diff --git a/build-scripts/components/cni/version.sh b/build-scripts/components/cni/version.sh
index b50ffb4fc3..0fe7791eaf 100755
--- a/build-scripts/components/cni/version.sh
+++ b/build-scripts/components/cni/version.sh
@@ -1,4 +1,4 @@
 #!/bin/bash
 # Match https://github.com/kubernetes/kubernetes/blob/master/build/dependencies.yaml#L20
-echo "v1.6.0"
+echo "v1.6.2"
diff --git a/build-scripts/components/containerd/version.sh b/build-scripts/components/containerd/version.sh
index c8707a92fe..dda6d1bd34 100755
--- a/build-scripts/components/containerd/version.sh
+++ b/build-scripts/components/containerd/version.sh
@@ -1,3 +1,3 @@
 #!/bin/bash
-echo "v1.6.36"
+echo "v1.7.27"
diff --git a/build-scripts/components/helm/patches/default/0001-disable-warnings-for-kubeconfig-permissions.patch b/build-scripts/components/helm/patches/default/0001-disable-warnings-for-kubeconfig-permissions.patch
deleted file mode 100644
index 8726a62f7a..0000000000
--- a/build-scripts/components/helm/patches/default/0001-disable-warnings-for-kubeconfig-permissions.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From d08d2604a9f0f925b93b87d74ee0a2c26c785467 Mon Sep 17 00:00:00 2001
-From: Angelos Kolaitis
-Date: Thu, 14 Jul 2022 18:18:09 +0300
-Subject: [PATCH] disable warnings for kubeconfig permissions
-
----
- cmd/helm/root.go | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/cmd/helm/root.go b/cmd/helm/root.go
-index ef92fea9..512f823f 100644
---- a/cmd/helm/root.go
-+++ b/cmd/helm/root.go
-@@ -206,7 +206,7 @@ func newRootCmd(actionConfig *action.Configuration, out io.Writer, args []string
- loadPlugins(cmd, out)
-
- // Check permissions on critical files
-- checkPerms()
-+ // checkPerms()
-
- // Check for expired repositories
- checkForExpiredRepos(settings.RepositoryConfig)
---
-2.25.1
diff --git a/build-scripts/components/helm/version.sh b/build-scripts/components/helm/version.sh
index 8609bd8869..97818deaf7 100755
--- a/build-scripts/components/helm/version.sh
+++ b/build-scripts/components/helm/version.sh
@@ -1,3 +1,3 @@
 #!/bin/bash
-echo "v3.16.3"
+echo "v3.17.2"
diff --git a/build-scripts/components/runc/patches/default/0001-Disable-static-PIE-on-arm64.patch b/build-scripts/components/runc/patches/default/0001-Disable-static-PIE-on-arm64.patch
index 146c5d5fa3..dae435855a 100644
--- a/build-scripts/components/runc/patches/default/0001-Disable-static-PIE-on-arm64.patch
+++ b/build-scripts/components/runc/patches/default/0001-Disable-static-PIE-on-arm64.patch
@@ -1,6 +1,6 @@
-From bcf130f097781d162c0461105a12f4c9f412d3e8 Mon Sep 17 00:00:00 2001
-From: Angelos Kolaitis
-Date: Tue, 20 Feb 2024 12:32:27 +0200
+From 7b7171f0f5048225e0d914cbffd47295af1fbfc5 Mon Sep 17 00:00:00 2001
+From: Lucian Petrut
+Date: Fri, 28 Mar 2025 13:14:34 +0000
 Subject: [PATCH] Disable static PIE on arm64
 Ubuntu does not currently have the rcrt1.o file on arm64
@@ -9,10 +9,10 @@ Ubuntu does not currently have the rcrt1.o file on arm64
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/Makefile b/Makefile
-index e3af9bc1..b2b07720 100644
+index 0a15fd90..d7e6209a 100644
 --- a/Makefile
 +++ b/Makefile
-@@ -33,7 +33,7 @@ LDFLAGS_STATIC := -extldflags -static
+@@ -45,7 +45,7 @@ LDFLAGS_STATIC := -extldflags -static
 # Enable static PIE executables on supported platforms.
 # This (among the other things) requires libc support (rcrt1.o), which seems
 # to be available only for arm64 and amd64 (Debian Bullseye).
@@ -20,6 +20,7 @@ index e3af9bc1..b2b07720 100644
 +ifneq (,$(filter $(GOARCH),amd64))
 ifeq (,$(findstring -race,$(EXTRA_FLAGS)))
 GO_BUILDMODE_STATIC := -buildmode=pie
- LDFLAGS_STATIC := -linkmode external -extldflags --static-pie
---
-2.34.1
+ LDFLAGS_STATIC := -linkmode external -extldflags -static-pie
+--
+2.43.0
+
diff --git a/build-scripts/components/runc/version.sh b/build-scripts/components/runc/version.sh
index d2bc2f9256..8fe2ce6f62 100755
--- a/build-scripts/components/runc/version.sh
+++ b/build-scripts/components/runc/version.sh
@@ -1,3 +1,3 @@
 #!/bin/bash
-echo "v1.1.15"
+echo "v1.2.6"
diff --git a/build-scripts/images.txt b/build-scripts/images.txt
index ec97cc64d6..fe369b3f5c 100644
--- a/build-scripts/images.txt
+++ b/build-scripts/images.txt
@@ -1,6 +1,6 @@
-docker.io/calico/cni:v3.28.1
-docker.io/calico/kube-controllers:v3.28.1
-docker.io/calico/node:v3.28.1
+docker.io/calico/cni:v3.29.3
+docker.io/calico/kube-controllers:v3.29.3
+docker.io/calico/node:v3.29.3
 docker.io/cdkbot/hostpath-provisioner:1.5.0
 docker.io/coredns/coredns:1.12.0
 docker.io/library/busybox:1.28.4
diff --git a/tox.ini b/tox.ini
index b9e455c73e..5ea5b4bbf5 100644
--- a/tox.ini
+++ b/tox.ini
@@ -20,7 +20,7 @@ deps =
 [testenv:lint]
 commands =
  flake8 --max-line-length=120 --ignore=C901,N801,N802,N803,N806,N816,W503,E203
- codespell --ignore-words-list="aks,ccompiler" --quiet-level=2 --skip="*.patch,*.spec,.tox_env,.git,*.nsi"
+ codespell --ignore-words-list="aks,ccompiler,NotIn" --quiet-level=2 --skip="*.patch,*.spec,.tox_env,.git,*.nsi"
  black --diff --check --exclude "/(\.eggs|\.git|\.tox|\.venv|\.build|dist|charmhelpers|mod)/" .
 [testenv:scripts]
diff --git a/upgrade-scripts/000-switch-to-calico/resources/calico.yaml b/upgrade-scripts/000-switch-to-calico/resources/calico.yaml
index 0b75cce05e..2a4da7c921 100644
--- a/upgrade-scripts/000-switch-to-calico/resources/calico.yaml
+++ b/upgrade-scripts/000-switch-to-calico/resources/calico.yaml
@@ -194,8 +194,14 @@ spec: a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + default: "" + description: 'Name of the referent. This field is effectively + required, but due to backwards compatibility is allowed + to be empty. Instances of this type with an empty value + here are almost certainly wrong. TODO: Add other useful + fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn''t + need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.' type: string optional: description: Specify whether the Secret or its key must be @@ -331,6 +337,19 @@ spec: type: string matchOperator: type: string + prefixLength: + properties: + max: + format: int32 + maximum: 32 + minimum: 0 + type: integer + min: + format: int32 + maximum: 32 + minimum: 0 + type: integer + type: object source: type: string required: @@ -352,6 +371,19 @@ spec: type: string matchOperator: type: string + prefixLength: + properties: + max: + format: int32 + maximum: 128 + minimum: 0 + type: integer + min: + format: int32 + maximum: 128 + minimum: 0 + type: integer + type: object source: type: string required: @@ -373,6 +405,19 @@ spec: type: string matchOperator: type: string + prefixLength: + properties: + max: + format: int32 + maximum: 32 + minimum: 0 + type: integer + min: + format: int32 + maximum: 32 + minimum: 0 + type: integer + type: object source: type: string required: @@ -394,6 +439,19 @@ spec: type: string matchOperator: type: string + prefixLength: + properties: + max: + format: int32 + maximum: 128 + minimum: 0 + type: integer + min: + format: int32 + maximum: 128 + minimum: 0 + type: integer + type: object source: type: string required: 
@@ -492,8 +550,14 @@ spec: a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + default: "" + description: 'Name of the referent. This field is effectively + required, but due to backwards compatibility is allowed + to be empty. Instances of this type with an empty value + here are almost certainly wrong. TODO: Add other useful + fields. apiVersion, kind, uid? More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Drop `kubebuilder:default` when controller-gen doesn''t + need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.' type: string optional: description: Specify whether the Secret or its key must be @@ -1205,6 +1269,17 @@ spec: information about the BPF policy programs, which can be examined with the calico-bpf command-line tool. type: boolean + bpfRedirectToPeer: + description: 'BPFRedirectToPeer controls which whether it is allowed + to forward straight to the peer side of the workload devices. It + is allowed for any host L2 devices by default (L2Only), but it breaks + TCP dump on the host side of workload device as it bypasses it on + ingress. Value of Enabled also allows redirection from L3 host devices + like IPIP tunnel or Wireguard directly to the peer side of the workload''s + device. This makes redirection faster, however, it breaks tools + like tcpdump on the peer side. Use Enabled with caution. [Default: + L2Only]' + type: string chainInsertMode: description: 'ChainInsertMode controls whether Felix hooks the kernel''s top-level iptables chains by inserting a rule at the top of the 
@@ -1299,15 +1374,17 @@ spec: type: string type: array failsafeInboundHostPorts: - description: 'FailsafeInboundHostPorts is a list of UDP/TCP ports - and CIDRs that Felix will allow incoming traffic to host endpoints - on irrespective of the security policy. This is useful to avoid - accidentally cutting off a host with incorrect configuration. For - back-compatibility, if the protocol is not specified, it defaults - to "tcp". If a CIDR is not specified, it will allow traffic from - all addresses. To disable all inbound host ports, use the value - none. The default value allows ssh access and DHCP. [Default: tcp:22, - udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]' + description: 'FailsafeInboundHostPorts is a list of PortProto struct + objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow + incoming traffic to host endpoints on irrespective of the security + policy. This is useful to avoid accidentally cutting off a host + with incorrect configuration. For backwards compatibility, if the + protocol is not specified, it defaults to "tcp". If a CIDR is not + specified, it will allow traffic from all addresses. To disable + all inbound host ports, use the value "[]". The default value allows + ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: tcp:22, + udp:68, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, + tcp:6667 ]' items: description: ProtoPort is combination of protocol, port, and CIDR. Protocol and port must be specified. 
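Review bot: The rewritten FailsafeInboundHostPorts description changes the documented way to disable failsafe ports from the value `none` to `"[]"` and adds tcp:5473 to the default inbound list; the FailsafeOutboundHostPorts hunk that follows makes the same two changes, so this note covers both. This commit only updates the vendored CRD text, so any FelixConfiguration that this repo's upgrade or bootstrap scripts apply, or any documentation that still uses `none`, would need to be checked against the new value; those consumers are not visible from this diff. Since the upstream default now opens one more host port on every node, a line such as `# Calico 3.29: failsafe defaults add tcp:5473; use [] (not none) to disable` next to wherever this manifest is applied would spare operators a surprise.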
@@ -1324,17 +1401,18 @@ spec: type: object type: array failsafeOutboundHostPorts: - description: 'FailsafeOutboundHostPorts is a list of UDP/TCP ports - and CIDRs that Felix will allow outgoing traffic from host endpoints - to irrespective of the security policy. This is useful to avoid - accidentally cutting off a host with incorrect configuration. For - back-compatibility, if the protocol is not specified, it defaults - to "tcp". If a CIDR is not specified, it will allow traffic from - all addresses. To disable all outbound host ports, use the value - none. The default value opens etcd''s standard ports to ensure that - Felix does not get cut off from etcd as well as allowing DHCP and - DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, - tcp:6667, udp:53, udp:67]' + description: 'FailsafeOutboundHostPorts is a list of List of PortProto + struct objects including UDP/TCP/SCTP ports and CIDRs that Felix + will allow outgoing traffic from host endpoints to irrespective + of the security policy. This is useful to avoid accidentally cutting + off a host with incorrect configuration. For backwards compatibility, + if the protocol is not specified, it defaults to "tcp". If a CIDR + is not specified, it will allow traffic from all addresses. To disable + all outbound host ports, use the value "[]". The default value opens + etcd''s standard ports to ensure that Felix does not get cut off + from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes + API. [Default: udp:53, udp:67, tcp:179, tcp:2379, tcp:2380, tcp:5473, + tcp:6443, tcp:6666, tcp:6667 ]' items: description: ProtoPort is combination of protocol, port, and CIDR. Protocol and port must be specified. 
@@ -1378,6 +1456,35 @@ spec: is not recommended since it doesn''t provide better performance than iptables. [Default: false]' type: boolean + goGCThreshold: + description: "GoGCThreshold Sets the Go runtime's garbage collection + threshold. I.e. the percentage that the heap is allowed to grow + before garbage collection is triggered. In general, doubling the + value halves the CPU time spent doing GC, but it also doubles peak + GC memory overhead. A special value of -1 can be used to disable + GC entirely; this should only be used in conjunction with the GoMemoryLimitMB + setting. \n This setting is overridden by the GOGC environment variable. + \n [Default: 40]" + type: integer + goMaxProcs: + description: "GoMaxProcs sets the maximum number of CPUs that the + Go runtime will use concurrently. A value of -1 means \"use the + system default\"; typically the number of real CPUs on the system. + \n this setting is overridden by the GOMAXPROCS environment variable. + \n [Default: -1]" + type: integer + goMemoryLimitMB: + description: "GoMemoryLimitMB sets a (soft) memory limit for the Go + runtime in MB. The Go runtime will try to keep its memory usage + under the limit by triggering GC as needed. To avoid thrashing, + it will exceed the limit if GC starts to take more than 50% of the + process's CPU time. A value of -1 disables the memory limit. \n + Note that the memory limit, if used, must be considerably less than + any hard resource limit set at the container or pod level. This + is because felix is not the only process that must run in the container + or pod. \n This setting is overridden by the GOMEMLIMIT environment + variable. \n [Default: -1]" + type: integer healthEnabled: type: boolean healthHost: 
@@ -1426,6 +1533,15 @@ spec: disabled by setting the interval to 0. pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string + ipForwarding: + description: 'IPForwarding controls whether Felix sets the host sysctls + to enable IP forwarding. IP forwarding is required when using Calico + for workload networking. This should only be disabled on hosts + where Calico is used for host protection. [Default: Enabled]' + enum: + - Enabled + - Disabled + type: string ipipEnabled: description: 'IPIPEnabled overrides whether Felix should configure an IPIP interface on the host. Optional as Felix determines this @@ -1557,6 +1673,9 @@ spec: pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$ type: string maxIpsetSize: + description: MaxIpsetSize is the maximum number of IP addresses that + can be stored in an IP set. Not applicable if using the nftables + backend. type: integer metadataAddr: description: 'MetadataAddr is the IP address or domain name of the 
@@ -1595,6 +1714,34 @@ spec: netlinkTimeout: pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string + nftablesFilterAllowAction: + pattern: ^(?i)(Accept|Return)?$ + type: string + nftablesFilterDenyAction: + description: FilterDenyAction controls what happens to traffic that + is denied by network policy. By default Calico blocks traffic with + a "drop" action. If you want to use a "reject" action instead you + can configure it here. + pattern: ^(?i)(Drop|Reject)?$ + type: string + nftablesMangleAllowAction: + pattern: ^(?i)(Accept|Return)?$ + type: string + nftablesMarkMask: + description: 'MarkMask is the mask that Felix selects its nftables + Mark bits from. Should be a 32 bit hexadecimal number with at least + 8 bits set, none of which clash with any other mark bits in use + on the system. [Default: 0xffff0000]' + format: int32 + type: integer + nftablesMode: + description: 'NFTablesMode configures nftables support in Felix. [Default: + Disabled]' + type: string + nftablesRefreshInterval: + description: 'NftablesRefreshInterval controls the interval at which + Felix periodically refreshes the nftables rules. [Default: 90s]' + type: string openstackRegion: description: 'OpenstackRegion is the name of the region that a particular Felix belongs to. In a multi-region Calico/OpenStack deployment, @@ -1806,6 +1953,10 @@ spec: description: 'WireguardRoutingRulePriority controls the priority value to use for the Wireguard routing rule. [Default: 99]' type: integer + wireguardThreadingEnabled: + description: 'WireguardThreadingEnabled controls whether Wireguard + has NAPI threading enabled. [Default: false]' + type: boolean workloadSourceSpoofing: description: WorkloadSourceSpoofing controls whether pods can use the allowedSourcePrefixes annotation to send traffic with a source 
@@ -2632,10 +2783,10 @@ spec: order: description: Order is an optional field that specifies the order in which the policy is applied. Policies with higher "order" are applied - after those with lower order. If the order is omitted, it may be - considered to be "infinite" - i.e. the policy will be applied last. Policies - with identical order will be applied in alphanumerical order based - on the Policy "Name". + after those with lower order within the same tier. If the order + is omitted, it may be considered to be "infinite" - i.e. the policy + will be applied last. Policies with identical order will be applied + in alphanumerical order based on the Policy "Name" within the tier. type: number performanceHints: description: "PerformanceHints contains a list of hints to Calico's @@ -2677,6 +2828,14 @@ spec: description: ServiceAccountSelector is an optional field for an expression used to select a pod based on service accounts. type: string + tier: + description: The name of the tier that this policy belongs to. If + this is omitted, the default tier (name is "default") is assumed. The + specified tier must exist in order to create security policies within + the tier, the "default" tier is created automatically if it does + not exist, this means for deployments requiring only a single Tier, + the tier name may be omitted on all policy management requests. + type: string types: description: "Types indicates whether this policy applies to ingress, or to egress, or to both. When not explicitly specified (and so 
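Review bot: The new `tier` description states that a referenced tier must already exist unless it is the default one, and the reworded `order` text now ranks policies only within their tier; the same two changes are made for the second policy kind in the next hunk, so this note covers both. Nothing outside the vendored CRD in this commit records that policy evaluation is now tier-scoped, and the Tier CRD added further down this diff documents `defaultAction` as Deny by default, which makes a mis-ordered or empty tier a way to drop traffic unexpectedly. A short note in the upgrade step's documentation, e.g. `# Calico 3.29: policies are ordered per tier; a tier's defaultAction defaults to Deny`, would help operators reading this manifest; that tiers are ordered before policies is my reading of the two order descriptions rather than something this hunk states outright.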
@@ -4304,10 +4463,10 @@ spec: order: description: Order is an optional field that specifies the order in which the policy is applied. Policies with higher "order" are applied - after those with lower order. If the order is omitted, it may be - considered to be "infinite" - i.e. the policy will be applied last. Policies - with identical order will be applied in alphanumerical order based - on the Policy "Name". + after those with lower order within the same tier. If the order + is omitted, it may be considered to be "infinite" - i.e. the policy + will be applied last. Policies with identical order will be applied + in alphanumerical order based on the Policy "Name" within the tier. type: number performanceHints: description: "PerformanceHints contains a list of hints to Calico's @@ -4345,6 +4504,14 @@ spec: description: ServiceAccountSelector is an optional field for an expression used to select a pod based on service accounts. type: string + tier: + description: The name of the tier that this policy belongs to. If + this is omitted, the default tier (name is "default") is assumed. The + specified tier must exist in order to create security policies within + the tier, the "default" tier is created automatically if it does + not exist, this means for deployments requiring only a single Tier, + the tier name may be omitted on all policy management requests. + type: string types: description: "Types indicates whether this policy applies to ingress, or to egress, or to both. When not explicitly specified (and so 
@@ -4424,6 +4591,1154 @@ status: conditions: [] storedVersions: [] --- +# Source: calico/templates/kdd-crds.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null + name: tiers.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: Tier + listKind: TierList + plural: tiers + singular: tier + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TierSpec contains the specification for a security policy + tier resource. + properties: + defaultAction: + description: 'DefaultAction specifies the action applied to workloads + selected by a policy in the tier, but not rule matched the workload''s + traffic. [Default: Deny]' + enum: + - Pass + - Deny + type: string + order: + description: Order is an optional field that specifies the order in + which the tier is applied. Tiers with higher "order" are applied + after those with lower order. If the order is omitted, it may be + considered to be "infinite" - i.e. the tier will be applied last. Tiers + with identical order will be applied in alphanumerical order based + on the Tier "Name". 
+ type: number + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +# Source: calico/templates/kdd-crds.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/network-policy-api/pull/30 + policy.networking.k8s.io/bundle-version: v0.1.1 + policy.networking.k8s.io/channel: experimental + creationTimestamp: null + name: adminnetworkpolicies.policy.networking.k8s.io +spec: + group: policy.networking.k8s.io + names: + kind: AdminNetworkPolicy + listKind: AdminNetworkPolicyList + plural: adminnetworkpolicies + shortNames: + - anp + singular: adminnetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.priority + name: Priority + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + AdminNetworkPolicy is a cluster level resource that is part of the + AdminNetworkPolicy API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Specification of the desired behavior of AdminNetworkPolicy. 
+ properties: + egress: + description: |- + Egress is the list of Egress rules to be applied to the selected pods. + A total of 100 rules will be allowed in each ANP instance. + The relative precedence of egress rules within a single ANP object (all of + which share the priority) will be determined by the order in which the rule + is written. Thus, a rule that appears at the top of the egress rules + would take the highest precedence. + ANPs with no egress rules do not affect egress traffic. + + + Support: Core + items: + description: |- + AdminNetworkPolicyEgressRule describes an action to take on a particular + set of traffic originating from pods selected by a AdminNetworkPolicy's + Subject field. + + properties: + action: + description: |- + Action specifies the effect this rule will have on matching traffic. + Currently the following actions are supported: + Allow: allows the selected traffic (even if it would otherwise have been denied by NetworkPolicy) + Deny: denies the selected traffic + Pass: instructs the selected traffic to skip any remaining ANP rules, and + then pass execution to any NetworkPolicies that select the pod. + If the pod is not selected by any NetworkPolicies then execution + is passed to any BaselineAdminNetworkPolicies that select the pod. + + + Support: Core + enum: + - Allow + - Deny + - Pass + type: string + name: + description: |- + Name is an identifier for this rule, that may be no more than 100 characters + in length. This field should be used by the implementation to help + improve observability, readability and error-reporting for any applied + AdminNetworkPolicies. + + + Support: Core + maxLength: 100 + type: string + ports: + description: |- + Ports allows for matching traffic based on port and protocols. + This field is a list of destination ports for the outgoing egress traffic. + If Ports is not set then the rule does not filter traffic via port. 
+ + + Support: Core + items: + description: |- + AdminNetworkPolicyPort describes how to select network ports on pod(s). + Exactly one field must be set. + maxProperties: 1 + minProperties: 1 + properties: + namedPort: + description: |- + NamedPort selects a port on a pod(s) based on name. + + + Support: Extended + + + + type: string + portNumber: + description: |- + Port selects a port on a pod(s) based on number. + + + Support: Core + properties: + port: + description: |- + Number defines a network port value. + + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + default: TCP + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. + + + Support: Core + type: string + required: + - port + - protocol + type: object + portRange: + description: |- + PortRange selects a port range on a pod(s) based on provided start and end + values. + + + Support: Core + properties: + end: + description: |- + End defines a network port that is the end of a port range, the End value + must be greater than Start. + + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + default: TCP + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. + + + Support: Core + type: string + start: + description: |- + Start defines a network port that is the start of a port range, the Start + value must be less than End. + + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - end + - start + type: object + type: object + maxItems: 100 + type: array + to: + description: |- + To is the List of destinations whose traffic this rule applies to. + If any AdminNetworkPolicyEgressPeer matches the destination of outgoing + traffic then the specified action is applied. 
+ This field must be defined and contain at least one item. + + + Support: Core + items: + description: |- + AdminNetworkPolicyEgressPeer defines a peer to allow traffic to. + Exactly one of the selector pointers must be set for a given peer. If a + consumer observes none of its fields are set, they must assume an unknown + option has been specified and fail closed. + maxProperties: 1 + minProperties: 1 + properties: + namespaces: + description: |- + Namespaces defines a way to select all pods within a set of Namespaces. + Note that host-networked pods are not included in this type of peer. + + + Support: Core + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + networks: + description: |- + Networks defines a way to select peers via CIDR blocks. + This is intended for representing entities that live outside the cluster, + which can't be selected by pods, namespaces and nodes peers, but note + that cluster-internal traffic will be checked against the rule as + well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow + or deny all IPv4 pod-to-pod traffic as well. If you don't want that, + add a rule that Passes all pod traffic before the Networks rule. + + + Each item in Networks should be provided in the CIDR format and should be + IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8". + + + Networks can have upto 25 CIDRs specified. + + + Support: Extended + + + + items: + description: |- + CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8"). + This string must be validated by implementations using net.ParseCIDR + TODO: Introduce CEL CIDR validation regex isCIDR() in Kube 1.31 when it is available. + maxLength: 43 + type: string + x-kubernetes-validations: + - message: CIDR must be either an IPv4 or IPv6 address. + IPv4 address embedded in IPv6 addresses are not + supported + rule: self.contains(':') != self.contains('.') + maxItems: 25 + minItems: 1 + type: array + x-kubernetes-list-type: set + nodes: + description: |- + Nodes defines a way to select a set of nodes in + the cluster. This field follows standard label selector + semantics; if present but empty, it selects all Nodes. + + + Support: Extended + + + + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + pods: + description: |- + Pods defines a way to select a set of pods in + a set of namespaces. Note that host-networked pods + are not included in this type of peer. + + + Support: Core + properties: + namespaceSelector: + description: |- + NamespaceSelector follows standard label selector semantics; if empty, + it selects all Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + podSelector: + description: |- + PodSelector is used to explicitly select pods within a namespace; if empty, + it selects all Pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - namespaceSelector + - podSelector + type: object + type: object + maxItems: 100 + minItems: 1 + type: array + required: + - action + - to + type: object + x-kubernetes-validations: + - message: networks/nodes peer cannot be set with namedPorts since + there are no namedPorts for networks/nodes + rule: '!(self.to.exists(peer, has(peer.networks) || has(peer.nodes)) + && has(self.ports) && self.ports.exists(port, has(port.namedPort)))' + maxItems: 100 + type: array + ingress: + description: |- + Ingress is the list of Ingress rules to be applied to the selected pods. + A total of 100 rules will be allowed in each ANP instance. + The relative precedence of ingress rules within a single ANP object (all of + which share the priority) will be determined by the order in which the rule + is written. Thus, a rule that appears at the top of the ingress rules + would take the highest precedence. + ANPs with no ingress rules do not affect ingress traffic. + + + Support: Core + items: + description: |- + AdminNetworkPolicyIngressRule describes an action to take on a particular + set of traffic destined for pods selected by an AdminNetworkPolicy's + Subject field. + properties: + action: + description: |- + Action specifies the effect this rule will have on matching traffic. + Currently the following actions are supported: + Allow: allows the selected traffic (even if it would otherