egress policy. [Default: Drop] + pattern: ^(?i)(Drop|Accept|Return)?$ + type: string + deletedMetricsRetentionSecs: + description: + DeletedMetricsRetentionSecs controls how long metrics + are retianed after the flow is gone. + type: integer + deviceRouteProtocol: + description: |- + DeviceRouteProtocol controls the protocol to set on routes programmed by Felix. The protocol is an 8-bit label + used to identify the owner of the route. + type: integer + deviceRouteSourceAddress: + description: |- + DeviceRouteSourceAddress IPv4 address to set as the source hint for routes programmed by Felix. When not set + the source address for local traffic from host to workload will be determined by the kernel. + type: string + deviceRouteSourceAddressIPv6: + description: |- + DeviceRouteSourceAddressIPv6 IPv6 address to set as the source hint for routes programmed by Felix. When not set + the source address for local traffic from host to workload will be determined by the kernel. + type: string + disableConntrackInvalidCheck: + description: |- + DisableConntrackInvalidCheck disables the check for invalid connections in conntrack. While the conntrack + invalid check helps to detect malicious traffic, it can also cause issues with certain multi-NIC scenarios. + type: boolean + dnsCacheEpoch: + description: |- + An arbitrary number that can be changed, at runtime, to tell Felix to discard all its + learnt DNS information. [Default: 0]. + type: integer + dnsCacheFile: + description: |- + The name of the file that Felix uses to preserve learnt DNS information when restarting. [Default: + "/var/run/calico/felix-dns-cache.txt"]. + type: string + dnsCacheSaveInterval: + description: |- + The periodic interval at which Felix saves learnt DNS information to the cache file. [Default: + 60s]. + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + dnsExtraTTL: + description: |- + Extra time to keep IPs and alias names that are learnt from DNS, in addition to each name + or IP's advertised TTL. [Default: 0s]. + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + dnsLogsFileAggregationKind: + description: |- + DNSLogsFileAggregationKind is used to choose the type of aggregation for DNS log entries. + [Default: 1 - client name prefix aggregation]. + Accepted values are 0 and 1. + 0 - No aggregation. + 1 - Aggregate over clients with the same name prefix. + enum: + - 0 + - 1 + type: integer + dnsLogsFileDirectory: + description: |- + DNSLogsFileDirectory sets the directory where DNS log files are stored. + [Default: /var/log/calico/dnslogs] + type: string + dnsLogsFileEnabled: + description: |- + DNSLogsFileEnabled controls logging DNS logs to a file. If false no DNS logging to file will occur. + [Default: false] + type: boolean + dnsLogsFileIncludeLabels: + description: |- + DNSLogsFileIncludeLabels is used to configure if endpoint labels are included in a DNS log entry written to file. + [Default: true] + type: boolean + dnsLogsFileMaxFileSizeMB: + description: |- + DNSLogsFileMaxFileSizeMB sets the max size in MB of DNS log files before rotation. + [Default: 100] + type: integer + dnsLogsFileMaxFiles: + description: |- + DNSLogsFileMaxFiles sets the number of DNS log files to keep. + [Default: 5] + type: integer + dnsLogsFilePerNodeLimit: + description: |- + Limit on the number of DNS logs that can be emitted within each flush interval. When + this limit has been reached, Felix counts the number of unloggable DNS responses within + the flush interval, and emits a WARNING log with that count at the same time as it + flushes the buffered DNS logs. [Default: 0, meaning no limit] + type: integer + dnsLogsFlushInterval: + description: |- + DNSLogsFlushInterval configures the interval at which Felix exports DNS logs. + [Default: 300s] + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + dnsLogsLatency: + description: |- + DNSLogsLatency indicates to include measurements of DNS request/response latency in each DNS log. + [Default: true] + type: boolean + dnsPacketsNfqueueID: + description: |- + DNSPacketsNfqueueID is the NFQUEUE ID to use for capturing DNS packets to ensure programming IPSets occurs before + the response is released. Used when DNSPolicyMode is DelayDNSResponse. [Default: 101] + type: integer + dnsPacketsNfqueueMaxHoldDuration: + description: |- + DNSPacketsNfqueueMaxHoldDuration is the max length of time to hold on to a DNS response while waiting for the + the dataplane to be programmed. Used when DNSPolicyMode is DelayDNSResponse. + [Default: 3s] + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + dnsPacketsNfqueueSize: + description: |- + DNSPacketsNfqueueSize is the size of the NFQUEUE for captured DNS packets. This is the maximum number of DNS + packets that may be queued awaiting programming in the dataplane. Used when DNSPolicyMode is DelayDNSResponse. + [Default: 100] + type: integer + dnsPolicyMode: + description: |- + DNSPolicyMode specifies how DNS policy programming will be handled. + DelayDeniedPacket - Felix delays any denied packet that traversed a policy that included egress domain matches, + but did not match. The packet is released after a fixed time, or after the destination IP address was programmed. + DelayDNSResponse - Felix delays any DNS response until related IPSets are programmed. This introduces some + latency to all DNS packets (even when no IPSet programming is required), but it ensures policy hit statistics + are accurate. This is the recommended setting when you are making use of staged policies or policy rule hit + statistics. + NoDelay - Felix does not introduce any delay to the packets. DNS rules may not have been programmed by the time + the first packet traverses the policy rules. Client applications need to handle reconnection attempts if initial + connection attempts fail. This may be problematic for some applications or for very low DNS TTLs. - Chosen directory should match the directory used by the CNI plugin for PodStartupDelay. - [Default: ""] - type: string - externalNetworkRoutingRulePriority: - description: 'ExternalNetworkRoutingRulePriority controls the priority - value to use for the external network routing rule. [Default: 102]' - type: integer - externalNetworkSupport: - description: |- - ExternalNetworkSupport defines two different support modes for external network function. [Default: Disabled] - - Disabled: External network function is disabled. - - Enabled: External network function is enabled. - pattern: ^(?i)(Disabled|Enabled)?$ - type: string - externalNodesList: - description: |- - ExternalNodesCIDRList is a list of CIDR's of external, non-Calico nodes from which VXLAN/IPIP overlay traffic - will be allowed. By default, external tunneled traffic is blocked to reduce attack surface. - items: - type: string - type: array - failsafeInboundHostPorts: - description: |- - FailsafeInboundHostPorts is a list of ProtoPort struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will - allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally - cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, - it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, - use the value "[]". The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. - [Default: tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667 ] - items: - description: ProtoPort is combination of protocol, port, and CIDR. - Protocol and port must be specified. - properties: - net: - type: string - port: - type: integer - protocol: - type: string - required: - - port - type: object - type: array - failsafeOutboundHostPorts: - description: |- - FailsafeOutboundHostPorts is a list of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix - will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally - cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults - to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, - use the value "[]". The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd - as well as allowing DHCP, DNS, BGP and the Kubernetes API. - [Default: udp:53, udp:67, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667 ] - items: - description: ProtoPort is combination of protocol, port, and CIDR. - Protocol and port must be specified. - properties: - net: - type: string - port: - type: integer - protocol: - type: string - required: - - port - type: object - type: array - featureDetectOverride: - description: |- - FeatureDetectOverride is used to override feature detection based on auto-detected platform - capabilities. Values are specified in a comma separated list with no spaces, example; - "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". A value of "true" or "false" will - force enable/disable feature, empty or omitted values fall back to auto-detection. - pattern: ^([a-zA-Z0-9-_]+=(true|false|),)*([a-zA-Z0-9-_]+=(true|false|))?$ - type: string - featureGates: - description: |- - FeatureGates is used to enable or disable tech-preview Calico features. - Values are specified in a comma separated list with no spaces, example; - "BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false". This is - used to enable features that are not fully production ready. - pattern: ^([a-zA-Z0-9-_]+=([^=]+),)*([a-zA-Z0-9-_]+=([^=]+))?$ - type: string - floatingIPs: - description: |- - FloatingIPs configures whether or not Felix will program non-OpenStack floating IP addresses. (OpenStack-derived - floating IPs are always programmed, regardless of this setting.) - enum: - - Enabled - - Disabled - type: string - flowLogsAggregationThresholdBytes: - description: |- - FlowLogsAggregationThresholdBytes is used specify how far behind the external pipeline that reads flow logs can be. Default is 8192 bytes. - This parameter only takes effect when FlowLogsDynamicAggregationEnabled is set to true. - type: integer - flowLogsCollectProcessInfo: - description: 'FlowLogsCollectProcessInfo, if enabled Felix will load - the kprobe BPF programs to collect process info. [Default: false]' - type: boolean - flowLogsCollectProcessPath: - description: |- - When FlowLogsCollectProcessPath and FlowLogsCollectProcessInfo are - both enabled, each flow log will include information about the process - that is sending or receiving the packets in that flow: the - `process_name` field will contain the full path of the process - executable, and the `process_args` field will have the arguments with - which the executable was invoked. Process information will not be - reported for connections which use raw sockets. - type: boolean - flowLogsCollectTcpStats: - description: FlowLogsCollectTcpStats enables flow logs reporting TCP - socket stats - type: boolean - flowLogsCollectorDebugTrace: - description: |- - When FlowLogsCollectorDebugTrace is set to true, enables the logs in the collector to be - printed in their entirety. - type: boolean - flowLogsDestDomainsByClient: - description: |- - FlowLogsDestDomainsByClient is used to configure if the source IP is used in the mapping of top - level destination domains. [Default: true] - type: boolean - flowLogsDynamicAggregationEnabled: - description: FlowLogsDynamicAggregationEnabled is used to enable/disable - dynamically changing aggregation levels. Default is true. - type: boolean - flowLogsEnableHostEndpoint: - description: FlowLogsEnableHostEndpoint enables Flow logs reporting - for HostEndpoints. - type: boolean - flowLogsEnableNetworkSets: - description: FlowLogsEnableNetworkSets enables Flow logs reporting - for GlobalNetworkSets. - type: boolean - flowLogsFileAggregationKindForAllowed: - description: |- - FlowLogsFileAggregationKindForAllowed is used to choose the type of aggregation for flow log entries created for - allowed connections. [Default: 2 - pod prefix name based aggregation]. - Accepted values are 0, 1 and 2. - 0 - No aggregation. - 1 - Source port based aggregation. - 2 - Pod prefix name based aggreagation. - enum: - - 0 - - 1 - - 2 - type: integer - flowLogsFileAggregationKindForDenied: - description: |- - FlowLogsFileAggregationKindForDenied is used to choose the type of aggregation for flow log entries created for - denied connections. [Default: 1 - source port based aggregation]. - Accepted values are 0, 1 and 2. - 0 - No aggregation. - 1 - Source port based aggregation. - 2 - Pod prefix name based aggregation. - 3 - No destination ports based aggregation. - enum: - - 0 - - 1 - - 2 - - 3 - type: integer - flowLogsFileDirectory: - description: FlowLogsFileDirectory sets the directory where flow logs - files are stored. - type: string - flowLogsFileDomainsLimit: - description: |- - FlowLogsFileDomainsLimit is used to configure the number of (destination) domains to include in the flow log. - These are not included for workload or host endpoint destinations. - [Default: 5] - type: integer - flowLogsFileEnabled: - description: FlowLogsFileEnabled when set to true, enables logging - flow logs to a file. If false no flow logging to file will occur. - type: boolean - flowLogsFileEnabledForAllowed: - description: |- - FlowLogsFileEnabledForAllowed is used to enable/disable flow logs entries created for allowed connections. Default is true. - This parameter only takes effect when FlowLogsFileReporterEnabled is set to true. - type: boolean - flowLogsFileEnabledForDenied: - description: |- - FlowLogsFileEnabledForDenied is used to enable/disable flow logs entries created for denied flows. Default is true. - This parameter only takes effect when FlowLogsFileReporterEnabled is set to true. - type: boolean - flowLogsFileIncludeLabels: - description: FlowLogsFileIncludeLabels is used to configure if endpoint - labels are included in a Flow log entry written to file. - type: boolean - flowLogsFileIncludePolicies: - description: FlowLogsFileIncludePolicies is used to configure if policy - information are included in a Flow log entry written to file. - type: boolean - flowLogsFileIncludeService: - description: |- - FlowLogsFileIncludeService is used to configure if the destination service is included in a Flow log entry written to file. - The service information can only be included if the flow was explicitly determined to be directed at the service (e.g. - when the pre-DNAT destination corresponds to the service ClusterIP and port). - type: boolean - flowLogsFileMaxFileSizeMB: - description: FlowLogsFileMaxFileSizeMB sets the max size in MB of - flow logs files before rotation. - type: integer - flowLogsFileMaxFiles: - description: FlowLogsFileMaxFiles sets the number of log files to - keep. - type: integer - flowLogsFileNatOutgoingPortLimit: - description: |- - FlowLogsFileNatOutgoingPortLimit is used to specify the maximum number of distinct post SNAT ports that will appear - in the flowLogs. Default value is 3 - type: integer - flowLogsFilePerFlowProcessArgsLimit: - description: |- - FlowLogsFilePerFlowProcessArgsLimit is used to specify the maximum number of distinct process args that will appear in the flowLogs. - Default value is 5 - type: integer - flowLogsFilePerFlowProcessLimit: - description: |- - FlowLogsFilePerFlowProcessLimit, is used to specify the maximum number of flow log entries with distinct process information - beyond which process information will be aggregated. [Default: 2] - type: integer - flowLogsFlushInterval: - description: FlowLogsFlushInterval configures the interval at which - Felix exports flow logs. - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - flowLogsMaxOriginalIPsIncluded: - description: FlowLogsMaxOriginalIPsIncluded specifies the number of - unique IP addresses (if relevant) that should be included in Flow - logs. - type: integer - flowLogsPositionFilePath: - description: |- - FlowLogsPositionFilePath is used specify the position of the external pipeline that reads flow logs. Default is /var/log/calico/flows.log.pos. - This parameter only takes effect when FlowLogsDynamicAggregationEnabled is set to true. - type: string - genericXDPEnabled: - description: |- - GenericXDPEnabled enables Generic XDP so network cards that don't support XDP offload or driver - modes can use XDP. This is not recommended since it doesn't provide better performance than - iptables. [Default: false] - type: boolean - goGCThreshold: - description: |- - GoGCThreshold Sets the Go runtime's garbage collection threshold. I.e. the percentage that the heap is - allowed to grow before garbage collection is triggered. In general, doubling the value halves the CPU time - spent doing GC, but it also doubles peak GC memory overhead. A special value of -1 can be used - to disable GC entirely; this should only be used in conjunction with the GoMemoryLimitMB setting. + Inline - Parses DNS response inline with DNS response packet processing within IPTables. + This guarantees the DNS rules reflect any change immediately. + This mode works for iptables only and matches the same mode for BPFDNSPolicyMode. + This setting is ignored on Windows and "NoDelay" is always used. - This setting is overridden by the GOGC environment variable. + This setting is ignored by eBPF and BPFDNSPolicyMode is used instead. - [Default: 40] - type: integer - goMaxProcs: - description: |- - GoMaxProcs sets the maximum number of CPUs that the Go runtime will use concurrently. A value of -1 means - "use the system default"; typically the number of real CPUs on the system. + This field has no effect in NFTables mode. Please use NFTablesDNSPolicyMode instead. + [Default: Inline] + enum: + - NoDelay + - DelayDeniedPacket + - DelayDNSResponse + - Inline + type: string + dnsPolicyNfqueueID: + description: |- + DNSPolicyNfqueueID is the NFQUEUE ID to use for DNS Policy re-evaluation when the domains IP hasn't been programmed + to ipsets yet. Used when DNSPolicyMode is DelayDeniedPacket. [Default: 100] + type: integer + dnsPolicyNfqueueSize: + description: |- + DNSPolicyNfqueueID is the size of the NFQUEUE for DNS policy re-evaluation. This is the maximum number of denied + packets that may be queued up pending re-evaluation. + Used when DNSPolicyMode is DelayDeniedPacket. [Default: 100] + type: integer + dnsTrustedServers: + description: |- + The DNS servers that Felix should trust. Each entry here must be `[:]` - indicating an + explicit DNS server IP - or `k8s-service:[/][:port]` - indicating a Kubernetes DNS + service. `` defaults to the first service port, or 53 for an IP, and `` to + `kube-system`. An IPv6 address with a port must use the square brackets convention, for example + `[fd00:83a6::12]:5353`.Note that Felix (calico-node) will need RBAC permission to read the details of + each service specified by a `k8s-service:...` form. [Default: "k8s-service:kube-dns"]. + items: + type: string + type: array + dropActionOverride: + description: |- + DropActionOverride overrides the Drop action in Felix, optionally changing the behavior to Accept, and optionally adding Log. + Possible values are Drop, LogAndDrop, Accept, LogAndAccept. [Default: Drop] + pattern: ^(?i)(Drop|LogAndDrop|Accept|LogAndAccept)?$ + type: string + egressGatewayPollFailureCount: + description: |- + EgressGatewayPollFailureCount is the minimum number of poll failures before a remote Egress Gateway is considered + to have failed. + type: integer + egressGatewayPollInterval: + description: |- + EgressGatewayPollInterval is the interval at which Felix will poll remote egress gateways to check their + health. Only Egress Gateways with a named "health" port will be polled in this way. Egress Gateways that + fail the health check will be taken our of use as if they have been deleted. + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + egressIPHostIfacePattern: + description: |- + EgressIPHostIfacePattern is a comma-separated list of interface names which might send and receive egress traffic + across the cluster boundary, after it has left an Egress Gateway pod. Felix will ensure `src_valid_mark` sysctl flags + are set correctly for matching interfaces. + To target multiple interfaces with a single string, the list supports regular expressions. + For regular expressions, wrap the value with `/`. + Example: `/^bond/,eth0` will match all interfaces that begin with `bond` and also the interface `eth0`. [Default: ""] + type: string + egressIPRoutingRulePriority: + description: + "EgressIPRoutingRulePriority controls the priority value + to use for the egress IP routing rule. [Default: 100]" + type: integer + egressIPSupport: + description: |- + EgressIPSupport defines three different support modes for egress IP function. [Default: Disabled] + - Disabled: Egress IP function is disabled. + - EnabledPerNamespace: Egress IP function is enabled and can be configured on a per-namespace basis; + per-pod egress annotations are ignored. + - EnabledPerNamespaceOrPerPod: Egress IP function is enabled and can be configured per-namespace or per-pod, + with per-pod egress annotations overriding namespace annotations. + pattern: ^(?i)(Disabled|EnabledPerNamespace|EnabledPerNamespaceOrPerPod)?$ + type: string + egressIPVXLANPort: + description: + "EgressIPVXLANPort is the port number of vxlan tunnel + device for egress traffic. [Default: 4790]" + type: integer + egressIPVXLANVNI: + description: + "EgressIPVXLANVNI is the VNI ID of vxlan tunnel device + for egress traffic. [Default: 4097]" + type: integer + endpointReportingDelay: + description: |- + EndpointReportingDelay is the delay before Felix reports endpoint status to the datastore. This is only used + by the OpenStack integration. [Default: 1s] + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + endpointReportingEnabled: + description: |- + EndpointReportingEnabled controls whether Felix reports endpoint status to the datastore. This is only used + by the OpenStack integration. [Default: false] + type: boolean + endpointStatusPathPrefix: + description: |- + EndpointStatusPathPrefix is the path to the directory where endpoint status will be written. Endpoint status + file reporting is disabled if field is left empty. - this setting is overridden by the GOMAXPROCS environment variable. + Chosen directory should match the directory used by the CNI plugin for PodStartupDelay. + [Default: /var/run/calico] + type: string + externalNetworkRoutingRulePriority: + description: + "ExternalNetworkRoutingRulePriority controls the priority + value to use for the external network routing rule. [Default: 102]" + type: integer + externalNetworkSupport: + description: |- + ExternalNetworkSupport defines two different support modes for external network function. [Default: Disabled] + - Disabled: External network function is disabled. + - Enabled: External network function is enabled. + pattern: ^(?i)(Disabled|Enabled)?$ + type: string + externalNodesList: + description: |- + ExternalNodesCIDRList is a list of CIDR's of external, non-Calico nodes from which VXLAN/IPIP overlay traffic + will be allowed. By default, external tunneled traffic is blocked to reduce attack surface. + items: + type: string + type: array + failsafeInboundHostPorts: + description: |- + FailsafeInboundHostPorts is a list of ProtoPort struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will + allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally + cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, + it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, + use the value "[]". The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. + [Default: tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667 ] + items: + description: + ProtoPort is combination of protocol, port, and CIDR. + Protocol and port must be specified. + properties: + net: + type: string + port: + type: integer + protocol: + type: string + required: + - port + type: object + type: array + failsafeOutboundHostPorts: + description: |- + FailsafeOutboundHostPorts is a list of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix + will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally + cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults + to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, + use the value "[]". The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd + as well as allowing DHCP, DNS, BGP and the Kubernetes API. + [Default: udp:53, udp:67, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667 ] + items: + description: + ProtoPort is combination of protocol, port, and CIDR. + Protocol and port must be specified. + properties: + net: + type: string + port: + type: integer + protocol: + type: string + required: + - port + type: object + type: array + featureDetectOverride: + description: |- + FeatureDetectOverride is used to override feature detection based on auto-detected platform + capabilities. Values are specified in a comma separated list with no spaces, example; + "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". A value of "true" or "false" will + force enable/disable feature, empty or omitted values fall back to auto-detection. + pattern: ^([a-zA-Z0-9-_]+=(true|false|),)*([a-zA-Z0-9-_]+=(true|false|))?$ + type: string + featureGates: + description: |- + FeatureGates is used to enable or disable tech-preview Calico features. + Values are specified in a comma separated list with no spaces, example; + "BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false". This is + used to enable features that are not fully production ready. + pattern: ^([a-zA-Z0-9-_]+=([^=]+),)*([a-zA-Z0-9-_]+=([^=]+))?$ + type: string + floatingIPs: + description: |- + FloatingIPs configures whether or not Felix will program non-OpenStack floating IP addresses. (OpenStack-derived + floating IPs are always programmed, regardless of this setting.) + enum: + - Enabled + - Disabled + type: string + flowLogsAggregationThresholdBytes: + description: |- + FlowLogsAggregationThresholdBytes is used specify how far behind the external pipeline that reads flow logs can be. Default is 8192 bytes. + This parameter only takes effect when FlowLogsDynamicAggregationEnabled is set to true. + type: integer + flowLogsCollectProcessInfo: + description: + "FlowLogsCollectProcessInfo, if enabled Felix will load + the kprobe BPF programs to collect process info. [Default: false]" + type: boolean + flowLogsCollectProcessPath: + description: |- + When FlowLogsCollectProcessPath and FlowLogsCollectProcessInfo are + both enabled, each flow log will include information about the process + that is sending or receiving the packets in that flow: the + `process_name` field will contain the full path of the process + executable, and the `process_args` field will have the arguments with + which the executable was invoked. Process information will not be + reported for connections which use raw sockets. + type: boolean + flowLogsCollectTcpStats: + description: + FlowLogsCollectTcpStats enables flow logs reporting TCP + socket stats + type: boolean + flowLogsCollectorDebugTrace: + description: |- + When FlowLogsCollectorDebugTrace is set to true, enables the logs in the collector to be + printed in their entirety. + type: boolean + flowLogsDestDomainsByClient: + description: |- + FlowLogsDestDomainsByClient is used to configure if the source IP is used in the mapping of top + level destination domains. [Default: true] + type: boolean + flowLogsDynamicAggregationEnabled: + description: + FlowLogsDynamicAggregationEnabled is used to enable/disable + dynamically changing aggregation levels. Default is true. + type: boolean + flowLogsEnableHostEndpoint: + description: + FlowLogsEnableHostEndpoint enables Flow logs reporting + for HostEndpoints. + type: boolean + flowLogsEnableNetworkSets: + description: + FlowLogsEnableNetworkSets enables Flow logs reporting + for GlobalNetworkSets. + type: boolean + flowLogsFileAggregationKindForAllowed: + description: |- + FlowLogsFileAggregationKindForAllowed is used to choose the type of aggregation for flow log entries created for + allowed connections. [Default: 2 - pod prefix name based aggregation]. + Accepted values are 0, 1 and 2. + 0 - No aggregation. + 1 - Source port based aggregation. + 2 - Pod prefix name based aggreagation. + enum: + - 0 + - 1 + - 2 + type: integer + flowLogsFileAggregationKindForDenied: + description: |- + FlowLogsFileAggregationKindForDenied is used to choose the type of aggregation for flow log entries created for + denied connections. [Default: 1 - source port based aggregation]. + Accepted values are 0, 1 and 2. + 0 - No aggregation. + 1 - Source port based aggregation. + 2 - Pod prefix name based aggregation. + 3 - No destination ports based aggregation. + enum: + - 0 + - 1 + - 2 + - 3 + type: integer + flowLogsFileDirectory: + description: + FlowLogsFileDirectory sets the directory where flow logs + files are stored. + type: string + flowLogsFileDomainsLimit: + description: |- + FlowLogsFileDomainsLimit is used to configure the number of (destination) domains to include in the flow log. + These are not included for workload or host endpoint destinations. + [Default: 5] + type: integer + flowLogsFileEnabled: + description: + FlowLogsFileEnabled when set to true, enables logging + flow logs to a file. If false no flow logging to file will occur. + type: boolean + flowLogsFileEnabledForAllowed: + description: |- + FlowLogsFileEnabledForAllowed is used to enable/disable flow logs entries created for allowed connections. Default is true. + This parameter only takes effect when FlowLogsFileReporterEnabled is set to true. + type: boolean + flowLogsFileEnabledForDenied: + description: |- + FlowLogsFileEnabledForDenied is used to enable/disable flow logs entries created for denied flows. Default is true. + This parameter only takes effect when FlowLogsFileReporterEnabled is set to true. + type: boolean + flowLogsFileIncludeLabels: + description: + FlowLogsFileIncludeLabels is used to configure if endpoint + labels are included in a Flow log entry written to file. + type: boolean + flowLogsFileIncludePolicies: + description: + FlowLogsFileIncludePolicies is used to configure if policy + information are included in a Flow log entry written to file. + type: boolean + flowLogsFileIncludeService: + description: |- + FlowLogsFileIncludeService is used to configure if the destination service is included in a Flow log entry written to file. + The service information can only be included if the flow was explicitly determined to be directed at the service (e.g. + when the pre-DNAT destination corresponds to the service ClusterIP and port). + type: boolean + flowLogsFileMaxFileSizeMB: + description: + FlowLogsFileMaxFileSizeMB sets the max size in MB of + flow logs files before rotation. + type: integer + flowLogsFileMaxFiles: + description: + FlowLogsFileMaxFiles sets the number of log files to + keep. + type: integer + flowLogsFileNatOutgoingPortLimit: + description: |- + FlowLogsFileNatOutgoingPortLimit is used to specify the maximum number of distinct post SNAT ports that will appear + in the flowLogs. Default value is 3 + type: integer + flowLogsFilePerFlowProcessArgsLimit: + description: |- + FlowLogsFilePerFlowProcessArgsLimit is used to specify the maximum number of distinct process args that will appear in the flowLogs. + Default value is 5 + type: integer + flowLogsFilePerFlowProcessLimit: + description: |- + FlowLogsFilePerFlowProcessLimit, is used to specify the maximum number of flow log entries with distinct process information + beyond which process information will be aggregated. [Default: 2] + type: integer + flowLogsFlushInterval: + description: + FlowLogsFlushInterval configures the interval at which + Felix exports flow logs. + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + flowLogsGoldmaneServer: + description: + FlowLogGoldmaneServer is the flow server endpoint to + which flow data should be published. + type: string + flowLogsLocalReporter: + description: + "FlowLogsLocalReporter configures local unix socket for + reporting flow data from each node. [Default: Disabled]" + enum: + - Disabled + - Enabled + type: string + flowLogsMaxOriginalIPsIncluded: + description: + FlowLogsMaxOriginalIPsIncluded specifies the number of + unique IP addresses (if relevant) that should be included in Flow + logs. + type: integer + flowLogsPolicyEvaluationMode: + description: |- + FlowLogsPolicyEvaluationMode defines how policies are evaluated and reflected in flow logs. + OnNewConnection - In this mode, staged policies are only evaluated when new connections are + made in the dataplane. Staged/active policy changes will not be reflected in the + `pending_policies` field of flow logs for long lived connections. + Continuous - Felix evaluates active flows on a regular basis to determine the rule + traces in the flow logs. Any policy updates that impact a flow will be reflected in the + pending_policies field, offering a near-real-time view of policy changes across flows. + [Default: Continuous] + type: string + flowLogsPolicyScope: + description: |- + FlowLogsPolicyScope controls which policies are included in flow logs. + AllPolicies - Processes both transit policies for the local node and + endpoint policies derived from packet source/destination IPs. Provides comprehensive + visibility into all policy evaluations but increases log volume. + EndpointPolicies - Processes only policies for endpoints identified as the source + or destination of the packet (whether workload or host endpoints). + [Default: EndpointPolicies] + type: string + flowLogsPositionFilePath: + description: |- + FlowLogsPositionFilePath is used specify the position of the external pipeline that reads flow logs. Default is /var/log/calico/flows.log.pos. + This parameter only takes effect when FlowLogsDynamicAggregationEnabled is set to true. + type: string + genericXDPEnabled: + description: |- + GenericXDPEnabled enables Generic XDP so network cards that don't support XDP offload or driver + modes can use XDP. This is not recommended since it doesn't provide better performance than + iptables. [Default: false] + type: boolean + goGCThreshold: + description: |- + GoGCThreshold Sets the Go runtime's garbage collection threshold. I.e. the percentage that the heap is + allowed to grow before garbage collection is triggered. In general, doubling the value halves the CPU time + spent doing GC, but it also doubles peak GC memory overhead. A special value of -1 can be used + to disable GC entirely; this should only be used in conjunction with the GoMemoryLimitMB setting. - [Default: -1] - type: integer - goMemoryLimitMB: - description: |- - GoMemoryLimitMB sets a (soft) memory limit for the Go runtime in MB. The Go runtime will try to keep its memory - usage under the limit by triggering GC as needed. To avoid thrashing, it will exceed the limit if GC starts to - take more than 50% of the process's CPU time. A value of -1 disables the memory limit. + This setting is overridden by the GOGC environment variable. - Note that the memory limit, if used, must be considerably less than any hard resource limit set at the container - or pod level. This is because felix is not the only process that must run in the container or pod. + [Default: 40] + type: integer + goMaxProcs: + description: |- + GoMaxProcs sets the maximum number of CPUs that the Go runtime will use concurrently. A value of -1 means + "use the system default"; typically the number of real CPUs on the system. - This setting is overridden by the GOMEMLIMIT environment variable. + this setting is overridden by the GOMAXPROCS environment variable. - [Default: -1] - type: integer - healthEnabled: - description: |- - HealthEnabled if set to true, enables Felix's health port, which provides readiness and liveness endpoints. - [Default: false] - type: boolean - healthHost: - description: 'HealthHost is the host that the health server should - bind to. [Default: localhost]' - type: string - healthPort: - description: 'HealthPort is the TCP port that the health server should - bind to. [Default: 9099]' - type: integer - healthTimeoutOverrides: - description: |- - HealthTimeoutOverrides allows the internal watchdog timeouts of individual subcomponents to be - overridden. This is useful for working around "false positive" liveness timeouts that can occur - in particularly stressful workloads or if CPU is constrained. For a list of active - subcomponents, see Felix's logs. - items: - properties: - name: - type: string - timeout: - type: string - required: - - name - - timeout - type: object - type: array - interfaceExclude: - description: |- - InterfaceExclude A comma-separated list of interface names that should be excluded when Felix is resolving - host endpoints. The default value ensures that Felix ignores Kubernetes' internal `kube-ipvs0` device. If you - want to exclude multiple interface names using a single value, the list supports regular expressions. For - regular expressions you must wrap the value with `/`. For example having values `/^kube/,veth1` will exclude - all interfaces that begin with `kube` and also the interface `veth1`. [Default: kube-ipvs0] - type: string - interfacePrefix: - description: |- - InterfacePrefix is the interface name prefix that identifies workload endpoints and so distinguishes - them from host endpoint interfaces. Note: in environments other than bare metal, the orchestrators - configure this appropriately. For example our Kubernetes and Docker integrations set the 'cali' value, - and our OpenStack integration sets the 'tap' value. [Default: cali] - type: string - interfaceRefreshInterval: - description: |- - InterfaceRefreshInterval is the period at which Felix rescans local interfaces to verify their state. - The rescan can be disabled by setting the interval to 0. - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - ipForwarding: - description: |- - IPForwarding controls whether Felix sets the host sysctls to enable IP forwarding. IP forwarding is required - when using Calico for workload networking. This should be disabled only on hosts where Calico is used solely for - host protection. In BPF mode, due to a kernel interaction, either IPForwarding must be enabled or BPFEnforceRPF - must be disabled. [Default: Enabled] - enum: - - Enabled - - Disabled - type: string - ipipEnabled: - description: |- - IPIPEnabled overrides whether Felix should configure an IPIP interface on the host. Optional as Felix - determines this based on the existing IP pools. [Default: nil (unset)] - type: boolean - ipipMTU: - description: |- - IPIPMTU controls the MTU to set on the IPIP tunnel device. Optional as Felix auto-detects the MTU based on the - MTU of the host's interfaces. [Default: 0 (auto-detect)] - type: integer - ipsecAllowUnsecuredTraffic: - description: |- - IPSecAllowUnsecuredTraffic controls whether non-IPsec traffic is allowed in addition to IPsec traffic. Enabling this - negates the anti-spoofing protections of IPsec but it is useful when migrating to/from IPsec. [Default: false] - type: boolean - ipsecESPAlgorithm: - description: 'IPSecESAlgorithm sets IPSec ESP algorithm. Default is - NIST suite B recommendation. [Default: aes128gcm16-ecp256]' - type: string - ipsecIKEAlgorithm: - description: 'IPSecIKEAlgorithm sets IPSec IKE algorithm. Default - is NIST suite B recommendation. [Default: aes128gcm16-prfsha256-ecp256]' - type: string - ipsecLogLevel: - description: |- - IPSecLogLevel controls log level for IPSec components. Set to None for no logging. - A generic log level terminology is used [None, Notice, Info, Debug, Verbose]. - [Default: Info] - pattern: ^(?i)(None|Notice|Info|Debug|Verbose)?$ - type: string - ipsecMode: - description: |- - IPSecMode controls which mode IPSec is operating on. - Default value means IPSec is not enabled. [Default: ""] - type: string - ipsecPolicyRefreshInterval: - description: |- - IPSecPolicyRefreshInterval is the interval at which Felix will check the kernel's IPsec policy tables and - repair any inconsistencies. [Default: 600s] - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - ipsetsRefreshInterval: - description: |- - IpsetsRefreshInterval controls the period at which Felix re-checks all IP sets to look for discrepancies. - Set to 0 to disable the periodic refresh. [Default: 90s] - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - iptablesBackend: - description: |- - IptablesBackend controls which backend of iptables will be used. The default is `Auto`. + [Default: -1] + type: integer + goMemoryLimitMB: + description: |- + GoMemoryLimitMB sets a (soft) memory limit for the Go runtime in MB. The Go runtime will try to keep its memory + usage under the limit by triggering GC as needed. To avoid thrashing, it will exceed the limit if GC starts to + take more than 50% of the process's CPU time. A value of -1 disables the memory limit. + + Note that the memory limit, if used, must be considerably less than any hard resource limit set at the container + or pod level. This is because felix is not the only process that must run in the container or pod. - Warning: changing this on a running system can leave "orphaned" rules in the "other" backend. These - should be cleaned up to avoid confusing interactions. - pattern: ^(?i)(Auto|Legacy|NFT)?$ - type: string - iptablesFilterAllowAction: - description: |- - IptablesFilterAllowAction controls what happens to traffic that is accepted by a Felix policy chain in the - iptables filter table (which is used for "normal" policy). The default will immediately `Accept` the traffic. Use - `Return` to send the traffic back up to the system chains for further processing. - pattern: ^(?i)(Accept|Return)?$ - type: string - iptablesFilterDenyAction: - description: |- - IptablesFilterDenyAction controls what happens to traffic that is denied by network policy. By default Calico blocks traffic - with an iptables "DROP" action. If you want to use "REJECT" action instead you can configure it in here. - pattern: ^(?i)(Drop|Reject)?$ - type: string - iptablesLockFilePath: - description: |- - IptablesLockFilePath is the location of the iptables lock file. You may need to change this - if the lock file is not in its standard location (for example if you have mapped it into Felix's - container at a different path). [Default: /run/xtables.lock] - type: string - iptablesLockProbeInterval: - description: |- - IptablesLockProbeInterval when IptablesLockTimeout is enabled: the time that Felix will wait between - attempts to acquire the iptables lock if it is not available. Lower values make Felix more - responsive when the lock is contended, but use more CPU. [Default: 50ms] - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - iptablesLockTimeout: - description: |- - IptablesLockTimeout is the time that Felix itself will wait for the iptables lock (rather than delegating the - lock handling to the `iptables` command). + This setting is overridden by the GOMEMLIMIT environment variable. + + [Default: -1] + type: integer + healthEnabled: + description: |- + HealthEnabled if set to true, enables Felix's health port, which provides readiness and liveness endpoints. + [Default: false] + type: boolean + healthHost: + description: + "HealthHost is the host that the health server should + bind to. [Default: localhost]" + type: string + healthPort: + description: + "HealthPort is the TCP port that the health server should + bind to. [Default: 9099]" + type: integer + healthTimeoutOverrides: + description: |- + HealthTimeoutOverrides allows the internal watchdog timeouts of individual subcomponents to be + overridden. This is useful for working around "false positive" liveness timeouts that can occur + in particularly stressful workloads or if CPU is constrained. For a list of active + subcomponents, see Felix's logs. + items: + properties: + name: + type: string + timeout: + type: string + required: + - name + - timeout + type: object + type: array + x-kubernetes-list-type: atomic + interfaceExclude: + description: |- + InterfaceExclude A comma-separated list of interface names that should be excluded when Felix is resolving + host endpoints. The default value ensures that Felix ignores Kubernetes' internal `kube-ipvs0` device. If you + want to exclude multiple interface names using a single value, the list supports regular expressions. For + regular expressions you must wrap the value with `/`. For example having values `/^kube/,veth1` will exclude + all interfaces that begin with `kube` and also the interface `veth1`. [Default: kube-ipvs0] + type: string + interfacePrefix: + description: |- + InterfacePrefix is the interface name prefix that identifies workload endpoints and so distinguishes + them from host endpoint interfaces. Note: in environments other than bare metal, the orchestrators + configure this appropriately. For example our Kubernetes and Docker integrations set the 'cali' value, + and our OpenStack integration sets the 'tap' value. [Default: cali] + type: string + interfaceRefreshInterval: + description: |- + InterfaceRefreshInterval is the period at which Felix rescans local interfaces to verify their state. + The rescan can be disabled by setting the interval to 0. + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + ipForwarding: + description: |- + IPForwarding controls whether Felix sets the host sysctls to enable IP forwarding. IP forwarding is required + when using Calico for workload networking. This should be disabled only on hosts where Calico is used solely for + host protection. In BPF mode, due to a kernel interaction, either IPForwarding must be enabled or BPFEnforceRPF + must be disabled. [Default: Enabled] + enum: + - Enabled + - Disabled + type: string + ipipEnabled: + description: |- + IPIPEnabled overrides whether Felix should configure an IPIP interface on the host. Optional as Felix + determines this based on the existing IP pools. [Default: nil (unset)] + type: boolean + ipipMTU: + description: |- + IPIPMTU controls the MTU to set on the IPIP tunnel device. Optional as Felix auto-detects the MTU based on the + MTU of the host's interfaces. [Default: 0 (auto-detect)] + type: integer + ipsecAllowUnsecuredTraffic: + description: |- + IPSecAllowUnsecuredTraffic controls whether non-IPsec traffic is allowed in addition to IPsec traffic. Enabling this + negates the anti-spoofing protections of IPsec but it is useful when migrating to/from IPsec. [Default: false] + type: boolean + ipsecESPAlgorithm: + description: + "IPSecESAlgorithm sets IPSec ESP algorithm. Default is + NIST suite B recommendation. [Default: aes128gcm16-ecp256]" + type: string + ipsecIKEAlgorithm: + description: + "IPSecIKEAlgorithm sets IPSec IKE algorithm. Default + is NIST suite B recommendation. [Default: aes128gcm16-prfsha256-ecp256]" + type: string + ipsecLogLevel: + description: |- + IPSecLogLevel controls log level for IPSec components. Set to None for no logging. + A generic log level terminology is used [None, Notice, Info, Debug, Verbose]. + [Default: Info] + pattern: ^(?i)(None|Notice|Info|Debug|Verbose)?$ + type: string + ipsecMode: + description: |- + IPSecMode controls which mode IPSec is operating on. + Default value means IPSec is not enabled. [Default: ""] + type: string + ipsecPolicyRefreshInterval: + description: |- + IPSecPolicyRefreshInterval is the interval at which Felix will check the kernel's IPsec policy tables and + repair any inconsistencies. [Default: 600s] + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + ipsetsRefreshInterval: + description: |- + IpsetsRefreshInterval controls the period at which Felix re-checks all IP sets to look for discrepancies. + Set to 0 to disable the periodic refresh. [Default: 90s] + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + iptablesBackend: + description: |- + IptablesBackend controls which backend of iptables will be used. The default is `Auto`. - Deprecated: `iptables-restore` v1.8+ always takes the lock, so enabling this feature results in deadlock. - [Default: 0s disabled] - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - iptablesMangleAllowAction: - description: |- - IptablesMangleAllowAction controls what happens to traffic that is accepted by a Felix policy chain in the - iptables mangle table (which is used for "pre-DNAT" policy). The default will immediately `Accept` the traffic. - Use `Return` to send the traffic back up to the system chains for further processing. - pattern: ^(?i)(Accept|Return)?$ - type: string - iptablesMarkMask: - description: |- - IptablesMarkMask is the mask that Felix selects its IPTables Mark bits from. Should be a 32 bit hexadecimal - number with at least 8 bits set, none of which clash with any other mark bits in use on the system. - [Default: 0xffff0000] - format: int32 - type: integer - iptablesNATOutgoingInterfaceFilter: - description: |- - This parameter can be used to limit the host interfaces on which Calico will apply SNAT to traffic leaving a - Calico IPAM pool with "NAT outgoing" enabled. This can be useful if you have a main data interface, where - traffic should be SNATted and a secondary device (such as the docker bridge) which is local to the host and - doesn't require SNAT. This parameter uses the iptables interface matching syntax, which allows + as a - wildcard. Most users will not need to set this. Example: if your data interfaces are eth0 and eth1 and you - want to exclude the docker bridge, you could set this to eth+ - type: string - iptablesPostWriteCheckInterval: - description: |- - IptablesPostWriteCheckInterval is the period after Felix has done a write - to the dataplane that it schedules an extra read back in order to check the write was not - clobbered by another process. This should only occur if another application on the system - doesn't respect the iptables lock. [Default: 1s] - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - iptablesRefreshInterval: - description: |- - IptablesRefreshInterval is the period at which Felix re-checks the IP sets - in the dataplane to ensure that no other process has accidentally broken Calico's rules. - Set to 0 to disable IP sets refresh. Note: the default for this value is lower than the - other refresh intervals as a workaround for a Linux kernel bug that was fixed in kernel - version 4.11. If you are using v4.11 or greater you may want to set this to, a higher value - to reduce Felix CPU usage. [Default: 10s] - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - ipv6Support: - description: IPv6Support controls whether Felix enables support for - IPv6 (if supported by the in-use dataplane). - type: boolean - kubeMasqueradeBit: - description: |- - KubeMasqueradeBit should be set to the same value as --iptables-masquerade-bit of kube-proxy - when TPROXY is used. The default is the same as kube-proxy default thus only needs a change - if kube-proxy is using a non-standard setting. Must be within the range of 0-31. [Default: 14] - type: integer - kubeNodePortRanges: - description: |- - KubeNodePortRanges holds list of port ranges used for service node ports. Only used if felix detects kube-proxy running in ipvs mode. - Felix uses these ranges to separate host and workload traffic. [Default: 30000:32767]. - items: + Warning: changing this on a running system can leave "orphaned" rules in the "other" backend. These + should be cleaned up to avoid confusing interactions. + enum: + - Legacy + - NFT + - Auto + pattern: ^(?i)(Auto|Legacy|NFT)?$ + type: string + iptablesFilterAllowAction: + description: |- + IptablesFilterAllowAction controls what happens to traffic that is accepted by a Felix policy chain in the + iptables filter table (which is used for "normal" policy). The default will immediately `Accept` the traffic. Use + `Return` to send the traffic back up to the system chains for further processing. + pattern: ^(?i)(Accept|Return)?$ + type: string + iptablesFilterDenyAction: + description: |- + IptablesFilterDenyAction controls what happens to traffic that is denied by network policy. By default Calico blocks traffic + with an iptables "DROP" action. If you want to use "REJECT" action instead you can configure it in here. + pattern: ^(?i)(Drop|Reject)?$ + type: string + iptablesLockProbeInterval: + description: |- + IptablesLockProbeInterval configures the interval between attempts to claim + the xtables lock. Shorter intervals are more responsive but use more CPU. [Default: 50ms] + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + iptablesMangleAllowAction: + description: |- + IptablesMangleAllowAction controls what happens to traffic that is accepted by a Felix policy chain in the + iptables mangle table (which is used for "pre-DNAT" policy). The default will immediately `Accept` the traffic. + Use `Return` to send the traffic back up to the system chains for further processing. + pattern: ^(?i)(Accept|Return)?$ + type: string + iptablesMarkMask: + description: |- + IptablesMarkMask is the mask that Felix selects its IPTables Mark bits from. Should be a 32 bit hexadecimal + number with at least 8 bits set, none of which clash with any other mark bits in use on the system. + [Default: 0xffff0000] + format: int32 + type: integer + iptablesNATOutgoingInterfaceFilter: + description: |- + This parameter can be used to limit the host interfaces on which Calico will apply SNAT to traffic leaving a + Calico IPAM pool with "NAT outgoing" enabled. This can be useful if you have a main data interface, where + traffic should be SNATted and a secondary device (such as the docker bridge) which is local to the host and + doesn't require SNAT. This parameter uses the iptables interface matching syntax, which allows + as a + wildcard. Most users will not need to set this. Example: if your data interfaces are eth0 and eth1 and you + want to exclude the docker bridge, you could set this to eth+ + type: string + iptablesPostWriteCheckInterval: + description: |- + IptablesPostWriteCheckInterval is the period after Felix has done a write + to the dataplane that it schedules an extra read back in order to check the write was not + clobbered by another process. This should only occur if another application on the system + doesn't respect the iptables lock. [Default: 1s] + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + iptablesRefreshInterval: + description: |- + IptablesRefreshInterval is the period at which Felix re-checks the IP sets + in the dataplane to ensure that no other process has accidentally broken Calico's rules. + Set to 0 to disable IP sets refresh. Note: the default for this value is lower than the + other refresh intervals as a workaround for a Linux kernel bug that was fixed in kernel + version 4.11. If you are using v4.11 or greater you may want to set this to, a higher value + to reduce Felix CPU usage. [Default: 10s] + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + ipv4ElevatedRoutePriority: + description: |- + Route Priority value for an elevated priority Calico-programmed IPv4 route. Note, higher + values mean lower priority. Elevated priority is used during VM live migration, and for + optimal behaviour IPv4ElevatedRoutePriority must be less than IPv4NormalRoutePriority + [Default: 512] + type: integer + ipv4NormalRoutePriority: + description: |- + Route Priority value for a normal priority Calico-programmed IPv4 route. Note, higher + values mean lower priority. [Default: 1024] + type: integer + ipv6ElevatedRoutePriority: + description: |- + Route Priority value for an elevated priority Calico-programmed IPv6 route. Note, higher + values mean lower priority. Elevated priority is used during VM live migration, and for + optimal behaviour IPv6ElevatedRoutePriority must be less than IPv6NormalRoutePriority + [Default: 512] + type: integer + ipv6NormalRoutePriority: + description: |- + Route Priority value for a normal priority Calico-programmed IPv6 route. Note, higher + values mean lower priority. [Default: 1024] + type: integer + ipv6Support: + description: + IPv6Support controls whether Felix enables support for + IPv6 (if supported by the in-use dataplane). + type: boolean + istioAmbientMode: + description: |- + IstioAmbientMode configures Felix to work together with Tigera's Istio distribution. + [Default: Disabled] + enum: + - Enabled + - Disabled + type: string + istioDSCPMark: + description: |- + IstioDSCPMark sets the value to use when directing traffic to Istio ZTunnel, when Istio is enabled. The mark is set only on + SYN packets at the final hop to avoid interference with other protocols. This value is reserved by Calico and must not be used + with other Istio installation. [Default: 23] + pattern: ^.* + type: integer + x-kubernetes-int-or-string: true + kubeMasqueradeBit: + description: |- + KubeMasqueradeBit should be set to the same value as --iptables-masquerade-bit of kube-proxy + when TPROXY is used. The default is the same as kube-proxy default thus only needs a change + if kube-proxy is using a non-standard setting. Must be within the range of 0-31. [Default: 14] + type: integer + kubeNodePortRanges: + description: |- + KubeNodePortRanges holds list of port ranges used for service node ports. Only used if felix detects kube-proxy running in ipvs mode. + Felix uses these ranges to separate host and workload traffic. [Default: 30000:32767]. + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + l7LogsFileAggregationDestinationInfo: + description: |- + L7LogsFileAggregationDestinationInfo is used to choose the type of aggregation for the destination metadata on L7 log entries. + [Default: IncludeL7DestinationInfo - include destination metadata]. + Accepted values are IncludeL7DestinationInfo and ExcludeL7DestinationInfo. + IncludeL7DestinationInfo - Include destination metadata in the logs. + ExcludeL7DestinationInfo - Aggregate over all other fields ignoring the destination aggregated name, namespace, and type. + pattern: ^(?i)(IncludeL7DestinationInfo|ExcludeL7DestinationInfo)?$ + type: string + l7LogsFileAggregationHTTPHeaderInfo: + description: |- + L7LogsFileAggregationHTTPHeaderInfo is used to choose the type of aggregation for HTTP header data on L7 log entries. + [Default: ExcludeL7HTTPHeaderInfo - http header info removal]. + Accepted values are IncludeL7HTTPHeaderInfo and ExcludeL7HTTPHeaderInfo. + IncludeL7HTTPHeaderInfo - Include HTTP header data in the logs. + ExcludeL7HTTPHeaderInfo - Aggregate over all other fields ignoring the user agent and log type. + pattern: ^(?i)(IncludeL7HTTPHeaderInfo|ExcludeL7HTTPHeaderInfo)?$ + type: string + l7LogsFileAggregationHTTPMethod: + description: |- + L7LogsFileAggregationHTTPMethod is used to choose the type of aggregation for the HTTP request method on L7 log entries. + [Default: IncludeL7HTTPMethod - include the HTTP method]. + Accepted values are IncludeL7HTTPMethod and ExcludeL7HTTPMethod. + IncludeL7HTTPMethod - Include HTTP method in the logs. + ExcludeL7HTTPMethod - Aggregate over all other fields ignoring the HTTP method. + pattern: ^(?i)(IncludeL7HTTPMethod|ExcludeL7HTTPMethod)?$ + type: string + l7LogsFileAggregationNumURLPath: + description: |- + L7LogsFileAggregationNumURLPath is used to choose the number of components in the url path to display. + This allows for the url to be truncated in case parts of the path provide no value. Setting this value + to negative will allow all parts of the path to be displayed. + [Default: 5]. + type: integer + l7LogsFileAggregationResponseCode: + description: |- + L7LogsFileAggregationResponseCode is used to choose the type of aggregation for the response code on L7 log entries. + [Default: IncludeL7ResponseCode - include the response code]. + Accepted values are IncludeL7ResponseCode and ExcludeL7ResponseCode. + IncludeL7ResponseCode - Include the response code in the logs. + ExcludeL7ResponseCode - Aggregate over all other fields ignoring the response code. + pattern: ^(?i)(IncludeL7ResponseCode|ExcludeL7ResponseCode)?$ + type: string + l7LogsFileAggregationServiceInfo: + description: |- + L7LogsFileAggregationServiceInfo is used to choose the type of aggregation for the service data on L7 log entries. + [Default: IncludeL7ServiceInfo - include service data]. + Accepted values are IncludeL7ServiceInfo and ExcludeL7ServiceInfo. + IncludeL7ServiceInfo - Include service data in the logs. + ExcludeL7ServiceInfo - Aggregate over all other fields ignoring the service name, namespace, and port. + pattern: ^(?i)(IncludeL7ServiceInfo|ExcludeL7ServiceInfo)?$ + type: string + l7LogsFileAggregationSourceInfo: + description: |- + L7LogsFileAggregationExcludeSourceInfo is used to choose the type of aggregation for the source metadata on L7 log entries. + [Default: IncludeL7SourceInfoNoPort - include all source metadata except for the source port]. + Accepted values are IncludeL7SourceInfo, IncludeL7SourceInfoNoPort, and ExcludeL7SourceInfo. + IncludeL7SourceInfo - Include source metadata in the logs. + IncludeL7SourceInfoNoPort - Include source metadata in the logs excluding the source port. + ExcludeL7SourceInfo - Aggregate over all other fields ignoring the source aggregated name, namespace, and type. + pattern: ^(?i)(IncludeL7SourceInfo|IncludeL7SourceInfoNoPort|ExcludeL7SourceInfo)?$ + type: string + l7LogsFileAggregationTrimURL: + description: |- + L7LogsFileAggregationTrimURL is used to choose the type of aggregation for the url on L7 log entries. + [Default: IncludeL7FullURL - include the full URL up to however many path components are allowed by L7LogsFileAggregationNumURLPath]. + Accepted values: + IncludeL7FullURL - Include the full URL up to however many path components are allowed by L7LogsFileAggregationNumURLPath. + TrimURLQuery - Aggregate over all other fields ignoring the query parameters on the URL. + TrimURLQueryAndPath - Aggregate over all other fields and the base URL only. + ExcludeL7URL - Aggregate over all other fields ignoring the URL entirely. + pattern: ^(?i)(IncludeL7FullURL|TrimURLQuery|TrimURLQueryAndPath|ExcludeL7URL)?$ + type: string + l7LogsFileAggregationURLCharLimit: + description: |- + Limit on the length of the URL collected in L7 logs. When a URL length reaches this limit + it is sliced off, and the sliced URL is sent to log storage. [Default: 250] + type: integer + l7LogsFileDirectory: + description: |- + L7LogsFileDirectory sets the directory where L7 log files are stored. + [Default: /var/log/calico/l7logs] + type: string + l7LogsFileEnabled: + description: |- + L7LogsFileEnabled controls logging L7 logs to a file. If false no L7 logging to file will occur. + [Default: true] + type: boolean + l7LogsFileMaxFileSizeMB: + description: |- + L7LogsFileMaxFileSizeMB sets the max size in MB of L7 log files before rotation. + [Default: 100] + type: integer + l7LogsFileMaxFiles: + description: |- + L7LogsFileMaxFiles sets the number of L7 log files to keep. + [Default: 5] + type: integer + l7LogsFilePerNodeLimit: + description: |- + Limit on the number of L7 logs that can be emitted within each flush interval. When + this limit has been reached, Felix counts the number of unloggable L7 responses within + the flush interval, and emits a WARNING log with that count at the same time as it + flushes the buffered L7 logs. A value of 0 means no limit. [Default: 1500] + type: integer + l7LogsFlushInterval: + description: |- + L7LogsFlushInterval configures the interval at which Felix exports L7 logs. + [Default: 300s] + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + liveMigrationRouteConvergenceTime: + description: |- + LiveMigrationRouteConvergenceTime is the time to keep elevated route priority after a + VM live migration completes. This allows routes to converge across the cluster before + reverting to normal priority. [Default: 30s] + pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))*$ + type: string + logActionRateLimit: + description: |- + LogActionRateLimit sets the rate of hitting a Log action. The value must be in the format "N/unit", + where N is a number and unit is one of: second, minute, hour, or day. For example: "10/second" or "100/hour". + pattern: ^[1-9]\d{0,3}/(?:second|minute|hour|day)$ + type: string + logActionRateLimitBurst: + description: + LogActionRateLimitBurst sets the rate limit burst of + hitting a Log action when LogActionRateLimit is enabled. + maximum: 9999 + minimum: 0 + type: integer + logDebugFilenameRegex: + description: |- + LogDebugFilenameRegex controls which source code files have their Debug log output included in the logs. + Only logs from files with names that match the given regular expression are included. The filter only applies + to Debug level logs. + type: string + logDropActionOverride: + description: + LogDropActionOverride specifies whether or not to include + the DropActionOverride in the logs when it is triggered. + type: boolean + logFilePath: + description: + "LogFilePath is the full path to the Felix log. Set to + none to disable file logging. [Default: /var/log/calico/felix.log]" + type: string + logPrefix: + description: |- + LogPrefix is the log prefix that Felix uses when rendering LOG rules. It is possible to use the following specifiers + to include extra information in the log prefix. + - %t: Tier name. + - %k: Kind (short names). + - %n: Policy or profile name. + - %p: Policy or profile name (namespace/name for namespaced kinds or just name for non namespaced kinds). + Calico includes ": " characters at the end of the generated log prefix. + Note that iptables shows up to 29 characters for the log prefix and nftables up to 127 characters. Extra characters are truncated. + [Default: calico-packet] + pattern: "^([a-zA-Z0-9%: /_-])*$" + type: string + logSeverityFile: + description: + "LogSeverityFile is the log severity above which logs + are sent to the log file. [Default: Info]" + pattern: ^(?i)(Trace|Debug|Info|Warning|Error|Fatal)?$ + type: string + logSeverityScreen: + description: + "LogSeverityScreen is the log severity above which logs + are sent to the stdout. [Default: Info]" + pattern: ^(?i)(Trace|Debug|Info|Warning|Error|Fatal)?$ + type: string + logSeveritySys: + description: |- + LogSeveritySys is the log severity above which logs are sent to the syslog. Set to None for no logging to syslog. + [Default: Info] + pattern: ^(?i)(Trace|Debug|Info|Warning|Error|Fatal)?$ + type: string + maxIpsetSize: + description: |- + MaxIpsetSize is the maximum number of IP addresses that can be stored in an IP set. Not applicable + if using the nftables backend. + type: integer + metadataAddr: + description: |- + MetadataAddr is the IP address or domain name of the server that can answer VM queries for + cloud-init metadata. In OpenStack, this corresponds to the machine running nova-api (or in + Ubuntu, nova-api-metadata). A value of none (case-insensitive) means that Felix should not + set up any NAT rule for the metadata path. [Default: 127.0.0.1] + type: string + metadataPort: + description: |- + MetadataPort is the port of the metadata server. This, combined with global.MetadataAddr (if + not 'None'), is used to set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort. + In most cases this should not need to be changed [Default: 8775]. + type: integer + mtuIfacePattern: + description: |- + MTUIfacePattern is a regular expression that controls which interfaces Felix should scan in order + to calculate the host's MTU. + This should not match workload interfaces (usually named cali...). + type: string + natOutgoingAddress: + description: |- + NATOutgoingAddress specifies an address to use when performing source NAT for traffic in a natOutgoing pool that + is leaving the network. By default the address used is an address on the interface the traffic is leaving on + (i.e. it uses the iptables MASQUERADE target). + type: string + natOutgoingExclusions: + description: |- + When a IP pool setting `natOutgoing` is true, packets sent from Calico networked containers in this IP pool to destinations will be masqueraded. + Configure which type of destinations is excluded from being masqueraded. + - IPPoolsOnly: destinations outside of this IP pool will be masqueraded. + - IPPoolsAndHostIPs: destinations outside of this IP pool and all hosts will be masqueraded. + [Default: IPPoolsOnly] + enum: + - IPPoolsOnly + - IPPoolsAndHostIPs + type: string + natPortRange: anyOf: - - type: integer - - type: string + - type: integer + - type: string + description: |- + NATPortRange specifies the range of ports that is used for port mapping when doing outgoing NAT. When unset the default behavior of the + network stack is used. pattern: ^.* x-kubernetes-int-or-string: true - type: array - l7LogsFileAggregationDestinationInfo: - description: |- - L7LogsFileAggregationDestinationInfo is used to choose the type of aggregation for the destination metadata on L7 log entries. - [Default: IncludeL7DestinationInfo - include destination metadata]. - Accepted values are IncludeL7DestinationInfo and ExcludeL7DestinationInfo. - IncludeL7DestinationInfo - Include destination metadata in the logs. - ExcludeL7DestinationInfo - Aggregate over all other fields ignoring the destination aggregated name, namespace, and type. - pattern: ^(?i)(IncludeL7DestinationInfo|ExcludeL7DestinationInfo)?$ - type: string - l7LogsFileAggregationHTTPHeaderInfo: - description: |- - L7LogsFileAggregationHTTPHeaderInfo is used to choose the type of aggregation for HTTP header data on L7 log entries. - [Default: ExcludeL7HTTPHeaderInfo - http header info removal]. - Accepted values are IncludeL7HTTPHeaderInfo and ExcludeL7HTTPHeaderInfo. - IncludeL7HTTPHeaderInfo - Include HTTP header data in the logs. - ExcludeL7HTTPHeaderInfo - Aggregate over all other fields ignoring the user agent and log type. - pattern: ^(?i)(IncludeL7HTTPHeaderInfo|ExcludeL7HTTPHeaderInfo)?$ - type: string - l7LogsFileAggregationHTTPMethod: - description: |- - L7LogsFileAggregationHTTPMethod is used to choose the type of aggregation for the HTTP request method on L7 log entries. - [Default: IncludeL7HTTPMethod - include the HTTP method]. - Accepted values are IncludeL7HTTPMethod and ExcludeL7HTTPMethod. - IncludeL7HTTPMethod - Include HTTP method in the logs. - ExcludeL7HTTPMethod - Aggregate over all other fields ignoring the HTTP method. - pattern: ^(?i)(IncludeL7HTTPMethod|ExcludeL7HTTPMethod)?$ - type: string - l7LogsFileAggregationNumURLPath: - description: |- - L7LogsFileAggregationNumURLPath is used to choose the number of components in the url path to display. - This allows for the url to be truncated in case parts of the path provide no value. Setting this value - to negative will allow all parts of the path to be displayed. - [Default: 5]. - type: integer - l7LogsFileAggregationResponseCode: - description: |- - L7LogsFileAggregationResponseCode is used to choose the type of aggregation for the response code on L7 log entries. - [Default: IncludeL7ResponseCode - include the response code]. - Accepted values are IncludeL7ResponseCode and ExcludeL7ResponseCode. - IncludeL7ResponseCode - Include the response code in the logs. - ExcludeL7ResponseCode - Aggregate over all other fields ignoring the response code. - pattern: ^(?i)(IncludeL7ResponseCode|ExcludeL7ResponseCode)?$ - type: string - l7LogsFileAggregationServiceInfo: - description: |- - L7LogsFileAggregationServiceInfo is used to choose the type of aggregation for the service data on L7 log entries. - [Default: IncludeL7ServiceInfo - include service data]. - Accepted values are IncludeL7ServiceInfo and ExcludeL7ServiceInfo. - IncludeL7ServiceInfo - Include service data in the logs. - ExcludeL7ServiceInfo - Aggregate over all other fields ignoring the service name, namespace, and port. - pattern: ^(?i)(IncludeL7ServiceInfo|ExcludeL7ServiceInfo)?$ - type: string - l7LogsFileAggregationSourceInfo: - description: |- - L7LogsFileAggregationExcludeSourceInfo is used to choose the type of aggregation for the source metadata on L7 log entries. - [Default: IncludeL7SourceInfoNoPort - include all source metadata except for the source port]. - Accepted values are IncludeL7SourceInfo, IncludeL7SourceInfoNoPort, and ExcludeL7SourceInfo. - IncludeL7SourceInfo - Include source metadata in the logs. - IncludeL7SourceInfoNoPort - Include source metadata in the logs excluding the source port. - ExcludeL7SourceInfo - Aggregate over all other fields ignoring the source aggregated name, namespace, and type. - pattern: ^(?i)(IncludeL7SourceInfo|IncludeL7SourceInfoNoPort|ExcludeL7SourceInfo)?$ - type: string - l7LogsFileAggregationTrimURL: - description: |- - L7LogsFileAggregationTrimURL is used to choose the type of aggregation for the url on L7 log entries. - [Default: IncludeL7FullURL - include the full URL up to however many path components are allowed by L7LogsFileAggregationNumURLPath]. - Accepted values: - IncludeL7FullURL - Include the full URL up to however many path components are allowed by L7LogsFileAggregationNumURLPath. - TrimURLQuery - Aggregate over all other fields ignoring the query parameters on the URL. - TrimURLQueryAndPath - Aggregate over all other fields and the base URL only. - ExcludeL7URL - Aggregate over all other fields ignoring the URL entirely. - pattern: ^(?i)(IncludeL7FullURL|TrimURLQuery|TrimURLQueryAndPath|ExcludeL7URL)?$ - type: string - l7LogsFileAggregationURLCharLimit: - description: |- - Limit on the length of the URL collected in L7 logs. When a URL length reaches this limit - it is sliced off, and the sliced URL is sent to log storage. [Default: 250] - type: integer - l7LogsFileDirectory: - description: |- - L7LogsFileDirectory sets the directory where L7 log files are stored. - [Default: /var/log/calico/l7logs] - type: string - l7LogsFileEnabled: - description: |- - L7LogsFileEnabled controls logging L7 logs to a file. If false no L7 logging to file will occur. - [Default: true] - type: boolean - l7LogsFileMaxFileSizeMB: - description: |- - L7LogsFileMaxFileSizeMB sets the max size in MB of L7 log files before rotation. - [Default: 100] - type: integer - l7LogsFileMaxFiles: - description: |- - L7LogsFileMaxFiles sets the number of L7 log files to keep. - [Default: 5] - type: integer - l7LogsFilePerNodeLimit: - description: |- - Limit on the number of L7 logs that can be emitted within each flush interval. When - this limit has been reached, Felix counts the number of unloggable L7 responses within - the flush interval, and emits a WARNING log with that count at the same time as it - flushes the buffered L7 logs. A value of 0 means no limit. [Default: 1500] - type: integer - l7LogsFlushInterval: - description: |- - L7LogsFlushInterval configures the interval at which Felix exports L7 logs. - [Default: 300s] - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - logDebugFilenameRegex: - description: |- - LogDebugFilenameRegex controls which source code files have their Debug log output included in the logs. - Only logs from files with names that match the given regular expression are included. The filter only applies - to Debug level logs. - type: string - logDropActionOverride: - description: LogDropActionOverride specifies whether or not to include - the DropActionOverride in the logs when it is triggered. - type: boolean - logFilePath: - description: 'LogFilePath is the full path to the Felix log. Set to - none to disable file logging. [Default: /var/log/calico/felix.log]' - type: string - logPrefix: - description: 'LogPrefix is the log prefix that Felix uses when rendering - LOG rules. [Default: calico-packet]' - type: string - logSeverityFile: - description: 'LogSeverityFile is the log severity above which logs - are sent to the log file. [Default: Info]' - pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$ - type: string - logSeverityScreen: - description: 'LogSeverityScreen is the log severity above which logs - are sent to the stdout. [Default: Info]' - pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$ - type: string - logSeveritySys: - description: |- - LogSeveritySys is the log severity above which logs are sent to the syslog. Set to None for no logging to syslog. - [Default: Info] - pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$ - type: string - maxIpsetSize: - description: |- - MaxIpsetSize is the maximum number of IP addresses that can be stored in an IP set. Not applicable - if using the nftables backend. - type: integer - metadataAddr: - description: |- - MetadataAddr is the IP address or domain name of the server that can answer VM queries for - cloud-init metadata. In OpenStack, this corresponds to the machine running nova-api (or in - Ubuntu, nova-api-metadata). A value of none (case-insensitive) means that Felix should not - set up any NAT rule for the metadata path. [Default: 127.0.0.1] - type: string - metadataPort: - description: |- - MetadataPort is the port of the metadata server. This, combined with global.MetadataAddr (if - not 'None'), is used to set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort. - In most cases this should not need to be changed [Default: 8775]. - type: integer - mtuIfacePattern: - description: |- - MTUIfacePattern is a regular expression that controls which interfaces Felix should scan in order - to calculate the host's MTU. - This should not match workload interfaces (usually named cali...). - type: string - natOutgoingAddress: - description: |- - NATOutgoingAddress specifies an address to use when performing source NAT for traffic in a natOutgoing pool that - is leaving the network. By default the address used is an address on the interface the traffic is leaving on - (i.e. it uses the iptables MASQUERADE target). - type: string - natPortRange: - anyOf: - - type: integer - - type: string - description: |- - NATPortRange specifies the range of ports that is used for port mapping when doing outgoing NAT. When unset the default behavior of the - network stack is used. - pattern: ^.* - x-kubernetes-int-or-string: true - netlinkTimeout: - description: |- - NetlinkTimeout is the timeout when talking to the kernel over the netlink protocol, used for programming - routes, rules, and other kernel objects. [Default: 10s] - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - nfNetlinkBufSize: - description: |- - NfNetlinkBufSize controls the size of NFLOG messages that the kernel will try to send to Felix. NFLOG messages - are used to report flow verdicts from the kernel. Warning: currently increasing the value may cause errors - due to a bug in the netlink library. - type: string - nftablesDNSPolicyMode: - description: |- - NFTablesDNSPolicyMode specifies how DNS policy programming will be handled for NFTables. - DelayDeniedPacket - Felix delays any denied packet that traversed a policy that included egress domain matches, - but did not match. The packet is released after a fixed time, or after the destination IP address was programmed. - DelayDNSResponse - Felix delays any DNS response until related IPSets are programmed. This introduces some - latency to all DNS packets (even when no IPSet programming is required), but it ensures policy hit statistics - are accurate. This is the recommended setting when you are making use of staged policies or policy rule hit - statistics. - NoDelay - Felix does not introduce any delay to the packets. DNS rules may not have been programmed by the time - the first packet traverses the policy rules. Client applications need to handle reconnection attempts if initial - connection attempts fail. This may be problematic for some applications or for very low DNS TTLs. - [Default: DelayDeniedPacket] - enum: - - NoDelay - - DelayDeniedPacket - - DelayDNSResponse - type: string - nftablesFilterAllowAction: - description: |- - NftablesFilterAllowAction controls the nftables action that Felix uses to represent the "allow" policy verdict - in the filter table. The default is to `ACCEPT` the traffic, which is a terminal action. Alternatively, - `RETURN` can be used to return the traffic back to the top-level chain for further processing by your rules. - pattern: ^(?i)(Accept|Return)?$ - type: string - nftablesFilterDenyAction: - description: |- - NftablesFilterDenyAction controls what happens to traffic that is denied by network policy. By default, Calico - blocks traffic with a "drop" action. If you want to use a "reject" action instead you can configure it here. - pattern: ^(?i)(Drop|Reject)?$ - type: string - nftablesMangleAllowAction: - description: |- - NftablesMangleAllowAction controls the nftables action that Felix uses to represent the "allow" policy verdict - in the mangle table. The default is to `ACCEPT` the traffic, which is a terminal action. Alternatively, - `RETURN` can be used to return the traffic back to the top-level chain for further processing by your rules. - pattern: ^(?i)(Accept|Return)?$ - type: string - nftablesMarkMask: - description: |- - NftablesMarkMask is the mask that Felix selects its nftables Mark bits from. Should be a 32 bit hexadecimal - number with at least 8 bits set, none of which clash with any other mark bits in use on the system. - [Default: 0xffff0000] - format: int32 - type: integer - nftablesMode: - description: 'NFTablesMode configures nftables support in Felix. [Default: - Disabled]' - enum: - - Disabled - - Enabled - - Auto - type: string - nftablesRefreshInterval: - description: 'NftablesRefreshInterval controls the interval at which - Felix periodically refreshes the nftables rules. [Default: 90s]' - type: string - openstackRegion: - description: |- - OpenstackRegion is the name of the region that a particular Felix belongs to. In a multi-region - Calico/OpenStack deployment, this must be configured somehow for each Felix (here in the datamodel, - or in felix.cfg or the environment on each compute node), and must match the [calico] - openstack_region value configured in neutron.conf on each node. [Default: Empty] - type: string - policySyncPathPrefix: - description: |- - PolicySyncPathPrefix is used to by Felix to communicate policy changes to external services, - like Application layer policy. [Default: Empty] - type: string - prometheusGoMetricsEnabled: - description: |- - PrometheusGoMetricsEnabled disables Go runtime metrics collection, which the Prometheus client does by default, when - set to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true] - type: boolean - prometheusMetricsCAFile: - description: 'PrometheusMetricsCAFile is the path to the TLS CA file - for the Prometheus metrics server. [Default: empty]' - type: string - prometheusMetricsCertFile: - description: 'PrometheusMetricsCertFile is the path to the TLS certificate - file for the Prometheus metrics server. [Default: empty]' - type: string - prometheusMetricsEnabled: - description: 'PrometheusMetricsEnabled enables the Prometheus metrics - server in Felix if set to true. [Default: false]' - type: boolean - prometheusMetricsHost: - description: 'PrometheusMetricsHost is the host that the Prometheus - metrics server should bind to. [Default: empty]' - type: string - prometheusMetricsKeyFile: - description: 'PrometheusMetricsKeyFile is the path to the TLS private - key file for the Prometheus metrics server. [Default: empty]' - type: string - prometheusMetricsPort: - description: 'PrometheusMetricsPort is the TCP port that the Prometheus - metrics server should bind to. [Default: 9091]' - type: integer - prometheusProcessMetricsEnabled: - description: |- - PrometheusProcessMetricsEnabled disables process metrics collection, which the Prometheus client does by default, when - set to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true] - type: boolean - prometheusReporterCAFile: - description: PrometheusReporterCAFile is the path to the TLS CA file - for the Prometheus per-flow metrics reporter. - type: string - prometheusReporterCertFile: - description: PrometheusReporterCertFile is the path to the TLS certificate - file for the Prometheus per-flow metrics reporter. - type: string - prometheusReporterEnabled: - description: |- - PrometheusReporterEnabled controls whether the Prometheus per-flow metrics reporter is enabled. This is - used to show real-time flow metrics in the UI. - type: boolean - prometheusReporterKeyFile: - description: PrometheusReporterKeyFile is the path to the TLS private - key file for the Prometheus per-flow metrics reporter. - type: string - prometheusReporterPort: - description: PrometheusReporterPort is the port that the Prometheus - per-flow metrics reporter should bind to. - type: integer - prometheusWireGuardMetricsEnabled: - description: |- - PrometheusWireGuardMetricsEnabled disables wireguard metrics collection, which the Prometheus client does by default, when - set to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true] - type: boolean - removeExternalRoutes: - description: |- - RemoveExternalRoutes Controls whether Felix will remove unexpected routes to workload interfaces. Felix will - always clean up expected routes that use the configured DeviceRouteProtocol. To add your own routes, you must - use a distinct protocol (in addition to setting this field to false). - type: boolean - reportingInterval: - description: |- - ReportingInterval is the interval at which Felix reports its status into the datastore or 0 to disable. - Must be non-zero in OpenStack deployments. [Default: 30s] - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - reportingTTL: - description: 'ReportingTTL is the time-to-live setting for process-wide - status reports. [Default: 90s]' - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - routeRefreshInterval: - description: |- - RouteRefreshInterval is the period at which Felix re-checks the routes - in the dataplane to ensure that no other process has accidentally broken Calico's rules. - Set to 0 to disable route refresh. [Default: 90s] - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - routeSource: - description: |- - RouteSource configures where Felix gets its routing information. - - WorkloadIPs: use workload endpoints to construct routes. - - CalicoIPAM: the default - use IPAM data to construct routes. - pattern: ^(?i)(WorkloadIPs|CalicoIPAM)?$ - type: string - routeSyncDisabled: - description: |- - RouteSyncDisabled will disable all operations performed on the route table. Set to true to - run in network-policy mode only. - type: boolean - routeTableRange: - description: |- - Deprecated in favor of RouteTableRanges. - Calico programs additional Linux route tables for various purposes. - RouteTableRange specifies the indices of the route tables that Calico should use. - properties: - max: - type: integer - min: - type: integer - required: - - max - - min - type: object - routeTableRanges: - description: |- - Calico programs additional Linux route tables for various purposes. - RouteTableRanges specifies a set of table index ranges that Calico should use. - Deprecates`RouteTableRange`, overrides `RouteTableRange`. - items: + netlinkTimeout: + description: |- + NetlinkTimeout is the timeout when talking to the kernel over the netlink protocol, used for programming + routes, rules, and other kernel objects. [Default: 10s] + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + nfNetlinkBufSize: + description: |- + NfNetlinkBufSize controls the size of NFLOG messages that the kernel will try to send to Felix. NFLOG messages + are used to report flow verdicts from the kernel. Warning: currently increasing the value may cause errors + due to a bug in the netlink library. + type: string + nftablesDNSPolicyMode: + description: |- + NFTablesDNSPolicyMode specifies how DNS policy programming will be handled for NFTables. + DelayDeniedPacket - Felix delays any denied packet that traversed a policy that included egress domain matches, + but did not match. The packet is released after a fixed time, or after the destination IP address was programmed. + DelayDNSResponse - Felix delays any DNS response until related IPSets are programmed. This introduces some + latency to all DNS packets (even when no IPSet programming is required), but it ensures policy hit statistics + are accurate. This is the recommended setting when you are making use of staged policies or policy rule hit + statistics. + NoDelay - Felix does not introduce any delay to the packets. DNS rules may not have been programmed by the time + the first packet traverses the policy rules. Client applications need to handle reconnection attempts if initial + connection attempts fail. This may be problematic for some applications or for very low DNS TTLs. + [Default: DelayDeniedPacket] + enum: + - NoDelay + - DelayDeniedPacket + - DelayDNSResponse + type: string + nftablesFilterAllowAction: + description: |- + NftablesFilterAllowAction controls the nftables action that Felix uses to represent the "allow" policy verdict + in the filter table. The default is to `ACCEPT` the traffic, which is a terminal action. Alternatively, + `RETURN` can be used to return the traffic back to the top-level chain for further processing by your rules. + pattern: ^(?i)(Accept|Return)?$ + type: string + nftablesFilterDenyAction: + description: |- + NftablesFilterDenyAction controls what happens to traffic that is denied by network policy. By default, Calico + blocks traffic with a "drop" action. If you want to use a "reject" action instead you can configure it here. + pattern: ^(?i)(Drop|Reject)?$ + type: string + nftablesMangleAllowAction: + description: |- + NftablesMangleAllowAction controls the nftables action that Felix uses to represent the "allow" policy verdict + in the mangle table. The default is to `ACCEPT` the traffic, which is a terminal action. Alternatively, + `RETURN` can be used to return the traffic back to the top-level chain for further processing by your rules. + pattern: ^(?i)(Accept|Return)?$ + type: string + nftablesMarkMask: + description: |- + NftablesMarkMask is the mask that Felix selects its nftables Mark bits from. Should be a 32 bit hexadecimal + number with at least 8 bits set, none of which clash with any other mark bits in use on the system. + [Default: 0xffff0000] + format: int32 + type: integer + nftablesMode: + default: Auto + description: + "NFTablesMode configures nftables support in Felix. [Default: + Auto]" + enum: + - Disabled + - Enabled + - Auto + type: string + nftablesRefreshInterval: + description: + "NftablesRefreshInterval controls the interval at which + Felix periodically refreshes the nftables rules. [Default: 90s]" + type: string + openstackRegion: + description: |- + OpenstackRegion is the name of the region that a particular Felix belongs to. In a multi-region + Calico/OpenStack deployment, this must be configured somehow for each Felix (here in the datamodel, + or in felix.cfg or the environment on each compute node), and must match the [calico] + openstack_region value configured in neutron.conf on each node. [Default: Empty] + type: string + policyActivityLogsFileDirectory: + description: |- + PolicyActivityLogsFileDirectory sets the directory where policy activity log files are stored. + [Default: /var/log/calico/policy] + type: string + policyActivityLogsFileEnabled: + description: |- + PolicyActivityLogsFileEnabled controls logging policy activity logs to a file. If false no policy activity logging to file will occur. + [Default: true] + type: boolean + policyActivityLogsFileMaxFileSizeMB: + description: |- + PolicyActivityLogsFileMaxFileSizeMB sets the max size in MB of policy activity log files before rotation. + [Default: 100] + type: integer + policyActivityLogsFileMaxFiles: + description: |- + PolicyActivityLogsFileMaxFiles sets the number of policy activity log files to keep. + [Default: 5] + type: integer + policyActivityLogsFlushInterval: + description: |- + PolicyActivityLogsFlushInterval configures the interval at which Felix exports policy activity logs. + [Default: 15s] + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + policySyncPathPrefix: + description: |- + PolicySyncPathPrefix is used to by Felix to communicate policy changes to external services, + like Application layer policy. [Default: Empty] + type: string + programClusterRoutes: + description: |- + ProgramClusterRoutes controls how a cluster node gets a route to a workload on another node, + when that workload's IP comes from an IP Pool with vxlanMode: Never. When ProgramClusterRoutes is Disabled, + it is expected that confd and BIRD will program that route. When ProgramClusterRoutes is Enabled, Felix program that route. + Felix always programs such routes for IP Pools with vxlanMode: Always or vxlanMode: CrossSubnet. [Default: Disabled] + enum: + - Enabled + - Disabled + type: string + prometheusGoMetricsEnabled: + description: |- + PrometheusGoMetricsEnabled disables Go runtime metrics collection, which the Prometheus client does by default, when + set to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true] + type: boolean + prometheusMetricsCAFile: + description: |- + PrometheusMetricsCAFile defines the absolute path to the TLS CA certificate file used for securing the /metrics endpoint. + This certificate must be valid and accessible by the calico-node process. + type: string + prometheusMetricsCertFile: + description: |- + PrometheusMetricsCertFile defines the absolute path to the TLS certificate file used for securing the /metrics endpoint. + This certificate must be valid and accessible by the calico-node process. + type: string + prometheusMetricsClientAuth: + description: |- + PrometheusMetricsClientAuth specifies the client authentication type for the /metrics endpoint. + This determines how the server validates client certificates. Default is "RequireAndVerifyClientCert". + type: string + prometheusMetricsEnabled: + description: + "PrometheusMetricsEnabled enables the Prometheus metrics + server in Felix if set to true. [Default: false]" + type: boolean + prometheusMetricsHost: + description: + "PrometheusMetricsHost is the host that the Prometheus + metrics server should bind to. [Default: empty]" + type: string + prometheusMetricsKeyFile: + description: |- + PrometheusMetricsKeyFile defines the absolute path to the private key file corresponding to the TLS certificate + used for securing the /metrics endpoint. The private key must be valid and accessible by the calico-node process. + type: string + prometheusMetricsPort: + description: + "PrometheusMetricsPort is the TCP port that the Prometheus + metrics server should bind to. [Default: 9091]" + type: integer + prometheusProcessMetricsEnabled: + description: |- + PrometheusProcessMetricsEnabled disables process metrics collection, which the Prometheus client does by default, when + set to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true] + type: boolean + prometheusReporterCAFile: + description: + PrometheusReporterCAFile is the path to the TLS CA file + for the Prometheus per-flow metrics reporter. + type: string + prometheusReporterCertFile: + description: + PrometheusReporterCertFile is the path to the TLS certificate + file for the Prometheus per-flow metrics reporter. + type: string + prometheusReporterEnabled: + description: |- + PrometheusReporterEnabled controls whether the Prometheus per-flow metrics reporter is enabled. This is + used to show real-time flow metrics in the UI. + type: boolean + prometheusReporterKeyFile: + description: + PrometheusReporterKeyFile is the path to the TLS private + key file for the Prometheus per-flow metrics reporter. + type: string + prometheusReporterPort: + description: + PrometheusReporterPort is the port that the Prometheus + per-flow metrics reporter should bind to. + type: integer + prometheusWireGuardMetricsEnabled: + description: |- + PrometheusWireGuardMetricsEnabled disables wireguard metrics collection, which the Prometheus client does by default, when + set to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true] + type: boolean + removeExternalRoutes: + description: |- + RemoveExternalRoutes Controls whether Felix will remove unexpected routes to workload interfaces. Felix will + always clean up expected routes that use the configured DeviceRouteProtocol. To add your own routes, you must + use a distinct protocol (in addition to setting this field to false). + type: boolean + reportingInterval: + description: |- + ReportingInterval is the interval at which Felix reports its status into the datastore or 0 to disable. + Must be non-zero in OpenStack deployments. [Default: 30s] + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + reportingTTL: + description: + "ReportingTTL is the time-to-live setting for process-wide + status reports. [Default: 90s]" + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + requireMTUFile: + description: |- + RequireMTUFile specifies whether mtu file is required to start the felix. + Optional as to keep the same as previous behavior. [Default: false] + type: boolean + routeRefreshInterval: + description: |- + RouteRefreshInterval is the period at which Felix re-checks the routes + in the dataplane to ensure that no other process has accidentally broken Calico's rules. + Set to 0 to disable route refresh. [Default: 90s] + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + routeSource: + description: |- + RouteSource configures where Felix gets its routing information. + - WorkloadIPs: use workload endpoints to construct routes. + - CalicoIPAM: the default - use IPAM data to construct routes. + pattern: ^(?i)(WorkloadIPs|CalicoIPAM)?$ + type: string + routeSyncDisabled: + description: |- + RouteSyncDisabled will disable all operations performed on the route table. Set to true to + run in network-policy mode only. + type: boolean + routeTableRange: + description: |- + Deprecated in favor of RouteTableRanges. + Calico programs additional Linux route tables for various purposes. + RouteTableRange specifies the indices of the route tables that Calico should use. properties: max: type: integer min: type: integer required: - - max - - min + - max + - min type: object - type: array - serviceLoopPrevention: - description: |- - When service IP advertisement is enabled, prevent routing loops to service IPs that are - not in use, by dropping or rejecting packets that do not get DNAT'd by kube-proxy. - Unless set to "Disabled", in which case such routing loops continue to be allowed. - [Default: Drop] - pattern: ^(?i)(Drop|Reject|Disabled)?$ - type: string - sidecarAccelerationEnabled: - description: 'SidecarAccelerationEnabled enables experimental sidecar - acceleration [Default: false]' - type: boolean - statsDumpFilePath: - description: StatsDumpFilePath is the path to write a diagnostic flow - logs statistics dump to when triggered by signal. - type: string - syslogReporterAddress: - description: |- - SyslogReporterAddress is the address to dial to when writing to Syslog. For TCP and UDP networks, the address has - the form "host:port". The host must be a literal IP address, or a host name that can be resolved to IP addresses. - The port must be a literal port number or a service name. For more, see: https://pkg.go.dev/net#Dial - type: string - syslogReporterEnabled: - description: |- - SyslogReporterEnabled turns on the feature to write logs to Syslog. Please note that this can incur significant - disk space usage when running felix on non-cluster hosts. - type: boolean - syslogReporterNetwork: - description: |- - SyslogReporterNetwork is the network to dial to when writing to Syslog. Known networks are "tcp", "tcp4" - (IPv4-only), "tcp6" (IPv6-only), "udp", "udp4" (IPv4-only), "udp6" (IPv6-only), "ip", "ip4" (IPv4-only), "ip6" - (IPv6-only), "unix", "unixgram" and "unixpacket". For more, see: https://pkg.go.dev/net#Dial - type: string - tproxyMode: - description: |- - TPROXYMode sets whether traffic is directed through a transparent proxy - for further processing or not and how is the proxying done. - [Default: Disabled] - pattern: ^(?i)(Disabled|Enabled|EnabledAllServices)?$ - type: string - tproxyPort: - description: |- - TPROXYPort sets to which port proxied traffic should be redirected. - [Default: 16001] - type: integer - tproxyUpstreamConnMark: - description: |- - TPROXYUpstreamConnMark tells Felix which mark is used by the proxy for its upstream - connections so that Felix can program the dataplane correctly. [Default: 0x17] - format: int32 - type: integer - usageReportingEnabled: - description: UsageReportingEnabled is unused in Calico Enterprise, - usage reporting is permanently disabled. - type: boolean - usageReportingInitialDelay: - description: 'UsageReportingInitialDelay is unused in Calico Enterprise, - usage reporting is permanently disabled. [Default: 300s]' - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - usageReportingInterval: - description: 'UsageReportingInterval is unused in Calico Enterprise, - usage reporting is permanently disabled. [Default: 86400s]' - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - useInternalDataplaneDriver: - description: |- - UseInternalDataplaneDriver, if true, Felix will use its internal dataplane programming logic. If false, it - will launch an external dataplane driver and communicate with it over protobuf. - type: boolean - vxlanEnabled: - description: |- - VXLANEnabled overrides whether Felix should create the VXLAN tunnel device for IPv4 VXLAN networking. - Optional as Felix determines this based on the existing IP pools. [Default: nil (unset)] - type: boolean - vxlanMTU: - description: |- - VXLANMTU is the MTU to set on the IPv4 VXLAN tunnel device. Optional as Felix auto-detects the MTU based on the - MTU of the host's interfaces. [Default: 0 (auto-detect)] - type: integer - vxlanMTUV6: - description: |- - VXLANMTUV6 is the MTU to set on the IPv6 VXLAN tunnel device. Optional as Felix auto-detects the MTU based on the - MTU of the host's interfaces. [Default: 0 (auto-detect)] - type: integer - vxlanPort: - description: 'VXLANPort is the UDP port number to use for VXLAN traffic. - [Default: 4789]' - type: integer - vxlanVNI: - description: |- - VXLANVNI is the VXLAN VNI to use for VXLAN traffic. You may need to change this if the default value is - in use on your system. [Default: 4096] - type: integer - wafEventLogsFileDirectory: - description: |- - WAFEventLogsFileDirectory sets the directory where WAFEvent log files are stored. - [Default: /var/log/calico/waf] - type: string - wafEventLogsFileEnabled: - description: |- - WAFEventLogsFileEnabled controls logging WAFEvent logs to a file. If false no WAFEvent logging to file will occur. - [Default: false] - type: boolean - wafEventLogsFileMaxFileSizeMB: - description: |- - WAFEventLogsFileMaxFileSizeMB sets the max size in MB of WAFEvent log files before rotation. - [Default: 100] - type: integer - wafEventLogsFileMaxFiles: - description: |- - WAFEventLogsFileMaxFiles sets the number of WAFEvent log files to keep. - [Default: 5] - type: integer - wafEventLogsFlushInterval: - description: |- - WAFEventLogsFlushInterval configures the interval at which Felix exports WAFEvent logs. - [Default: 15s] - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - windowsDnsCacheFile: - description: |- - The name of the file that Felix uses to preserve learnt DNS information when restarting. [Default: - "c:\\TigeraCalico\\felix-dns-cache.txt"]. - type: string - windowsDnsExtraTTL: - description: |- - Extra time to keep IPs and alias names that are learnt from DNS, in addition to each name - or IP's advertised TTL. The default value is 120s which is same as the default value of - ServicePointManager.DnsRefreshTimeout on .net framework. [Default: 120s]. - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - windowsFlowLogsFileDirectory: - description: 'WindowsFlowLogsFileDirectory sets the directory where - flow logs files are stored on Windows nodes. [Default: "c:\\TigeraCalico\\flowlogs"].' - type: string - windowsFlowLogsPositionFilePath: - description: |- - WindowsFlowLogsPositionFilePath is used to specify the position of the external pipeline that reads flow logs on Windows nodes. - [Default: "c:\\TigeraCalico\\flowlogs\\flows.log.pos"]. - This parameter only takes effect when FlowLogsDynamicAggregationEnabled is set to true. - type: string - windowsManageFirewallRules: - description: 'WindowsManageFirewallRules configures whether or not - Felix will program Windows Firewall rules (to allow inbound access - to its own metrics ports). [Default: Disabled]' - enum: - - Enabled - - Disabled - type: string - windowsNetworkName: - description: |- - WindowsNetworkName specifies which Windows HNS networks Felix should operate on. The default is to match - networks that start with "calico". Supports regular expression syntax. - type: string - windowsStatsDumpFilePath: - description: 'WindowsStatsDumpFilePath is used to specify the path - of the stats dump file on Windows nodes. [Default: "c:\\TigeraCalico\\stats\\dump"]' - type: string - wireguardEnabled: - description: 'WireguardEnabled controls whether Wireguard is enabled - for IPv4 (encapsulating IPv4 traffic over an IPv4 underlay network). - [Default: false]' - type: boolean - wireguardEnabledV6: - description: 'WireguardEnabledV6 controls whether Wireguard is enabled - for IPv6 (encapsulating IPv6 traffic over an IPv6 underlay network). - [Default: false]' - type: boolean - wireguardHostEncryptionEnabled: - description: 'WireguardHostEncryptionEnabled controls whether Wireguard - host-to-host encryption is enabled. [Default: false]' - type: boolean - wireguardInterfaceName: - description: 'WireguardInterfaceName specifies the name to use for - the IPv4 Wireguard interface. [Default: wireguard.cali]' - type: string - wireguardInterfaceNameV6: - description: 'WireguardInterfaceNameV6 specifies the name to use for - the IPv6 Wireguard interface. [Default: wg-v6.cali]' - type: string - wireguardKeepAlive: - description: 'WireguardPersistentKeepAlive controls Wireguard PersistentKeepalive - option. Set 0 to disable. [Default: 0]' - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - wireguardListeningPort: - description: 'WireguardListeningPort controls the listening port used - by IPv4 Wireguard. [Default: 51820]' - type: integer - wireguardListeningPortV6: - description: 'WireguardListeningPortV6 controls the listening port - used by IPv6 Wireguard. [Default: 51821]' - type: integer - wireguardMTU: - description: 'WireguardMTU controls the MTU on the IPv4 Wireguard - interface. See Configuring MTU [Default: 1440]' - type: integer - wireguardMTUV6: - description: 'WireguardMTUV6 controls the MTU on the IPv6 Wireguard - interface. See Configuring MTU [Default: 1420]' - type: integer - wireguardRoutingRulePriority: - description: 'WireguardRoutingRulePriority controls the priority value - to use for the Wireguard routing rule. [Default: 99]' - type: integer - wireguardThreadingEnabled: - description: |- - WireguardThreadingEnabled controls whether Wireguard has Threaded NAPI enabled. [Default: false] - This increases the maximum number of packets a Wireguard interface can process. - Consider threaded NAPI only if you have high packets per second workloads that are causing dropping packets due to a saturated `softirq` CPU core. - There is a [known issue](https://lore.kernel.org/netdev/CALrw=nEoT2emQ0OAYCjM1d_6Xe_kNLSZ6dhjb5FxrLFYh4kozA@mail.gmail.com/T/) with this setting - that may cause NAPI to get stuck holding the global `rtnl_mutex` when a peer is removed. - Workaround: Make sure your Linux kernel [includes this patch](https://github.com/torvalds/linux/commit/56364c910691f6d10ba88c964c9041b9ab777bd6) to unwedge NAPI. - type: boolean - workloadSourceSpoofing: - description: |- - WorkloadSourceSpoofing controls whether pods can use the allowedSourcePrefixes annotation to send traffic with a source IP - address that is not theirs. This is disabled by default. When set to "Any", pods can request any prefix. - pattern: ^(?i)(Disabled|Any)?$ - type: string - xdpEnabled: - description: 'XDPEnabled enables XDP acceleration for suitable untracked - incoming deny rules. [Default: true]' - type: boolean - xdpRefreshInterval: - description: |- - XDPRefreshInterval is the period at which Felix re-checks all XDP state to ensure that no - other process has accidentally broken Calico's BPF maps or attached programs. Set to 0 to - disable XDP refresh. [Default: 90s] - pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ - type: string - type: object - type: object - served: true - storage: true + routeTableRanges: + description: |- + Calico programs additional Linux route tables for various purposes. + RouteTableRanges specifies a set of table index ranges that Calico should use. + Deprecates`RouteTableRange`, overrides `RouteTableRange`. + items: + properties: + max: + type: integer + min: + type: integer + required: + - max + - min + type: object + type: array + serviceLoopPrevention: + description: |- + When service IP advertisement is enabled, prevent routing loops to service IPs that are + not in use, by dropping or rejecting packets that do not get DNAT'd by kube-proxy. + Unless set to "Disabled", in which case such routing loops continue to be allowed. + [Default: Drop] + pattern: ^(?i)(Drop|Reject|Disabled)?$ + type: string + sidecarAccelerationEnabled: + description: + "SidecarAccelerationEnabled enables experimental sidecar + acceleration [Default: false]" + type: boolean + statsDumpFilePath: + description: + StatsDumpFilePath is the path to write a diagnostic flow + logs statistics dump to when triggered by signal. + type: string + syslogReporterAddress: + description: |- + SyslogReporterAddress is the address to dial to when writing to Syslog. For TCP and UDP networks, the address has + the form "host:port". The host must be a literal IP address, or a host name that can be resolved to IP addresses. + The port must be a literal port number or a service name. For more, see: https://pkg.go.dev/net#Dial + type: string + syslogReporterEnabled: + description: |- + SyslogReporterEnabled turns on the feature to write logs to Syslog. Please note that this can incur significant + disk space usage when running felix on non-cluster hosts. + type: boolean + syslogReporterNetwork: + description: |- + SyslogReporterNetwork is the network to dial to when writing to Syslog. Known networks are "tcp", "tcp4" + (IPv4-only), "tcp6" (IPv6-only), "udp", "udp4" (IPv4-only), "udp6" (IPv6-only), "ip", "ip4" (IPv4-only), "ip6" + (IPv6-only), "unix", "unixgram" and "unixpacket". For more, see: https://pkg.go.dev/net#Dial + type: string + tproxyMode: + description: |- + TPROXYMode sets whether traffic is directed through a transparent proxy + for further processing or not and how is the proxying done. + [Default: Disabled] + pattern: ^(?i)(Disabled|Enabled|EnabledAllServices)?$ + type: string + tproxyPort: + description: |- + TPROXYPort sets to which port proxied traffic should be redirected. + [Default: 16001] + type: integer + tproxyUpstreamConnMark: + description: |- + TPROXYUpstreamConnMark tells Felix which mark is used by the proxy for its upstream + connections so that Felix can program the dataplane correctly. [Default: 0x17] + format: int32 + type: integer + usageReportingEnabled: + description: + UsageReportingEnabled is unused in Calico Enterprise, + usage reporting is permanently disabled. + type: boolean + usageReportingInitialDelay: + description: + "UsageReportingInitialDelay is unused in Calico Enterprise, + usage reporting is permanently disabled. [Default: 300s]" + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + usageReportingInterval: + description: + "UsageReportingInterval is unused in Calico Enterprise, + usage reporting is permanently disabled. [Default: 86400s]" + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + useInternalDataplaneDriver: + description: |- + UseInternalDataplaneDriver, if true, Felix will use its internal dataplane programming logic. If false, it + will launch an external dataplane driver and communicate with it over protobuf. + type: boolean + vxlanEnabled: + description: |- + VXLANEnabled overrides whether Felix should create the VXLAN tunnel device for IPv4 VXLAN networking. + Optional as Felix determines this based on the existing IP pools. [Default: nil (unset)] + type: boolean + vxlanMTU: + description: |- + VXLANMTU is the MTU to set on the IPv4 VXLAN tunnel device. Optional as Felix auto-detects the MTU based on the + MTU of the host's interfaces. [Default: 0 (auto-detect)] + type: integer + vxlanMTUV6: + description: |- + VXLANMTUV6 is the MTU to set on the IPv6 VXLAN tunnel device. Optional as Felix auto-detects the MTU based on the + MTU of the host's interfaces. [Default: 0 (auto-detect)] + type: integer + vxlanPort: + description: + "VXLANPort is the UDP port number to use for VXLAN traffic. + [Default: 4789]" + type: integer + vxlanVNI: + description: |- + VXLANVNI is the VXLAN VNI to use for VXLAN traffic. You may need to change this if the default value is + in use on your system. [Default: 4096] + type: integer + wafEventLogsFileDirectory: + description: |- + WAFEventLogsFileDirectory sets the directory where WAFEvent log files are stored. + [Default: /var/log/calico/waf] + type: string + wafEventLogsFileEnabled: + description: |- + WAFEventLogsFileEnabled controls logging WAFEvent logs to a file. If false no WAFEvent logging to file will occur. + [Default: false] + type: boolean + wafEventLogsFileMaxFileSizeMB: + description: |- + WAFEventLogsFileMaxFileSizeMB sets the max size in MB of WAFEvent log files before rotation. + [Default: 100] + type: integer + wafEventLogsFileMaxFiles: + description: |- + WAFEventLogsFileMaxFiles sets the number of WAFEvent log files to keep. + [Default: 5] + type: integer + wafEventLogsFlushInterval: + description: |- + WAFEventLogsFlushInterval configures the interval at which Felix exports WAFEvent logs. + [Default: 15s] + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + windowsDnsCacheFile: + description: |- + The name of the file that Felix uses to preserve learnt DNS information when restarting. [Default: + "c:\\TigeraCalico\\felix-dns-cache.txt"]. + type: string + windowsDnsExtraTTL: + description: |- + Extra time to keep IPs and alias names that are learnt from DNS, in addition to each name + or IP's advertised TTL. The default value is 120s which is same as the default value of + ServicePointManager.DnsRefreshTimeout on .net framework. [Default: 120s]. + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + windowsFlowLogsFileDirectory: + description: + 'WindowsFlowLogsFileDirectory sets the directory where + flow logs files are stored on Windows nodes. [Default: "c:\\TigeraCalico\\flowlogs"].' + type: string + windowsFlowLogsPositionFilePath: + description: |- + WindowsFlowLogsPositionFilePath is used to specify the position of the external pipeline that reads flow logs on Windows nodes. + [Default: "c:\\TigeraCalico\\flowlogs\\flows.log.pos"]. + This parameter only takes effect when FlowLogsDynamicAggregationEnabled is set to true. + type: string + windowsManageFirewallRules: + description: + "WindowsManageFirewallRules configures whether or not + Felix will program Windows Firewall rules (to allow inbound access + to its own metrics ports). [Default: Disabled]" + enum: + - Enabled + - Disabled + type: string + windowsNetworkName: + description: |- + WindowsNetworkName specifies which Windows HNS networks Felix should operate on. The default is to match + networks that start with "calico". Supports regular expression syntax. + type: string + windowsStatsDumpFilePath: + description: + 'WindowsStatsDumpFilePath is used to specify the path + of the stats dump file on Windows nodes. [Default: "c:\\TigeraCalico\\stats\\dump"]' + type: string + wireguardEnabled: + description: + "WireguardEnabled controls whether Wireguard is enabled + for IPv4 (encapsulating IPv4 traffic over an IPv4 underlay network). + [Default: false]" + type: boolean + wireguardEnabledV6: + description: + "WireguardEnabledV6 controls whether Wireguard is enabled + for IPv6 (encapsulating IPv6 traffic over an IPv6 underlay network). + [Default: false]" + type: boolean + wireguardHostEncryptionEnabled: + description: + "WireguardHostEncryptionEnabled controls whether Wireguard + host-to-host encryption is enabled. [Default: false]" + type: boolean + wireguardInterfaceName: + description: + "WireguardInterfaceName specifies the name to use for + the IPv4 Wireguard interface. [Default: wireguard.cali]" + type: string + wireguardInterfaceNameV6: + description: + "WireguardInterfaceNameV6 specifies the name to use for + the IPv6 Wireguard interface. [Default: wg-v6.cali]" + type: string + wireguardKeepAlive: + description: + "WireguardPersistentKeepAlive controls Wireguard PersistentKeepalive + option. Set 0 to disable. [Default: 0]" + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + wireguardListeningPort: + description: + "WireguardListeningPort controls the listening port used + by IPv4 Wireguard. [Default: 51820]" + type: integer + wireguardListeningPortV6: + description: + "WireguardListeningPortV6 controls the listening port + used by IPv6 Wireguard. [Default: 51821]" + type: integer + wireguardMTU: + description: + "WireguardMTU controls the MTU on the IPv4 Wireguard + interface. See Configuring MTU [Default: 1440]" + type: integer + wireguardMTUV6: + description: + "WireguardMTUV6 controls the MTU on the IPv6 Wireguard + interface. See Configuring MTU [Default: 1420]" + type: integer + wireguardRoutingRulePriority: + description: + "WireguardRoutingRulePriority controls the priority value + to use for the Wireguard routing rule. [Default: 99]" + type: integer + wireguardThreadingEnabled: + description: |- + WireguardThreadingEnabled controls whether Wireguard has Threaded NAPI enabled. [Default: false] + This increases the maximum number of packets a Wireguard interface can process. + Consider threaded NAPI only if you have high packets per second workloads that are causing dropping packets due to a saturated `softirq` CPU core. + There is a [known issue](https://lore.kernel.org/netdev/CALrw=nEoT2emQ0OAYCjM1d_6Xe_kNLSZ6dhjb5FxrLFYh4kozA@mail.gmail.com/T/) with this setting + that may cause NAPI to get stuck holding the global `rtnl_mutex` when a peer is removed. + Workaround: Make sure your Linux kernel [includes this patch](https://github.com/torvalds/linux/commit/56364c910691f6d10ba88c964c9041b9ab777bd6) to unwedge NAPI. + type: boolean + workloadSourceSpoofing: + description: |- + WorkloadSourceSpoofing controls whether pods can use the allowedSourcePrefixes annotation to send traffic with a source IP + address that is not theirs. This is disabled by default. When set to "Any", pods can request any prefix. + pattern: ^(?i)(Disabled|Any)?$ + type: string + xdpEnabled: + description: + "XDPEnabled enables XDP acceleration for suitable untracked + incoming deny rules. [Default: true]" + type: boolean + xdpRefreshInterval: + description: |- + XDPRefreshInterval is the period at which Felix re-checks all XDP state to ensure that no + other process has accidentally broken Calico's BPF maps or attached programs. Set to 0 to + disable XDP refresh. [Default: 90s] + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + type: object + x-kubernetes-validations: + - message: routeTableRange and routeTableRanges cannot both be set + reason: FieldValueForbidden + rule: "!has(self.routeTableRange) || !has(self.routeTableRanges)" + type: object + served: true + storage: true diff --git a/pkg/crds/enterprise/crd.projectcalico.org_globalalerts.yaml b/pkg/crds/enterprise/crd.projectcalico.org_globalalerts.yaml index 8d73c25d2f..7feaff01b1 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_globalalerts.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_globalalerts.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: globalalerts.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,155 +14,105 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - aggregateBy: - description: |- - An optional list of fields to aggregate results. - Only used if Type is RuleBased. - items: - type: string - type: array - condition: - description: |- - Compare the value of the metric to the threshold using this condition. - Only used if Type is RuleBased. - type: string - dataSet: - description: |- - DataSet determines which dataset type the Query will use. - Required and used only if Type is RuleBased. - type: string - description: - description: Human-readable description of the template. - type: string - detector: - description: |- - Parameters for configuring an AnomalyDetection run. - Only used if Type is AnomalyDetection. - properties: - name: - description: Name specifies the AnomalyDetection Detector to run. + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + aggregateBy: + items: type: string - required: - - name - type: object - field: - description: |- - Which field to aggregate results by if using a metric other than count. - Only used if Type is RuleBased. - type: string - lookback: - description: |- - How much data to gather at once. - If Type is RuleBased, it must exceed audit log flush interval, dnsLogsFlushInterval, or flowLogsFlushInterval as appropriate. - type: string - metric: - description: |- - A metric to apply to aggregated results. count is the number of log entries matching the aggregation pattern. - Others are applied only to numeric fields in the logs. - Only used if Type is RuleBased. - type: string - period: - description: |- - If Type is RuleBased, it is how often the query defined will run. - If Type is AnomalyDetection it is how often the detector will be run. - type: string - query: - description: Which data to include from the source data set. Written - in a domain-specific query language. Only used if Type is RuleBased. - type: string - severity: - description: Severity of the alert for display in Manager. - type: integer - substitutions: - description: |- - An optional list of values to replace variable names in query. - Only used if Type is RuleBased. - items: - description: GlobalAlertSubstitution substitutes for the variables - in the set operators of a Query. + type: array + x-kubernetes-list-type: atomic + condition: + type: string + dataSet: + type: string + description: + type: string + detector: properties: name: type: string - values: - items: - type: string - type: array - required: - - name - type: object - type: array - summary: - description: Template for the description field in generated events, - description is used if this is omitted. - type: string - threshold: - description: |- - A numeric value to compare the value of the metric against. - Only used if Type is RuleBased. - type: number - type: - description: |- - Type will dictate how the fields of the GlobalAlert will be utilized. - Each Type will have different usages and defaults for the fields. [Default: RuleBased] - type: string - required: - - description - - severity - type: object - status: - properties: - active: - type: boolean - errorConditions: - items: - properties: - message: - type: string - type: - type: string required: - - message - - type + - name type: object - type: array - healthy: - type: boolean - lastEvent: - format: date-time - type: string - lastExecuted: - format: date-time - type: string - lastUpdate: - format: date-time - type: string - required: - - active - - healthy - type: object - type: object - served: true - storage: true + field: + type: string + lookback: + type: string + metric: + type: string + period: + type: string + query: + type: string + severity: + type: integer + substitutions: + items: + properties: + name: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - name + type: object + type: array + x-kubernetes-list-type: atomic + summary: + type: string + threshold: + type: number + type: + type: string + required: + - description + - severity + type: object + status: + properties: + active: + type: boolean + errorConditions: + items: + properties: + message: + type: string + type: + type: string + required: + - message + - type + type: object + type: array + x-kubernetes-list-type: atomic + healthy: + type: boolean + lastEvent: + format: date-time + type: string + lastExecuted: + format: date-time + type: string + lastUpdate: + format: date-time + type: string + required: + - active + - healthy + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/enterprise/crd.projectcalico.org_globalalerttemplates.yaml b/pkg/crds/enterprise/crd.projectcalico.org_globalalerttemplates.yaml index ce0c860243..c5923cfcc4 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_globalalerttemplates.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_globalalerttemplates.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: globalalerttemplates.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,124 +14,73 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - aggregateBy: - description: |- - An optional list of fields to aggregate results. - Only used if Type is RuleBased. - items: - type: string - type: array - condition: - description: |- - Compare the value of the metric to the threshold using this condition. - Only used if Type is RuleBased. - type: string - dataSet: - description: |- - DataSet determines which dataset type the Query will use. - Required and used only if Type is RuleBased. - type: string - description: - description: Human-readable description of the template. - type: string - detector: - description: |- - Parameters for configuring an AnomalyDetection run. - Only used if Type is AnomalyDetection. - properties: - name: - description: Name specifies the AnomalyDetection Detector to run. + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + aggregateBy: + items: type: string - required: - - name - type: object - field: - description: |- - Which field to aggregate results by if using a metric other than count. - Only used if Type is RuleBased. - type: string - lookback: - description: |- - How much data to gather at once. - If Type is RuleBased, it must exceed audit log flush interval, dnsLogsFlushInterval, or flowLogsFlushInterval as appropriate. - type: string - metric: - description: |- - A metric to apply to aggregated results. count is the number of log entries matching the aggregation pattern. - Others are applied only to numeric fields in the logs. - Only used if Type is RuleBased. - type: string - period: - description: |- - If Type is RuleBased, it is how often the query defined will run. - If Type is AnomalyDetection it is how often the detector will be run. - type: string - query: - description: Which data to include from the source data set. Written - in a domain-specific query language. Only used if Type is RuleBased. - type: string - severity: - description: Severity of the alert for display in Manager. - type: integer - substitutions: - description: |- - An optional list of values to replace variable names in query. - Only used if Type is RuleBased. - items: - description: GlobalAlertSubstitution substitutes for the variables - in the set operators of a Query. + type: array + x-kubernetes-list-type: atomic + condition: + type: string + dataSet: + type: string + description: + type: string + detector: properties: name: type: string - values: - items: - type: string - type: array required: - - name + - name type: object - type: array - summary: - description: Template for the description field in generated events, - description is used if this is omitted. - type: string - threshold: - description: |- - A numeric value to compare the value of the metric against. - Only used if Type is RuleBased. - type: number - type: - description: |- - Type will dictate how the fields of the GlobalAlert will be utilized. - Each Type will have different usages and defaults for the fields. [Default: RuleBased] - type: string - required: - - description - - severity - type: object - type: object - served: true - storage: true + field: + type: string + lookback: + type: string + metric: + type: string + period: + type: string + query: + type: string + severity: + type: integer + substitutions: + items: + properties: + name: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - name + type: object + type: array + x-kubernetes-list-type: atomic + summary: + type: string + threshold: + type: number + type: + type: string + required: + - description + - severity + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/enterprise/crd.projectcalico.org_globalnetworkpolicies.yaml b/pkg/crds/enterprise/crd.projectcalico.org_globalnetworkpolicies.yaml index 7fcf2ae9ca..00a62c6583 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_globalnetworkpolicies.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_globalnetworkpolicies.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: globalnetworkpolicies.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,899 +14,564 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - applyOnForward: - description: ApplyOnForward indicates to apply the rules in this policy - on forward traffic. - type: boolean - doNotTrack: - description: |- - DoNotTrack indicates whether packets matched by the rules in this policy should go through - the data plane's connection tracking, such as Linux conntrack. If True, the rules in - this policy are applied before any data plane connection tracking, and packets allowed by - this policy are marked as not to be tracked. - type: boolean - egress: - description: |- - The ordered set of egress rules. Each rule contains a set of packet match criteria and - a corresponding action to apply. - items: - description: |- - A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy - and security Profiles reference rules - separated out as a list of rules for both - ingress and egress packet matching. - - Each positive match criteria has a negated version, prefixed with "Not". All the match - criteria within a rule must be satisfied for a packet to match. A single rule can contain - the positive and negative version of a match and both must be satisfied for the rule to match. - properties: - action: - type: string - destination: - description: Destination contains the match criteria that apply - to destination entity. - properties: - domains: - description: |- - Domains is an optional field, valid for egress Allow rules only, that restricts the rule - to apply only to traffic to one of the specified domains. If this field is specified, - Action must be Allow, and Nets and Selector must both be left empty. - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is an optional field that contains a selector expression. Only traffic - that originates from (or terminates at) endpoints within the selected namespaces will be - matched. When both NamespaceSelector and another selector are defined on the same rule, then only - workload endpoints that are matched by both selectors will be selected by the rule. - - For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting - only workload endpoints in the same namespace as the NetworkPolicy. - - For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting - only GlobalNetworkSet or HostEndpoint. - - For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces. - type: string - nets: - description: |- - Nets is an optional field that restricts the rule to only apply to traffic that - originates from (or terminates at) IP addresses in any of the given subnets. - items: - type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: - type: string - type: array - notPorts: - description: |- - NotPorts is the negated version of the Ports field. - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: |- - NotSelector is the negated version of the Selector field. See Selector field for - subtleties with negated selectors. - type: string - ports: - description: |- - Ports is an optional field that restricts the rule to only apply to traffic that has a - source (destination) port that matches one of these ranges/values. This value is a - list of integers or strings that represent ranges of ports. - - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for\nsample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching\nthe selector will be matched.\n\nNote that: - in addition to the negated version of the Selector (see - NotSelector below), the\nselector expression syntax itself - supports negation. The two types of negation are subtly\ndifferent. - One negates the set of matched endpoints, the other negates - the whole match:\n\n\tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled\n\tendpoints - that do not have the label \"my_label\".\n\n\tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled\n\tendpoints that do have the label - \"my_label\".\n\nThe effect is that the latter will accept - packets from non-Calico sources whereas the\nformer is - limited to packets from Calico-controlled endpoints." - type: string - serviceAccounts: - description: |- - ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or - terminates at) a pod running as a matching service account. - properties: - names: - description: |- - Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates - at) a pod running as a service account whose name is in the list. - items: - type: string - type: array - selector: - description: |- - Selector is an optional field that restricts the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account that matches the given label selector. - If both Names and Selector are specified then they are AND'ed. + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + applyOnForward: + type: boolean + doNotTrack: + type: boolean + egress: + items: + properties: + action: + enum: + - Allow + - Deny + - Log + - Pass + type: string + destination: + properties: + domains: + items: type: string - type: object - services: - description: |- - Services is an optional field that contains options for matching Kubernetes Services. - If specified, only traffic that originates from or terminates at endpoints within the selected - service(s) will be matched, and only to/from each endpoint's port. - - Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, - NotNets or ServiceAccounts. - - Ports and NotPorts can only be specified with Services on ingress rules. - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + type: string + nets: + items: type: string - namespace: - description: |- - Namespace specifies the namespace of the given Service. If left empty, the rule - will match within this policy's namespace. + type: array + x-kubernetes-list-type: set + notNets: + items: type: string - type: object - type: object - http: - description: HTTP contains match criteria that apply to HTTP - requests. - properties: - methods: - description: |- - Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed - HTTP Methods (e.g. GET, PUT, etc.) - Multiple methods are OR'd together. - items: + type: array + x-kubernetes-list-type: set + notPorts: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + notSelector: + type: string + ports: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + selector: type: string - type: array - paths: - description: |- - Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed - HTTP Paths. - Multiple paths are OR'd together. - e.g: - - exact: /foo - - prefix: /bar - NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it. - items: - description: |- - HTTPPath specifies an HTTP path to match. It may be either of the form: - exact: : which matches the path exactly or - prefix: : which matches the path prefix + serviceAccounts: properties: - exact: - type: string - prefix: + names: + items: + type: string + type: array + x-kubernetes-list-type: set + selector: type: string type: object - type: array - type: object - icmp: - description: |- - ICMP is an optional field that restricts the rule to apply to a specific type and - code of ICMP traffic. This should only be specified if the Protocol field is set to - "ICMP" or "ICMPv6". - properties: - code: - description: |- - Match on a specific ICMP code. If specified, the Type value must also be specified. - This is a technical limitation imposed by the kernel's iptables firewall, which - Calico uses to enforce the rule. - type: integer - type: - description: |- - Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request - (i.e. pings). - type: integer - type: object - ipVersion: - description: |- - IPVersion is an optional field that restricts the rule to only match a specific IP - version. - type: integer - metadata: - description: Metadata contains additional information for this - rule - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a set of key value pairs that - give extra information about the rule - type: object - type: object - notICMP: - description: NotICMP is the negated version of the ICMP field. - properties: - code: - description: |- - Match on a specific ICMP code. If specified, the Type value must also be specified. - This is a technical limitation imposed by the kernel's iptables firewall, which - Calico uses to enforce the rule. - type: integer - type: - description: |- - Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request - (i.e. pings). - type: integer - type: object - notProtocol: - anyOf: - - type: integer - - type: string - description: NotProtocol is the negated version of the Protocol - field. - pattern: ^.* - x-kubernetes-int-or-string: true - protocol: - anyOf: - - type: integer - - type: string - description: |- - Protocol is an optional field that restricts the rule to only apply to traffic of - a specific IP protocol. Required if any of the EntityRules contain Ports - (because ports only apply to certain protocols). - - Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite" - or an integer in the range 1-255. - pattern: ^.* - x-kubernetes-int-or-string: true - source: - description: Source contains the match criteria that apply to - source entity. - properties: - domains: - description: |- - Domains is an optional field, valid for egress Allow rules only, that restricts the rule - to apply only to traffic to one of the specified domains. If this field is specified, - Action must be Allow, and Nets and Selector must both be left empty. - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is an optional field that contains a selector expression. Only traffic - that originates from (or terminates at) endpoints within the selected namespaces will be - matched. When both NamespaceSelector and another selector are defined on the same rule, then only - workload endpoints that are matched by both selectors will be selected by the rule. - - For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting - only workload endpoints in the same namespace as the NetworkPolicy. - - For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting - only GlobalNetworkSet or HostEndpoint. - - For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces. - type: string - nets: - description: |- - Nets is an optional field that restricts the rule to only apply to traffic that - originates from (or terminates at) IP addresses in any of the given subnets. - items: - type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: - type: string - type: array - notPorts: - description: |- - NotPorts is the negated version of the Ports field. - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: |- - NotSelector is the negated version of the Selector field. See Selector field for - subtleties with negated selectors. - type: string - ports: - description: |- - Ports is an optional field that restricts the rule to only apply to traffic that has a - source (destination) port that matches one of these ranges/values. This value is a - list of integers or strings that represent ranges of ports. - - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for\nsample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching\nthe selector will be matched.\n\nNote that: - in addition to the negated version of the Selector (see - NotSelector below), the\nselector expression syntax itself - supports negation. The two types of negation are subtly\ndifferent. - One negates the set of matched endpoints, the other negates - the whole match:\n\n\tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled\n\tendpoints - that do not have the label \"my_label\".\n\n\tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled\n\tendpoints that do have the label - \"my_label\".\n\nThe effect is that the latter will accept - packets from non-Calico sources whereas the\nformer is - limited to packets from Calico-controlled endpoints." - type: string - serviceAccounts: - description: |- - ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or - terminates at) a pod running as a matching service account. - properties: - names: - description: |- - Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates - at) a pod running as a service account whose name is in the list. - items: + services: + properties: + name: type: string - type: array - selector: - description: |- - Selector is an optional field that restricts the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account that matches the given label selector. - If both Names and Selector are specified then they are AND'ed. + namespace: + type: string + type: object + type: object + http: + properties: + headers: + items: + properties: + header: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - header + - operator + - values + type: object + type: array + x-kubernetes-list-type: atomic + methods: + items: type: string - type: object - services: - description: |- - Services is an optional field that contains options for matching Kubernetes Services. - If specified, only traffic that originates from or terminates at endpoints within the selected - service(s) will be matched, and only to/from each endpoint's port. - - Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, - NotNets or ServiceAccounts. - - Ports and NotPorts can only be specified with Services on ingress rules. - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. + maxItems: 20 + type: array + x-kubernetes-list-type: atomic + paths: + items: + properties: + exact: + maxLength: 1024 + type: string + prefix: + maxLength: 1024 + type: string + type: object + maxItems: 20 + type: array + x-kubernetes-list-type: atomic + type: object + icmp: + properties: + code: + maximum: 255 + minimum: 0 + type: integer + type: + maximum: 254 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: ICMP code specified without an ICMP type + reason: FieldValueInvalid + rule: "!has(self.code) || has(self.type)" + ipVersion: + enum: + - 4 + - 6 + type: integer + metadata: + properties: + annotations: + additionalProperties: type: string - namespace: - description: |- - Namespace specifies the namespace of the given Service. If left empty, the rule - will match within this policy's namespace. + type: object + type: object + notICMP: + properties: + code: + maximum: 255 + minimum: 0 + type: integer + type: + maximum: 254 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: ICMP code specified without an ICMP type + reason: FieldValueInvalid + rule: "!has(self.code) || has(self.type)" + notProtocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + source: + properties: + domains: + items: type: string - type: object - type: object - required: - - action - type: object - type: array - ingress: - description: |- - The ordered set of ingress rules. Each rule contains a set of packet match criteria and - a corresponding action to apply. - items: - description: |- - A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy - and security Profiles reference rules - separated out as a list of rules for both - ingress and egress packet matching. - - Each positive match criteria has a negated version, prefixed with "Not". All the match - criteria within a rule must be satisfied for a packet to match. A single rule can contain - the positive and negative version of a match and both must be satisfied for the rule to match. - properties: - action: - type: string - destination: - description: Destination contains the match criteria that apply - to destination entity. - properties: - domains: - description: |- - Domains is an optional field, valid for egress Allow rules only, that restricts the rule - to apply only to traffic to one of the specified domains. If this field is specified, - Action must be Allow, and Nets and Selector must both be left empty. - items: + type: array + x-kubernetes-list-type: atomic + namespaceSelector: type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is an optional field that contains a selector expression. Only traffic - that originates from (or terminates at) endpoints within the selected namespaces will be - matched. When both NamespaceSelector and another selector are defined on the same rule, then only - workload endpoints that are matched by both selectors will be selected by the rule. - - For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting - only workload endpoints in the same namespace as the NetworkPolicy. - - For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting - only GlobalNetworkSet or HostEndpoint. - - For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces. - type: string - nets: - description: |- - Nets is an optional field that restricts the rule to only apply to traffic that - originates from (or terminates at) IP addresses in any of the given subnets. - items: + nets: + items: + type: string + type: array + x-kubernetes-list-type: set + notNets: + items: + type: string + type: array + x-kubernetes-list-type: set + notPorts: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + notSelector: type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: + ports: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + selector: type: string - type: array - notPorts: - description: |- - NotPorts is the negated version of the Ports field. - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: |- - NotSelector is the negated version of the Selector field. See Selector field for - subtleties with negated selectors. - type: string - ports: - description: |- - Ports is an optional field that restricts the rule to only apply to traffic that has a - source (destination) port that matches one of these ranges/values. This value is a - list of integers or strings that represent ranges of ports. - - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for\nsample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching\nthe selector will be matched.\n\nNote that: - in addition to the negated version of the Selector (see - NotSelector below), the\nselector expression syntax itself - supports negation. The two types of negation are subtly\ndifferent. - One negates the set of matched endpoints, the other negates - the whole match:\n\n\tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled\n\tendpoints - that do not have the label \"my_label\".\n\n\tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled\n\tendpoints that do have the label - \"my_label\".\n\nThe effect is that the latter will accept - packets from non-Calico sources whereas the\nformer is - limited to packets from Calico-controlled endpoints." - type: string - serviceAccounts: - description: |- - ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or - terminates at) a pod running as a matching service account. - properties: - names: - description: |- - Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates - at) a pod running as a service account whose name is in the list. - items: + serviceAccounts: + properties: + names: + items: + type: string + type: array + x-kubernetes-list-type: set + selector: type: string - type: array - selector: - description: |- - Selector is an optional field that restricts the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account that matches the given label selector. - If both Names and Selector are specified then they are AND'ed. + type: object + services: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + required: + - action + type: object + x-kubernetes-validations: + - message: rules with HTTP match must have protocol TCP or unset + reason: FieldValueInvalid + rule: + "!has(self.http) || !has(self.protocol) || self.protocol + == 'TCP' || self.protocol == 6" + - message: HTTP match is only valid on Allow rules + reason: FieldValueForbidden + rule: self.action == 'Allow' || !has(self.http) + - message: ports and notPorts cannot be specified with services + reason: FieldValueForbidden + rule: + "!has(self.destination) || !has(self.destination.services) + || (!has(self.destination.ports) || size(self.destination.ports) + == 0) && (!has(self.destination.notPorts) || size(self.destination.notPorts) + == 0)" + type: array + x-kubernetes-list-type: atomic + ingress: + items: + properties: + action: + enum: + - Allow + - Deny + - Log + - Pass + type: string + destination: + properties: + domains: + items: type: string - type: object - services: - description: |- - Services is an optional field that contains options for matching Kubernetes Services. - If specified, only traffic that originates from or terminates at endpoints within the selected - service(s) will be matched, and only to/from each endpoint's port. - - Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, - NotNets or ServiceAccounts. - - Ports and NotPorts can only be specified with Services on ingress rules. - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + type: string + nets: + items: type: string - namespace: - description: |- - Namespace specifies the namespace of the given Service. If left empty, the rule - will match within this policy's namespace. + type: array + x-kubernetes-list-type: set + notNets: + items: type: string - type: object - type: object - http: - description: HTTP contains match criteria that apply to HTTP - requests. - properties: - methods: - description: |- - Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed - HTTP Methods (e.g. GET, PUT, etc.) - Multiple methods are OR'd together. - items: + type: array + x-kubernetes-list-type: set + notPorts: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + notSelector: + type: string + ports: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + selector: type: string - type: array - paths: - description: |- - Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed - HTTP Paths. - Multiple paths are OR'd together. - e.g: - - exact: /foo - - prefix: /bar - NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it. - items: - description: |- - HTTPPath specifies an HTTP path to match. It may be either of the form: - exact: : which matches the path exactly or - prefix: : which matches the path prefix + serviceAccounts: + properties: + names: + items: + type: string + type: array + x-kubernetes-list-type: set + selector: + type: string + type: object + services: properties: - exact: + name: type: string - prefix: + namespace: type: string type: object - type: array - type: object - icmp: - description: |- - ICMP is an optional field that restricts the rule to apply to a specific type and - code of ICMP traffic. This should only be specified if the Protocol field is set to - "ICMP" or "ICMPv6". - properties: - code: - description: |- - Match on a specific ICMP code. If specified, the Type value must also be specified. - This is a technical limitation imposed by the kernel's iptables firewall, which - Calico uses to enforce the rule. - type: integer - type: - description: |- - Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request - (i.e. pings). - type: integer - type: object - ipVersion: - description: |- - IPVersion is an optional field that restricts the rule to only match a specific IP - version. - type: integer - metadata: - description: Metadata contains additional information for this - rule - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a set of key value pairs that - give extra information about the rule - type: object - type: object - notICMP: - description: NotICMP is the negated version of the ICMP field. - properties: - code: - description: |- - Match on a specific ICMP code. If specified, the Type value must also be specified. - This is a technical limitation imposed by the kernel's iptables firewall, which - Calico uses to enforce the rule. - type: integer - type: - description: |- - Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request - (i.e. pings). - type: integer - type: object - notProtocol: - anyOf: - - type: integer - - type: string - description: NotProtocol is the negated version of the Protocol - field. - pattern: ^.* - x-kubernetes-int-or-string: true - protocol: - anyOf: - - type: integer - - type: string - description: |- - Protocol is an optional field that restricts the rule to only apply to traffic of - a specific IP protocol. Required if any of the EntityRules contain Ports - (because ports only apply to certain protocols). - - Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite" - or an integer in the range 1-255. - pattern: ^.* - x-kubernetes-int-or-string: true - source: - description: Source contains the match criteria that apply to - source entity. - properties: - domains: - description: |- - Domains is an optional field, valid for egress Allow rules only, that restricts the rule - to apply only to traffic to one of the specified domains. If this field is specified, - Action must be Allow, and Nets and Selector must both be left empty. - items: + type: object + http: + properties: + headers: + items: + properties: + header: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - header + - operator + - values + type: object + type: array + x-kubernetes-list-type: atomic + methods: + items: + type: string + maxItems: 20 + type: array + x-kubernetes-list-type: atomic + paths: + items: + properties: + exact: + maxLength: 1024 + type: string + prefix: + maxLength: 1024 + type: string + type: object + maxItems: 20 + type: array + x-kubernetes-list-type: atomic + type: object + icmp: + properties: + code: + maximum: 255 + minimum: 0 + type: integer + type: + maximum: 254 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: ICMP code specified without an ICMP type + reason: FieldValueInvalid + rule: "!has(self.code) || has(self.type)" + ipVersion: + enum: + - 4 + - 6 + type: integer + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + type: object + notICMP: + properties: + code: + maximum: 255 + minimum: 0 + type: integer + type: + maximum: 254 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: ICMP code specified without an ICMP type + reason: FieldValueInvalid + rule: "!has(self.code) || has(self.type)" + notProtocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + source: + properties: + domains: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is an optional field that contains a selector expression. Only traffic - that originates from (or terminates at) endpoints within the selected namespaces will be - matched. When both NamespaceSelector and another selector are defined on the same rule, then only - workload endpoints that are matched by both selectors will be selected by the rule. - - For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting - only workload endpoints in the same namespace as the NetworkPolicy. - - For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting - only GlobalNetworkSet or HostEndpoint. - - For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces. - type: string - nets: - description: |- - Nets is an optional field that restricts the rule to only apply to traffic that - originates from (or terminates at) IP addresses in any of the given subnets. - items: + nets: + items: + type: string + type: array + x-kubernetes-list-type: set + notNets: + items: + type: string + type: array + x-kubernetes-list-type: set + notPorts: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + notSelector: type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: + ports: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + selector: type: string - type: array - notPorts: - description: |- - NotPorts is the negated version of the Ports field. - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: |- - NotSelector is the negated version of the Selector field. See Selector field for - subtleties with negated selectors. - type: string - ports: - description: |- - Ports is an optional field that restricts the rule to only apply to traffic that has a - source (destination) port that matches one of these ranges/values. This value is a - list of integers or strings that represent ranges of ports. - - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for\nsample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching\nthe selector will be matched.\n\nNote that: - in addition to the negated version of the Selector (see - NotSelector below), the\nselector expression syntax itself - supports negation. The two types of negation are subtly\ndifferent. - One negates the set of matched endpoints, the other negates - the whole match:\n\n\tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled\n\tendpoints - that do not have the label \"my_label\".\n\n\tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled\n\tendpoints that do have the label - \"my_label\".\n\nThe effect is that the latter will accept - packets from non-Calico sources whereas the\nformer is - limited to packets from Calico-controlled endpoints." - type: string - serviceAccounts: - description: |- - ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or - terminates at) a pod running as a matching service account. - properties: - names: - description: |- - Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates - at) a pod running as a service account whose name is in the list. - items: + serviceAccounts: + properties: + names: + items: + type: string + type: array + x-kubernetes-list-type: set + selector: type: string - type: array - selector: - description: |- - Selector is an optional field that restricts the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account that matches the given label selector. - If both Names and Selector are specified then they are AND'ed. - type: string - type: object - services: - description: |- - Services is an optional field that contains options for matching Kubernetes Services. - If specified, only traffic that originates from or terminates at endpoints within the selected - service(s) will be matched, and only to/from each endpoint's port. - - Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, - NotNets or ServiceAccounts. - - Ports and NotPorts can only be specified with Services on ingress rules. - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. - type: string - namespace: - description: |- - Namespace specifies the namespace of the given Service. If left empty, the rule - will match within this policy's namespace. - type: string - type: object - type: object - required: - - action - type: object - type: array - namespaceSelector: - description: NamespaceSelector is an optional field for an expression - used to select a pod based on namespaces. - type: string - order: - description: |- - Order is an optional field that specifies the order in which the policy is applied. - Policies with higher "order" are applied after those with lower - order within the same tier. If the order is omitted, it may be considered to be "infinite" - i.e. the - policy will be applied last. Policies with identical order will be applied in - alphanumerical order based on the Policy "Name" within the tier. - type: number - performanceHints: - description: |- - PerformanceHints contains a list of hints to Calico's policy engine to - help process the policy more efficiently. Hints never change the - enforcement behaviour of the policy. - - Currently, the only available hint is "AssumeNeededOnEveryNode". When - that hint is set on a policy, Felix will act as if the policy matches - a local endpoint even if it does not. This is useful for "preloading" - any large static policies that are known to be used on every node. - If the policy is _not_ used on a particular node then the work - done to preload the policy (and to maintain it) is wasted. - items: + type: object + services: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + required: + - action + type: object + x-kubernetes-validations: + - message: rules with HTTP match must have protocol TCP or unset + reason: FieldValueInvalid + rule: + "!has(self.http) || !has(self.protocol) || self.protocol + == 'TCP' || self.protocol == 6" + - message: HTTP match is only valid on Allow rules + reason: FieldValueForbidden + rule: self.action == 'Allow' || !has(self.http) + - message: ports and notPorts cannot be specified with services + reason: FieldValueForbidden + rule: + "!has(self.destination) || !has(self.destination.services) + || (!has(self.destination.ports) || size(self.destination.ports) + == 0) && (!has(self.destination.notPorts) || size(self.destination.notPorts) + == 0)" + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + type: string + order: + type: number + performanceHints: + items: + enum: + - AssumeNeededOnEveryNode + type: string + type: array + x-kubernetes-list-type: set + preDNAT: + type: boolean + selector: + type: string + serviceAccountSelector: type: string - type: array - preDNAT: - description: PreDNAT indicates to apply the rules in this policy before - any DNAT. - type: boolean - selector: - description: "The selector is an expression used to pick out the endpoints - that the policy should\nbe applied to.\n\nSelector expressions follow - this syntax:\n\n\tlabel == \"string_literal\" -> comparison, e.g. - my_label == \"foo bar\"\n\tlabel != \"string_literal\" -> not - equal; also matches if label is not present\n\tlabel in { \"a\", - \"b\", \"c\", ... } -> true if the value of label X is one of - \"a\", \"b\", \"c\"\n\tlabel not in { \"a\", \"b\", \"c\", ... } - \ -> true if the value of label X is not one of \"a\", \"b\", \"c\"\n\thas(label_name) - \ -> True if that label is present\n\t! expr -> negation of expr\n\texpr - && expr -> Short-circuit and\n\texpr || expr -> Short-circuit - or\n\t( expr ) -> parens for grouping\n\tall() or the empty selector - -> matches all endpoints.\n\nLabel names are allowed to contain - alphanumerics, -, _ and /. String literals are more permissive\nbut - they do not support escape characters.\n\nExamples (with made-up - labels):\n\n\ttype == \"webserver\" && deployment == \"prod\"\n\ttype - in {\"frontend\", \"backend\"}\n\tdeployment != \"dev\"\n\t! has(label_name)" - type: string - serviceAccountSelector: - description: ServiceAccountSelector is an optional field for an expression - used to select a pod based on service accounts. - type: string - tier: - description: |- - The name of the tier that this policy belongs to. If this is omitted, the default - tier (name is "default") is assumed. The specified tier must exist in order to create - security policies within the tier, the "default" tier is created automatically if it - does not exist, this means for deployments requiring only a single Tier, the tier name - may be omitted on all policy management requests. - type: string - types: - description: |- - Types indicates whether this policy applies to ingress, or to egress, or to both. When - not explicitly specified (and so the value on creation is empty or nil), Calico defaults - Types according to what Ingress and Egress rules are present in the policy. The - default is: - - - [ PolicyTypeIngress ], if there are no Egress rules (including the case where there are - also no Ingress rules) - - - [ PolicyTypeEgress ], if there are Egress rules but no Ingress rules - - - [ PolicyTypeIngress, PolicyTypeEgress ], if there are both Ingress and Egress rules. - - When the policy is read back again, Types will always be one of these values, never empty - or nil. - items: - description: PolicyType enumerates the possible values of the PolicySpec - Types field. + tier: + default: default type: string - type: array - type: object - type: object - served: true - storage: true + types: + items: + enum: + - Ingress + - Egress + type: string + maxItems: 2 + minItems: 1 + type: array + x-kubernetes-list-type: set + type: object + x-kubernetes-validations: + - message: preDNAT and doNotTrack cannot both be true + reason: FieldValueForbidden + rule: + "!((has(self.doNotTrack) && self.doNotTrack) && (has(self.preDNAT) + && self.preDNAT))" + - message: preDNAT policy cannot have any egress rules + reason: FieldValueForbidden + rule: + (!has(self.preDNAT) || !self.preDNAT) || !has(self.egress) || + size(self.egress) == 0 + - message: preDNAT policy cannot have 'Egress' type + reason: FieldValueForbidden + rule: + (!has(self.preDNAT) || !self.preDNAT) || !has(self.types) || !self.types.exists(t, + t == 'Egress') + - message: + applyOnForward must be true if either preDNAT or doNotTrack + is true + reason: FieldValueInvalid + rule: + (has(self.applyOnForward) && self.applyOnForward) || ((!has(self.doNotTrack) + || !self.doNotTrack) && (!has(self.preDNAT) || !self.preDNAT)) + type: object + served: true + storage: true diff --git a/pkg/crds/enterprise/crd.projectcalico.org_globalnetworksets.yaml b/pkg/crds/enterprise/crd.projectcalico.org_globalnetworksets.yaml index d70874da2b..7deb0ba003 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_globalnetworksets.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_globalnetworksets.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: globalnetworksets.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,49 +14,29 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs that share labels to - allow rules to refer to them via selectors. The labels of GlobalNetworkSet are not namespaced. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: GlobalNetworkSetSpec contains the specification for a NetworkSet - resource. - properties: - allowedEgressDomains: - description: |- - The list of domain names that belong to this set and are honored in egress allow rules - only. Domain names specified here only work to allow egress traffic from the cluster to - external destinations. They don't work to _deny_ traffic to destinations specified by - domain name, or to allow ingress traffic from _sources_ specified by domain name. - items: - type: string - type: array - nets: - description: The list of IP networks that belong to this set. - items: - type: string - type: array - type: object - type: object - served: true - storage: true + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + allowedEgressDomains: + items: + type: string + type: array + x-kubernetes-list-type: atomic + nets: + items: + type: string + type: array + x-kubernetes-list-type: set + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/enterprise/crd.projectcalico.org_globalreports.yaml b/pkg/crds/enterprise/crd.projectcalico.org_globalreports.yaml index deb492383d..820f455b7b 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_globalreports.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_globalreports.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: globalreports.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,422 +14,230 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ReportSpec contains the values of the GlobalReport. - properties: - cis: - description: This field contain all the parameters for configuring - a CIS benchmark report. - properties: - highThreshold: - description: |- - Interpretted as a percentage to indicate at what levels of passing tests a node should be considered - HIGH, MED, and LOW. - - If >= HighThreshold flag as high - - Otherwise, if > MedThreshold flag as med - - Otherwise flag as low. - type: integer - includeUnscoredTests: - description: Specifies if the report should also show results - for scored/not-scored tests. - type: boolean - medThreshold: - type: integer - numFailedTests: - description: Configure the number of top failed tests to show - up on the report. - type: integer - resultsFilters: - description: |- - Benchmark results filters. The first matching set of filters is applied to each set of benchmark results. - If there are no matching filters, the full set of benchmark results will be included in the report. - items: - description: CISBenchmarkFilter provides filters for a set of - benchmarks that match particular selection criteria. - properties: - benchmarkSelection: - description: BenchmarkSelection specifies which benchmarks - this filter applies to. If not specified, applies to all. - properties: - kubernetesVersion: - description: |- - KubernetesVersion is used select nodes that are running a specific version of kubelet. The full version need not - be fully specified down to the patch level, in which case the significant parts of the version are matched. - e.g. "1.0" will match versions "1.0.1" and "1.0.2" - If not specified, matches all versions. + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + cis: + properties: + highThreshold: + type: integer + includeUnscoredTests: + type: boolean + medThreshold: + type: integer + numFailedTests: + type: integer + resultsFilters: + items: + properties: + benchmarkSelection: + properties: + kubernetesVersion: + type: string + type: object + exclude: + items: type: string - type: object - exclude: - description: Exclude is an array of test indices to exclude - from the report. - items: - type: string - type: array - include: - description: |- - Include is an array of test indices to show in the report. - Is additive if IncludeUnscoredTests is true. - Takes precedence over Exclude. + type: array + x-kubernetes-list-type: atomic + include: + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + type: array + x-kubernetes-list-type: atomic + type: object + endpoints: + properties: + namespaces: + properties: + names: items: type: string type: array - type: object - type: array - type: object - endpoints: - description: |- - Endpoints is used to specify which endpoints are in-scope and stored in the generated report data. - Only used if endpoints data and/or audit logs are gathered in the report. If omitted, treated as everything - in-scope. - properties: - namespaces: - description: Namespace match restricts endpoint selection to those - in the selected namespaces. - properties: - names: - description: Names is an optional field that specifies a set - of resources by name. - items: - type: string - type: array - selector: - description: |- - Selector is an optional field that selects a set of resources by label. - If both Names and Selector are specified then they are AND'ed. - type: string - type: object - selector: - description: |- - Selector, selects endpoints by endpoint labels. If omitted, all endpoints are included in the report - data. - type: string - serviceAccounts: - description: ServiceAccount match restricts endpoint selection - to those in the selected service accounts. - properties: - names: - description: Names is an optional field that specifies a set - of resources by name. - items: - type: string - type: array - selector: - description: |- - Selector is an optional field that selects a set of resources by label. - If both Names and Selector are specified then they are AND'ed. - type: string - type: object - type: object - jobNodeSelector: - additionalProperties: - type: string - description: The node selector used to specify which nodes the report - job may be scheduled on. - type: object - reportType: - description: The name of the report type. - type: string - schedule: - description: |- - The report schedule specified in cron format. This specifies both the start and end times of each report, - where the end time of one report becomes the start time of the next report. - Separate jobs are created to generate a report, and the job generates the report data from archived audit - and traffic data. To ensure this data is actually archived, the jobs to generate each report starts at a - configurable time *after* the end time of the report that is being generated. The default job start delay is - 30m, but is configurable through the compliance-controller environments. - The cron format has minute accuracy, but only up to two values may be configured for the minute column which - means you may only have at most two reports for each hour period. - type: string - suspend: - description: |- - This flag tells the controller to suspend subsequent jobs for generating reports, it does not apply to already - started jobs. If jobs are resumed then the controller will start creating jobs for any reports that were missed - while the job was suspended. - type: boolean - required: - - reportType - type: object - status: - description: ReportStatus contains the status of the automated report - generation. - properties: - activeReportJobs: - description: The set of active report jobs. - items: - description: ReportJob contains - properties: - end: - description: The end time of the report. - format: date-time - type: string - job: - description: A reference to the report creation job if known. - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + x-kubernetes-list-type: atomic + selector: type: string type: object - x-kubernetes-map-type: atomic - start: - description: The start time of the report. - format: date-time - type: string - required: - - end - - job - - start - type: object - type: array - lastFailedReportJobs: - description: The configured report jobs that have failed. - items: - description: CompletedReportJob augments the ReportJob with completion - details. - properties: - end: - description: The end time of the report. - format: date-time + selector: type: string - job: - description: A reference to the report creation job if known. + serviceAccounts: properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + names: + items: + type: string + type: array + x-kubernetes-list-type: atomic + selector: type: string type: object - x-kubernetes-map-type: atomic - jobCompletionTime: - description: The time the report job completed. - format: date-time - type: string - start: - description: The start time of the report. - format: date-time - type: string - required: - - end - - job - - start type: object - type: array - lastScheduledReportJob: - description: The last scheduled report job. - properties: - end: - description: The end time of the report. - format: date-time + jobNodeSelector: + additionalProperties: type: string - job: - description: A reference to the report creation job if known. + type: object + reportType: + type: string + schedule: + type: string + suspend: + type: boolean + required: + - reportType + type: object + status: + properties: + activeReportJobs: + items: properties: - apiVersion: - description: API version of the referent. + end: + format: date-time type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + job: + properties: + apiVersion: + type: string + fieldPath: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + resourceVersion: + type: string + uid: + type: string + type: object + x-kubernetes-map-type: atomic + start: + format: date-time type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + required: + - end + - job + - start + type: object + type: array + x-kubernetes-list-type: atomic + lastFailedReportJobs: + items: + properties: + end: + format: date-time type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + job: + properties: + apiVersion: + type: string + fieldPath: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + resourceVersion: + type: string + uid: + type: string + type: object + x-kubernetes-map-type: atomic + jobCompletionTime: + format: date-time type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + start: + format: date-time type: string + required: + - end + - job + - start type: object - x-kubernetes-map-type: atomic - start: - description: The start time of the report. - format: date-time - type: string - required: - - end - - job - - start - type: object - lastSuccessfulReportJobs: - description: The configured report jobs that have completed successfully. - items: - description: CompletedReportJob augments the ReportJob with completion - details. + type: array + x-kubernetes-list-type: atomic + lastScheduledReportJob: properties: end: - description: The end time of the report. format: date-time type: string job: - description: A reference to the report creation job if known. properties: apiVersion: - description: API version of the referent. type: string fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. type: string kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic - jobCompletionTime: - description: The time the report job completed. - format: date-time - type: string start: - description: The start time of the report. format: date-time type: string required: - - end - - job - - start + - end + - job + - start type: object - type: array - type: object - type: object - served: true - storage: true + lastSuccessfulReportJobs: + items: + properties: + end: + format: date-time + type: string + job: + properties: + apiVersion: + type: string + fieldPath: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + resourceVersion: + type: string + uid: + type: string + type: object + x-kubernetes-map-type: atomic + jobCompletionTime: + format: date-time + type: string + start: + format: date-time + type: string + required: + - end + - job + - start + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/enterprise/crd.projectcalico.org_globalreporttypes.yaml b/pkg/crds/enterprise/crd.projectcalico.org_globalreporttypes.yaml index 6226fa1d37..0e2c561afb 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_globalreporttypes.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_globalreporttypes.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: globalreporttypes.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,122 +14,65 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ReportTypeSpec contains the various templates, and configuration - used to render a specific type of report. - properties: - auditEventsSelection: - description: |- - What audit log data should be included in the report. If not specified, the report will contain no audit log - data. The selection may be further filtered by the Report. - properties: - resources: - description: |- - Resources lists the resources that will be included in the audit logs in the ReportData. Blank fields in the - listed ResourceID structs are treated as wildcards. - items: - description: |- - AuditResource is used to filter Audit events in the Report configuration. - - An empty field value indicates a wildcard. For example, if Resource is set to "networkpolicies" and all other - fields are blank then this filter would include all NetworkPolicy resources across all namespaces, and would include - both Calico and Kubernetes resource types. - properties: - apiGroup: - description: APIGroup is the name of the API group that - contains the referred object (e.g. projectcalico.org). - type: string - apiVersion: - description: APIVersion is the version of the API group - that contains the referred object (e.g. v3). - type: string - name: - description: The resource name. - type: string - namespace: - description: The resource namespace. - type: string - resource: - description: The resource type. The format is the lowercase - plural as used in audit event selection and RBAC configuration. - type: string - type: object - type: array - type: object - downloadTemplates: - description: The set of templates used to render the report for downloads. - items: - description: ReportTemplate defines a template used to render a - report into downloadable or UI compatible format. + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + auditEventsSelection: + properties: + resources: + items: + properties: + apiGroup: + type: string + apiVersion: + type: string + name: + type: string + namespace: + type: string + resource: + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + downloadTemplates: + items: + properties: + description: + type: string + name: + type: string + template: + type: string + type: object + type: array + x-kubernetes-list-type: atomic + includeCISBenchmarkData: + type: boolean + includeEndpointData: + type: boolean + includeEndpointFlowLogData: + type: boolean + uiSummaryTemplate: properties: description: - description: A user-facing description of the template. type: string name: - description: |- - The name of this template. This should be unique across all template names within a ReportType. This will be used - by the UI as the suffix of the downloadable file name. type: string template: - description: The base-64 encoded go template used to render - the report data. type: string type: object - type: array - includeCISBenchmarkData: - description: Whether to include the full cis benchmark test results - in the report. - type: boolean - includeEndpointData: - description: |- - Whether to include endpoint data in the report. The actual endpoints included may be filtered by the Report, - but will otherwise contain the full set of endpoints. - type: boolean - includeEndpointFlowLogData: - description: Whether to include endpoint-to-endpoint flow log data - in the report. - type: boolean - uiSummaryTemplate: - description: |- - The summary template, explicitly used by the UI to render a summary version of the report. This should render - to json containing a sets of widgets that the UI can use to render the summary. The rendered data is returned - on the list query of the reports. - properties: - description: - description: A user-facing description of the template. - type: string - name: - description: |- - The name of this template. This should be unique across all template names within a ReportType. This will be used - by the UI as the suffix of the downloadable file name. - type: string - template: - description: The base-64 encoded go template used to render the - report data. - type: string - type: object - type: object - type: object - served: true - storage: true + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/enterprise/crd.projectcalico.org_globalthreatfeeds.yaml b/pkg/crds/enterprise/crd.projectcalico.org_globalthreatfeeds.yaml index f0b96ed6c7..b604c29b05 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_globalthreatfeeds.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_globalthreatfeeds.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: globalthreatfeeds.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,192 +14,153 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: GlobalThreatFeedSpec contains the specification of a GlobalThreatFeed - resource. - properties: - content: - default: IPSet - description: Content describes the kind of data the data feed provides. - enum: - - IPSet - - DomainNameSet - type: string - description: - description: Human-readable description of the template. - maxLength: 256 - type: string - feedType: - default: Custom - description: Distinguishes between Builtin Global Threat Feeds and - Custom feed types. - enum: - - Builtin - - Custom - type: string - globalNetworkSet: - properties: - labels: - additionalProperties: - type: string - type: object - type: object - mode: - default: Enabled - description: Determines whether the Global Threat Feed is Enabled - or Disabled. - enum: - - Enabled - - Disabled - type: string - pull: - properties: - http: - properties: - format: - properties: - csv: - properties: - columnDelimiter: - type: string - commentDelimiter: - type: string - disableRecordSizeValidation: - type: boolean - fieldName: - type: string - fieldNum: - type: integer - header: - type: boolean - recordSize: - type: integer - type: object - json: - properties: - path: - type: string - type: object - newlineDelimited: - type: object - type: object - headers: - items: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + content: + default: IPSet + enum: + - IPSet + - DomainNameSet + type: string + description: + maxLength: 256 + type: string + feedType: + default: Custom + enum: + - Builtin + - Custom + type: string + globalNetworkSet: + properties: + labels: + additionalProperties: + type: string + type: object + type: object + mode: + default: Enabled + enum: + - Enabled + - Disabled + type: string + pull: + properties: + http: + properties: + format: properties: - name: - type: string - value: - type: string - valueFrom: + csv: properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select - from. Must be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic + columnDelimiter: + type: string + commentDelimiter: + type: string + disableRecordSizeValidation: + type: boolean + fieldName: + type: string + fieldNum: + type: integer + header: + type: boolean + recordSize: + type: integer + type: object + json: + properties: + path: + type: string + type: object + newlineDelimited: type: object - required: - - name type: object - type: array - url: - type: string - required: - - url - type: object - period: - type: string - required: - - http - type: object - type: object - status: - properties: - errorConditions: - items: - properties: - message: - type: string - type: + headers: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + x-kubernetes-list-type: atomic + url: + type: string + required: + - url + type: object + period: type: string required: - - message - - type + - http type: object - type: array - lastSuccessfulSearch: - format: date-time - type: string - lastSuccessfulSync: - format: date-time - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} + type: object + status: + properties: + errorConditions: + items: + properties: + message: + type: string + type: + type: string + required: + - message + - type + type: object + type: array + x-kubernetes-list-type: atomic + lastSuccessfulSearch: + format: date-time + type: string + lastSuccessfulSync: + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/pkg/crds/enterprise/crd.projectcalico.org_hostendpoints.yaml b/pkg/crds/enterprise/crd.projectcalico.org_hostendpoints.yaml index 90bbcb7b8a..9c942a3a0f 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_hostendpoints.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_hostendpoints.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: hostendpoints.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,93 +14,66 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: HostEndpointSpec contains the specification for a HostEndpoint - resource. - properties: - expectedIPs: - description: "The expected IP addresses (IPv4 and IPv6) of the endpoint.\nIf - \"InterfaceName\" is not present, Calico will look for an interface - matching any\nof the IPs in the list and apply policy to that.\nNote:\n\tWhen - using the selector match criteria in an ingress or egress security - Policy\n\tor Profile, Calico converts the selector into a set of - IP addresses. For host\n\tendpoints, the ExpectedIPs field is used - for that purpose. (If only the interface\n\tname is specified, Calico - does not learn the IPs of the interface for use in match\n\tcriteria.)" - items: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + expectedIPs: + items: + type: string + type: array + x-kubernetes-list-type: set + interfaceName: + maxLength: 15 type: string - type: array - interfaceName: - description: |- - Either "*", or the name of a specific Linux interface to apply policy to; or empty. "*" - indicates that this HostEndpoint governs all traffic to, from or through the default - network namespace of the host named by the "Node" field; entering and leaving that - namespace via any interface, including those from/to non-host-networked local workloads. - - If InterfaceName is not "*", this HostEndpoint only governs traffic that enters or leaves - the host through the specific interface named by InterfaceName, or - when InterfaceName - is empty - through the specific interface that has one of the IPs in ExpectedIPs. - Therefore, when InterfaceName is empty, at least one expected IP must be specified. Only - external interfaces (such as "eth0") are supported here; it isn't possible for a - HostEndpoint to protect traffic through a specific local workload interface. - - Note: Only some kinds of policy are implemented for "*" HostEndpoints; initially just - pre-DNAT policy. Please check Calico documentation for the latest position. - type: string - node: - description: The node name identifying the Calico node instance. - type: string - ports: - description: Ports contains the endpoint's named ports, which may - be referenced in security policy rules. - items: - properties: - name: - type: string - port: - type: integer - protocol: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - required: - - name - - port - - protocol - type: object - type: array - profiles: - description: |- - A list of identifiers of security Profile objects that apply to this endpoint. Each - profile is applied in the order that they appear in this list. Profile rules are applied - after the selector-based security policy. - items: + node: + maxLength: 253 type: string - type: array - type: object - type: object - served: true - storage: true + ports: + items: + properties: + name: + type: string + port: + maximum: 65535 + minimum: 1 + type: integer + protocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + required: + - name + - port + - protocol + type: object + type: array + x-kubernetes-list-type: atomic + profiles: + items: + type: string + type: array + x-kubernetes-list-type: set + type: object + x-kubernetes-validations: + - message: at least one of interfaceName or expectedIPs must be specified + reason: FieldValueInvalid + rule: + (has(self.interfaceName) && size(self.interfaceName) > 0) || (has(self.expectedIPs) + && size(self.expectedIPs) > 0) + - message: node must be specified + reason: FieldValueInvalid + rule: has(self.node) && size(self.node) > 0 + type: object + served: true + storage: true diff --git a/pkg/crds/enterprise/crd.projectcalico.org_ipamblocks.yaml b/pkg/crds/enterprise/crd.projectcalico.org_ipamblocks.yaml index 6159addb9a..33210937b9 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_ipamblocks.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_ipamblocks.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: ipamblocks.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,106 +14,71 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: IPAMBlockSpec contains the specification for an IPAMBlock - resource. - properties: - affinity: - description: |- - Affinity of the block, if this block has one. If set, it will be of the form - "host:". If not set, this block is not affine to a host. - type: string - allocations: - description: |- - Array of allocations in-use within this block. nil entries mean the allocation is free. - For non-nil entries at index i, the index is the ordinal of the allocation within this block - and the value is the index of the associated attributes in the Attributes array. - items: - type: integer - # TODO: This nullable is manually added in. We should update controller-gen - # to handle []*int properly itself. - nullable: true - type: array - attributes: - description: |- - Attributes is an array of arbitrary metadata associated with allocations in the block. To find - attributes for a given allocation, use the value of the allocation's entry in the Allocations array - as the index of the element in this array. - items: - properties: - handle_id: - type: string - secondary: - additionalProperties: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + affinity: + type: string + affinityClaimTime: + format: date-time + type: string + allocations: + items: + type: integer + # TODO: This nullable is manually added in. We should update controller-gen + # to handle []*int properly itself. + nullable: true + type: array + attributes: + items: + properties: + alternateOwnerAttrs: + additionalProperties: + type: string + type: object + handle_id: type: string - type: object - type: object - type: array - cidr: - description: The block's CIDR. - type: string - deleted: - description: |- - Deleted is an internal boolean used to workaround a limitation in the Kubernetes API whereby - deletion will not return a conflict error if the block has been updated. It should not be set manually. - type: boolean - sequenceNumber: - default: 0 - description: |- - We store a sequence number that is updated each time the block is written. - Each allocation will also store the sequence number of the block at the time of its creation. - When releasing an IP, passing the sequence number associated with the allocation allows us - to protect against a race condition and ensure the IP hasn't been released and re-allocated - since the release request. - format: int64 - type: integer - sequenceNumberForAllocation: - additionalProperties: + secondary: + additionalProperties: + type: string + type: object + type: object + type: array + cidr: + type: string + deleted: + type: boolean + sequenceNumber: + default: 0 format: int64 type: integer - description: |- - Map of allocated ordinal within the block to sequence number of the block at - the time of allocation. Kubernetes does not allow numerical keys for maps, so - the key is cast to a string. - type: object - strictAffinity: - description: StrictAffinity on the IPAMBlock is deprecated and no - longer used by the code. Use IPAMConfig StrictAffinity instead. - type: boolean - unallocated: - description: Unallocated is an ordered list of allocations which are - free in the block. - items: - type: integer - type: array - required: - - allocations - - attributes - - cidr - - strictAffinity - - unallocated - type: object - type: object - served: true - storage: true + sequenceNumberForAllocation: + additionalProperties: + format: int64 + type: integer + type: object + strictAffinity: + type: boolean + unallocated: + items: + type: integer + type: array + required: + - allocations + - attributes + - cidr + - strictAffinity + - unallocated + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/enterprise/crd.projectcalico.org_ipamconfigs.yaml b/pkg/crds/enterprise/crd.projectcalico.org_ipamconfigs.yaml index fe82385ce4..5cbb52cb2c 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_ipamconfigs.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_ipamconfigs.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: ipamconfigs.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,46 +14,35 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: IPAMConfigSpec contains the specification for an IPAMConfig - resource. - properties: - autoAllocateBlocks: - type: boolean - maxBlocksPerHost: - description: |- - MaxBlocksPerHost, if non-zero, is the max number of blocks that can be - affine to each host. - maximum: 2147483647 - minimum: 0 - type: integer - strictAffinity: - type: boolean - required: - - autoAllocateBlocks - - strictAffinity - type: object - type: object - served: true - storage: true + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + autoAllocateBlocks: + type: boolean + kubeVirtVMAddressPersistence: + enum: + - Enabled + - Disabled + type: string + maxBlocksPerHost: + maximum: 2147483647 + minimum: 0 + type: integer + strictAffinity: + type: boolean + required: + - autoAllocateBlocks + - strictAffinity + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/enterprise/crd.projectcalico.org_ipamhandles.yaml b/pkg/crds/enterprise/crd.projectcalico.org_ipamhandles.yaml index 342fe33e62..d2305fe418 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_ipamhandles.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_ipamhandles.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: ipamhandles.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,43 +14,30 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: IPAMHandleSpec contains the specification for an IPAMHandle - resource. - properties: - block: - additionalProperties: - type: integer - type: object - deleted: - type: boolean - handleID: - type: string - required: - - block - - handleID - type: object - type: object - served: true - storage: true + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + block: + additionalProperties: + type: integer + type: object + deleted: + type: boolean + handleID: + type: string + required: + - block + - handleID + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/enterprise/crd.projectcalico.org_ippools.yaml b/pkg/crds/enterprise/crd.projectcalico.org_ippools.yaml index 49c1f61cce..a292abd474 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_ippools.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_ippools.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: ippools.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,114 +14,107 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: IPPoolSpec contains the specification for an IPPool resource. - properties: - allowedUses: - description: |- - AllowedUse controls what the IP pool will be used for. If not specified or empty, defaults to - ["Tunnel", "Workload"] for back-compatibility - items: - type: string - type: array - assignmentMode: - description: Determines the mode how IP addresses should be assigned - from this pool - enum: - - Automatic - - Manual - type: string - awsSubnetID: - description: |- - AWSSubnetID if specified Calico will attempt to ensure that IPs chosen from this IP pool are routed - to the corresponding node by adding one or more secondary ENIs to the node and explicitly assigning - the IP to one of the secondary ENIs. Important: since subnets cannot cross availability zones, - it's important to use Kubernetes node selectors to avoid scheduling pods to one availability zone - using an IP pool that is backed by a subnet that belongs to another availability zone. If AWSSubnetID - is specified, then the CIDR of the IP pool must be contained within the specified AWS subnet. - type: string - blockSize: - description: The block size to use for IP address assignments from - this pool. Defaults to 26 for IPv4 and 122 for IPv6. - type: integer - cidr: - description: The pool CIDR. - type: string - disableBGPExport: - description: 'Disable exporting routes from this IP Pool''s CIDR over - BGP. [Default: false]' - type: boolean - disabled: - description: When disabled is true, Calico IPAM will not assign addresses - from this pool. - type: boolean - ipip: - description: |- - Deprecated: this field is only used for APIv1 backwards compatibility. - Setting this field is not allowed, this field is for internal use only. - properties: - enabled: - description: |- - When enabled is true, ipip tunneling will be used to deliver packets to - destinations within this pool. - type: boolean - mode: - description: |- - The IPIP mode. This can be one of "always" or "cross-subnet". A mode - of "always" will also use IPIP tunneling for routing to destination IP - addresses within this pool. A mode of "cross-subnet" will only use IPIP - tunneling when the destination node is on a different subnet to the - originating node. The default value (if not specified) is "always". + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + allowedUses: + items: + enum: + - Workload + - Tunnel + - LoadBalancer type: string - type: object - ipipMode: - description: |- - Contains configuration for IPIP tunneling for this pool. If not specified, - then this is defaulted to "Never" (i.e. IPIP tunneling is disabled). - type: string - nat-outgoing: - description: |- - Deprecated: this field is only used for APIv1 backwards compatibility. - Setting this field is not allowed, this field is for internal use only. - type: boolean - natOutgoing: - description: |- - When natOutgoing is true, packets sent from Calico networked containers in - this pool to destinations outside of this pool will be masqueraded. - type: boolean - nodeSelector: - description: Allows IPPool to allocate for a specific node by label - selector. - type: string - vxlanMode: - description: |- - Contains configuration for VXLAN tunneling for this pool. If not specified, - then this is defaulted to "Never" (i.e. VXLAN tunneling is disabled). - type: string - required: - - cidr - type: object - type: object - served: true - storage: true + maxItems: 10 + type: array + x-kubernetes-list-type: set + assignmentMode: + default: Automatic + enum: + - Automatic + - Manual + type: string + awsSubnetID: + type: string + blockSize: + maximum: 128 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: + Block size cannot be changed; follow IP pool migration + guide to avoid corruption. + reason: FieldValueInvalid + rule: self == oldSelf + cidr: + format: cidr + maxLength: 48 + type: string + x-kubernetes-validations: + - message: + CIDR cannot be changed; follow IP pool migration guide + to avoid corruption. + reason: FieldValueInvalid + rule: self == oldSelf + disableBGPExport: + type: boolean + disabled: + type: boolean + ipipMode: + enum: + - Never + - Always + - CrossSubnet + type: string + namespaceSelector: + type: string + natOutgoing: + type: boolean + nodeSelector: + type: string + vxlanMode: + enum: + - Never + - Always + - CrossSubnet + type: string + required: + - cidr + type: object + x-kubernetes-validations: + - message: ipipMode and vxlanMode cannot both be enabled + reason: FieldValueForbidden + rule: + "!has(self.ipipMode) || !has(self.vxlanMode) || self.ipipMode + == 'Never' || self.vxlanMode == 'Never' || size(self.ipipMode) + == 0 || size(self.vxlanMode) == 0" + - message: LoadBalancer IP pool cannot have IPIP or VXLAN enabled + reason: FieldValueForbidden + rule: + "!has(self.allowedUses) || !self.allowedUses.exists(u, u == 'LoadBalancer') + || (!has(self.ipipMode) || size(self.ipipMode) == 0 || self.ipipMode + == 'Never') && (!has(self.vxlanMode) || size(self.vxlanMode) == + 0 || self.vxlanMode == 'Never')" + - message: + LoadBalancer cannot be combined with Workload or Tunnel allowed + uses + reason: FieldValueForbidden + rule: + "!has(self.allowedUses) || !self.allowedUses.exists(u, u == 'LoadBalancer') + || !self.allowedUses.exists(u, u == 'Workload' || u == 'Tunnel')" + - message: IPIP is not supported on IPv6 pools + reason: FieldValueForbidden + rule: + "!self.cidr.contains(':') || !has(self.ipipMode) || self.ipipMode + == 'Never' || size(self.ipipMode) == 0" + type: object + served: true + storage: true diff --git a/pkg/crds/enterprise/crd.projectcalico.org_ipreservations.yaml b/pkg/crds/enterprise/crd.projectcalico.org_ipreservations.yaml index 6942d6fe0c..251ba2b7be 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_ipreservations.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_ipreservations.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: ipreservations.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,38 +14,25 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: IPReservationSpec contains the specification for an IPReservation - resource. - properties: - reservedCIDRs: - description: ReservedCIDRs is a list of CIDRs and/or IP addresses - that Calico IPAM will exclude from new allocations. - items: - type: string - type: array - type: object - type: object - served: true - storage: true + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + reservedCIDRs: + format: cidr + items: + type: string + type: array + x-kubernetes-list-type: set + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/enterprise/crd.projectcalico.org_kubecontrollersconfigurations.yaml b/pkg/crds/enterprise/crd.projectcalico.org_kubecontrollersconfigurations.yaml index 6df02cdf29..3c9c8aaae3 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_kubecontrollersconfigurations.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_kubecontrollersconfigurations.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: kubecontrollersconfigurations.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,274 +14,269 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: KubeControllersConfigurationSpec contains the values of the - Kubernetes controllers configuration. - properties: - controllers: - description: Controllers enables and configures individual Kubernetes - controllers - properties: - federatedServices: - description: FederatedServices enables and configures the federatedservices - controller. Disabled by default. - properties: - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform reconciliation. - [Default: 5m]' - type: string - type: object - loadBalancer: - description: LoadBalancer enables and configures the LoadBalancer - controller. Enabled by default, set to nil to disable. - properties: - assignIPs: - type: string - type: object - namespace: - description: Namespace enables and configures the namespace controller. - Enabled by default, set to nil to disable. - properties: - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform reconciliation - with the Calico datastore. [Default: 5m]' - type: string - type: object - node: - description: Node enables and configures the node controller. - Enabled by default, set to nil to disable. - properties: - hostEndpoint: - description: HostEndpoint controls syncing nodes to host endpoints. - Disabled by default, set to nil to disable. - properties: - autoCreate: - description: 'AutoCreate enables automatic creation of - host endpoints for every node. [Default: Disabled]' - type: string - type: object - leakGracePeriod: - description: |- - LeakGracePeriod is the period used by the controller to determine if an IP address has been leaked. - Set to 0 to disable IP garbage collection. [Default: 15m] - type: string - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform reconciliation - with the Calico datastore. [Default: 5m]' - type: string - syncLabels: - description: 'SyncLabels controls whether to copy Kubernetes - node labels to Calico nodes. [Default: Enabled]' - type: string - type: object - policy: - description: Policy enables and configures the policy controller. - Enabled by default, set to nil to disable. - properties: - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform reconciliation - with the Calico datastore. [Default: 5m]' - type: string - type: object - serviceAccount: - description: ServiceAccount enables and configures the service - account controller. Enabled by default, set to nil to disable. - properties: - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform reconciliation - with the Calico datastore. [Default: 5m]' - type: string - type: object - workloadEndpoint: - description: WorkloadEndpoint enables and configures the workload - endpoint controller. Enabled by default, set to nil to disable. - properties: - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform reconciliation - with the Calico datastore. [Default: 5m]' - type: string - type: object - type: object - debugProfilePort: - description: |- - DebugProfilePort configures the port to serve memory and cpu profiles on. If not specified, profiling - is disabled. - format: int32 - type: integer - etcdV3CompactionPeriod: - description: 'EtcdV3CompactionPeriod is the period between etcdv3 - compaction requests. Set to 0 to disable. [Default: 10m]' - type: string - healthChecks: - description: 'HealthChecks enables or disables support for health - checks [Default: Enabled]' - type: string - logSeverityScreen: - description: 'LogSeverityScreen is the log severity above which logs - are sent to the stdout. [Default: Info]' - type: string - prometheusMetricsPort: - description: 'PrometheusMetricsPort is the TCP port that the Prometheus - metrics server should bind to. Set to 0 to disable. [Default: 9094]' - type: integer - required: - - controllers - type: object - status: - description: |- - KubeControllersConfigurationStatus represents the status of the configuration. It's useful for admins to - be able to see the actual config that was applied, which can be modified by environment variables on the - kube-controllers process. - properties: - environmentVars: - additionalProperties: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + controllers: + properties: + federatedServices: + properties: + reconcilerPeriod: + type: string + type: object + loadBalancer: + properties: + assignIPs: + default: AllServices + enum: + - AllServices + - RequestedServicesOnly + type: string + type: object + migration: + properties: + policyNameMigrator: + default: Enabled + enum: + - Disabled + - Enabled + type: string + type: object + namespace: + properties: + reconcilerPeriod: + type: string + type: object + node: + properties: + hostEndpoint: + properties: + autoCreate: + enum: + - Enabled + - Disabled + type: string + createDefaultHostEndpoint: + type: string + templates: + items: + properties: + generateName: + maxLength: 253 + type: string + interfaceCIDRs: + items: + type: string + type: array + x-kubernetes-list-type: set + interfacePattern: + type: string + labels: + additionalProperties: + type: string + type: object + nodeSelector: + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + leakGracePeriod: + type: string + reconcilerPeriod: + type: string + syncLabels: + enum: + - Enabled + - Disabled + type: string + type: object + policy: + properties: + reconcilerPeriod: + type: string + type: object + serviceAccount: + properties: + reconcilerPeriod: + type: string + type: object + workloadEndpoint: + properties: + reconcilerPeriod: + type: string + type: object + type: object + debugProfilePort: + format: int32 + maximum: 65535 + minimum: 0 + type: integer + etcdV3CompactionPeriod: type: string - description: |- - EnvironmentVars contains the environment variables on the kube-controllers that influenced - the RunningConfig. - type: object - runningConfig: - description: |- - RunningConfig contains the effective config that is running in the kube-controllers pod, after - merging the API resource with any environment variables. - properties: - controllers: - description: Controllers enables and configures individual Kubernetes - controllers - properties: - federatedServices: - description: FederatedServices enables and configures the - federatedservices controller. Disabled by default. - properties: - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform - reconciliation. [Default: 5m]' - type: string - type: object - loadBalancer: - description: LoadBalancer enables and configures the LoadBalancer - controller. Enabled by default, set to nil to disable. - properties: - assignIPs: - type: string - type: object - namespace: - description: Namespace enables and configures the namespace - controller. Enabled by default, set to nil to disable. - properties: - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform - reconciliation with the Calico datastore. [Default: - 5m]' - type: string - type: object - node: - description: Node enables and configures the node controller. - Enabled by default, set to nil to disable. - properties: - hostEndpoint: - description: HostEndpoint controls syncing nodes to host - endpoints. Disabled by default, set to nil to disable. - properties: - autoCreate: - description: 'AutoCreate enables automatic creation - of host endpoints for every node. [Default: Disabled]' - type: string - type: object - leakGracePeriod: - description: |- - LeakGracePeriod is the period used by the controller to determine if an IP address has been leaked. - Set to 0 to disable IP garbage collection. [Default: 15m] - type: string - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform - reconciliation with the Calico datastore. [Default: - 5m]' - type: string - syncLabels: - description: 'SyncLabels controls whether to copy Kubernetes - node labels to Calico nodes. [Default: Enabled]' - type: string - type: object - policy: - description: Policy enables and configures the policy controller. - Enabled by default, set to nil to disable. - properties: - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform - reconciliation with the Calico datastore. [Default: - 5m]' - type: string - type: object - serviceAccount: - description: ServiceAccount enables and configures the service - account controller. Enabled by default, set to nil to disable. - properties: - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform - reconciliation with the Calico datastore. [Default: - 5m]' - type: string - type: object - workloadEndpoint: - description: WorkloadEndpoint enables and configures the workload - endpoint controller. Enabled by default, set to nil to disable. - properties: - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform - reconciliation with the Calico datastore. [Default: - 5m]' - type: string - type: object - type: object - debugProfilePort: - description: |- - DebugProfilePort configures the port to serve memory and cpu profiles on. If not specified, profiling - is disabled. - format: int32 - type: integer - etcdV3CompactionPeriod: - description: 'EtcdV3CompactionPeriod is the period between etcdv3 - compaction requests. Set to 0 to disable. [Default: 10m]' - type: string - healthChecks: - description: 'HealthChecks enables or disables support for health - checks [Default: Enabled]' - type: string - logSeverityScreen: - description: 'LogSeverityScreen is the log severity above which - logs are sent to the stdout. [Default: Info]' - type: string - prometheusMetricsPort: - description: 'PrometheusMetricsPort is the TCP port that the Prometheus - metrics server should bind to. Set to 0 to disable. [Default: - 9094]' - type: integer - required: + healthChecks: + default: Enabled + enum: + - Enabled + - Disabled + type: string + logSeverityScreen: + enum: + - None + - Debug + - Info + - Warning + - Error + - Fatal + - Panic + type: string + prometheusMetricsPort: + maximum: 65535 + minimum: 0 + type: integer + required: - controllers - type: object - type: object - type: object - served: true - storage: true + type: object + status: + properties: + environmentVars: + additionalProperties: + type: string + type: object + runningConfig: + properties: + controllers: + properties: + federatedServices: + properties: + reconcilerPeriod: + type: string + type: object + loadBalancer: + properties: + assignIPs: + default: AllServices + enum: + - AllServices + - RequestedServicesOnly + type: string + type: object + migration: + properties: + policyNameMigrator: + default: Enabled + enum: + - Disabled + - Enabled + type: string + type: object + namespace: + properties: + reconcilerPeriod: + type: string + type: object + node: + properties: + hostEndpoint: + properties: + autoCreate: + enum: + - Enabled + - Disabled + type: string + createDefaultHostEndpoint: + type: string + templates: + items: + properties: + generateName: + maxLength: 253 + type: string + interfaceCIDRs: + items: + type: string + type: array + x-kubernetes-list-type: set + interfacePattern: + type: string + labels: + additionalProperties: + type: string + type: object + nodeSelector: + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + leakGracePeriod: + type: string + reconcilerPeriod: + type: string + syncLabels: + enum: + - Enabled + - Disabled + type: string + type: object + policy: + properties: + reconcilerPeriod: + type: string + type: object + serviceAccount: + properties: + reconcilerPeriod: + type: string + type: object + workloadEndpoint: + properties: + reconcilerPeriod: + type: string + type: object + type: object + debugProfilePort: + format: int32 + maximum: 65535 + minimum: 0 + type: integer + etcdV3CompactionPeriod: + type: string + healthChecks: + default: Enabled + enum: + - Enabled + - Disabled + type: string + logSeverityScreen: + enum: + - None + - Debug + - Info + - Warning + - Error + - Fatal + - Panic + type: string + prometheusMetricsPort: + maximum: 65535 + minimum: 0 + type: integer + required: + - controllers + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/pkg/crds/enterprise/crd.projectcalico.org_licensekeys.yaml b/pkg/crds/enterprise/crd.projectcalico.org_licensekeys.yaml index 57958c2ab9..cbb2b917af 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_licensekeys.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_licensekeys.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: licensekeys.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,65 +14,87 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: LicenseKeySpec contains the license key itself. - properties: - certificate: - description: Certificate is used to validate the token. - type: string - token: - description: Token is the JWT containing the license claims - type: string - required: - - token - type: object - status: - description: LicenseKeyStatus contains the license key information. - properties: - expiry: - description: Expiry is the expiry date of License - format: date-time - nullable: true - type: string - features: - description: List of features that are available via the applied license - items: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + certificate: type: string - type: array - maxnodes: - description: Maximum Number of Allowed Nodes - type: integer - package: - description: License package defines type of Calico license that is - being enforced - enum: - - CloudCommunity - - CloudStarter - - CloudPro - - Enterprise - type: string - type: object - type: object - served: true - storage: true + token: + type: string + required: + - token + type: object + status: + properties: + conditions: + items: + properties: + lastTransitionTime: + format: date-time + type: string + message: + maxLength: 32768 + type: string + observedGeneration: + format: int64 + minimum: 0 + type: integer + reason: + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + enum: + - "True" + - "False" + - Unknown + type: string + type: + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + expiry: + format: date-time + nullable: true + type: string + features: + items: + type: string + type: array + x-kubernetes-list-type: atomic + gracePeriod: + type: string + maxnodes: + type: integer + package: + enum: + - CloudCommunity + - CloudStarter + - CloudPro + - Enterprise + type: string + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/enterprise/crd.projectcalico.org_managedclusters.yaml b/pkg/crds/enterprise/crd.projectcalico.org_managedclusters.yaml index 05a7c6ef85..90cac7905d 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_managedclusters.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_managedclusters.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: managedclusters.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,67 +14,46 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ManagedClusterSpec contains the specification of a ManagedCluster - resource. - properties: - certificate: - description: The certificate used to authenticate the managed cluster - to the management cluster. - format: byte - type: string - installationManifest: - description: |- - Field to store dynamically generated manifest for installing component into - the actual application cluster corresponding to this Managed Cluster - type: string - operatorNamespace: - description: |- - The namespace of the managed cluster's operator. This value is used in - the generation of the InstallationManifest. - type: string - type: object - status: - properties: - conditions: - items: - description: Condition contains various status information - properties: - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + certificate: + format: byte + type: string + installationManifest: + type: string + operatorNamespace: + type: string + type: object + status: + properties: + conditions: + items: + properties: + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/enterprise/crd.projectcalico.org_networkpolicies.yaml b/pkg/crds/enterprise/crd.projectcalico.org_networkpolicies.yaml index c3c28214a6..5d55af6fa3 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_networkpolicies.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_networkpolicies.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: networkpolicies.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,880 +14,533 @@ spec: preserveUnknownFields: false scope: Namespaced versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - egress: - description: |- - The ordered set of egress rules. Each rule contains a set of packet match criteria and - a corresponding action to apply. - items: - description: |- - A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy - and security Profiles reference rules - separated out as a list of rules for both - ingress and egress packet matching. - - Each positive match criteria has a negated version, prefixed with "Not". All the match - criteria within a rule must be satisfied for a packet to match. A single rule can contain - the positive and negative version of a match and both must be satisfied for the rule to match. - properties: - action: - type: string - destination: - description: Destination contains the match criteria that apply - to destination entity. - properties: - domains: - description: |- - Domains is an optional field, valid for egress Allow rules only, that restricts the rule - to apply only to traffic to one of the specified domains. If this field is specified, - Action must be Allow, and Nets and Selector must both be left empty. - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is an optional field that contains a selector expression. Only traffic - that originates from (or terminates at) endpoints within the selected namespaces will be - matched. When both NamespaceSelector and another selector are defined on the same rule, then only - workload endpoints that are matched by both selectors will be selected by the rule. - - For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting - only workload endpoints in the same namespace as the NetworkPolicy. - - For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting - only GlobalNetworkSet or HostEndpoint. - - For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces. - type: string - nets: - description: |- - Nets is an optional field that restricts the rule to only apply to traffic that - originates from (or terminates at) IP addresses in any of the given subnets. - items: - type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: - type: string - type: array - notPorts: - description: |- - NotPorts is the negated version of the Ports field. - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: |- - NotSelector is the negated version of the Selector field. See Selector field for - subtleties with negated selectors. - type: string - ports: - description: |- - Ports is an optional field that restricts the rule to only apply to traffic that has a - source (destination) port that matches one of these ranges/values. This value is a - list of integers or strings that represent ranges of ports. - - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for\nsample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching\nthe selector will be matched.\n\nNote that: - in addition to the negated version of the Selector (see - NotSelector below), the\nselector expression syntax itself - supports negation. The two types of negation are subtly\ndifferent. - One negates the set of matched endpoints, the other negates - the whole match:\n\n\tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled\n\tendpoints - that do not have the label \"my_label\".\n\n\tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled\n\tendpoints that do have the label - \"my_label\".\n\nThe effect is that the latter will accept - packets from non-Calico sources whereas the\nformer is - limited to packets from Calico-controlled endpoints." - type: string - serviceAccounts: - description: |- - ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or - terminates at) a pod running as a matching service account. - properties: - names: - description: |- - Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates - at) a pod running as a service account whose name is in the list. - items: - type: string - type: array - selector: - description: |- - Selector is an optional field that restricts the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account that matches the given label selector. - If both Names and Selector are specified then they are AND'ed. + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + egress: + items: + properties: + action: + enum: + - Allow + - Deny + - Log + - Pass + type: string + destination: + properties: + domains: + items: type: string - type: object - services: - description: |- - Services is an optional field that contains options for matching Kubernetes Services. - If specified, only traffic that originates from or terminates at endpoints within the selected - service(s) will be matched, and only to/from each endpoint's port. - - Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, - NotNets or ServiceAccounts. - - Ports and NotPorts can only be specified with Services on ingress rules. - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + type: string + nets: + items: type: string - namespace: - description: |- - Namespace specifies the namespace of the given Service. If left empty, the rule - will match within this policy's namespace. + type: array + x-kubernetes-list-type: set + notNets: + items: type: string - type: object - type: object - http: - description: HTTP contains match criteria that apply to HTTP - requests. - properties: - methods: - description: |- - Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed - HTTP Methods (e.g. GET, PUT, etc.) - Multiple methods are OR'd together. - items: + type: array + x-kubernetes-list-type: set + notPorts: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + notSelector: + type: string + ports: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + selector: type: string - type: array - paths: - description: |- - Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed - HTTP Paths. - Multiple paths are OR'd together. - e.g: - - exact: /foo - - prefix: /bar - NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it. - items: - description: |- - HTTPPath specifies an HTTP path to match. It may be either of the form: - exact: : which matches the path exactly or - prefix: : which matches the path prefix + serviceAccounts: properties: - exact: - type: string - prefix: + names: + items: + type: string + type: array + x-kubernetes-list-type: set + selector: type: string type: object - type: array - type: object - icmp: - description: |- - ICMP is an optional field that restricts the rule to apply to a specific type and - code of ICMP traffic. This should only be specified if the Protocol field is set to - "ICMP" or "ICMPv6". - properties: - code: - description: |- - Match on a specific ICMP code. If specified, the Type value must also be specified. - This is a technical limitation imposed by the kernel's iptables firewall, which - Calico uses to enforce the rule. - type: integer - type: - description: |- - Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request - (i.e. pings). - type: integer - type: object - ipVersion: - description: |- - IPVersion is an optional field that restricts the rule to only match a specific IP - version. - type: integer - metadata: - description: Metadata contains additional information for this - rule - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a set of key value pairs that - give extra information about the rule - type: object - type: object - notICMP: - description: NotICMP is the negated version of the ICMP field. - properties: - code: - description: |- - Match on a specific ICMP code. If specified, the Type value must also be specified. - This is a technical limitation imposed by the kernel's iptables firewall, which - Calico uses to enforce the rule. - type: integer - type: - description: |- - Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request - (i.e. pings). - type: integer - type: object - notProtocol: - anyOf: - - type: integer - - type: string - description: NotProtocol is the negated version of the Protocol - field. - pattern: ^.* - x-kubernetes-int-or-string: true - protocol: - anyOf: - - type: integer - - type: string - description: |- - Protocol is an optional field that restricts the rule to only apply to traffic of - a specific IP protocol. Required if any of the EntityRules contain Ports - (because ports only apply to certain protocols). - - Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite" - or an integer in the range 1-255. - pattern: ^.* - x-kubernetes-int-or-string: true - source: - description: Source contains the match criteria that apply to - source entity. - properties: - domains: - description: |- - Domains is an optional field, valid for egress Allow rules only, that restricts the rule - to apply only to traffic to one of the specified domains. If this field is specified, - Action must be Allow, and Nets and Selector must both be left empty. - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is an optional field that contains a selector expression. Only traffic - that originates from (or terminates at) endpoints within the selected namespaces will be - matched. When both NamespaceSelector and another selector are defined on the same rule, then only - workload endpoints that are matched by both selectors will be selected by the rule. - - For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting - only workload endpoints in the same namespace as the NetworkPolicy. - - For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting - only GlobalNetworkSet or HostEndpoint. - - For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces. - type: string - nets: - description: |- - Nets is an optional field that restricts the rule to only apply to traffic that - originates from (or terminates at) IP addresses in any of the given subnets. - items: - type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: - type: string - type: array - notPorts: - description: |- - NotPorts is the negated version of the Ports field. - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: |- - NotSelector is the negated version of the Selector field. See Selector field for - subtleties with negated selectors. - type: string - ports: - description: |- - Ports is an optional field that restricts the rule to only apply to traffic that has a - source (destination) port that matches one of these ranges/values. This value is a - list of integers or strings that represent ranges of ports. - - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for\nsample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching\nthe selector will be matched.\n\nNote that: - in addition to the negated version of the Selector (see - NotSelector below), the\nselector expression syntax itself - supports negation. The two types of negation are subtly\ndifferent. - One negates the set of matched endpoints, the other negates - the whole match:\n\n\tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled\n\tendpoints - that do not have the label \"my_label\".\n\n\tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled\n\tendpoints that do have the label - \"my_label\".\n\nThe effect is that the latter will accept - packets from non-Calico sources whereas the\nformer is - limited to packets from Calico-controlled endpoints." - type: string - serviceAccounts: - description: |- - ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or - terminates at) a pod running as a matching service account. - properties: - names: - description: |- - Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates - at) a pod running as a service account whose name is in the list. - items: + services: + properties: + name: type: string - type: array - selector: - description: |- - Selector is an optional field that restricts the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account that matches the given label selector. - If both Names and Selector are specified then they are AND'ed. + namespace: + type: string + type: object + type: object + http: + properties: + headers: + items: + properties: + header: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - header + - operator + - values + type: object + type: array + x-kubernetes-list-type: atomic + methods: + items: type: string - type: object - services: - description: |- - Services is an optional field that contains options for matching Kubernetes Services. - If specified, only traffic that originates from or terminates at endpoints within the selected - service(s) will be matched, and only to/from each endpoint's port. - - Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, - NotNets or ServiceAccounts. - - Ports and NotPorts can only be specified with Services on ingress rules. - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. + maxItems: 20 + type: array + x-kubernetes-list-type: atomic + paths: + items: + properties: + exact: + maxLength: 1024 + type: string + prefix: + maxLength: 1024 + type: string + type: object + maxItems: 20 + type: array + x-kubernetes-list-type: atomic + type: object + icmp: + properties: + code: + maximum: 255 + minimum: 0 + type: integer + type: + maximum: 254 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: ICMP code specified without an ICMP type + reason: FieldValueInvalid + rule: "!has(self.code) || has(self.type)" + ipVersion: + enum: + - 4 + - 6 + type: integer + metadata: + properties: + annotations: + additionalProperties: type: string - namespace: - description: |- - Namespace specifies the namespace of the given Service. If left empty, the rule - will match within this policy's namespace. + type: object + type: object + notICMP: + properties: + code: + maximum: 255 + minimum: 0 + type: integer + type: + maximum: 254 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: ICMP code specified without an ICMP type + reason: FieldValueInvalid + rule: "!has(self.code) || has(self.type)" + notProtocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + source: + properties: + domains: + items: type: string - type: object - type: object - required: - - action - type: object - type: array - ingress: - description: |- - The ordered set of ingress rules. Each rule contains a set of packet match criteria and - a corresponding action to apply. - items: - description: |- - A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy - and security Profiles reference rules - separated out as a list of rules for both - ingress and egress packet matching. - - Each positive match criteria has a negated version, prefixed with "Not". All the match - criteria within a rule must be satisfied for a packet to match. A single rule can contain - the positive and negative version of a match and both must be satisfied for the rule to match. - properties: - action: - type: string - destination: - description: Destination contains the match criteria that apply - to destination entity. - properties: - domains: - description: |- - Domains is an optional field, valid for egress Allow rules only, that restricts the rule - to apply only to traffic to one of the specified domains. If this field is specified, - Action must be Allow, and Nets and Selector must both be left empty. - items: + type: array + x-kubernetes-list-type: atomic + namespaceSelector: type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is an optional field that contains a selector expression. Only traffic - that originates from (or terminates at) endpoints within the selected namespaces will be - matched. When both NamespaceSelector and another selector are defined on the same rule, then only - workload endpoints that are matched by both selectors will be selected by the rule. - - For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting - only workload endpoints in the same namespace as the NetworkPolicy. - - For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting - only GlobalNetworkSet or HostEndpoint. - - For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces. - type: string - nets: - description: |- - Nets is an optional field that restricts the rule to only apply to traffic that - originates from (or terminates at) IP addresses in any of the given subnets. - items: + nets: + items: + type: string + type: array + x-kubernetes-list-type: set + notNets: + items: + type: string + type: array + x-kubernetes-list-type: set + notPorts: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + notSelector: type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: + ports: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + selector: type: string - type: array - notPorts: - description: |- - NotPorts is the negated version of the Ports field. - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: |- - NotSelector is the negated version of the Selector field. See Selector field for - subtleties with negated selectors. - type: string - ports: - description: |- - Ports is an optional field that restricts the rule to only apply to traffic that has a - source (destination) port that matches one of these ranges/values. This value is a - list of integers or strings that represent ranges of ports. - - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for\nsample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching\nthe selector will be matched.\n\nNote that: - in addition to the negated version of the Selector (see - NotSelector below), the\nselector expression syntax itself - supports negation. The two types of negation are subtly\ndifferent. - One negates the set of matched endpoints, the other negates - the whole match:\n\n\tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled\n\tendpoints - that do not have the label \"my_label\".\n\n\tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled\n\tendpoints that do have the label - \"my_label\".\n\nThe effect is that the latter will accept - packets from non-Calico sources whereas the\nformer is - limited to packets from Calico-controlled endpoints." - type: string - serviceAccounts: - description: |- - ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or - terminates at) a pod running as a matching service account. - properties: - names: - description: |- - Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates - at) a pod running as a service account whose name is in the list. - items: + serviceAccounts: + properties: + names: + items: + type: string + type: array + x-kubernetes-list-type: set + selector: type: string - type: array - selector: - description: |- - Selector is an optional field that restricts the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account that matches the given label selector. - If both Names and Selector are specified then they are AND'ed. + type: object + services: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + required: + - action + type: object + x-kubernetes-validations: + - message: rules with HTTP match must have protocol TCP or unset + reason: FieldValueInvalid + rule: + "!has(self.http) || !has(self.protocol) || self.protocol + == 'TCP' || self.protocol == 6" + - message: HTTP match is only valid on Allow rules + reason: FieldValueForbidden + rule: self.action == 'Allow' || !has(self.http) + - message: ports and notPorts cannot be specified with services + reason: FieldValueForbidden + rule: + "!has(self.destination) || !has(self.destination.services) + || (!has(self.destination.ports) || size(self.destination.ports) + == 0) && (!has(self.destination.notPorts) || size(self.destination.notPorts) + == 0)" + type: array + x-kubernetes-list-type: atomic + ingress: + items: + properties: + action: + enum: + - Allow + - Deny + - Log + - Pass + type: string + destination: + properties: + domains: + items: type: string - type: object - services: - description: |- - Services is an optional field that contains options for matching Kubernetes Services. - If specified, only traffic that originates from or terminates at endpoints within the selected - service(s) will be matched, and only to/from each endpoint's port. - - Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, - NotNets or ServiceAccounts. - - Ports and NotPorts can only be specified with Services on ingress rules. - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + type: string + nets: + items: type: string - namespace: - description: |- - Namespace specifies the namespace of the given Service. If left empty, the rule - will match within this policy's namespace. + type: array + x-kubernetes-list-type: set + notNets: + items: type: string - type: object - type: object - http: - description: HTTP contains match criteria that apply to HTTP - requests. - properties: - methods: - description: |- - Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed - HTTP Methods (e.g. GET, PUT, etc.) - Multiple methods are OR'd together. - items: + type: array + x-kubernetes-list-type: set + notPorts: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + notSelector: + type: string + ports: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + selector: type: string - type: array - paths: - description: |- - Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed - HTTP Paths. - Multiple paths are OR'd together. - e.g: - - exact: /foo - - prefix: /bar - NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it. - items: - description: |- - HTTPPath specifies an HTTP path to match. It may be either of the form: - exact: : which matches the path exactly or - prefix: : which matches the path prefix + serviceAccounts: + properties: + names: + items: + type: string + type: array + x-kubernetes-list-type: set + selector: + type: string + type: object + services: properties: - exact: + name: type: string - prefix: + namespace: type: string type: object - type: array - type: object - icmp: - description: |- - ICMP is an optional field that restricts the rule to apply to a specific type and - code of ICMP traffic. This should only be specified if the Protocol field is set to - "ICMP" or "ICMPv6". - properties: - code: - description: |- - Match on a specific ICMP code. If specified, the Type value must also be specified. - This is a technical limitation imposed by the kernel's iptables firewall, which - Calico uses to enforce the rule. - type: integer - type: - description: |- - Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request - (i.e. pings). - type: integer - type: object - ipVersion: - description: |- - IPVersion is an optional field that restricts the rule to only match a specific IP - version. - type: integer - metadata: - description: Metadata contains additional information for this - rule - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a set of key value pairs that - give extra information about the rule - type: object - type: object - notICMP: - description: NotICMP is the negated version of the ICMP field. - properties: - code: - description: |- - Match on a specific ICMP code. If specified, the Type value must also be specified. - This is a technical limitation imposed by the kernel's iptables firewall, which - Calico uses to enforce the rule. - type: integer - type: - description: |- - Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request - (i.e. pings). - type: integer - type: object - notProtocol: - anyOf: - - type: integer - - type: string - description: NotProtocol is the negated version of the Protocol - field. - pattern: ^.* - x-kubernetes-int-or-string: true - protocol: - anyOf: - - type: integer - - type: string - description: |- - Protocol is an optional field that restricts the rule to only apply to traffic of - a specific IP protocol. Required if any of the EntityRules contain Ports - (because ports only apply to certain protocols). - - Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite" - or an integer in the range 1-255. - pattern: ^.* - x-kubernetes-int-or-string: true - source: - description: Source contains the match criteria that apply to - source entity. - properties: - domains: - description: |- - Domains is an optional field, valid for egress Allow rules only, that restricts the rule - to apply only to traffic to one of the specified domains. If this field is specified, - Action must be Allow, and Nets and Selector must both be left empty. - items: + type: object + http: + properties: + headers: + items: + properties: + header: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - header + - operator + - values + type: object + type: array + x-kubernetes-list-type: atomic + methods: + items: + type: string + maxItems: 20 + type: array + x-kubernetes-list-type: atomic + paths: + items: + properties: + exact: + maxLength: 1024 + type: string + prefix: + maxLength: 1024 + type: string + type: object + maxItems: 20 + type: array + x-kubernetes-list-type: atomic + type: object + icmp: + properties: + code: + maximum: 255 + minimum: 0 + type: integer + type: + maximum: 254 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: ICMP code specified without an ICMP type + reason: FieldValueInvalid + rule: "!has(self.code) || has(self.type)" + ipVersion: + enum: + - 4 + - 6 + type: integer + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + type: object + notICMP: + properties: + code: + maximum: 255 + minimum: 0 + type: integer + type: + maximum: 254 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: ICMP code specified without an ICMP type + reason: FieldValueInvalid + rule: "!has(self.code) || has(self.type)" + notProtocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + source: + properties: + domains: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is an optional field that contains a selector expression. Only traffic - that originates from (or terminates at) endpoints within the selected namespaces will be - matched. When both NamespaceSelector and another selector are defined on the same rule, then only - workload endpoints that are matched by both selectors will be selected by the rule. - - For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting - only workload endpoints in the same namespace as the NetworkPolicy. - - For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting - only GlobalNetworkSet or HostEndpoint. - - For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces. - type: string - nets: - description: |- - Nets is an optional field that restricts the rule to only apply to traffic that - originates from (or terminates at) IP addresses in any of the given subnets. - items: + nets: + items: + type: string + type: array + x-kubernetes-list-type: set + notNets: + items: + type: string + type: array + x-kubernetes-list-type: set + notPorts: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + notSelector: type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: + ports: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + selector: type: string - type: array - notPorts: - description: |- - NotPorts is the negated version of the Ports field. - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: |- - NotSelector is the negated version of the Selector field. See Selector field for - subtleties with negated selectors. - type: string - ports: - description: |- - Ports is an optional field that restricts the rule to only apply to traffic that has a - source (destination) port that matches one of these ranges/values. This value is a - list of integers or strings that represent ranges of ports. - - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for\nsample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching\nthe selector will be matched.\n\nNote that: - in addition to the negated version of the Selector (see - NotSelector below), the\nselector expression syntax itself - supports negation. The two types of negation are subtly\ndifferent. - One negates the set of matched endpoints, the other negates - the whole match:\n\n\tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled\n\tendpoints - that do not have the label \"my_label\".\n\n\tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled\n\tendpoints that do have the label - \"my_label\".\n\nThe effect is that the latter will accept - packets from non-Calico sources whereas the\nformer is - limited to packets from Calico-controlled endpoints." - type: string - serviceAccounts: - description: |- - ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or - terminates at) a pod running as a matching service account. - properties: - names: - description: |- - Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates - at) a pod running as a service account whose name is in the list. - items: + serviceAccounts: + properties: + names: + items: + type: string + type: array + x-kubernetes-list-type: set + selector: type: string - type: array - selector: - description: |- - Selector is an optional field that restricts the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account that matches the given label selector. - If both Names and Selector are specified then they are AND'ed. - type: string - type: object - services: - description: |- - Services is an optional field that contains options for matching Kubernetes Services. - If specified, only traffic that originates from or terminates at endpoints within the selected - service(s) will be matched, and only to/from each endpoint's port. - - Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, - NotNets or ServiceAccounts. - - Ports and NotPorts can only be specified with Services on ingress rules. - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. - type: string - namespace: - description: |- - Namespace specifies the namespace of the given Service. If left empty, the rule - will match within this policy's namespace. - type: string - type: object - type: object - required: - - action - type: object - type: array - order: - description: |- - Order is an optional field that specifies the order in which the policy is applied. - Policies with higher "order" are applied after those with lower - order within the same tier. If the order is omitted, it may be considered to be "infinite" - i.e. the - policy will be applied last. Policies with identical order will be applied in - alphanumerical order based on the Policy "Name" within the tier. - type: number - performanceHints: - description: |- - PerformanceHints contains a list of hints to Calico's policy engine to - help process the policy more efficiently. Hints never change the - enforcement behaviour of the policy. - - Currently, the only available hint is "AssumeNeededOnEveryNode". When - that hint is set on a policy, Felix will act as if the policy matches - a local endpoint even if it does not. This is useful for "preloading" - any large static policies that are known to be used on every node. - If the policy is _not_ used on a particular node then the work - done to preload the policy (and to maintain it) is wasted. - items: + type: object + services: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + required: + - action + type: object + x-kubernetes-validations: + - message: rules with HTTP match must have protocol TCP or unset + reason: FieldValueInvalid + rule: + "!has(self.http) || !has(self.protocol) || self.protocol + == 'TCP' || self.protocol == 6" + - message: HTTP match is only valid on Allow rules + reason: FieldValueForbidden + rule: self.action == 'Allow' || !has(self.http) + - message: ports and notPorts cannot be specified with services + reason: FieldValueForbidden + rule: + "!has(self.destination) || !has(self.destination.services) + || (!has(self.destination.ports) || size(self.destination.ports) + == 0) && (!has(self.destination.notPorts) || size(self.destination.notPorts) + == 0)" + type: array + x-kubernetes-list-type: atomic + order: + type: number + performanceHints: + items: + enum: + - AssumeNeededOnEveryNode + type: string + type: array + x-kubernetes-list-type: set + selector: + type: string + serviceAccountSelector: type: string - type: array - selector: - description: "The selector is an expression used to pick out the endpoints - that the policy should\nbe applied to.\n\nSelector expressions follow - this syntax:\n\n\tlabel == \"string_literal\" -> comparison, e.g. - my_label == \"foo bar\"\n\tlabel != \"string_literal\" -> not - equal; also matches if label is not present\n\tlabel in { \"a\", - \"b\", \"c\", ... } -> true if the value of label X is one of - \"a\", \"b\", \"c\"\n\tlabel not in { \"a\", \"b\", \"c\", ... } - \ -> true if the value of label X is not one of \"a\", \"b\", \"c\"\n\thas(label_name) - \ -> True if that label is present\n\t! expr -> negation of expr\n\texpr - && expr -> Short-circuit and\n\texpr || expr -> Short-circuit - or\n\t( expr ) -> parens for grouping\n\tall() or the empty selector - -> matches all endpoints.\n\nLabel names are allowed to contain - alphanumerics, -, _ and /. String literals are more permissive\nbut - they do not support escape characters.\n\nExamples (with made-up - labels):\n\n\ttype == \"webserver\" && deployment == \"prod\"\n\ttype - in {\"frontend\", \"backend\"}\n\tdeployment != \"dev\"\n\t! has(label_name)" - type: string - serviceAccountSelector: - description: ServiceAccountSelector is an optional field for an expression - used to select a pod based on service accounts. - type: string - tier: - description: |- - The name of the tier that this policy belongs to. If this is omitted, the default - tier (name is "default") is assumed. The specified tier must exist in order to create - security policies within the tier, the "default" tier is created automatically if it - does not exist, this means for deployments requiring only a single Tier, the tier name - may be omitted on all policy management requests. - type: string - types: - description: |- - Types indicates whether this policy applies to ingress, or to egress, or to both. When - not explicitly specified (and so the value on creation is empty or nil), Calico defaults - Types according to what Ingress and Egress are present in the policy. The - default is: - - - [ PolicyTypeIngress ], if there are no Egress rules (including the case where there are - also no Ingress rules) - - - [ PolicyTypeEgress ], if there are Egress rules but no Ingress rules - - - [ PolicyTypeIngress, PolicyTypeEgress ], if there are both Ingress and Egress rules. - - When the policy is read back again, Types will always be one of these values, never empty - or nil. - items: - description: PolicyType enumerates the possible values of the PolicySpec - Types field. + tier: + default: default type: string - type: array - type: object - type: object - served: true - storage: true + types: + items: + enum: + - Ingress + - Egress + type: string + maxItems: 2 + minItems: 1 + type: array + x-kubernetes-list-type: set + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/enterprise/crd.projectcalico.org_networksets.yaml b/pkg/crds/enterprise/crd.projectcalico.org_networksets.yaml index 5efde852ec..8192a50ae3 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_networksets.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_networksets.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: networksets.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,47 +14,29 @@ spec: preserveUnknownFields: false scope: Namespaced versions: - - name: v1 - schema: - openAPIV3Schema: - description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: NetworkSetSpec contains the specification for a NetworkSet - resource. - properties: - allowedEgressDomains: - description: |- - The list of domain names that belong to this set and are honored in egress allow rules - only. Domain names specified here only work to allow egress traffic from the cluster to - external destinations. They don't work to _deny_ traffic to destinations specified by - domain name, or to allow ingress traffic from _sources_ specified by domain name. - items: - type: string - type: array - nets: - description: The list of IP networks that belong to this set. - items: - type: string - type: array - type: object - type: object - served: true - storage: true + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + allowedEgressDomains: + items: + type: string + type: array + x-kubernetes-list-type: atomic + nets: + items: + type: string + type: array + x-kubernetes-list-type: set + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/enterprise/crd.projectcalico.org_packetcaptures.yaml b/pkg/crds/enterprise/crd.projectcalico.org_packetcaptures.yaml index 8100106cf2..94dc2307b1 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_packetcaptures.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_packetcaptures.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: packetcaptures.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,141 +14,75 @@ spec: preserveUnknownFields: false scope: Namespaced versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: PacketCaptureSpec contains the values of the packet capture. - properties: - endTime: - description: |- - Defines the end time at which this PacketCapture will stop capturing packets. - If omitted the capture will continue indefinitely. - If the value is changed to the past, capture will stop immediately. - format: date-time - type: string - filters: - description: |- - The ordered set of filters applied to traffic captured from an interface. Each rule contains a set of - packet match criteria. - items: - description: A PacketCaptureRule encapsulates a set of match criteria - for traffic captured from an interface. - properties: - ports: - description: |- - Ports is an optional field that defines a filter for all traffic that has a - source or destination port that matches one of these ranges/values. This value is a - list of integers or strings that represent ranges of ports. - items: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + endTime: + format: date-time + type: string + filters: + items: + properties: + ports: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + protocol: anyOf: - - type: integer - - type: string + - type: integer + - type: string pattern: ^.* x-kubernetes-int-or-string: true - type: array - protocol: - anyOf: - - type: integer - - type: string - description: |- - Protocol is an optional field that defines a filter for all traffic for - a specific IP protocol. - - Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite" - or an integer in the range 1-255. - pattern: ^.* - x-kubernetes-int-or-string: true - type: object - type: array - selector: - default: all() - description: "The selector is an expression used to pick out the endpoints - that the policy should\nbe applied to. The selector will only match - endpoints in the same namespace as the\nPacketCapture resource.\n\nSelector - expressions follow this syntax:\n\n\tlabel == \"string_literal\" - \ -> comparison, e.g. my_label == \"foo bar\"\n\tlabel != \"string_literal\" - \ -> not equal; also matches if label is not present\n\tlabel - in { \"a\", \"b\", \"c\", ... } -> true if the value of label - X is one of \"a\", \"b\", \"c\"\n\tlabel not in { \"a\", \"b\", - \"c\", ... } -> true if the value of label X is not one of \"a\", - \"b\", \"c\"\n\thas(label_name) -> True if that label is present\n\t! - expr -> negation of expr\n\texpr && expr -> Short-circuit and\n\texpr - || expr -> Short-circuit or\n\t( expr ) -> parens for grouping\n\tall() - -> matches all endpoints.\n\tan empty selector will default to all\n\nLabel - names are allowed to contain alphanumerics, -, _ and /. String literals - are more permissive\nbut they do not support escape characters.\n\nExamples - (with made-up labels):\n\n\ttype == \"webserver\" && deployment - == \"prod\"\n\ttype in {\"frontend\", \"backend\"}\n\tdeployment - != \"dev\"\n\t! has(label_name)" - type: string - startTime: - description: |- - Defines the start time from which this PacketCapture will capture packets. - If omitted or the value is in the past, the capture will start immediately. - If the value is changed to a future time, capture will stop immediately and restart at that time - format: date-time - type: string - type: object - status: - description: |- - PacketCaptureStatus describes the files that have been captured, for a given PacketCapture, on each node - that generates packet capture files - properties: - files: - items: - description: |- - PacketCaptureFile describes files generated by a PacketCapture. It describes the location of the packet capture files - that is identified via a node, its directory and the file names generated. - properties: - directory: - description: Directory represents the path inside the calico-node - container for the the generated files - type: string - fileNames: - description: |- - FileNames represents the name of the generated file for a PacketCapture ordered alphanumerically. - The active packet capture file will be identified using the following schema: - "{workload endpoint name}_{host network interface}.pcap" . - Rotated capture files name will contain an index matching the rotation timestamp. - items: + type: object + type: array + x-kubernetes-list-type: atomic + selector: + default: all() + type: string + startTime: + format: date-time + type: string + type: object + status: + properties: + files: + items: + properties: + directory: type: string - type: array - node: - description: Node identifies with a physical node from the cluster - via its hostname - type: string - state: - description: PacketCaptureState represents the state of the - PacketCapture - enum: - - Capturing - - Finished - - Scheduled - - Error - - WaitingForTraffic - type: string - type: object - type: array - type: object - type: object - served: true - storage: true + fileNames: + items: + type: string + type: array + x-kubernetes-list-type: atomic + node: + type: string + state: + enum: + - Capturing + - Finished + - Scheduled + - Error + - WaitingForTraffic + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/enterprise/crd.projectcalico.org_policyrecommendationscopes.yaml b/pkg/crds/enterprise/crd.projectcalico.org_policyrecommendationscopes.yaml index cba469191f..8bc19b0102 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_policyrecommendationscopes.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_policyrecommendationscopes.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: policyrecommendationscopes.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,108 +14,64 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - initialLookback: - description: |- - How far back to look in flow logs when first creating a recommended policy. - [Default: 24h] - type: string - interval: - description: |- - How frequently to run the recommendation engine to create and refine recommended policies. - [Default: 150s] - type: string - maxRules: - description: |- - The maximum number of rules that are permitted in the ingress or egress set. For egress rules, - any egress domain rules will be simplified by contracting all domains into a single egress - domain NetworkSet. If the number of rules exceeds this limit, the recommendation engine will - treat this as an error condition. - [Default: 20] - type: integer - namespaceSpec: - description: The namespace spec contains the namespace relative recommendation - vars. - properties: - intraNamespacePassThroughTraffic: - description: |- - Pass intra-namespace traffic. - [Default: false] - type: boolean - recStatus: - description: Recommendation status. One of Enabled, Disabled. - type: string - selector: - description: |- - The namespace selector is an expression used to pick out the namespaces that the policy - recommendation engine should create policies for. The syntax is the same as the - NetworkPolicy.projectcalico.org resource selectors. - type: string - tierName: - description: |- - The name of the policy recommendation tier for namespace-isolated policies. - [Default: "namespace-isolation"] - type: string - required: - - selector - type: object - policiesLearningCutOff: - description: |- - The number of staged policies that are actively learning at any one time, after which the - policy recommendation engine will stop adding new recommendations. - [Default: 20] - type: integer - stabilizationPeriod: - description: |- - StabilizationPeriod is the amount of time a recommended policy should remain unchanged to be - deemed stable and ready to be enforced. - [Default: 10m] - type: string - type: object - status: - properties: - conditions: - items: - description: Condition contains various status information + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + initialLookback: + type: string + interval: + type: string + maxRules: + type: integer + namespaceSpec: properties: - message: + intraNamespacePassThroughTraffic: + type: boolean + recStatus: type: string - reason: + selector: type: string - status: - type: string - type: + tierName: type: string required: - - status - - type + - selector type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} + policiesLearningCutOff: + type: integer + stabilizationPeriod: + type: string + type: object + status: + properties: + conditions: + items: + properties: + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/pkg/crds/enterprise/crd.projectcalico.org_remoteclusterconfigurations.yaml b/pkg/crds/enterprise/crd.projectcalico.org_remoteclusterconfigurations.yaml index a746fd2a74..325f95d920 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_remoteclusterconfigurations.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_remoteclusterconfigurations.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: remoteclusterconfigurations.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,161 +14,81 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: RemoteClusterConfigurationSpec contains the values of describing - the cluster. - properties: - clusterAccessSecret: - description: |- - Specifies a Secret to read for the RemoteClusterconfiguration. - If defined all datastore configuration in this struct will be cleared - and overwritten with the appropriate fields in the Secret. - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: |- - If referring to a piece of an object instead of an entire object, this string - should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within a pod, this would take on a value like: - "spec.containers{name}" (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined way of - referencing a part of an object. - type: string - kind: - description: |- - Kind of the referent. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - name: - description: |- - Name of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - namespace: - description: |- - Namespace of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ - type: string - resourceVersion: - description: |- - Specific resourceVersion to which this reference is made, if any. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency - type: string - uid: - description: |- - UID of the referent. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids - type: string - type: object - x-kubernetes-map-type: atomic - datastoreType: - description: Indicates the datastore to use. If unspecified, defaults - to etcdv3 - type: string - etcdCACert: - type: string - etcdCACertFile: - description: Path to the etcd Certificate Authority file. Valid if - DatastoreType is etcdv3. - type: string - etcdCert: - type: string - etcdCertFile: - description: Path to the etcd client certificate. Valid if DatastoreType - is etcdv3. - type: string - etcdEndpoints: - description: 'A comma separated list of etcd endpoints. Valid if DatastoreType - is etcdv3. [Default: ]' - type: string - etcdKey: - description: These config file parameters are to support inline certificates, - keys and CA / Trusted certificate. - type: string - etcdKeyFile: - description: Path to the etcd key file. Valid if DatastoreType is - etcdv3. - type: string - etcdPassword: - description: Password for the given user name. Valid if DatastoreType - is etcdv3. - type: string - etcdUsername: - description: User name for RBAC. Valid if DatastoreType is etcdv3. - type: string - k8sAPIEndpoint: - description: Location of the Kubernetes API. Not required if using - kubeconfig. Valid if DatastoreType is kubernetes. - type: string - k8sAPIToken: - description: Token to be used for accessing the Kubernetes API. Valid - if DatastoreType is kubernetes. - type: string - k8sCAFile: - description: Location of a CA for accessing the Kubernetes API. Valid - if DatastoreType is kubernetes. - type: string - k8sCertFile: - description: Location of a client certificate for accessing the Kubernetes - API. Valid if DatastoreType is kubernetes. - type: string - k8sInsecureSkipTLSVerify: - type: boolean - k8sKeyFile: - description: Location of a client key for accessing the Kubernetes - API. Valid if DatastoreType is kubernetes. - type: string - kubeconfig: - description: When using the Kubernetes datastore, the location of - a kubeconfig file. Valid if DatastoreType is kubernetes. - type: string - kubeconfigInline: - description: |- - This is an alternative to Kubeconfig and if specified overrides Kubeconfig. - This contains the contents that would normally be in the file pointed at by Kubeconfig. - type: string - syncOptions: - default: - overlayRoutingMode: Disabled - description: |- - Configuration options that do not relate to the underlying datastore connection. These fields relate to the - syncing of resources once the connection is established. These fields can be set independent of the other - connection-oriented fields, e.g. they can be set when ClusterAccessSecret is non-nil. - properties: - overlayRoutingMode: - default: Disabled - description: |- - Determines whether overlay routing will be established between federated clusters. If unspecified during create or - update of RemoteClusterConfiguration, this field will default based on the encapsulation mode of the local cluster - at the time of RemoteClusterConfiguration application: "Enabled" if VXLAN, "Disabled" otherwise. If upgrading from - a version that predates this field, this field will default to "Disabled". - type: string - type: object - type: object - type: object - served: true - storage: true + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + clusterAccessSecret: + properties: + apiVersion: + type: string + fieldPath: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + resourceVersion: + type: string + uid: + type: string + type: object + x-kubernetes-map-type: atomic + datastoreType: + type: string + etcdCACert: + type: string + etcdCACertFile: + type: string + etcdCert: + type: string + etcdCertFile: + type: string + etcdEndpoints: + type: string + etcdKey: + type: string + etcdKeyFile: + type: string + etcdPassword: + type: string + etcdUsername: + type: string + k8sAPIEndpoint: + type: string + k8sAPIToken: + type: string + k8sCAFile: + type: string + k8sCertFile: + type: string + k8sInsecureSkipTLSVerify: + type: boolean + k8sKeyFile: + type: string + kubeconfig: + type: string + kubeconfigInline: + type: string + syncOptions: + default: + overlayRoutingMode: Disabled + properties: + overlayRoutingMode: + default: Disabled + type: string + type: object + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/enterprise/crd.projectcalico.org_securityeventwebhooks.yaml b/pkg/crds/enterprise/crd.projectcalico.org_securityeventwebhooks.yaml index 58c3208af9..2e4d7bc907 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_securityeventwebhooks.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_securityeventwebhooks.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: securityeventwebhooks.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,166 +14,107 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - config: - description: contains the SecurityEventWebhook's configuration associated - with the intended Consumer - items: - properties: - name: - type: string - value: - type: string - valueFrom: - properties: - configMapKeyRef: - description: Selects a key from a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: SecretKeySelector selects a key of a Secret. - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - consumer: - description: 'indicates the SecurityEventWebhook intended consumer, - one of: Slack, Jira, Generic, AlertManager' - type: string - query: - description: defines the SecurityEventWebhook query to be executed - against fields of SecurityEvents - type: string - state: - description: 'defines the webhook desired state, one of: Enabled, - Disabled, Test or Debug' - type: string - required: - - config - - consumer - - query - - state - type: object - status: - items: - description: Condition contains details for one aspect of the current - state of this API Resource. + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + config: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + x-kubernetes-list-type: atomic + consumer: type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown + query: type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + state: type: string required: - - lastTransitionTime - - message - - reason - - status - - type + - config + - consumer + - query + - state type: object - type: array - type: object - served: true - storage: true + status: + items: + properties: + lastTransitionTime: + format: date-time + type: string + message: + maxLength: 32768 + type: string + observedGeneration: + format: int64 + minimum: 0 + type: integer + reason: + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + enum: + - "True" + - "False" + - Unknown + type: string + type: + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + type: object + served: true + storage: true diff --git a/pkg/crds/enterprise/crd.projectcalico.org_stagedglobalnetworkpolicies.yaml b/pkg/crds/enterprise/crd.projectcalico.org_stagedglobalnetworkpolicies.yaml index 30aad5d266..bf9b24f4d2 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_stagedglobalnetworkpolicies.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_stagedglobalnetworkpolicies.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: stagedglobalnetworkpolicies.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,904 +14,572 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - applyOnForward: - description: ApplyOnForward indicates to apply the rules in this policy - on forward traffic. - type: boolean - doNotTrack: - description: |- - DoNotTrack indicates whether packets matched by the rules in this policy should go through - the data plane's connection tracking, such as Linux conntrack. If True, the rules in - this policy are applied before any data plane connection tracking, and packets allowed by - this policy are marked as not to be tracked. - type: boolean - egress: - description: |- - The ordered set of egress rules. Each rule contains a set of packet match criteria and - a corresponding action to apply. - items: - description: |- - A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy - and security Profiles reference rules - separated out as a list of rules for both - ingress and egress packet matching. - - Each positive match criteria has a negated version, prefixed with "Not". All the match - criteria within a rule must be satisfied for a packet to match. A single rule can contain - the positive and negative version of a match and both must be satisfied for the rule to match. - properties: - action: - type: string - destination: - description: Destination contains the match criteria that apply - to destination entity. - properties: - domains: - description: |- - Domains is an optional field, valid for egress Allow rules only, that restricts the rule - to apply only to traffic to one of the specified domains. If this field is specified, - Action must be Allow, and Nets and Selector must both be left empty. - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is an optional field that contains a selector expression. Only traffic - that originates from (or terminates at) endpoints within the selected namespaces will be - matched. When both NamespaceSelector and another selector are defined on the same rule, then only - workload endpoints that are matched by both selectors will be selected by the rule. - - For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting - only workload endpoints in the same namespace as the NetworkPolicy. - - For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting - only GlobalNetworkSet or HostEndpoint. - - For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces. - type: string - nets: - description: |- - Nets is an optional field that restricts the rule to only apply to traffic that - originates from (or terminates at) IP addresses in any of the given subnets. - items: - type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: - type: string - type: array - notPorts: - description: |- - NotPorts is the negated version of the Ports field. - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: |- - NotSelector is the negated version of the Selector field. See Selector field for - subtleties with negated selectors. - type: string - ports: - description: |- - Ports is an optional field that restricts the rule to only apply to traffic that has a - source (destination) port that matches one of these ranges/values. This value is a - list of integers or strings that represent ranges of ports. - - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for\nsample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching\nthe selector will be matched.\n\nNote that: - in addition to the negated version of the Selector (see - NotSelector below), the\nselector expression syntax itself - supports negation. The two types of negation are subtly\ndifferent. - One negates the set of matched endpoints, the other negates - the whole match:\n\n\tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled\n\tendpoints - that do not have the label \"my_label\".\n\n\tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled\n\tendpoints that do have the label - \"my_label\".\n\nThe effect is that the latter will accept - packets from non-Calico sources whereas the\nformer is - limited to packets from Calico-controlled endpoints." - type: string - serviceAccounts: - description: |- - ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or - terminates at) a pod running as a matching service account. - properties: - names: - description: |- - Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates - at) a pod running as a service account whose name is in the list. - items: - type: string - type: array - selector: - description: |- - Selector is an optional field that restricts the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account that matches the given label selector. - If both Names and Selector are specified then they are AND'ed. + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + applyOnForward: + type: boolean + doNotTrack: + type: boolean + egress: + items: + properties: + action: + enum: + - Allow + - Deny + - Log + - Pass + type: string + destination: + properties: + domains: + items: type: string - type: object - services: - description: |- - Services is an optional field that contains options for matching Kubernetes Services. - If specified, only traffic that originates from or terminates at endpoints within the selected - service(s) will be matched, and only to/from each endpoint's port. - - Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, - NotNets or ServiceAccounts. - - Ports and NotPorts can only be specified with Services on ingress rules. - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + type: string + nets: + items: type: string - namespace: - description: |- - Namespace specifies the namespace of the given Service. If left empty, the rule - will match within this policy's namespace. + type: array + x-kubernetes-list-type: set + notNets: + items: type: string - type: object - type: object - http: - description: HTTP contains match criteria that apply to HTTP - requests. - properties: - methods: - description: |- - Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed - HTTP Methods (e.g. GET, PUT, etc.) - Multiple methods are OR'd together. - items: + type: array + x-kubernetes-list-type: set + notPorts: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + notSelector: + type: string + ports: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + selector: type: string - type: array - paths: - description: |- - Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed - HTTP Paths. - Multiple paths are OR'd together. - e.g: - - exact: /foo - - prefix: /bar - NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it. - items: - description: |- - HTTPPath specifies an HTTP path to match. It may be either of the form: - exact: : which matches the path exactly or - prefix: : which matches the path prefix + serviceAccounts: properties: - exact: - type: string - prefix: + names: + items: + type: string + type: array + x-kubernetes-list-type: set + selector: type: string type: object - type: array - type: object - icmp: - description: |- - ICMP is an optional field that restricts the rule to apply to a specific type and - code of ICMP traffic. This should only be specified if the Protocol field is set to - "ICMP" or "ICMPv6". - properties: - code: - description: |- - Match on a specific ICMP code. If specified, the Type value must also be specified. - This is a technical limitation imposed by the kernel's iptables firewall, which - Calico uses to enforce the rule. - type: integer - type: - description: |- - Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request - (i.e. pings). - type: integer - type: object - ipVersion: - description: |- - IPVersion is an optional field that restricts the rule to only match a specific IP - version. - type: integer - metadata: - description: Metadata contains additional information for this - rule - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a set of key value pairs that - give extra information about the rule - type: object - type: object - notICMP: - description: NotICMP is the negated version of the ICMP field. - properties: - code: - description: |- - Match on a specific ICMP code. If specified, the Type value must also be specified. - This is a technical limitation imposed by the kernel's iptables firewall, which - Calico uses to enforce the rule. - type: integer - type: - description: |- - Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request - (i.e. pings). - type: integer - type: object - notProtocol: - anyOf: - - type: integer - - type: string - description: NotProtocol is the negated version of the Protocol - field. - pattern: ^.* - x-kubernetes-int-or-string: true - protocol: - anyOf: - - type: integer - - type: string - description: |- - Protocol is an optional field that restricts the rule to only apply to traffic of - a specific IP protocol. Required if any of the EntityRules contain Ports - (because ports only apply to certain protocols). - - Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite" - or an integer in the range 1-255. - pattern: ^.* - x-kubernetes-int-or-string: true - source: - description: Source contains the match criteria that apply to - source entity. - properties: - domains: - description: |- - Domains is an optional field, valid for egress Allow rules only, that restricts the rule - to apply only to traffic to one of the specified domains. If this field is specified, - Action must be Allow, and Nets and Selector must both be left empty. - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is an optional field that contains a selector expression. Only traffic - that originates from (or terminates at) endpoints within the selected namespaces will be - matched. When both NamespaceSelector and another selector are defined on the same rule, then only - workload endpoints that are matched by both selectors will be selected by the rule. - - For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting - only workload endpoints in the same namespace as the NetworkPolicy. - - For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting - only GlobalNetworkSet or HostEndpoint. - - For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces. - type: string - nets: - description: |- - Nets is an optional field that restricts the rule to only apply to traffic that - originates from (or terminates at) IP addresses in any of the given subnets. - items: - type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: - type: string - type: array - notPorts: - description: |- - NotPorts is the negated version of the Ports field. - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: |- - NotSelector is the negated version of the Selector field. See Selector field for - subtleties with negated selectors. - type: string - ports: - description: |- - Ports is an optional field that restricts the rule to only apply to traffic that has a - source (destination) port that matches one of these ranges/values. This value is a - list of integers or strings that represent ranges of ports. - - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for\nsample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching\nthe selector will be matched.\n\nNote that: - in addition to the negated version of the Selector (see - NotSelector below), the\nselector expression syntax itself - supports negation. The two types of negation are subtly\ndifferent. - One negates the set of matched endpoints, the other negates - the whole match:\n\n\tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled\n\tendpoints - that do not have the label \"my_label\".\n\n\tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled\n\tendpoints that do have the label - \"my_label\".\n\nThe effect is that the latter will accept - packets from non-Calico sources whereas the\nformer is - limited to packets from Calico-controlled endpoints." - type: string - serviceAccounts: - description: |- - ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or - terminates at) a pod running as a matching service account. - properties: - names: - description: |- - Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates - at) a pod running as a service account whose name is in the list. - items: + services: + properties: + name: type: string - type: array - selector: - description: |- - Selector is an optional field that restricts the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account that matches the given label selector. - If both Names and Selector are specified then they are AND'ed. + namespace: + type: string + type: object + type: object + http: + properties: + headers: + items: + properties: + header: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - header + - operator + - values + type: object + type: array + x-kubernetes-list-type: atomic + methods: + items: type: string - type: object - services: - description: |- - Services is an optional field that contains options for matching Kubernetes Services. - If specified, only traffic that originates from or terminates at endpoints within the selected - service(s) will be matched, and only to/from each endpoint's port. - - Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, - NotNets or ServiceAccounts. - - Ports and NotPorts can only be specified with Services on ingress rules. - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. + maxItems: 20 + type: array + x-kubernetes-list-type: atomic + paths: + items: + properties: + exact: + maxLength: 1024 + type: string + prefix: + maxLength: 1024 + type: string + type: object + maxItems: 20 + type: array + x-kubernetes-list-type: atomic + type: object + icmp: + properties: + code: + maximum: 255 + minimum: 0 + type: integer + type: + maximum: 254 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: ICMP code specified without an ICMP type + reason: FieldValueInvalid + rule: "!has(self.code) || has(self.type)" + ipVersion: + enum: + - 4 + - 6 + type: integer + metadata: + properties: + annotations: + additionalProperties: type: string - namespace: - description: |- - Namespace specifies the namespace of the given Service. If left empty, the rule - will match within this policy's namespace. + type: object + type: object + notICMP: + properties: + code: + maximum: 255 + minimum: 0 + type: integer + type: + maximum: 254 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: ICMP code specified without an ICMP type + reason: FieldValueInvalid + rule: "!has(self.code) || has(self.type)" + notProtocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + source: + properties: + domains: + items: type: string - type: object - type: object - required: - - action - type: object - type: array - ingress: - description: |- - The ordered set of ingress rules. Each rule contains a set of packet match criteria and - a corresponding action to apply. - items: - description: |- - A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy - and security Profiles reference rules - separated out as a list of rules for both - ingress and egress packet matching. - - Each positive match criteria has a negated version, prefixed with "Not". All the match - criteria within a rule must be satisfied for a packet to match. A single rule can contain - the positive and negative version of a match and both must be satisfied for the rule to match. - properties: - action: - type: string - destination: - description: Destination contains the match criteria that apply - to destination entity. - properties: - domains: - description: |- - Domains is an optional field, valid for egress Allow rules only, that restricts the rule - to apply only to traffic to one of the specified domains. If this field is specified, - Action must be Allow, and Nets and Selector must both be left empty. - items: + type: array + x-kubernetes-list-type: atomic + namespaceSelector: type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is an optional field that contains a selector expression. Only traffic - that originates from (or terminates at) endpoints within the selected namespaces will be - matched. When both NamespaceSelector and another selector are defined on the same rule, then only - workload endpoints that are matched by both selectors will be selected by the rule. - - For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting - only workload endpoints in the same namespace as the NetworkPolicy. - - For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting - only GlobalNetworkSet or HostEndpoint. - - For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces. - type: string - nets: - description: |- - Nets is an optional field that restricts the rule to only apply to traffic that - originates from (or terminates at) IP addresses in any of the given subnets. - items: + nets: + items: + type: string + type: array + x-kubernetes-list-type: set + notNets: + items: + type: string + type: array + x-kubernetes-list-type: set + notPorts: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + notSelector: type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: + ports: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + selector: type: string - type: array - notPorts: - description: |- - NotPorts is the negated version of the Ports field. - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: |- - NotSelector is the negated version of the Selector field. See Selector field for - subtleties with negated selectors. - type: string - ports: - description: |- - Ports is an optional field that restricts the rule to only apply to traffic that has a - source (destination) port that matches one of these ranges/values. This value is a - list of integers or strings that represent ranges of ports. - - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for\nsample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching\nthe selector will be matched.\n\nNote that: - in addition to the negated version of the Selector (see - NotSelector below), the\nselector expression syntax itself - supports negation. The two types of negation are subtly\ndifferent. - One negates the set of matched endpoints, the other negates - the whole match:\n\n\tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled\n\tendpoints - that do not have the label \"my_label\".\n\n\tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled\n\tendpoints that do have the label - \"my_label\".\n\nThe effect is that the latter will accept - packets from non-Calico sources whereas the\nformer is - limited to packets from Calico-controlled endpoints." - type: string - serviceAccounts: - description: |- - ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or - terminates at) a pod running as a matching service account. - properties: - names: - description: |- - Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates - at) a pod running as a service account whose name is in the list. - items: + serviceAccounts: + properties: + names: + items: + type: string + type: array + x-kubernetes-list-type: set + selector: type: string - type: array - selector: - description: |- - Selector is an optional field that restricts the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account that matches the given label selector. - If both Names and Selector are specified then they are AND'ed. + type: object + services: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + required: + - action + type: object + x-kubernetes-validations: + - message: rules with HTTP match must have protocol TCP or unset + reason: FieldValueInvalid + rule: + "!has(self.http) || !has(self.protocol) || self.protocol + == 'TCP' || self.protocol == 6" + - message: HTTP match is only valid on Allow rules + reason: FieldValueForbidden + rule: self.action == 'Allow' || !has(self.http) + - message: ports and notPorts cannot be specified with services + reason: FieldValueForbidden + rule: + "!has(self.destination) || !has(self.destination.services) + || (!has(self.destination.ports) || size(self.destination.ports) + == 0) && (!has(self.destination.notPorts) || size(self.destination.notPorts) + == 0)" + type: array + x-kubernetes-list-type: atomic + ingress: + items: + properties: + action: + enum: + - Allow + - Deny + - Log + - Pass + type: string + destination: + properties: + domains: + items: type: string - type: object - services: - description: |- - Services is an optional field that contains options for matching Kubernetes Services. - If specified, only traffic that originates from or terminates at endpoints within the selected - service(s) will be matched, and only to/from each endpoint's port. - - Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, - NotNets or ServiceAccounts. - - Ports and NotPorts can only be specified with Services on ingress rules. - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + type: string + nets: + items: type: string - namespace: - description: |- - Namespace specifies the namespace of the given Service. If left empty, the rule - will match within this policy's namespace. + type: array + x-kubernetes-list-type: set + notNets: + items: type: string - type: object - type: object - http: - description: HTTP contains match criteria that apply to HTTP - requests. - properties: - methods: - description: |- - Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed - HTTP Methods (e.g. GET, PUT, etc.) - Multiple methods are OR'd together. - items: + type: array + x-kubernetes-list-type: set + notPorts: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + notSelector: type: string - type: array - paths: - description: |- - Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed - HTTP Paths. - Multiple paths are OR'd together. - e.g: - - exact: /foo - - prefix: /bar - NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it. - items: - description: |- - HTTPPath specifies an HTTP path to match. It may be either of the form: - exact: : which matches the path exactly or - prefix: : which matches the path prefix + ports: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + selector: + type: string + serviceAccounts: + properties: + names: + items: + type: string + type: array + x-kubernetes-list-type: set + selector: + type: string + type: object + services: properties: - exact: + name: type: string - prefix: + namespace: type: string type: object - type: array - type: object - icmp: - description: |- - ICMP is an optional field that restricts the rule to apply to a specific type and - code of ICMP traffic. This should only be specified if the Protocol field is set to - "ICMP" or "ICMPv6". - properties: - code: - description: |- - Match on a specific ICMP code. If specified, the Type value must also be specified. - This is a technical limitation imposed by the kernel's iptables firewall, which - Calico uses to enforce the rule. - type: integer - type: - description: |- - Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request - (i.e. pings). - type: integer - type: object - ipVersion: - description: |- - IPVersion is an optional field that restricts the rule to only match a specific IP - version. - type: integer - metadata: - description: Metadata contains additional information for this - rule - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a set of key value pairs that - give extra information about the rule - type: object - type: object - notICMP: - description: NotICMP is the negated version of the ICMP field. - properties: - code: - description: |- - Match on a specific ICMP code. If specified, the Type value must also be specified. - This is a technical limitation imposed by the kernel's iptables firewall, which - Calico uses to enforce the rule. - type: integer - type: - description: |- - Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request - (i.e. pings). - type: integer - type: object - notProtocol: - anyOf: - - type: integer - - type: string - description: NotProtocol is the negated version of the Protocol - field. - pattern: ^.* - x-kubernetes-int-or-string: true - protocol: - anyOf: - - type: integer - - type: string - description: |- - Protocol is an optional field that restricts the rule to only apply to traffic of - a specific IP protocol. Required if any of the EntityRules contain Ports - (because ports only apply to certain protocols). - - Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite" - or an integer in the range 1-255. - pattern: ^.* - x-kubernetes-int-or-string: true - source: - description: Source contains the match criteria that apply to - source entity. - properties: - domains: - description: |- - Domains is an optional field, valid for egress Allow rules only, that restricts the rule - to apply only to traffic to one of the specified domains. If this field is specified, - Action must be Allow, and Nets and Selector must both be left empty. - items: + type: object + http: + properties: + headers: + items: + properties: + header: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - header + - operator + - values + type: object + type: array + x-kubernetes-list-type: atomic + methods: + items: + type: string + maxItems: 20 + type: array + x-kubernetes-list-type: atomic + paths: + items: + properties: + exact: + maxLength: 1024 + type: string + prefix: + maxLength: 1024 + type: string + type: object + maxItems: 20 + type: array + x-kubernetes-list-type: atomic + type: object + icmp: + properties: + code: + maximum: 255 + minimum: 0 + type: integer + type: + maximum: 254 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: ICMP code specified without an ICMP type + reason: FieldValueInvalid + rule: "!has(self.code) || has(self.type)" + ipVersion: + enum: + - 4 + - 6 + type: integer + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + type: object + notICMP: + properties: + code: + maximum: 255 + minimum: 0 + type: integer + type: + maximum: 254 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: ICMP code specified without an ICMP type + reason: FieldValueInvalid + rule: "!has(self.code) || has(self.type)" + notProtocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + source: + properties: + domains: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is an optional field that contains a selector expression. Only traffic - that originates from (or terminates at) endpoints within the selected namespaces will be - matched. When both NamespaceSelector and another selector are defined on the same rule, then only - workload endpoints that are matched by both selectors will be selected by the rule. - - For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting - only workload endpoints in the same namespace as the NetworkPolicy. - - For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting - only GlobalNetworkSet or HostEndpoint. - - For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces. - type: string - nets: - description: |- - Nets is an optional field that restricts the rule to only apply to traffic that - originates from (or terminates at) IP addresses in any of the given subnets. - items: + nets: + items: + type: string + type: array + x-kubernetes-list-type: set + notNets: + items: + type: string + type: array + x-kubernetes-list-type: set + notPorts: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + notSelector: type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: + ports: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + selector: type: string - type: array - notPorts: - description: |- - NotPorts is the negated version of the Ports field. - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: |- - NotSelector is the negated version of the Selector field. See Selector field for - subtleties with negated selectors. - type: string - ports: - description: |- - Ports is an optional field that restricts the rule to only apply to traffic that has a - source (destination) port that matches one of these ranges/values. This value is a - list of integers or strings that represent ranges of ports. - - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for\nsample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching\nthe selector will be matched.\n\nNote that: - in addition to the negated version of the Selector (see - NotSelector below), the\nselector expression syntax itself - supports negation. The two types of negation are subtly\ndifferent. - One negates the set of matched endpoints, the other negates - the whole match:\n\n\tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled\n\tendpoints - that do not have the label \"my_label\".\n\n\tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled\n\tendpoints that do have the label - \"my_label\".\n\nThe effect is that the latter will accept - packets from non-Calico sources whereas the\nformer is - limited to packets from Calico-controlled endpoints." - type: string - serviceAccounts: - description: |- - ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or - terminates at) a pod running as a matching service account. - properties: - names: - description: |- - Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates - at) a pod running as a service account whose name is in the list. - items: + serviceAccounts: + properties: + names: + items: + type: string + type: array + x-kubernetes-list-type: set + selector: type: string - type: array - selector: - description: |- - Selector is an optional field that restricts the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account that matches the given label selector. - If both Names and Selector are specified then they are AND'ed. - type: string - type: object - services: - description: |- - Services is an optional field that contains options for matching Kubernetes Services. - If specified, only traffic that originates from or terminates at endpoints within the selected - service(s) will be matched, and only to/from each endpoint's port. - - Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, - NotNets or ServiceAccounts. - - Ports and NotPorts can only be specified with Services on ingress rules. - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. - type: string - namespace: - description: |- - Namespace specifies the namespace of the given Service. If left empty, the rule - will match within this policy's namespace. - type: string - type: object - type: object - required: - - action - type: object - type: array - namespaceSelector: - description: NamespaceSelector is an optional field for an expression - used to select a pod based on namespaces. - type: string - order: - description: |- - Order is an optional field that specifies the order in which the policy is applied. - Policies with higher "order" are applied after those with lower - order within the same tier. If the order is omitted, it may be considered to be "infinite" - i.e. the - policy will be applied last. Policies with identical order will be applied in - alphanumerical order based on the Policy "Name" within the tier. - type: number - performanceHints: - description: |- - PerformanceHints contains a list of hints to Calico's policy engine to - help process the policy more efficiently. Hints never change the - enforcement behaviour of the policy. - - Currently, the only available hint is "AssumeNeededOnEveryNode". When - that hint is set on a policy, Felix will act as if the policy matches - a local endpoint even if it does not. This is useful for "preloading" - any large static policies that are known to be used on every node. - If the policy is _not_ used on a particular node then the work - done to preload the policy (and to maintain it) is wasted. - items: + type: object + services: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + required: + - action + type: object + x-kubernetes-validations: + - message: rules with HTTP match must have protocol TCP or unset + reason: FieldValueInvalid + rule: + "!has(self.http) || !has(self.protocol) || self.protocol + == 'TCP' || self.protocol == 6" + - message: HTTP match is only valid on Allow rules + reason: FieldValueForbidden + rule: self.action == 'Allow' || !has(self.http) + - message: ports and notPorts cannot be specified with services + reason: FieldValueForbidden + rule: + "!has(self.destination) || !has(self.destination.services) + || (!has(self.destination.ports) || size(self.destination.ports) + == 0) && (!has(self.destination.notPorts) || size(self.destination.notPorts) + == 0)" + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + type: string + order: + type: number + performanceHints: + items: + enum: + - AssumeNeededOnEveryNode + type: string + type: array + x-kubernetes-list-type: set + preDNAT: + type: boolean + selector: + type: string + serviceAccountSelector: + type: string + stagedAction: + default: Set + enum: + - Set + - Delete + - Learn + - Ignore type: string - type: array - preDNAT: - description: PreDNAT indicates to apply the rules in this policy before - any DNAT. - type: boolean - selector: - description: "The selector is an expression used to pick pick out - the endpoints that the policy should\nbe applied to.\n\nSelector - expressions follow this syntax:\n\n\tlabel == \"string_literal\" - \ -> comparison, e.g. my_label == \"foo bar\"\n\tlabel != \"string_literal\" - \ -> not equal; also matches if label is not present\n\tlabel - in { \"a\", \"b\", \"c\", ... } -> true if the value of label - X is one of \"a\", \"b\", \"c\"\n\tlabel not in { \"a\", \"b\", - \"c\", ... } -> true if the value of label X is not one of \"a\", - \"b\", \"c\"\n\thas(label_name) -> True if that label is present\n\t! - expr -> negation of expr\n\texpr && expr -> Short-circuit and\n\texpr - || expr -> Short-circuit or\n\t( expr ) -> parens for grouping\n\tall() - or the empty selector -> matches all endpoints.\n\nLabel names are - allowed to contain alphanumerics, -, _ and /. String literals are - more permissive\nbut they do not support escape characters.\n\nExamples - (with made-up labels):\n\n\ttype == \"webserver\" && deployment - == \"prod\"\n\ttype in {\"frontend\", \"backend\"}\n\tdeployment - != \"dev\"\n\t! has(label_name)" - type: string - serviceAccountSelector: - description: ServiceAccountSelector is an optional field for an expression - used to select a pod based on service accounts. - type: string - stagedAction: - description: The staged action. If this is omitted, the default is - Set. - type: string - tier: - description: |- - The name of the tier that this policy belongs to. If this is omitted, the default - tier (name is "default") is assumed. The specified tier must exist in order to create - security policies within the tier, the "default" tier is created automatically if it - does not exist, this means for deployments requiring only a single Tier, the tier name - may be omitted on all policy management requests. - type: string - types: - description: |- - Types indicates whether this policy applies to ingress, or to egress, or to both. When - not explicitly specified (and so the value on creation is empty or nil), Calico defaults - Types according to what Ingress and Egress rules are present in the policy. The - default is: - - - [ PolicyTypeIngress ], if there are no Egress rules (including the case where there are - also no Ingress rules) - - - [ PolicyTypeEgress ], if there are Egress rules but no Ingress rules - - - [ PolicyTypeIngress, PolicyTypeEgress ], if there are both Ingress and Egress rules. - - When the policy is read back again, Types will always be one of these values, never empty - or nil. - items: - description: PolicyType enumerates the possible values of the PolicySpec - Types field. + tier: + default: default type: string - type: array - type: object - type: object - served: true - storage: true + types: + items: + enum: + - Ingress + - Egress + type: string + maxItems: 2 + minItems: 1 + type: array + x-kubernetes-list-type: set + type: object + x-kubernetes-validations: + - message: preDNAT and doNotTrack cannot both be true + reason: FieldValueForbidden + rule: + "!((has(self.doNotTrack) && self.doNotTrack) && (has(self.preDNAT) + && self.preDNAT))" + - message: preDNAT policy cannot have any egress rules + reason: FieldValueForbidden + rule: + (!has(self.preDNAT) || !self.preDNAT) || !has(self.egress) || + size(self.egress) == 0 + - message: preDNAT policy cannot have 'Egress' type + reason: FieldValueForbidden + rule: + (!has(self.preDNAT) || !self.preDNAT) || !has(self.types) || !self.types.exists(t, + t == 'Egress') + - message: + applyOnForward must be true if either preDNAT or doNotTrack + is true + reason: FieldValueInvalid + rule: + (has(self.applyOnForward) && self.applyOnForward) || ((!has(self.doNotTrack) + || !self.doNotTrack) && (!has(self.preDNAT) || !self.preDNAT)) + type: object + served: true + storage: true diff --git a/pkg/crds/enterprise/crd.projectcalico.org_stagedkubernetesnetworkpolicies.yaml b/pkg/crds/enterprise/crd.projectcalico.org_stagedkubernetesnetworkpolicies.yaml index a55ed2e991..6eb1129cde 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_stagedkubernetesnetworkpolicies.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_stagedkubernetesnetworkpolicies.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: stagedkubernetesnetworkpolicies.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,493 +14,244 @@ spec: preserveUnknownFields: false scope: Namespaced versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - egress: - description: |- - List of egress rules to be applied to the selected pods. Outgoing traffic is - allowed if there are no NetworkPolicies selecting the pod (and cluster policy - otherwise allows the traffic), OR if the traffic matches at least one egress rule - across all of the NetworkPolicy objects whose podSelector matches the pod. If - this field is empty then this NetworkPolicy limits all outgoing traffic (and serves - solely to ensure that the pods it selects are isolated by default). - This field is beta-level in 1.8 - items: - description: |- - NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods - matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. - This type is beta-level in 1.8 - properties: - ports: - description: |- - ports is a list of destination ports for outgoing traffic. - Each item in this list is combined using a logical OR. If this field is - empty or missing, this rule matches all ports (traffic not restricted by port). - If this field is present and contains at least one item, then this rule allows - traffic only if the traffic matches at least one port in the list. - items: - description: NetworkPolicyPort describes a port to allow traffic - on - properties: - endPort: - description: |- - endPort indicates that the range of ports from port to endPort if set, inclusive, - should be allowed by the policy. This field cannot be defined if the port field - is not defined or if the port field is defined as a named (string) port. - The endPort must be equal or greater than port. - format: int32 - type: integer - port: - anyOf: - - type: integer - - type: string - description: |- - port represents the port on the given protocol. This can either be a numerical or named - port on a pod. If this field is not provided, this matches all port names and - numbers. - If present, only traffic on the specified protocol AND port will be matched. - x-kubernetes-int-or-string: true - protocol: - description: |- - protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. - If not specified, this field defaults to TCP. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - to: - description: |- - to is a list of destinations for outgoing traffic of pods selected for this rule. - Items in this list are combined using a logical OR operation. If this field is - empty or missing, this rule matches all destinations (traffic not restricted by - destination). If this field is present and contains at least one item, this rule - allows traffic only if the traffic matches at least one item in the to list. - items: - description: |- - NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of - fields are allowed - properties: - ipBlock: - description: |- - ipBlock defines policy on a particular IPBlock. If this field is set then - neither of the other fields can be. - properties: - cidr: - description: |- - cidr is a string representing the IPBlock - Valid examples are "192.168.1.0/24" or "2001:db8::/64" - type: string - except: - description: |- - except is a slice of CIDRs that should not be included within an IPBlock - Valid examples are "192.168.1.0/24" or "2001:db8::/64" - Except values will be rejected if they are outside the cidr range - items: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + egress: + items: + properties: + ports: + items: + properties: + endPort: + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + x-kubernetes-list-type: atomic + to: + items: + properties: + ipBlock: + properties: + cidr: type: string - type: array - x-kubernetes-list-type: atomic - required: - - cidr - type: object - namespaceSelector: - description: |- - namespaceSelector selects namespaces using cluster-scoped labels. This field follows - standard label selector semantics; if present but empty, it selects all namespaces. - - If podSelector is also set, then the NetworkPolicyPeer as a whole selects - the pods matching podSelector in the namespaces selected by namespaceSelector. - Otherwise it selects all pods in the namespaces selected by namespaceSelector. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: + except: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - cidr + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - podSelector: - description: |- - podSelector is a label selector which selects pods. This field follows standard label - selector semantics; if present but empty, it selects all pods. - - If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects - the pods matching podSelector in the Namespaces selected by NamespaceSelector. - Otherwise it selects the pods matching podSelector in the policy's own namespace. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: + type: object + x-kubernetes-map-type: atomic + podSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: array - ingress: - description: |- - List of ingress rules to be applied to the selected pods. Traffic is allowed to - a pod if there are no NetworkPolicies selecting the pod - (and cluster policy otherwise allows the traffic), OR if the traffic source is - the pod's local node, OR if the traffic matches at least one ingress rule - across all of the NetworkPolicy objects whose podSelector matches the pod. If - this field is empty then this NetworkPolicy does not allow any traffic (and serves - solely to ensure that the pods it selects are isolated by default) - items: - description: |- - NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods - matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from. - properties: - from: - description: |- - from is a list of sources which should be able to access the pods selected for this rule. - Items in this list are combined using a logical OR operation. If this field is - empty or missing, this rule matches all sources (traffic not restricted by - source). If this field is present and contains at least one item, this rule - allows traffic only if the traffic matches at least one item in the from list. - items: - description: |- - NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of - fields are allowed - properties: - ipBlock: - description: |- - ipBlock defines policy on a particular IPBlock. If this field is set then - neither of the other fields can be. - properties: - cidr: - description: |- - cidr is a string representing the IPBlock - Valid examples are "192.168.1.0/24" or "2001:db8::/64" - type: string - except: - description: |- - except is a slice of CIDRs that should not be included within an IPBlock - Valid examples are "192.168.1.0/24" or "2001:db8::/64" - Except values will be rejected if they are outside the cidr range - items: + type: object + x-kubernetes-map-type: atomic + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: array + x-kubernetes-list-type: atomic + ingress: + items: + properties: + from: + items: + properties: + ipBlock: + properties: + cidr: type: string - type: array - x-kubernetes-list-type: atomic - required: - - cidr - type: object - namespaceSelector: - description: |- - namespaceSelector selects namespaces using cluster-scoped labels. This field follows - standard label selector semantics; if present but empty, it selects all namespaces. - - If podSelector is also set, then the NetworkPolicyPeer as a whole selects - the pods matching podSelector in the namespaces selected by namespaceSelector. - Otherwise it selects all pods in the namespaces selected by namespaceSelector. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: + except: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - cidr + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - podSelector: - description: |- - podSelector is a label selector which selects pods. This field follows standard label - selector semantics; if present but empty, it selects all pods. - - If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects - the pods matching podSelector in the Namespaces selected by NamespaceSelector. - Otherwise it selects the pods matching podSelector in the policy's own namespace. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: + type: object + x-kubernetes-map-type: atomic + podSelector: + properties: + matchExpressions: + items: + properties: + key: type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - type: array - x-kubernetes-list-type: atomic - ports: - description: |- - ports is a list of ports which should be made accessible on the pods selected for - this rule. Each item in this list is combined using a logical OR. If this field is - empty or missing, this rule matches all ports (traffic not restricted by port). - If this field is present and contains at least one item, then this rule allows - traffic only if the traffic matches at least one port in the list. + type: object + x-kubernetes-map-type: atomic + type: object + type: array + x-kubernetes-list-type: atomic + ports: + items: + properties: + endPort: + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + protocol: + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: array + x-kubernetes-list-type: atomic + podSelector: + properties: + matchExpressions: items: - description: NetworkPolicyPort describes a port to allow traffic - on properties: - endPort: - description: |- - endPort indicates that the range of ports from port to endPort if set, inclusive, - should be allowed by the policy. This field cannot be defined if the port field - is not defined or if the port field is defined as a named (string) port. - The endPort must be equal or greater than port. - format: int32 - type: integer - port: - anyOf: - - type: integer - - type: string - description: |- - port represents the port on the given protocol. This can either be a numerical or named - port on a pod. If this field is not provided, this matches all port names and - numbers. - If present, only traffic on the specified protocol AND port will be matched. - x-kubernetes-int-or-string: true - protocol: - description: |- - protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. - If not specified, this field defaults to TCP. + key: + type: string + operator: type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator type: object type: array x-kubernetes-list-type: atomic - type: object - type: array - podSelector: - description: |- - Selects the pods to which this NetworkPolicy object applies. The array of - ingress rules is applied to any pods selected by this field. Multiple network - policies can select the same set of pods. In this case, the ingress rules for - each are combined additively. This field is NOT optional and follows standard - label selector semantics. An empty podSelector matches all pods in this - namespace. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator + matchLabels: + additionalProperties: + type: string type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - policyTypes: - description: |- - List of rule types that the NetworkPolicy relates to. - Valid options are Ingress, Egress, or Ingress,Egress. - If this field is not specified, it will default based on the existence of Ingress or Egress rules; - policies that contain an Egress section are assumed to affect Egress, and all policies - (whether or not they contain an Ingress section) are assumed to affect Ingress. - If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. - Likewise, if you want to write a policy that specifies that no egress is allowed, - you must specify a policyTypes value that include "Egress" (since such a policy would not include - an Egress section and would otherwise default to just [ "Ingress" ]). - This field is beta-level in 1.8 - items: - description: |- - PolicyType string describes the NetworkPolicy type - This type is beta-level in 1.8 + type: object + x-kubernetes-map-type: atomic + policyTypes: + items: + type: string + maxItems: 2 + minItems: 1 + type: array + x-kubernetes-list-type: set + stagedAction: + default: Set + enum: + - Set + - Delete + - Learn + - Ignore type: string - type: array - stagedAction: - description: The staged action. If this is omitted, the default is - Set. - type: string - type: object - type: object - served: true - storage: true + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/enterprise/crd.projectcalico.org_stagednetworkpolicies.yaml b/pkg/crds/enterprise/crd.projectcalico.org_stagednetworkpolicies.yaml index 73149475bd..555d2183e1 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_stagednetworkpolicies.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_stagednetworkpolicies.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: stagednetworkpolicies.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,885 +14,541 @@ spec: preserveUnknownFields: false scope: Namespaced versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - egress: - description: |- - The ordered set of egress rules. Each rule contains a set of packet match criteria and - a corresponding action to apply. - items: - description: |- - A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy - and security Profiles reference rules - separated out as a list of rules for both - ingress and egress packet matching. - - Each positive match criteria has a negated version, prefixed with "Not". All the match - criteria within a rule must be satisfied for a packet to match. A single rule can contain - the positive and negative version of a match and both must be satisfied for the rule to match. - properties: - action: - type: string - destination: - description: Destination contains the match criteria that apply - to destination entity. - properties: - domains: - description: |- - Domains is an optional field, valid for egress Allow rules only, that restricts the rule - to apply only to traffic to one of the specified domains. If this field is specified, - Action must be Allow, and Nets and Selector must both be left empty. - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is an optional field that contains a selector expression. Only traffic - that originates from (or terminates at) endpoints within the selected namespaces will be - matched. When both NamespaceSelector and another selector are defined on the same rule, then only - workload endpoints that are matched by both selectors will be selected by the rule. - - For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting - only workload endpoints in the same namespace as the NetworkPolicy. - - For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting - only GlobalNetworkSet or HostEndpoint. - - For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces. - type: string - nets: - description: |- - Nets is an optional field that restricts the rule to only apply to traffic that - originates from (or terminates at) IP addresses in any of the given subnets. - items: - type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: - type: string - type: array - notPorts: - description: |- - NotPorts is the negated version of the Ports field. - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: |- - NotSelector is the negated version of the Selector field. See Selector field for - subtleties with negated selectors. - type: string - ports: - description: |- - Ports is an optional field that restricts the rule to only apply to traffic that has a - source (destination) port that matches one of these ranges/values. This value is a - list of integers or strings that represent ranges of ports. - - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for\nsample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching\nthe selector will be matched.\n\nNote that: - in addition to the negated version of the Selector (see - NotSelector below), the\nselector expression syntax itself - supports negation. The two types of negation are subtly\ndifferent. - One negates the set of matched endpoints, the other negates - the whole match:\n\n\tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled\n\tendpoints - that do not have the label \"my_label\".\n\n\tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled\n\tendpoints that do have the label - \"my_label\".\n\nThe effect is that the latter will accept - packets from non-Calico sources whereas the\nformer is - limited to packets from Calico-controlled endpoints." - type: string - serviceAccounts: - description: |- - ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or - terminates at) a pod running as a matching service account. - properties: - names: - description: |- - Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates - at) a pod running as a service account whose name is in the list. - items: - type: string - type: array - selector: - description: |- - Selector is an optional field that restricts the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account that matches the given label selector. - If both Names and Selector are specified then they are AND'ed. + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + egress: + items: + properties: + action: + enum: + - Allow + - Deny + - Log + - Pass + type: string + destination: + properties: + domains: + items: type: string - type: object - services: - description: |- - Services is an optional field that contains options for matching Kubernetes Services. - If specified, only traffic that originates from or terminates at endpoints within the selected - service(s) will be matched, and only to/from each endpoint's port. - - Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, - NotNets or ServiceAccounts. - - Ports and NotPorts can only be specified with Services on ingress rules. - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + type: string + nets: + items: type: string - namespace: - description: |- - Namespace specifies the namespace of the given Service. If left empty, the rule - will match within this policy's namespace. + type: array + x-kubernetes-list-type: set + notNets: + items: type: string - type: object - type: object - http: - description: HTTP contains match criteria that apply to HTTP - requests. - properties: - methods: - description: |- - Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed - HTTP Methods (e.g. GET, PUT, etc.) - Multiple methods are OR'd together. - items: + type: array + x-kubernetes-list-type: set + notPorts: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + notSelector: + type: string + ports: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + selector: type: string - type: array - paths: - description: |- - Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed - HTTP Paths. - Multiple paths are OR'd together. - e.g: - - exact: /foo - - prefix: /bar - NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it. - items: - description: |- - HTTPPath specifies an HTTP path to match. It may be either of the form: - exact: : which matches the path exactly or - prefix: : which matches the path prefix + serviceAccounts: properties: - exact: - type: string - prefix: + names: + items: + type: string + type: array + x-kubernetes-list-type: set + selector: type: string type: object - type: array - type: object - icmp: - description: |- - ICMP is an optional field that restricts the rule to apply to a specific type and - code of ICMP traffic. This should only be specified if the Protocol field is set to - "ICMP" or "ICMPv6". - properties: - code: - description: |- - Match on a specific ICMP code. If specified, the Type value must also be specified. - This is a technical limitation imposed by the kernel's iptables firewall, which - Calico uses to enforce the rule. - type: integer - type: - description: |- - Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request - (i.e. pings). - type: integer - type: object - ipVersion: - description: |- - IPVersion is an optional field that restricts the rule to only match a specific IP - version. - type: integer - metadata: - description: Metadata contains additional information for this - rule - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a set of key value pairs that - give extra information about the rule - type: object - type: object - notICMP: - description: NotICMP is the negated version of the ICMP field. - properties: - code: - description: |- - Match on a specific ICMP code. If specified, the Type value must also be specified. - This is a technical limitation imposed by the kernel's iptables firewall, which - Calico uses to enforce the rule. - type: integer - type: - description: |- - Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request - (i.e. pings). - type: integer - type: object - notProtocol: - anyOf: - - type: integer - - type: string - description: NotProtocol is the negated version of the Protocol - field. - pattern: ^.* - x-kubernetes-int-or-string: true - protocol: - anyOf: - - type: integer - - type: string - description: |- - Protocol is an optional field that restricts the rule to only apply to traffic of - a specific IP protocol. Required if any of the EntityRules contain Ports - (because ports only apply to certain protocols). - - Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite" - or an integer in the range 1-255. - pattern: ^.* - x-kubernetes-int-or-string: true - source: - description: Source contains the match criteria that apply to - source entity. - properties: - domains: - description: |- - Domains is an optional field, valid for egress Allow rules only, that restricts the rule - to apply only to traffic to one of the specified domains. If this field is specified, - Action must be Allow, and Nets and Selector must both be left empty. - items: - type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is an optional field that contains a selector expression. Only traffic - that originates from (or terminates at) endpoints within the selected namespaces will be - matched. When both NamespaceSelector and another selector are defined on the same rule, then only - workload endpoints that are matched by both selectors will be selected by the rule. - - For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting - only workload endpoints in the same namespace as the NetworkPolicy. - - For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting - only GlobalNetworkSet or HostEndpoint. - - For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces. - type: string - nets: - description: |- - Nets is an optional field that restricts the rule to only apply to traffic that - originates from (or terminates at) IP addresses in any of the given subnets. - items: - type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: - type: string - type: array - notPorts: - description: |- - NotPorts is the negated version of the Ports field. - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: |- - NotSelector is the negated version of the Selector field. See Selector field for - subtleties with negated selectors. - type: string - ports: - description: |- - Ports is an optional field that restricts the rule to only apply to traffic that has a - source (destination) port that matches one of these ranges/values. This value is a - list of integers or strings that represent ranges of ports. - - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for\nsample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching\nthe selector will be matched.\n\nNote that: - in addition to the negated version of the Selector (see - NotSelector below), the\nselector expression syntax itself - supports negation. The two types of negation are subtly\ndifferent. - One negates the set of matched endpoints, the other negates - the whole match:\n\n\tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled\n\tendpoints - that do not have the label \"my_label\".\n\n\tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled\n\tendpoints that do have the label - \"my_label\".\n\nThe effect is that the latter will accept - packets from non-Calico sources whereas the\nformer is - limited to packets from Calico-controlled endpoints." - type: string - serviceAccounts: - description: |- - ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or - terminates at) a pod running as a matching service account. - properties: - names: - description: |- - Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates - at) a pod running as a service account whose name is in the list. - items: + services: + properties: + name: type: string - type: array - selector: - description: |- - Selector is an optional field that restricts the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account that matches the given label selector. - If both Names and Selector are specified then they are AND'ed. + namespace: + type: string + type: object + type: object + http: + properties: + headers: + items: + properties: + header: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - header + - operator + - values + type: object + type: array + x-kubernetes-list-type: atomic + methods: + items: type: string - type: object - services: - description: |- - Services is an optional field that contains options for matching Kubernetes Services. - If specified, only traffic that originates from or terminates at endpoints within the selected - service(s) will be matched, and only to/from each endpoint's port. - - Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, - NotNets or ServiceAccounts. - - Ports and NotPorts can only be specified with Services on ingress rules. - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. + maxItems: 20 + type: array + x-kubernetes-list-type: atomic + paths: + items: + properties: + exact: + maxLength: 1024 + type: string + prefix: + maxLength: 1024 + type: string + type: object + maxItems: 20 + type: array + x-kubernetes-list-type: atomic + type: object + icmp: + properties: + code: + maximum: 255 + minimum: 0 + type: integer + type: + maximum: 254 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: ICMP code specified without an ICMP type + reason: FieldValueInvalid + rule: "!has(self.code) || has(self.type)" + ipVersion: + enum: + - 4 + - 6 + type: integer + metadata: + properties: + annotations: + additionalProperties: type: string - namespace: - description: |- - Namespace specifies the namespace of the given Service. If left empty, the rule - will match within this policy's namespace. + type: object + type: object + notICMP: + properties: + code: + maximum: 255 + minimum: 0 + type: integer + type: + maximum: 254 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: ICMP code specified without an ICMP type + reason: FieldValueInvalid + rule: "!has(self.code) || has(self.type)" + notProtocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + source: + properties: + domains: + items: type: string - type: object - type: object - required: - - action - type: object - type: array - ingress: - description: |- - The ordered set of ingress rules. Each rule contains a set of packet match criteria and - a corresponding action to apply. - items: - description: |- - A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy - and security Profiles reference rules - separated out as a list of rules for both - ingress and egress packet matching. - - Each positive match criteria has a negated version, prefixed with "Not". All the match - criteria within a rule must be satisfied for a packet to match. A single rule can contain - the positive and negative version of a match and both must be satisfied for the rule to match. - properties: - action: - type: string - destination: - description: Destination contains the match criteria that apply - to destination entity. - properties: - domains: - description: |- - Domains is an optional field, valid for egress Allow rules only, that restricts the rule - to apply only to traffic to one of the specified domains. If this field is specified, - Action must be Allow, and Nets and Selector must both be left empty. - items: + type: array + x-kubernetes-list-type: atomic + namespaceSelector: type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is an optional field that contains a selector expression. Only traffic - that originates from (or terminates at) endpoints within the selected namespaces will be - matched. When both NamespaceSelector and another selector are defined on the same rule, then only - workload endpoints that are matched by both selectors will be selected by the rule. - - For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting - only workload endpoints in the same namespace as the NetworkPolicy. - - For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting - only GlobalNetworkSet or HostEndpoint. - - For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces. - type: string - nets: - description: |- - Nets is an optional field that restricts the rule to only apply to traffic that - originates from (or terminates at) IP addresses in any of the given subnets. - items: + nets: + items: + type: string + type: array + x-kubernetes-list-type: set + notNets: + items: + type: string + type: array + x-kubernetes-list-type: set + notPorts: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + notSelector: type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: + ports: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + selector: type: string - type: array - notPorts: - description: |- - NotPorts is the negated version of the Ports field. - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: |- - NotSelector is the negated version of the Selector field. See Selector field for - subtleties with negated selectors. - type: string - ports: - description: |- - Ports is an optional field that restricts the rule to only apply to traffic that has a - source (destination) port that matches one of these ranges/values. This value is a - list of integers or strings that represent ranges of ports. - - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for\nsample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching\nthe selector will be matched.\n\nNote that: - in addition to the negated version of the Selector (see - NotSelector below), the\nselector expression syntax itself - supports negation. The two types of negation are subtly\ndifferent. - One negates the set of matched endpoints, the other negates - the whole match:\n\n\tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled\n\tendpoints - that do not have the label \"my_label\".\n\n\tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled\n\tendpoints that do have the label - \"my_label\".\n\nThe effect is that the latter will accept - packets from non-Calico sources whereas the\nformer is - limited to packets from Calico-controlled endpoints." - type: string - serviceAccounts: - description: |- - ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or - terminates at) a pod running as a matching service account. - properties: - names: - description: |- - Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates - at) a pod running as a service account whose name is in the list. - items: + serviceAccounts: + properties: + names: + items: + type: string + type: array + x-kubernetes-list-type: set + selector: type: string - type: array - selector: - description: |- - Selector is an optional field that restricts the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account that matches the given label selector. - If both Names and Selector are specified then they are AND'ed. + type: object + services: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + required: + - action + type: object + x-kubernetes-validations: + - message: rules with HTTP match must have protocol TCP or unset + reason: FieldValueInvalid + rule: + "!has(self.http) || !has(self.protocol) || self.protocol + == 'TCP' || self.protocol == 6" + - message: HTTP match is only valid on Allow rules + reason: FieldValueForbidden + rule: self.action == 'Allow' || !has(self.http) + - message: ports and notPorts cannot be specified with services + reason: FieldValueForbidden + rule: + "!has(self.destination) || !has(self.destination.services) + || (!has(self.destination.ports) || size(self.destination.ports) + == 0) && (!has(self.destination.notPorts) || size(self.destination.notPorts) + == 0)" + type: array + x-kubernetes-list-type: atomic + ingress: + items: + properties: + action: + enum: + - Allow + - Deny + - Log + - Pass + type: string + destination: + properties: + domains: + items: type: string - type: object - services: - description: |- - Services is an optional field that contains options for matching Kubernetes Services. - If specified, only traffic that originates from or terminates at endpoints within the selected - service(s) will be matched, and only to/from each endpoint's port. - - Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, - NotNets or ServiceAccounts. - - Ports and NotPorts can only be specified with Services on ingress rules. - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + type: string + nets: + items: type: string - namespace: - description: |- - Namespace specifies the namespace of the given Service. If left empty, the rule - will match within this policy's namespace. + type: array + x-kubernetes-list-type: set + notNets: + items: type: string - type: object - type: object - http: - description: HTTP contains match criteria that apply to HTTP - requests. - properties: - methods: - description: |- - Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed - HTTP Methods (e.g. GET, PUT, etc.) - Multiple methods are OR'd together. - items: + type: array + x-kubernetes-list-type: set + notPorts: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + notSelector: + type: string + ports: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + selector: type: string - type: array - paths: - description: |- - Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed - HTTP Paths. - Multiple paths are OR'd together. - e.g: - - exact: /foo - - prefix: /bar - NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it. - items: - description: |- - HTTPPath specifies an HTTP path to match. It may be either of the form: - exact: : which matches the path exactly or - prefix: : which matches the path prefix + serviceAccounts: + properties: + names: + items: + type: string + type: array + x-kubernetes-list-type: set + selector: + type: string + type: object + services: properties: - exact: + name: type: string - prefix: + namespace: type: string type: object - type: array - type: object - icmp: - description: |- - ICMP is an optional field that restricts the rule to apply to a specific type and - code of ICMP traffic. This should only be specified if the Protocol field is set to - "ICMP" or "ICMPv6". - properties: - code: - description: |- - Match on a specific ICMP code. If specified, the Type value must also be specified. - This is a technical limitation imposed by the kernel's iptables firewall, which - Calico uses to enforce the rule. - type: integer - type: - description: |- - Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request - (i.e. pings). - type: integer - type: object - ipVersion: - description: |- - IPVersion is an optional field that restricts the rule to only match a specific IP - version. - type: integer - metadata: - description: Metadata contains additional information for this - rule - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a set of key value pairs that - give extra information about the rule - type: object - type: object - notICMP: - description: NotICMP is the negated version of the ICMP field. - properties: - code: - description: |- - Match on a specific ICMP code. If specified, the Type value must also be specified. - This is a technical limitation imposed by the kernel's iptables firewall, which - Calico uses to enforce the rule. - type: integer - type: - description: |- - Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request - (i.e. pings). - type: integer - type: object - notProtocol: - anyOf: - - type: integer - - type: string - description: NotProtocol is the negated version of the Protocol - field. - pattern: ^.* - x-kubernetes-int-or-string: true - protocol: - anyOf: - - type: integer - - type: string - description: |- - Protocol is an optional field that restricts the rule to only apply to traffic of - a specific IP protocol. Required if any of the EntityRules contain Ports - (because ports only apply to certain protocols). - - Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite" - or an integer in the range 1-255. - pattern: ^.* - x-kubernetes-int-or-string: true - source: - description: Source contains the match criteria that apply to - source entity. - properties: - domains: - description: |- - Domains is an optional field, valid for egress Allow rules only, that restricts the rule - to apply only to traffic to one of the specified domains. If this field is specified, - Action must be Allow, and Nets and Selector must both be left empty. - items: + type: object + http: + properties: + headers: + items: + properties: + header: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - header + - operator + - values + type: object + type: array + x-kubernetes-list-type: atomic + methods: + items: + type: string + maxItems: 20 + type: array + x-kubernetes-list-type: atomic + paths: + items: + properties: + exact: + maxLength: 1024 + type: string + prefix: + maxLength: 1024 + type: string + type: object + maxItems: 20 + type: array + x-kubernetes-list-type: atomic + type: object + icmp: + properties: + code: + maximum: 255 + minimum: 0 + type: integer + type: + maximum: 254 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: ICMP code specified without an ICMP type + reason: FieldValueInvalid + rule: "!has(self.code) || has(self.type)" + ipVersion: + enum: + - 4 + - 6 + type: integer + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + type: object + notICMP: + properties: + code: + maximum: 255 + minimum: 0 + type: integer + type: + maximum: 254 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: ICMP code specified without an ICMP type + reason: FieldValueInvalid + rule: "!has(self.code) || has(self.type)" + notProtocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + source: + properties: + domains: + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: type: string - type: array - namespaceSelector: - description: |- - NamespaceSelector is an optional field that contains a selector expression. Only traffic - that originates from (or terminates at) endpoints within the selected namespaces will be - matched. When both NamespaceSelector and another selector are defined on the same rule, then only - workload endpoints that are matched by both selectors will be selected by the rule. - - For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting - only workload endpoints in the same namespace as the NetworkPolicy. - - For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting - only GlobalNetworkSet or HostEndpoint. - - For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces. - type: string - nets: - description: |- - Nets is an optional field that restricts the rule to only apply to traffic that - originates from (or terminates at) IP addresses in any of the given subnets. - items: + nets: + items: + type: string + type: array + x-kubernetes-list-type: set + notNets: + items: + type: string + type: array + x-kubernetes-list-type: set + notPorts: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + notSelector: type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: + ports: + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + x-kubernetes-list-type: atomic + selector: type: string - type: array - notPorts: - description: |- - NotPorts is the negated version of the Ports field. - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: |- - NotSelector is the negated version of the Selector field. See Selector field for - subtleties with negated selectors. - type: string - ports: - description: |- - Ports is an optional field that restricts the rule to only apply to traffic that has a - source (destination) port that matches one of these ranges/values. This value is a - list of integers or strings that represent ranges of ports. - - Since only some protocols have ports, if any ports are specified it requires the - Protocol match in the Rule to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for\nsample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching\nthe selector will be matched.\n\nNote that: - in addition to the negated version of the Selector (see - NotSelector below), the\nselector expression syntax itself - supports negation. The two types of negation are subtly\ndifferent. - One negates the set of matched endpoints, the other negates - the whole match:\n\n\tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled\n\tendpoints - that do not have the label \"my_label\".\n\n\tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled\n\tendpoints that do have the label - \"my_label\".\n\nThe effect is that the latter will accept - packets from non-Calico sources whereas the\nformer is - limited to packets from Calico-controlled endpoints." - type: string - serviceAccounts: - description: |- - ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or - terminates at) a pod running as a matching service account. - properties: - names: - description: |- - Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates - at) a pod running as a service account whose name is in the list. - items: + serviceAccounts: + properties: + names: + items: + type: string + type: array + x-kubernetes-list-type: set + selector: type: string - type: array - selector: - description: |- - Selector is an optional field that restricts the rule to only apply to traffic that originates from - (or terminates at) a pod running as a service account that matches the given label selector. - If both Names and Selector are specified then they are AND'ed. - type: string - type: object - services: - description: |- - Services is an optional field that contains options for matching Kubernetes Services. - If specified, only traffic that originates from or terminates at endpoints within the selected - service(s) will be matched, and only to/from each endpoint's port. - - Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, - NotNets or ServiceAccounts. - - Ports and NotPorts can only be specified with Services on ingress rules. - properties: - name: - description: Name specifies the name of a Kubernetes - Service to match. - type: string - namespace: - description: |- - Namespace specifies the namespace of the given Service. If left empty, the rule - will match within this policy's namespace. - type: string - type: object - type: object - required: - - action - type: object - type: array - order: - description: |- - Order is an optional field that specifies the order in which the policy is applied. - Policies with higher "order" are applied after those with lower - order within the same tier. If the order is omitted, it may be considered to be "infinite" - i.e. the - policy will be applied last. Policies with identical order will be applied in - alphanumerical order based on the Policy "Name" within the tier. - type: number - performanceHints: - description: |- - PerformanceHints contains a list of hints to Calico's policy engine to - help process the policy more efficiently. Hints never change the - enforcement behaviour of the policy. - - Currently, the only available hint is "AssumeNeededOnEveryNode". When - that hint is set on a policy, Felix will act as if the policy matches - a local endpoint even if it does not. This is useful for "preloading" - any large static policies that are known to be used on every node. - If the policy is _not_ used on a particular node then the work - done to preload the policy (and to maintain it) is wasted. - items: + type: object + services: + properties: + name: + type: string + namespace: + type: string + type: object + type: object + required: + - action + type: object + x-kubernetes-validations: + - message: rules with HTTP match must have protocol TCP or unset + reason: FieldValueInvalid + rule: + "!has(self.http) || !has(self.protocol) || self.protocol + == 'TCP' || self.protocol == 6" + - message: HTTP match is only valid on Allow rules + reason: FieldValueForbidden + rule: self.action == 'Allow' || !has(self.http) + - message: ports and notPorts cannot be specified with services + reason: FieldValueForbidden + rule: + "!has(self.destination) || !has(self.destination.services) + || (!has(self.destination.ports) || size(self.destination.ports) + == 0) && (!has(self.destination.notPorts) || size(self.destination.notPorts) + == 0)" + type: array + x-kubernetes-list-type: atomic + order: + type: number + performanceHints: + items: + enum: + - AssumeNeededOnEveryNode + type: string + type: array + x-kubernetes-list-type: set + selector: + type: string + serviceAccountSelector: + type: string + stagedAction: + default: Set + enum: + - Set + - Delete + - Learn + - Ignore type: string - type: array - selector: - description: "The selector is an expression used to pick pick out - the endpoints that the policy should\nbe applied to.\n\nSelector - expressions follow this syntax:\n\n\tlabel == \"string_literal\" - \ -> comparison, e.g. my_label == \"foo bar\"\n\tlabel != \"string_literal\" - \ -> not equal; also matches if label is not present\n\tlabel - in { \"a\", \"b\", \"c\", ... } -> true if the value of label - X is one of \"a\", \"b\", \"c\"\n\tlabel not in { \"a\", \"b\", - \"c\", ... } -> true if the value of label X is not one of \"a\", - \"b\", \"c\"\n\thas(label_name) -> True if that label is present\n\t! - expr -> negation of expr\n\texpr && expr -> Short-circuit and\n\texpr - || expr -> Short-circuit or\n\t( expr ) -> parens for grouping\n\tall() - or the empty selector -> matches all endpoints.\n\nLabel names are - allowed to contain alphanumerics, -, _ and /. String literals are - more permissive\nbut they do not support escape characters.\n\nExamples - (with made-up labels):\n\n\ttype == \"webserver\" && deployment - == \"prod\"\n\ttype in {\"frontend\", \"backend\"}\n\tdeployment - != \"dev\"\n\t! has(label_name)" - type: string - serviceAccountSelector: - description: ServiceAccountSelector is an optional field for an expression - used to select a pod based on service accounts. - type: string - stagedAction: - description: The staged action. If this is omitted, the default is - Set. - type: string - tier: - description: |- - The name of the tier that this policy belongs to. If this is omitted, the default - tier (name is "default") is assumed. The specified tier must exist in order to create - security policies within the tier, the "default" tier is created automatically if it - does not exist, this means for deployments requiring only a single Tier, the tier name - may be omitted on all policy management requests. - type: string - types: - description: |- - Types indicates whether this policy applies to ingress, or to egress, or to both. When - not explicitly specified (and so the value on creation is empty or nil), Calico defaults - Types according to what Ingress and Egress are present in the policy. The - default is: - - - [ PolicyTypeIngress ], if there are no Egress rules (including the case where there are - also no Ingress rules) - - - [ PolicyTypeEgress ], if there are Egress rules but no Ingress rules - - - [ PolicyTypeIngress, PolicyTypeEgress ], if there are both Ingress and Egress rules. - - When the policy is read back again, Types will always be one of these values, never empty - or nil. - items: - description: PolicyType enumerates the possible values of the PolicySpec - Types field. + tier: + default: default type: string - type: array - type: object - type: object - served: true - storage: true + types: + items: + enum: + - Ingress + - Egress + type: string + maxItems: 2 + minItems: 1 + type: array + x-kubernetes-list-type: set + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/enterprise/crd.projectcalico.org_tiers.yaml b/pkg/crds/enterprise/crd.projectcalico.org_tiers.yaml index c7911c7d00..ec40a19200 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_tiers.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_tiers.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: tiers.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,49 +14,49 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: TierSpec contains the specification for a security policy - tier resource. - properties: - defaultAction: - description: |- - DefaultAction specifies the action applied to workloads selected by a policy in the tier, - but not rule matched the workload's traffic. - [Default: Deny] - enum: - - Pass - - Deny - type: string - order: - description: |- - Order is an optional field that specifies the order in which the tier is applied. - Tiers with higher "order" are applied after those with lower order. If the order - is omitted, it may be considered to be "infinite" - i.e. the tier will be applied - last. Tiers with identical order will be applied in alphanumerical order based - on the Tier "Name". - type: number - type: object - type: object - served: true - storage: true + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + defaultAction: + allOf: + - enum: + - Allow + - Deny + - Log + - Pass + - enum: + - Pass + - Deny + default: Deny + type: string + order: + type: number + type: object + required: + - metadata + - spec + type: object + x-kubernetes-validations: + - message: The 'kube-admin' tier must have default action 'Pass' + rule: + "self.metadata.name == 'kube-admin' ? self.spec.defaultAction == + 'Pass' : true" + - message: The 'kube-baseline' tier must have default action 'Pass' + rule: + "self.metadata.name == 'kube-baseline' ? self.spec.defaultAction + == 'Pass' : true" + - message: The 'default' tier must have default action 'Deny' + rule: + "self.metadata.name == 'default' ? self.spec.defaultAction == 'Deny' + : true" + served: true + storage: true diff --git a/pkg/crds/enterprise/crd.projectcalico.org_uisettings.yaml b/pkg/crds/enterprise/crd.projectcalico.org_uisettings.yaml index 017ce643a7..f5cdd97d8a 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_uisettings.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_uisettings.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: uisettings.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,293 +14,188 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: UISettingsSpec contains the specification for a UISettings - resource. - properties: - dashboard: - description: Dashboard data. One of View, Layer or Dashboard should - be specified. - properties: - dashboardData: - description: Array of dashboard data - items: - properties: - layout: - description: Layout information of the dashboard card - properties: - height: - description: Height of the dashboard card - format: int32 - type: integer - index: - description: Index of the dashboard - type: string - isInNamespaceView: - description: Whether this dashboard is in namespace - view or not - type: boolean - isResizable: - description: Whether this dashboard card should be re-sizeable - or not - type: boolean - isVisible: - description: Whether this dashboard card should be visible - or not - type: boolean - maxHeight: - description: Maximum limit set for the size of the dashboard - card height - format: int32 - type: integer - maxWidth: - description: Maximum limit set for the size of the dashboard - card width - format: int32 - type: integer - minHeight: - description: Minimum limit set for the size of the dashboard - card height - format: int32 - type: integer - minWidth: - description: Minimum limit set for the size of the dashboard - card width - format: int32 - type: integer - width: - description: Width of the dashboard card - format: int32 - type: integer - xPos: - description: X coordinate of the top-left corner of - the dashboard card - format: int32 - type: integer - yPos: - description: Y coordinate of the top-left corner of - the dashboard card - format: int32 - type: integer - required: - - height - - width + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + dashboard: + properties: + dashboardData: + items: + properties: + layout: + properties: + height: + format: int32 + type: integer + index: + type: string + isInNamespaceView: + type: boolean + isResizable: + type: boolean + isVisible: + type: boolean + maxHeight: + format: int32 + type: integer + maxWidth: + format: int32 + type: integer + minHeight: + format: int32 + type: integer + minWidth: + format: int32 + type: integer + width: + format: int32 + type: integer + xPos: + format: int32 + type: integer + yPos: + format: int32 + type: integer + required: + - height + - width + - xPos + - yPos + type: object + selectedNamespace: + type: string + type: + type: string + type: object + type: array + x-kubernetes-list-type: atomic + type: object + description: + type: string + group: + type: string + layer: + properties: + color: + type: string + icon: + type: string + nodes: + items: + properties: + id: + type: string + name: + type: string + namespace: + type: string + type: + type: string + required: + - id + - name + - type + type: object + type: array + x-kubernetes-list-type: atomic + required: + - nodes + type: object + user: + type: string + view: + properties: + expandPorts: + type: boolean + followConnectionDirection: + type: boolean + hostAggregationSelectors: + items: + properties: + name: + type: string + selector: + type: string + required: + - name + - selector + type: object + type: array + x-kubernetes-list-type: atomic + layers: + items: + type: string + type: array + x-kubernetes-list-type: atomic + layoutType: + type: string + nodes: + items: + properties: + deemphasize: + type: boolean + expanded: + type: boolean + followEgress: + type: boolean + followIngress: + type: boolean + hide: + type: boolean + hideUnrelated: + type: boolean + id: + type: string + inFocus: + type: boolean + name: + type: string + namespace: + type: string + type: + type: string + required: + - id + - name + - type + type: object + type: array + x-kubernetes-list-type: atomic + positions: + items: + properties: + id: + type: string + xPos: + type: integer + yPos: + type: integer + zPos: + type: integer + required: + - id - xPos - yPos - type: object - selectedNamespace: - description: Namespace user selected for the dashboard - type: string - type: - description: Type of the dashboard - type: string - type: object - type: array - type: object - description: - description: This description is displayed by the UI. - type: string - group: - description: The settings group. Once configured this cannot be modified. - The group must exist. - type: string - layer: - description: Layer data. One of View, Layer or Dashboard should be - specified. - properties: - color: - description: The color used to represent the layer when an Icon - has not been specified. - type: string - icon: - description: A user-configurable icon. If not specified, the default - layer icon is used for this layer node. - type: string - nodes: - description: The nodes that are aggregated into a single layer. - items: - description: UIGraphNode contains details about a graph node - so that the UI can render it correctly. - properties: - id: - description: The node ID. - type: string - name: - description: The node name. - type: string - namespace: - description: The node namespace. - type: string - type: - description: The node type. - type: string - required: - - id - - name - - type - type: object - type: array - required: - - nodes - type: object - user: - description: |- - The user associated with these settings. This is filled in by the APIServer on a create request if the owning - group is filtered by user. Cannot be modified. - type: string - view: - description: View data. One of View, Layer or Dashboard should be - specified. - properties: - expandPorts: - description: Whether ports are expanded. If false, port information - is aggregated. - type: boolean - followConnectionDirection: - description: Whether or not to automatically follow directly connected - nodes. - type: boolean - hostAggregationSelectors: - description: |- - The set of selectors used to aggregate hosts (Kubernetes nodes). Nodes are aggregated based on the supplied set - of selectors. In the case of overlapping selectors, the order specified in the slice is the order checked and so - the first selector to match is used. The nodes will be aggregated into a graph node with the name specified in - the NamedSelector. - items: - description: A Calico format label selector with an associated - name. - properties: - name: - type: string - selector: - type: string - required: - - name - - selector - type: object - type: array - layers: - description: |- - The set of layer names that are active in this view. Note that layers may be defined, but it is not necessary - to have each layer "active". Corresponds directly to the name of the UISettings resource that contains a layer - definition. - items: - type: string - type: array - layoutType: - description: |- - Layout type. Semi-arbitrary value used to specify the layout-type/algorithm. For example could specify - different layout algorithms, or click-to-grid. Mostly here for future use. - type: string - nodes: - description: |- - Graph node specific view data. This provides information about what is in focus, expanded, hidden, - deemphasized etc. at a per-node level. - items: - description: UIGraphNodeView contains the view configuration - for a specific graph node. - properties: - deemphasize: - description: |- - Whether the UI should de-emphasize the node when visible. This is just a UI directive and does not correspond to - a backend parameter. - type: boolean - expanded: - description: |- - This node is expanded to the next level. This node can, for example, be a layer that is expanded into its - constituent parts. - type: boolean - followEgress: - type: boolean - followIngress: - description: |- - Whether the ingress/egress connections to/from this node are included in the graph. This effectively brings - more nodes into focus. - type: boolean - hide: - description: Whether the UI should hide the node. This is - just a UI directive and does not correspond to a backend - parameter. - type: boolean - hideUnrelated: - description: |- - Whether the UI should hide unrelated nodes. This is just a UI directive and does not correspond to a backend - parameter. - type: boolean - id: - description: The node ID. - type: string - inFocus: - description: This node is a primary focus of the graph (i.e. - the graph contains this node and connected nodes). - type: boolean - name: - description: The node name. - type: string - namespace: - description: The node namespace. - type: string - type: - description: The node type. - type: string - required: - - id - - name - - type - type: object - type: array - positions: - description: Positions of graph nodes. - items: - description: UI screen position. - properties: - id: - type: string - xPos: - type: integer - yPos: - type: integer - zPos: - type: integer - required: - - id - - xPos - - yPos - - zPos - type: object - type: array - splitIngressEgress: - description: |- - Whether to split HostEndpoints, NetworkSets and Networks into separate ingress and egress nodes or to combine - them. In a service-centric view, splitting these makes the graph clearer. This never splits pods which represent - a true microservice which has ingress and egress connections. - type: boolean - type: object - required: - - description - - group - type: object - type: object - served: true - storage: true + - zPos + type: object + type: array + x-kubernetes-list-type: atomic + splitIngressEgress: + type: boolean + type: object + required: + - description + - group + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/enterprise/crd.projectcalico.org_uisettingsgroups.yaml b/pkg/crds/enterprise/crd.projectcalico.org_uisettingsgroups.yaml index c0efb7da95..780a321c17 100644 --- a/pkg/crds/enterprise/crd.projectcalico.org_uisettingsgroups.yaml +++ b/pkg/crds/enterprise/crd.projectcalico.org_uisettingsgroups.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: uisettingsgroups.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -14,63 +14,28 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: UISettingsGroupSpec contains the specification for a UISettingsGroup - resource. - properties: - description: - description: |- - This description is displayed by the UI when asking where to store any UI-specific settings - such as views, layers, dashboards etc. This name should be a short description that relates - the settings to the set of clusters defined below, the set of users or groups that are able to - access to these settings (defined via RBAC) or the set of applications common to the set of - users or groups that can access these settings. - Examples might be: - - "cluster" when these settings apply to the whole cluster - - "global" when these settings apply to all clusters (in an Multi-Cluster environment) - - "security team" if these settings are accessible only to the security group and therefore - applicable to the applications accessible by that team - - "storefront" if these settings are accessible to all users and groups that can access the - storefront set of applications - - "user" if these settings are accessible to only a single user - type: string - filterType: - description: |- - The type of filter to use when listing and watching the UISettings associated with this group. If set to None - a List/watch of UISettings in this group will return all UISettings. If set to User a list/watch of UISettings - in this group will return only UISettings created by the user making the request. - For settings groups that are specific to users and where multiple users may access the settings in this group - we recommend setting this to "User" to avoid cluttering up the UI with settings for other users. - Note this is only a filter. Full lockdown of UISettings for specific users should be handled using appropriate - RBAC. - enum: - - None - - User - type: string - required: - - description - type: object - type: object - served: true - storage: true + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + description: + type: string + filterType: + enum: + - None + - User + type: string + required: + - description + type: object + type: object + served: true + storage: true diff --git a/pkg/crds/enterprise/policy.networking.k8s.io_adminnetworkpolicies.yaml b/pkg/crds/enterprise/policy.networking.k8s.io_adminnetworkpolicies.yaml index 174d4c1ace..3fd0b0f5a9 100644 --- a/pkg/crds/enterprise/policy.networking.k8s.io_adminnetworkpolicies.yaml +++ b/pkg/crds/enterprise/policy.networking.k8s.io_adminnetworkpolicies.yaml @@ -14,1066 +14,1091 @@ spec: listKind: AdminNetworkPolicyList plural: adminnetworkpolicies shortNames: - - anp + - anp singular: adminnetworkpolicy scope: Cluster versions: - - additionalPrinterColumns: - - jsonPath: .spec.priority - name: Priority - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - AdminNetworkPolicy is a cluster level resource that is part of the - AdminNetworkPolicy API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired behavior of AdminNetworkPolicy. - properties: - egress: - description: |- - Egress is the list of Egress rules to be applied to the selected pods. - A total of 100 rules will be allowed in each ANP instance. - The relative precedence of egress rules within a single ANP object (all of - which share the priority) will be determined by the order in which the rule - is written. Thus, a rule that appears at the top of the egress rules - would take the highest precedence. - ANPs with no egress rules do not affect egress traffic. - - - Support: Core - items: + - additionalPrinterColumns: + - jsonPath: .spec.priority + name: Priority + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + AdminNetworkPolicy is a cluster level resource that is part of the + AdminNetworkPolicy API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Specification of the desired behavior of AdminNetworkPolicy. + properties: + egress: description: |- - AdminNetworkPolicyEgressRule describes an action to take on a particular - set of traffic originating from pods selected by a AdminNetworkPolicy's - Subject field. - - properties: - action: - description: |- - Action specifies the effect this rule will have on matching traffic. - Currently the following actions are supported: - Allow: allows the selected traffic (even if it would otherwise have been denied by NetworkPolicy) - Deny: denies the selected traffic - Pass: instructs the selected traffic to skip any remaining ANP rules, and - then pass execution to any NetworkPolicies that select the pod. - If the pod is not selected by any NetworkPolicies then execution - is passed to any BaselineAdminNetworkPolicies that select the pod. - - - Support: Core - enum: - - Allow - - Deny - - Pass - type: string - name: - description: |- - Name is an identifier for this rule, that may be no more than 100 characters - in length. This field should be used by the implementation to help - improve observability, readability and error-reporting for any applied - AdminNetworkPolicies. - - - Support: Core - maxLength: 100 - type: string - ports: - description: |- - Ports allows for matching traffic based on port and protocols. - This field is a list of destination ports for the outgoing egress traffic. - If Ports is not set then the rule does not filter traffic via port. - - - Support: Core - items: + Egress is the list of Egress rules to be applied to the selected pods. + A total of 100 rules will be allowed in each ANP instance. + The relative precedence of egress rules within a single ANP object (all of + which share the priority) will be determined by the order in which the rule + is written. Thus, a rule that appears at the top of the egress rules + would take the highest precedence. + ANPs with no egress rules do not affect egress traffic. + + + Support: Core + items: + description: |- + AdminNetworkPolicyEgressRule describes an action to take on a particular + set of traffic originating from pods selected by a AdminNetworkPolicy's + Subject field. + + properties: + action: description: |- - AdminNetworkPolicyPort describes how to select network ports on pod(s). - Exactly one field must be set. - maxProperties: 1 - minProperties: 1 - properties: - namedPort: - description: |- - NamedPort selects a port on a pod(s) based on name. + Action specifies the effect this rule will have on matching traffic. + Currently the following actions are supported: + Allow: allows the selected traffic (even if it would otherwise have been denied by NetworkPolicy) + Deny: denies the selected traffic + Pass: instructs the selected traffic to skip any remaining ANP rules, and + then pass execution to any NetworkPolicies that select the pod. + If the pod is not selected by any NetworkPolicies then execution + is passed to any BaselineAdminNetworkPolicies that select the pod. + + + Support: Core + enum: + - Allow + - Deny + - Pass + type: string + name: + description: |- + Name is an identifier for this rule, that may be no more than 100 characters + in length. This field should be used by the implementation to help + improve observability, readability and error-reporting for any applied + AdminNetworkPolicies. - Support: Extended + Support: Core + maxLength: 100 + type: string + ports: + description: |- + Ports allows for matching traffic based on port and protocols. + This field is a list of destination ports for the outgoing egress traffic. + If Ports is not set then the rule does not filter traffic via port. - - type: string - portNumber: - description: |- - Port selects a port on a pod(s) based on number. + Support: Core + items: + description: |- + AdminNetworkPolicyPort describes how to select network ports on pod(s). + Exactly one field must be set. + maxProperties: 1 + minProperties: 1 + properties: + namedPort: + description: |- + NamedPort selects a port on a pod(s) based on name. - Support: Core - properties: - port: - description: |- - Number defines a network port value. + Support: Extended - Support: Core - format: int32 - maximum: 65535 - minimum: 1 - type: integer - protocol: - default: TCP - description: |- - Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must - match. If not specified, this field defaults to TCP. + + type: string + portNumber: + description: |- + Port selects a port on a pod(s) based on number. - Support: Core - type: string - required: - - port - - protocol - type: object - portRange: - description: |- - PortRange selects a port range on a pod(s) based on provided start and end - values. + Support: Core + properties: + port: + description: |- + Number defines a network port value. - Support: Core - properties: - end: - description: |- - End defines a network port that is the end of a port range, the End value - must be greater than Start. + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + default: TCP + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. - Support: Core - format: int32 - maximum: 65535 - minimum: 1 - type: integer - protocol: - default: TCP - description: |- - Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must - match. If not specified, this field defaults to TCP. + Support: Core + type: string + required: + - port + - protocol + type: object + portRange: + description: |- + PortRange selects a port range on a pod(s) based on provided start and end + values. - Support: Core - type: string - start: - description: |- - Start defines a network port that is the start of a port range, the Start - value must be less than End. + Support: Core + properties: + end: + description: |- + End defines a network port that is the end of a port range, the End value + must be greater than Start. - Support: Core - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - end - - start - type: object - type: object - maxItems: 100 - type: array - to: - description: |- - To is the List of destinations whose traffic this rule applies to. - If any AdminNetworkPolicyEgressPeer matches the destination of outgoing - traffic then the specified action is applied. - This field must be defined and contain at least one item. - - - Support: Core - items: - description: |- - AdminNetworkPolicyEgressPeer defines a peer to allow traffic to. - Exactly one of the selector pointers must be set for a given peer. If a - consumer observes none of its fields are set, they must assume an unknown - option has been specified and fail closed. - maxProperties: 1 - minProperties: 1 - properties: - namespaces: - description: |- - Namespaces defines a way to select all pods within a set of Namespaces. - Note that host-networked pods are not included in this type of peer. + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + default: TCP + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. - Support: Core - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: + Support: Core + type: string + start: description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: + Start defines a network port that is the start of a port range, the Start + value must be less than End. + + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - end + - start + type: object + type: object + maxItems: 100 + type: array + to: + description: |- + To is the List of destinations whose traffic this rule applies to. + If any AdminNetworkPolicyEgressPeer matches the destination of outgoing + traffic then the specified action is applied. + This field must be defined and contain at least one item. + + + Support: Core + items: + description: |- + AdminNetworkPolicyEgressPeer defines a peer to allow traffic to. + Exactly one of the selector pointers must be set for a given peer. If a + consumer observes none of its fields are set, they must assume an unknown + option has been specified and fail closed. + maxProperties: 1 + minProperties: 1 + properties: + namespaces: + description: |- + Namespaces defines a way to select all pods within a set of Namespaces. + Note that host-networked pods are not included in this type of peer. + + + Support: Core + properties: + matchExpressions: + description: + matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the selector + applies to. type: string - type: array - required: - - key - - operator + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - networks: - description: |- - Networks defines a way to select peers via CIDR blocks. - This is intended for representing entities that live outside the cluster, - which can't be selected by pods, namespaces and nodes peers, but note - that cluster-internal traffic will be checked against the rule as - well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow - or deny all IPv4 pod-to-pod traffic as well. If you don't want that, - add a rule that Passes all pod traffic before the Networks rule. + type: object + x-kubernetes-map-type: atomic + networks: + description: |- + Networks defines a way to select peers via CIDR blocks. + This is intended for representing entities that live outside the cluster, + which can't be selected by pods, namespaces and nodes peers, but note + that cluster-internal traffic will be checked against the rule as + well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow + or deny all IPv4 pod-to-pod traffic as well. If you don't want that, + add a rule that Passes all pod traffic before the Networks rule. - Each item in Networks should be provided in the CIDR format and should be - IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8". + Each item in Networks should be provided in the CIDR format and should be + IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8". - Networks can have upto 25 CIDRs specified. + Networks can have upto 25 CIDRs specified. - Support: Extended + Support: Extended - - items: + + items: + description: |- + CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8"). + This string must be validated by implementations using net.ParseCIDR + TODO: Introduce CEL CIDR validation regex isCIDR() in Kube 1.31 when it is available. + maxLength: 43 + type: string + x-kubernetes-validations: + - message: + CIDR must be either an IPv4 or IPv6 address. + IPv4 address embedded in IPv6 addresses are not + supported + rule: self.contains(':') != self.contains('.') + maxItems: 25 + minItems: 1 + type: array + x-kubernetes-list-type: set + nodes: description: |- - CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8"). - This string must be validated by implementations using net.ParseCIDR - TODO: Introduce CEL CIDR validation regex isCIDR() in Kube 1.31 when it is available. - maxLength: 43 - type: string - x-kubernetes-validations: - - message: CIDR must be either an IPv4 or IPv6 address. - IPv4 address embedded in IPv6 addresses are not - supported - rule: self.contains(':') != self.contains('.') - maxItems: 25 - minItems: 1 - type: array - x-kubernetes-list-type: set - nodes: - description: |- - Nodes defines a way to select a set of nodes in - the cluster. This field follows standard label selector - semantics; if present but empty, it selects all Nodes. + Nodes defines a way to select a set of nodes in + the cluster. This field follows standard label selector + semantics; if present but empty, it selects all Nodes. - Support: Extended + Support: Extended - - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: + + properties: + matchExpressions: + description: + matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + pods: + description: |- + Pods defines a way to select a set of pods in + a set of namespaces. Note that host-networked pods + are not included in this type of peer. + + + Support: Core + properties: + namespaceSelector: + description: |- + NamespaceSelector follows standard label selector semantics; if empty, + it selects all Namespaces. properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. + matchExpressions: + description: + matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + podSelector: + description: |- + PodSelector is used to explicitly select pods within a namespace; if empty, + it selects all Pods. + properties: + matchExpressions: + description: + matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object type: array - required: - - key - - operator + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - pods: - description: |- - Pods defines a way to select a set of pods in - a set of namespaces. Note that host-networked pods - are not included in this type of peer. + x-kubernetes-map-type: atomic + required: + - namespaceSelector + - podSelector + type: object + type: object + maxItems: 100 + minItems: 1 + type: array + required: + - action + - to + type: object + x-kubernetes-validations: + - message: + networks/nodes peer cannot be set with namedPorts since + there are no namedPorts for networks/nodes + rule: + "!(self.to.exists(peer, has(peer.networks) || has(peer.nodes)) + && has(self.ports) && self.ports.exists(port, has(port.namedPort)))" + maxItems: 100 + type: array + ingress: + description: |- + Ingress is the list of Ingress rules to be applied to the selected pods. + A total of 100 rules will be allowed in each ANP instance. + The relative precedence of ingress rules within a single ANP object (all of + which share the priority) will be determined by the order in which the rule + is written. Thus, a rule that appears at the top of the ingress rules + would take the highest precedence. + ANPs with no ingress rules do not affect ingress traffic. + + + Support: Core + items: + description: |- + AdminNetworkPolicyIngressRule describes an action to take on a particular + set of traffic destined for pods selected by an AdminNetworkPolicy's + Subject field. + properties: + action: + description: |- + Action specifies the effect this rule will have on matching traffic. + Currently the following actions are supported: + Allow: allows the selected traffic (even if it would otherwise have been denied by NetworkPolicy) + Deny: denies the selected traffic + Pass: instructs the selected traffic to skip any remaining ANP rules, and + then pass execution to any NetworkPolicies that select the pod. + If the pod is not selected by any NetworkPolicies then execution + is passed to any BaselineAdminNetworkPolicies that select the pod. + + + Support: Core + enum: + - Allow + - Deny + - Pass + type: string + from: + description: |- + From is the list of sources whose traffic this rule applies to. + If any AdminNetworkPolicyIngressPeer matches the source of incoming + traffic then the specified action is applied. + This field must be defined and contain at least one item. - Support: Core - properties: - namespaceSelector: - description: |- - NamespaceSelector follows standard label selector semantics; if empty, - it selects all Namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string + Support: Core + items: + description: |- + AdminNetworkPolicyIngressPeer defines an in-cluster peer to allow traffic from. + Exactly one of the selector pointers must be set for a given peer. If a + consumer observes none of its fields are set, they must assume an unknown + option has been specified and fail closed. + maxProperties: 1 + minProperties: 1 + properties: + namespaces: + description: |- + Namespaces defines a way to select all pods within a set of Namespaces. + Note that host-networked pods are not included in this type of peer. + + + Support: Core + properties: + matchExpressions: + description: + matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - podSelector: - description: |- - PodSelector is used to explicitly select pods within a namespace; if empty, - it selects all Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: + type: array + required: - key - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. type: object - type: object - x-kubernetes-map-type: atomic - required: - - namespaceSelector - - podSelector - type: object - type: object - maxItems: 100 - minItems: 1 - type: array - required: - - action - - to - type: object - x-kubernetes-validations: - - message: networks/nodes peer cannot be set with namedPorts since - there are no namedPorts for networks/nodes - rule: '!(self.to.exists(peer, has(peer.networks) || has(peer.nodes)) - && has(self.ports) && self.ports.exists(port, has(port.namedPort)))' - maxItems: 100 - type: array - ingress: - description: |- - Ingress is the list of Ingress rules to be applied to the selected pods. - A total of 100 rules will be allowed in each ANP instance. - The relative precedence of ingress rules within a single ANP object (all of - which share the priority) will be determined by the order in which the rule - is written. Thus, a rule that appears at the top of the ingress rules - would take the highest precedence. - ANPs with no ingress rules do not affect ingress traffic. - - - Support: Core - items: - description: |- - AdminNetworkPolicyIngressRule describes an action to take on a particular - set of traffic destined for pods selected by an AdminNetworkPolicy's - Subject field. - properties: - action: - description: |- - Action specifies the effect this rule will have on matching traffic. - Currently the following actions are supported: - Allow: allows the selected traffic (even if it would otherwise have been denied by NetworkPolicy) - Deny: denies the selected traffic - Pass: instructs the selected traffic to skip any remaining ANP rules, and - then pass execution to any NetworkPolicies that select the pod. - If the pod is not selected by any NetworkPolicies then execution - is passed to any BaselineAdminNetworkPolicies that select the pod. - - - Support: Core - enum: - - Allow - - Deny - - Pass - type: string - from: - description: |- - From is the list of sources whose traffic this rule applies to. - If any AdminNetworkPolicyIngressPeer matches the source of incoming - traffic then the specified action is applied. - This field must be defined and contain at least one item. - - - Support: Core - items: - description: |- - AdminNetworkPolicyIngressPeer defines an in-cluster peer to allow traffic from. - Exactly one of the selector pointers must be set for a given peer. If a - consumer observes none of its fields are set, they must assume an unknown - option has been specified and fail closed. - maxProperties: 1 - minProperties: 1 - properties: - namespaces: - description: |- - Namespaces defines a way to select all pods within a set of Namespaces. - Note that host-networked pods are not included in this type of peer. + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + pods: + description: |- + Pods defines a way to select a set of pods in + a set of namespaces. Note that host-networked pods + are not included in this type of peer. - Support: Core - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: + Support: Core + properties: + namespaceSelector: description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. + NamespaceSelector follows standard label selector semantics; if empty, + it selects all Namespaces. properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. + matchExpressions: + description: + matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - type: string + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - pods: - description: |- - Pods defines a way to select a set of pods in - a set of namespaces. Note that host-networked pods - are not included in this type of peer. - - - Support: Core - properties: - namespaceSelector: - description: |- - NamespaceSelector follows standard label selector semantics; if empty, - it selects all Namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: + matchLabels: + additionalProperties: + type: string description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - podSelector: - description: |- - PodSelector is used to explicitly select pods within a namespace; if empty, - it selects all Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: + type: object + x-kubernetes-map-type: atomic + podSelector: + description: |- + PodSelector is used to explicitly select pods within a namespace; if empty, + it selects all Pods. + properties: + matchExpressions: + description: + matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the + selector applies to. type: string - type: array - required: - - key - - operator + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - required: - - namespaceSelector - - podSelector - type: object - type: object - maxItems: 100 - minItems: 1 - type: array - name: - description: |- - Name is an identifier for this rule, that may be no more than 100 characters - in length. This field should be used by the implementation to help - improve observability, readability and error-reporting for any applied - AdminNetworkPolicies. - - - Support: Core - maxLength: 100 - type: string - ports: - description: |- - Ports allows for matching traffic based on port and protocols. - This field is a list of ports which should be matched on - the pods selected for this policy i.e the subject of the policy. - So it matches on the destination port for the ingress traffic. - If Ports is not set then the rule does not filter traffic via port. - - - Support: Core - items: + type: object + x-kubernetes-map-type: atomic + required: + - namespaceSelector + - podSelector + type: object + type: object + maxItems: 100 + minItems: 1 + type: array + name: description: |- - AdminNetworkPolicyPort describes how to select network ports on pod(s). - Exactly one field must be set. - maxProperties: 1 - minProperties: 1 - properties: - namedPort: - description: |- - NamedPort selects a port on a pod(s) based on name. + Name is an identifier for this rule, that may be no more than 100 characters + in length. This field should be used by the implementation to help + improve observability, readability and error-reporting for any applied + AdminNetworkPolicies. - Support: Extended + Support: Core + maxLength: 100 + type: string + ports: + description: |- + Ports allows for matching traffic based on port and protocols. + This field is a list of ports which should be matched on + the pods selected for this policy i.e the subject of the policy. + So it matches on the destination port for the ingress traffic. + If Ports is not set then the rule does not filter traffic via port. - - type: string - portNumber: - description: |- - Port selects a port on a pod(s) based on number. + Support: Core + items: + description: |- + AdminNetworkPolicyPort describes how to select network ports on pod(s). + Exactly one field must be set. + maxProperties: 1 + minProperties: 1 + properties: + namedPort: + description: |- + NamedPort selects a port on a pod(s) based on name. - Support: Core - properties: - port: - description: |- - Number defines a network port value. + Support: Extended - Support: Core - format: int32 - maximum: 65535 - minimum: 1 - type: integer - protocol: - default: TCP - description: |- - Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must - match. If not specified, this field defaults to TCP. + + type: string + portNumber: + description: |- + Port selects a port on a pod(s) based on number. - Support: Core - type: string - required: - - port - - protocol - type: object - portRange: - description: |- - PortRange selects a port range on a pod(s) based on provided start and end - values. + Support: Core + properties: + port: + description: |- + Number defines a network port value. - Support: Core - properties: - end: - description: |- - End defines a network port that is the end of a port range, the End value - must be greater than Start. + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + default: TCP + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. - Support: Core - format: int32 - maximum: 65535 - minimum: 1 - type: integer - protocol: - default: TCP - description: |- - Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must - match. If not specified, this field defaults to TCP. + Support: Core + type: string + required: + - port + - protocol + type: object + portRange: + description: |- + PortRange selects a port range on a pod(s) based on provided start and end + values. - Support: Core - type: string - start: - description: |- - Start defines a network port that is the start of a port range, the Start - value must be less than End. + Support: Core + properties: + end: + description: |- + End defines a network port that is the end of a port range, the End value + must be greater than Start. + + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + default: TCP + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. + + + Support: Core + type: string + start: + description: |- + Start defines a network port that is the start of a port range, the Start + value must be less than End. + + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - end + - start + type: object + type: object + maxItems: 100 + type: array + required: + - action + - from + type: object + maxItems: 100 + type: array + priority: + description: |- + Priority is a value from 0 to 1000. Rules with lower priority values have + higher precedence, and are checked before rules with higher priority values. + All AdminNetworkPolicy rules have higher precedence than NetworkPolicy or + BaselineAdminNetworkPolicy rules + The behavior is undefined if two ANP objects have same priority. + + + Support: Core + format: int32 + maximum: 1000 + minimum: 0 + type: integer + subject: + description: |- + Subject defines the pods to which this AdminNetworkPolicy applies. + Note that host-networked pods are not included in subject selection. - Support: Core - format: int32 - maximum: 65535 - minimum: 1 - type: integer + Support: Core + maxProperties: 1 + minProperties: 1 + properties: + namespaces: + description: Namespaces is used to select pods via namespace selectors. + properties: + matchExpressions: + description: + matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array required: - - end - - start + - key + - operator type: object - type: object - maxItems: 100 - type: array - required: - - action - - from - type: object - maxItems: 100 - type: array - priority: - description: |- - Priority is a value from 0 to 1000. Rules with lower priority values have - higher precedence, and are checked before rules with higher priority values. - All AdminNetworkPolicy rules have higher precedence than NetworkPolicy or - BaselineAdminNetworkPolicy rules - The behavior is undefined if two ANP objects have same priority. - - - Support: Core - format: int32 - maximum: 1000 - minimum: 0 - type: integer - subject: - description: |- - Subject defines the pods to which this AdminNetworkPolicy applies. - Note that host-networked pods are not included in subject selection. - - - Support: Core - maxProperties: 1 - minProperties: 1 - properties: - namespaces: - description: Namespaces is used to select pods via namespace selectors. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: + type: array + matchLabels: + additionalProperties: + type: string description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + pods: + description: + Pods is used to select pods via namespace AND pod + selectors. + properties: + namespaceSelector: + description: |- + NamespaceSelector follows standard label selector semantics; if empty, + it selects all Namespaces. properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. + matchExpressions: + description: + matchExpressions is a list of label selector + requirements. The requirements are ANDed. items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + podSelector: + description: |- + PodSelector is used to explicitly select pods within a namespace; if empty, + it selects all Pods. + properties: + matchExpressions: + description: + matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object type: array - required: - - key - - operator + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - pods: - description: Pods is used to select pods via namespace AND pod - selectors. + x-kubernetes-map-type: atomic + required: + - namespaceSelector + - podSelector + type: object + type: object + required: + - priority + - subject + type: object + status: + description: Status is the status to be reported by the implementation. + properties: + conditions: + items: + description: + "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: - namespaceSelector: + lastTransitionTime: description: |- - NamespaceSelector follows standard label selector semantics; if empty, - it selects all Namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - podSelector: + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: description: |- - PodSelector is used to explicitly select pods within a namespace; if empty, - it selects all Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string required: - - namespaceSelector - - podSelector + - lastTransitionTime + - message + - reason + - status + - type type: object - type: object - required: - - priority - - subject - type: object - status: - description: Status is the status to be reported by the implementation. - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - required: - - conditions - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + required: + - conditions + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} status: acceptedNames: kind: "" diff --git a/pkg/crds/enterprise/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml b/pkg/crds/enterprise/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml index 587e27ac65..fddc29a85f 100644 --- a/pkg/crds/enterprise/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml +++ b/pkg/crds/enterprise/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml @@ -14,1041 +14,1067 @@ spec: listKind: BaselineAdminNetworkPolicyList plural: baselineadminnetworkpolicies shortNames: - - banp + - banp singular: baselineadminnetworkpolicy scope: Cluster versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - BaselineAdminNetworkPolicy is a cluster level resource that is part of the - AdminNetworkPolicy API. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired behavior of BaselineAdminNetworkPolicy. - properties: - egress: - description: |- - Egress is the list of Egress rules to be applied to the selected pods if - they are not matched by any AdminNetworkPolicy or NetworkPolicy rules. - A total of 100 Egress rules will be allowed in each BANP instance. - The relative precedence of egress rules within a single BANP object - will be determined by the order in which the rule is written. - Thus, a rule that appears at the top of the egress rules - would take the highest precedence. - BANPs with no egress rules do not affect egress traffic. - - - Support: Core - items: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + BaselineAdminNetworkPolicy is a cluster level resource that is part of the + AdminNetworkPolicy API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Specification of the desired behavior of BaselineAdminNetworkPolicy. + properties: + egress: description: |- - BaselineAdminNetworkPolicyEgressRule describes an action to take on a particular - set of traffic originating from pods selected by a BaselineAdminNetworkPolicy's - Subject field. - - properties: - action: - description: |- - Action specifies the effect this rule will have on matching traffic. - Currently the following actions are supported: - Allow: allows the selected traffic - Deny: denies the selected traffic - - - Support: Core - enum: - - Allow - - Deny - type: string - name: - description: |- - Name is an identifier for this rule, that may be no more than 100 characters - in length. This field should be used by the implementation to help - improve observability, readability and error-reporting for any applied - BaselineAdminNetworkPolicies. - - - Support: Core - maxLength: 100 - type: string - ports: - description: |- - Ports allows for matching traffic based on port and protocols. - This field is a list of destination ports for the outgoing egress traffic. - If Ports is not set then the rule does not filter traffic via port. - items: + Egress is the list of Egress rules to be applied to the selected pods if + they are not matched by any AdminNetworkPolicy or NetworkPolicy rules. + A total of 100 Egress rules will be allowed in each BANP instance. + The relative precedence of egress rules within a single BANP object + will be determined by the order in which the rule is written. + Thus, a rule that appears at the top of the egress rules + would take the highest precedence. + BANPs with no egress rules do not affect egress traffic. + + + Support: Core + items: + description: |- + BaselineAdminNetworkPolicyEgressRule describes an action to take on a particular + set of traffic originating from pods selected by a BaselineAdminNetworkPolicy's + Subject field. + + properties: + action: description: |- - AdminNetworkPolicyPort describes how to select network ports on pod(s). - Exactly one field must be set. - maxProperties: 1 - minProperties: 1 - properties: - namedPort: - description: |- - NamedPort selects a port on a pod(s) based on name. + Action specifies the effect this rule will have on matching traffic. + Currently the following actions are supported: + Allow: allows the selected traffic + Deny: denies the selected traffic + + + Support: Core + enum: + - Allow + - Deny + type: string + name: + description: |- + Name is an identifier for this rule, that may be no more than 100 characters + in length. This field should be used by the implementation to help + improve observability, readability and error-reporting for any applied + BaselineAdminNetworkPolicies. - Support: Extended + Support: Core + maxLength: 100 + type: string + ports: + description: |- + Ports allows for matching traffic based on port and protocols. + This field is a list of destination ports for the outgoing egress traffic. + If Ports is not set then the rule does not filter traffic via port. + items: + description: |- + AdminNetworkPolicyPort describes how to select network ports on pod(s). + Exactly one field must be set. + maxProperties: 1 + minProperties: 1 + properties: + namedPort: + description: |- + NamedPort selects a port on a pod(s) based on name. - - type: string - portNumber: - description: |- - Port selects a port on a pod(s) based on number. + Support: Extended - Support: Core - properties: - port: - description: |- - Number defines a network port value. + + type: string + portNumber: + description: |- + Port selects a port on a pod(s) based on number. - Support: Core - format: int32 - maximum: 65535 - minimum: 1 - type: integer - protocol: - default: TCP - description: |- - Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must - match. If not specified, this field defaults to TCP. + Support: Core + properties: + port: + description: |- + Number defines a network port value. - Support: Core - type: string - required: - - port - - protocol - type: object - portRange: - description: |- - PortRange selects a port range on a pod(s) based on provided start and end - values. + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + default: TCP + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. - Support: Core - properties: - end: - description: |- - End defines a network port that is the end of a port range, the End value - must be greater than Start. + Support: Core + type: string + required: + - port + - protocol + type: object + portRange: + description: |- + PortRange selects a port range on a pod(s) based on provided start and end + values. - Support: Core - format: int32 - maximum: 65535 - minimum: 1 - type: integer - protocol: - default: TCP - description: |- - Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must - match. If not specified, this field defaults to TCP. + Support: Core + properties: + end: + description: |- + End defines a network port that is the end of a port range, the End value + must be greater than Start. - Support: Core - type: string - start: - description: |- - Start defines a network port that is the start of a port range, the Start - value must be less than End. + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + default: TCP + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. - Support: Core - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - end - - start - type: object - type: object - maxItems: 100 - type: array - to: - description: |- - To is the list of destinations whose traffic this rule applies to. - If any AdminNetworkPolicyEgressPeer matches the destination of outgoing - traffic then the specified action is applied. - This field must be defined and contain at least one item. - - - Support: Core - items: + Support: Core + type: string + start: + description: |- + Start defines a network port that is the start of a port range, the Start + value must be less than End. + + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - end + - start + type: object + type: object + maxItems: 100 + type: array + to: description: |- - AdminNetworkPolicyEgressPeer defines a peer to allow traffic to. - Exactly one of the selector pointers must be set for a given peer. If a - consumer observes none of its fields are set, they must assume an unknown - option has been specified and fail closed. - maxProperties: 1 - minProperties: 1 - properties: - namespaces: - description: |- - Namespaces defines a way to select all pods within a set of Namespaces. - Note that host-networked pods are not included in this type of peer. + To is the list of destinations whose traffic this rule applies to. + If any AdminNetworkPolicyEgressPeer matches the destination of outgoing + traffic then the specified action is applied. + This field must be defined and contain at least one item. - Support: Core - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: + Support: Core + items: + description: |- + AdminNetworkPolicyEgressPeer defines a peer to allow traffic to. + Exactly one of the selector pointers must be set for a given peer. If a + consumer observes none of its fields are set, they must assume an unknown + option has been specified and fail closed. + maxProperties: 1 + minProperties: 1 + properties: + namespaces: + description: |- + Namespaces defines a way to select all pods within a set of Namespaces. + Note that host-networked pods are not included in this type of peer. + + + Support: Core + properties: + matchExpressions: + description: + matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the selector + applies to. type: string - type: array - required: - - key - - operator + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - networks: - description: |- - Networks defines a way to select peers via CIDR blocks. - This is intended for representing entities that live outside the cluster, - which can't be selected by pods, namespaces and nodes peers, but note - that cluster-internal traffic will be checked against the rule as - well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow - or deny all IPv4 pod-to-pod traffic as well. If you don't want that, - add a rule that Passes all pod traffic before the Networks rule. + type: object + x-kubernetes-map-type: atomic + networks: + description: |- + Networks defines a way to select peers via CIDR blocks. + This is intended for representing entities that live outside the cluster, + which can't be selected by pods, namespaces and nodes peers, but note + that cluster-internal traffic will be checked against the rule as + well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow + or deny all IPv4 pod-to-pod traffic as well. If you don't want that, + add a rule that Passes all pod traffic before the Networks rule. - Each item in Networks should be provided in the CIDR format and should be - IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8". + Each item in Networks should be provided in the CIDR format and should be + IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8". - Networks can have upto 25 CIDRs specified. + Networks can have upto 25 CIDRs specified. - Support: Extended + Support: Extended - - items: + + items: + description: |- + CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8"). + This string must be validated by implementations using net.ParseCIDR + TODO: Introduce CEL CIDR validation regex isCIDR() in Kube 1.31 when it is available. + maxLength: 43 + type: string + x-kubernetes-validations: + - message: + CIDR must be either an IPv4 or IPv6 address. + IPv4 address embedded in IPv6 addresses are not + supported + rule: self.contains(':') != self.contains('.') + maxItems: 25 + minItems: 1 + type: array + x-kubernetes-list-type: set + nodes: description: |- - CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8"). - This string must be validated by implementations using net.ParseCIDR - TODO: Introduce CEL CIDR validation regex isCIDR() in Kube 1.31 when it is available. - maxLength: 43 - type: string - x-kubernetes-validations: - - message: CIDR must be either an IPv4 or IPv6 address. - IPv4 address embedded in IPv6 addresses are not - supported - rule: self.contains(':') != self.contains('.') - maxItems: 25 - minItems: 1 - type: array - x-kubernetes-list-type: set - nodes: - description: |- - Nodes defines a way to select a set of nodes in - the cluster. This field follows standard label selector - semantics; if present but empty, it selects all Nodes. + Nodes defines a way to select a set of nodes in + the cluster. This field follows standard label selector + semantics; if present but empty, it selects all Nodes. - Support: Extended + Support: Extended - - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: + + properties: + matchExpressions: + description: + matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + pods: + description: |- + Pods defines a way to select a set of pods in + a set of namespaces. Note that host-networked pods + are not included in this type of peer. + + + Support: Core + properties: + namespaceSelector: + description: |- + NamespaceSelector follows standard label selector semantics; if empty, + it selects all Namespaces. properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. + matchExpressions: + description: + matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + podSelector: + description: |- + PodSelector is used to explicitly select pods within a namespace; if empty, + it selects all Pods. + properties: + matchExpressions: + description: + matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object type: array - required: - - key - - operator + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - pods: - description: |- - Pods defines a way to select a set of pods in - a set of namespaces. Note that host-networked pods - are not included in this type of peer. + x-kubernetes-map-type: atomic + required: + - namespaceSelector + - podSelector + type: object + type: object + maxItems: 100 + minItems: 1 + type: array + required: + - action + - to + type: object + x-kubernetes-validations: + - message: + networks/nodes peer cannot be set with namedPorts since + there are no namedPorts for networks/nodes + rule: + "!(self.to.exists(peer, has(peer.networks) || has(peer.nodes)) + && has(self.ports) && self.ports.exists(port, has(port.namedPort)))" + maxItems: 100 + type: array + ingress: + description: |- + Ingress is the list of Ingress rules to be applied to the selected pods + if they are not matched by any AdminNetworkPolicy or NetworkPolicy rules. + A total of 100 Ingress rules will be allowed in each BANP instance. + The relative precedence of ingress rules within a single BANP object + will be determined by the order in which the rule is written. + Thus, a rule that appears at the top of the ingress rules + would take the highest precedence. + BANPs with no ingress rules do not affect ingress traffic. + + + Support: Core + items: + description: |- + BaselineAdminNetworkPolicyIngressRule describes an action to take on a particular + set of traffic destined for pods selected by a BaselineAdminNetworkPolicy's + Subject field. + properties: + action: + description: |- + Action specifies the effect this rule will have on matching traffic. + Currently the following actions are supported: + Allow: allows the selected traffic + Deny: denies the selected traffic + + + Support: Core + enum: + - Allow + - Deny + type: string + from: + description: |- + From is the list of sources whose traffic this rule applies to. + If any AdminNetworkPolicyIngressPeer matches the source of incoming + traffic then the specified action is applied. + This field must be defined and contain at least one item. - Support: Core - properties: - namespaceSelector: - description: |- - NamespaceSelector follows standard label selector semantics; if empty, - it selects all Namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string + Support: Core + items: + description: |- + AdminNetworkPolicyIngressPeer defines an in-cluster peer to allow traffic from. + Exactly one of the selector pointers must be set for a given peer. If a + consumer observes none of its fields are set, they must assume an unknown + option has been specified and fail closed. + maxProperties: 1 + minProperties: 1 + properties: + namespaces: + description: |- + Namespaces defines a way to select all pods within a set of Namespaces. + Note that host-networked pods are not included in this type of peer. + + + Support: Core + properties: + matchExpressions: + description: + matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - podSelector: - description: |- - PodSelector is used to explicitly select pods within a namespace; if empty, - it selects all Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: + type: array + required: - key - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. type: object - type: object - x-kubernetes-map-type: atomic - required: - - namespaceSelector - - podSelector - type: object - type: object - maxItems: 100 - minItems: 1 - type: array - required: - - action - - to - type: object - x-kubernetes-validations: - - message: networks/nodes peer cannot be set with namedPorts since - there are no namedPorts for networks/nodes - rule: '!(self.to.exists(peer, has(peer.networks) || has(peer.nodes)) - && has(self.ports) && self.ports.exists(port, has(port.namedPort)))' - maxItems: 100 - type: array - ingress: - description: |- - Ingress is the list of Ingress rules to be applied to the selected pods - if they are not matched by any AdminNetworkPolicy or NetworkPolicy rules. - A total of 100 Ingress rules will be allowed in each BANP instance. - The relative precedence of ingress rules within a single BANP object - will be determined by the order in which the rule is written. - Thus, a rule that appears at the top of the ingress rules - would take the highest precedence. - BANPs with no ingress rules do not affect ingress traffic. - - - Support: Core - items: - description: |- - BaselineAdminNetworkPolicyIngressRule describes an action to take on a particular - set of traffic destined for pods selected by a BaselineAdminNetworkPolicy's - Subject field. - properties: - action: - description: |- - Action specifies the effect this rule will have on matching traffic. - Currently the following actions are supported: - Allow: allows the selected traffic - Deny: denies the selected traffic - - - Support: Core - enum: - - Allow - - Deny - type: string - from: - description: |- - From is the list of sources whose traffic this rule applies to. - If any AdminNetworkPolicyIngressPeer matches the source of incoming - traffic then the specified action is applied. - This field must be defined and contain at least one item. - - - Support: Core - items: - description: |- - AdminNetworkPolicyIngressPeer defines an in-cluster peer to allow traffic from. - Exactly one of the selector pointers must be set for a given peer. If a - consumer observes none of its fields are set, they must assume an unknown - option has been specified and fail closed. - maxProperties: 1 - minProperties: 1 - properties: - namespaces: - description: |- - Namespaces defines a way to select all pods within a set of Namespaces. - Note that host-networked pods are not included in this type of peer. + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + pods: + description: |- + Pods defines a way to select a set of pods in + a set of namespaces. Note that host-networked pods + are not included in this type of peer. - Support: Core - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: + Support: Core + properties: + namespaceSelector: description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. + NamespaceSelector follows standard label selector semantics; if empty, + it selects all Namespaces. properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. + matchExpressions: + description: + matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - type: string + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - pods: - description: |- - Pods defines a way to select a set of pods in - a set of namespaces. Note that host-networked pods - are not included in this type of peer. - - - Support: Core - properties: - namespaceSelector: - description: |- - NamespaceSelector follows standard label selector semantics; if empty, - it selects all Namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: + matchLabels: + additionalProperties: + type: string description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - podSelector: - description: |- - PodSelector is used to explicitly select pods within a namespace; if empty, - it selects all Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: + type: object + x-kubernetes-map-type: atomic + podSelector: + description: |- + PodSelector is used to explicitly select pods within a namespace; if empty, + it selects all Pods. + properties: + matchExpressions: + description: + matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the + selector applies to. type: string - type: array - required: - - key - - operator + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - required: - - namespaceSelector - - podSelector - type: object - type: object - maxItems: 100 - minItems: 1 - type: array - name: - description: |- - Name is an identifier for this rule, that may be no more than 100 characters - in length. This field should be used by the implementation to help - improve observability, readability and error-reporting for any applied - BaselineAdminNetworkPolicies. - - - Support: Core - maxLength: 100 - type: string - ports: - description: |- - Ports allows for matching traffic based on port and protocols. - This field is a list of ports which should be matched on - the pods selected for this policy i.e the subject of the policy. - So it matches on the destination port for the ingress traffic. - If Ports is not set then the rule does not filter traffic via port. - - - Support: Core - items: + type: object + x-kubernetes-map-type: atomic + required: + - namespaceSelector + - podSelector + type: object + type: object + maxItems: 100 + minItems: 1 + type: array + name: description: |- - AdminNetworkPolicyPort describes how to select network ports on pod(s). - Exactly one field must be set. - maxProperties: 1 - minProperties: 1 - properties: - namedPort: - description: |- - NamedPort selects a port on a pod(s) based on name. + Name is an identifier for this rule, that may be no more than 100 characters + in length. This field should be used by the implementation to help + improve observability, readability and error-reporting for any applied + BaselineAdminNetworkPolicies. - Support: Extended + Support: Core + maxLength: 100 + type: string + ports: + description: |- + Ports allows for matching traffic based on port and protocols. + This field is a list of ports which should be matched on + the pods selected for this policy i.e the subject of the policy. + So it matches on the destination port for the ingress traffic. + If Ports is not set then the rule does not filter traffic via port. - - type: string - portNumber: - description: |- - Port selects a port on a pod(s) based on number. + Support: Core + items: + description: |- + AdminNetworkPolicyPort describes how to select network ports on pod(s). + Exactly one field must be set. + maxProperties: 1 + minProperties: 1 + properties: + namedPort: + description: |- + NamedPort selects a port on a pod(s) based on name. - Support: Core - properties: - port: - description: |- - Number defines a network port value. + Support: Extended - Support: Core - format: int32 - maximum: 65535 - minimum: 1 - type: integer - protocol: - default: TCP - description: |- - Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must - match. If not specified, this field defaults to TCP. + + type: string + portNumber: + description: |- + Port selects a port on a pod(s) based on number. - Support: Core - type: string - required: - - port - - protocol - type: object - portRange: - description: |- - PortRange selects a port range on a pod(s) based on provided start and end - values. + Support: Core + properties: + port: + description: |- + Number defines a network port value. - Support: Core - properties: - end: - description: |- - End defines a network port that is the end of a port range, the End value - must be greater than Start. + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + default: TCP + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. - Support: Core - format: int32 - maximum: 65535 - minimum: 1 - type: integer - protocol: - default: TCP - description: |- - Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must - match. If not specified, this field defaults to TCP. + Support: Core + type: string + required: + - port + - protocol + type: object + portRange: + description: |- + PortRange selects a port range on a pod(s) based on provided start and end + values. - Support: Core - type: string - start: - description: |- - Start defines a network port that is the start of a port range, the Start - value must be less than End. + Support: Core + properties: + end: + description: |- + End defines a network port that is the end of a port range, the End value + must be greater than Start. - Support: Core - format: int32 - maximum: 65535 - minimum: 1 - type: integer + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + default: TCP + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. + + + Support: Core + type: string + start: + description: |- + Start defines a network port that is the start of a port range, the Start + value must be less than End. + + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - end + - start + type: object + type: object + maxItems: 100 + type: array + required: + - action + - from + type: object + maxItems: 100 + type: array + subject: + description: |- + Subject defines the pods to which this BaselineAdminNetworkPolicy applies. + Note that host-networked pods are not included in subject selection. + + + Support: Core + maxProperties: 1 + minProperties: 1 + properties: + namespaces: + description: Namespaces is used to select pods via namespace selectors. + properties: + matchExpressions: + description: + matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array required: - - end - - start + - key + - operator type: object - type: object - maxItems: 100 - type: array - required: - - action - - from - type: object - maxItems: 100 - type: array - subject: - description: |- - Subject defines the pods to which this BaselineAdminNetworkPolicy applies. - Note that host-networked pods are not included in subject selection. - - - Support: Core - maxProperties: 1 - minProperties: 1 - properties: - namespaces: - description: Namespaces is used to select pods via namespace selectors. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: + type: array + matchLabels: + additionalProperties: + type: string description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + pods: + description: + Pods is used to select pods via namespace AND pod + selectors. + properties: + namespaceSelector: + description: |- + NamespaceSelector follows standard label selector semantics; if empty, + it selects all Namespaces. properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. + matchExpressions: + description: + matchExpressions is a list of label selector + requirements. The requirements are ANDed. items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + podSelector: + description: |- + PodSelector is used to explicitly select pods within a namespace; if empty, + it selects all Pods. + properties: + matchExpressions: + description: + matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object type: array - required: - - key - - operator + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - pods: - description: Pods is used to select pods via namespace AND pod - selectors. + x-kubernetes-map-type: atomic + required: + - namespaceSelector + - podSelector + type: object + type: object + required: + - subject + type: object + status: + description: Status is the status to be reported by the implementation. + properties: + conditions: + items: + description: + "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: - namespaceSelector: + lastTransitionTime: description: |- - NamespaceSelector follows standard label selector semantics; if empty, - it selects all Namespaces. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - podSelector: + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: description: |- - PodSelector is used to explicitly select pods within a namespace; if empty, - it selects all Pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string required: - - namespaceSelector - - podSelector + - lastTransitionTime + - message + - reason + - status + - type type: object - type: object - required: - - subject - type: object - status: - description: Status is the status to be reported by the implementation. - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - required: - - conditions - type: object - required: - - metadata - - spec - type: object - x-kubernetes-validations: - - message: Only one baseline admin network policy with metadata.name="default" - can be created in the cluster - rule: self.metadata.name == 'default' - served: true - storage: true - subresources: - status: {} + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + required: + - conditions + type: object + required: + - metadata + - spec + type: object + x-kubernetes-validations: + - message: + Only one baseline admin network policy with metadata.name="default" + can be created in the cluster + rule: self.metadata.name == 'default' + served: true + storage: true + subresources: + status: {} status: acceptedNames: kind: "" diff --git a/pkg/crds/enterprise/usage.tigera.io_licenseusagereports.yaml b/pkg/crds/enterprise/usage.tigera.io_licenseusagereports.yaml index ce4e8de986..8438b1721e 100644 --- a/pkg/crds/enterprise/usage.tigera.io_licenseusagereports.yaml +++ b/pkg/crds/enterprise/usage.tigera.io_licenseusagereports.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.5 + controller-gen.kubebuilder.io/version: v0.18.0 name: licenseusagereports.usage.tigera.io spec: group: usage.tigera.io @@ -14,40 +14,29 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - properties: - hmac: - type: string - reportData: - description: |- - The base64-encoded JSON data for this report. The data represents an interval of time when license usage was - monitored in the cluster, along with data that binds the report to its cluster context. - type: string - required: - - hmac - - reportData - type: object - type: object - served: true - storage: true + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + hmac: + type: string + reportData: + type: string + required: + - hmac + - reportData + type: object + required: + - metadata + - spec + type: object + served: true + storage: true diff --git a/pkg/render/common/components/components.go b/pkg/render/common/components/components.go index d66fb13f00..491b635d83 100644 --- a/pkg/render/common/components/components.go +++ b/pkg/render/common/components/components.go @@ -1,4 +1,4 @@ -// Copyright (c) 2022-2024 Tigera, Inc. All rights reserved. +// Copyright (c) 2022-2026 Tigera, Inc. All rights reserved. // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -108,15 +108,54 @@ func GetContainers(overrides any) []corev1.Container { return valueToContainers(value) } -func valueToContainers(value reflect.Value) []corev1.Container { - cs := make([]corev1.Container, 0, value.Len()) +// GetContainerOverrides returns the full container overrides including probe timing. +func GetContainerOverrides(overrides any) []containerOverride { + value := getField(overrides, "Spec", "Template", "Spec", "Containers") + if !value.IsValid() || value.IsNil() { + return nil + } + return valueToContainerOverrides(value) +} + +// containerOverride holds override values extracted from a container override struct. +type containerOverride struct { + Name string + Resources *corev1.ResourceRequirements + ReadinessProbe *operator.ProbeOverride + LivenessProbe *operator.ProbeOverride +} + +func valueToContainerOverrides(value reflect.Value) []containerOverride { + cs := make([]containerOverride, 0, value.Len()) for _, v := range value.Seq2() { name := v.FieldByName("Name") - resources := v.FieldByName("Resources") - if !resources.IsNil() { + co := containerOverride{Name: name.String()} + + if resources := v.FieldByName("Resources"); resources.IsValid() && !resources.IsNil() { + co.Resources = resources.Interface().(*corev1.ResourceRequirements) + } + if rp := v.FieldByName("ReadinessProbe"); rp.IsValid() && !rp.IsNil() { + co.ReadinessProbe = rp.Interface().(*operator.ProbeOverride) + } + if lp := v.FieldByName("LivenessProbe"); lp.IsValid() && !lp.IsNil() { + co.LivenessProbe = lp.Interface().(*operator.ProbeOverride) + } + + if co.Resources != nil || co.ReadinessProbe != nil || co.LivenessProbe != nil { + cs = append(cs, co) + } + } + return cs +} + +// valueToContainers converts override structs to corev1.Container for backward compat. +func valueToContainers(value reflect.Value) []corev1.Container { + cs := make([]corev1.Container, 0, value.Len()) + for _, co := range valueToContainerOverrides(value) { + if co.Resources != nil { cs = append(cs, corev1.Container{ - Name: name.String(), - Resources: *(resources.Interface().(*corev1.ResourceRequirements)), + Name: co.Name, + Resources: *co.Resources, }) } } @@ -262,11 +301,10 @@ func applyReplicatedPodResourceOverrides(r *replicatedPodResource, overrides any } // If `overrides` has a Spec.Template.Spec.Containers field, and it includes containers with - // the same name as those in `r.podTemplateSpec.Spec.InitContainers`, and with non-nil - // `Resources`, those resources replace those for the corresponding container in - // `r.podTemplateSpec.Spec.Containers`. - if containers := GetContainers(overrides); containers != nil { - mergeContainers(r.podTemplateSpec.Spec.Containers, containers) + // the same name as those in `r.podTemplateSpec.Spec.Containers`, resources and probe timing + // overrides are applied to the corresponding container. + if cos := GetContainerOverrides(overrides); cos != nil { + mergeContainerOverrides(r.podTemplateSpec.Spec.Containers, cos) } // If `overrides` has a Spec.Template.Spec.Affinity field, and it's non-nil, it sets @@ -481,7 +519,8 @@ func ApplyPrometheusOverrides(prom *monitoringv1.Prometheus, overrides *operator } // mergeContainers copies the ResourceRequirements from the provided containers -// to the current corev1.Containers. +// to the current corev1.Containers. Used for init containers which only support +// resource overrides. func mergeContainers(current []corev1.Container, provided []corev1.Container) { providedMap := make(map[string]corev1.Container) for _, c := range provided { @@ -497,6 +536,47 @@ func mergeContainers(current []corev1.Container, provided []corev1.Container) { } } +// mergeContainerOverrides applies resource and probe timing overrides from the +// Installation API to the rendered containers. This is the main container +// override path — init containers use mergeContainers instead. +func mergeContainerOverrides(current []corev1.Container, overrides []containerOverride) { + overrideMap := make(map[string]containerOverride) + for _, co := range overrides { + overrideMap[co.Name] = co + } + + for i, c := range current { + co, ok := overrideMap[c.Name] + if !ok { + continue + } + if co.Resources != nil { + current[i].Resources = *co.Resources + } + if co.ReadinessProbe != nil && current[i].ReadinessProbe != nil { + applyProbeOverride(current[i].ReadinessProbe, co.ReadinessProbe) + } + if co.LivenessProbe != nil && current[i].LivenessProbe != nil { + applyProbeOverride(current[i].LivenessProbe, co.LivenessProbe) + } + } +} + +func applyProbeOverride(probe *corev1.Probe, override *operator.ProbeOverride) { + if override.PeriodSeconds != nil { + probe.PeriodSeconds = *override.PeriodSeconds + } + if override.TimeoutSeconds != nil { + probe.TimeoutSeconds = *override.TimeoutSeconds + } + if override.FailureThreshold != nil { + probe.FailureThreshold = *override.FailureThreshold + } + if override.InitialDelaySeconds != nil { + probe.InitialDelaySeconds = *override.InitialDelaySeconds + } +} + // ClusterRoleBinding returns a cluster role binding with the given name, that binds the given cluster role // to the service account in each of the provided namespaces. func ClusterRoleBinding(name, clusterRole, sa string, namespaces []string) *rbacv1.ClusterRoleBinding { diff --git a/pkg/render/common/components/components_test.go b/pkg/render/common/components/components_test.go index 2695c231e1..0879ece7cb 100644 --- a/pkg/render/common/components/components_test.go +++ b/pkg/render/common/components/components_test.go @@ -1,4 +1,4 @@ -// Copyright (c) 2022-2024 Tigera, Inc. All rights reserved. +// Copyright (c) 2022-2026 Tigera, Inc. All rights reserved. // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -575,6 +575,40 @@ var _ = Describe("Common components render tests", func() { Expect(result.Spec.Template.Spec.Containers).To(ContainElements(expected.Spec.Template.Spec.Containers)) Expect(result).To(Equal(expected)) }), + Entry("container probe overrides", + defaultedDaemonSet, + func() *v1.CalicoNodeDaemonSet { + period := int32(10) + timeout := int32(2) + return &v1.CalicoNodeDaemonSet{ + Spec: &v1.CalicoNodeDaemonSetSpec{ + Template: &v1.CalicoNodeDaemonSetPodTemplateSpec{ + Spec: &v1.CalicoNodeDaemonSetPodSpec{ + Containers: []v1.CalicoNodeDaemonSetContainer{ + { + Name: "not-zero1", + ReadinessProbe: &v1.ProbeOverride{ + PeriodSeconds: &period, + TimeoutSeconds: &timeout, + }, + LivenessProbe: &v1.ProbeOverride{ + PeriodSeconds: &period, + }, + }, + }, + }, + }, + }, + } + }, + func(result appsv1.DaemonSet) { + expected := defaultedDaemonSet() + Expect(expected.Spec.Template.Spec.Containers).To(HaveLen(2)) + expected.Spec.Template.Spec.Containers[0].ReadinessProbe.PeriodSeconds = 10 + expected.Spec.Template.Spec.Containers[0].ReadinessProbe.TimeoutSeconds = 2 + expected.Spec.Template.Spec.Containers[0].LivenessProbe.PeriodSeconds = 10 + Expect(result).To(Equal(expected)) + }), Entry("empty containers", defaultedDaemonSet, func() *v1.CalicoNodeDaemonSet { diff --git a/pkg/render/common/probes/probes_test.go b/pkg/render/common/probes/probes_test.go new file mode 100644 index 0000000000..c1670d7618 --- /dev/null +++ b/pkg/render/common/probes/probes_test.go @@ -0,0 +1,107 @@ +// Copyright (c) 2026 Tigera, Inc. All rights reserved. + +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package probes + +import ( + "testing" + + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/util/intstr" + + operatorv1 "github.com/tigera/operator/api/v1" + "github.com/tigera/operator/pkg/ptr" +) + +func TestApplyOverride_NilOverride(t *testing.T) { + probe := &corev1.Probe{ + ProbeHandler: corev1.ProbeHandler{ + HTTPGet: &corev1.HTTPGetAction{Path: "/readiness", Port: intstr.FromInt(8080)}, + }, + PeriodSeconds: 30, + } + result := ApplyOverride(probe, nil) + if result.PeriodSeconds != 30 { + t.Errorf("expected PeriodSeconds=30, got %d", result.PeriodSeconds) + } +} + +func TestApplyOverride_NilProbe(t *testing.T) { + override := &operatorv1.ProbeOverride{PeriodSeconds: ptr.Int32ToPtr(10)} + result := ApplyOverride(nil, override) + if result != nil { + t.Error("expected nil probe to remain nil") + } +} + +func TestApplyOverride_AllFields(t *testing.T) { + probe := &corev1.Probe{ + ProbeHandler: corev1.ProbeHandler{ + HTTPGet: &corev1.HTTPGetAction{Path: "/readiness", Port: intstr.FromInt(8080)}, + }, + PeriodSeconds: 30, + TimeoutSeconds: 5, + FailureThreshold: 3, + InitialDelaySeconds: 0, + } + override := &operatorv1.ProbeOverride{ + PeriodSeconds: ptr.Int32ToPtr(10), + TimeoutSeconds: ptr.Int32ToPtr(2), + FailureThreshold: ptr.Int32ToPtr(5), + InitialDelaySeconds: ptr.Int32ToPtr(15), + } + result := ApplyOverride(probe, override) + + if result.PeriodSeconds != 10 { + t.Errorf("PeriodSeconds: expected 10, got %d", result.PeriodSeconds) + } + if result.TimeoutSeconds != 2 { + t.Errorf("TimeoutSeconds: expected 2, got %d", result.TimeoutSeconds) + } + if result.FailureThreshold != 5 { + t.Errorf("FailureThreshold: expected 5, got %d", result.FailureThreshold) + } + if result.InitialDelaySeconds != 15 { + t.Errorf("InitialDelaySeconds: expected 15, got %d", result.InitialDelaySeconds) + } + // Handler should be unchanged. + if result.HTTPGet == nil || result.HTTPGet.Path != "/readiness" { + t.Error("probe handler was modified") + } +} + +func TestApplyOverride_PartialFields(t *testing.T) { + probe := &corev1.Probe{ + ProbeHandler: corev1.ProbeHandler{ + Exec: &corev1.ExecAction{Command: []string{"calico", "health"}}, + }, + PeriodSeconds: 30, + TimeoutSeconds: 5, + FailureThreshold: 3, + } + override := &operatorv1.ProbeOverride{ + PeriodSeconds: ptr.Int32ToPtr(10), + } + result := ApplyOverride(probe, override) + + if result.PeriodSeconds != 10 { + t.Errorf("PeriodSeconds: expected 10, got %d", result.PeriodSeconds) + } + if result.TimeoutSeconds != 5 { + t.Errorf("TimeoutSeconds should be unchanged: expected 5, got %d", result.TimeoutSeconds) + } + if result.FailureThreshold != 3 { + t.Errorf("FailureThreshold should be unchanged: expected 3, got %d", result.FailureThreshold) + } +}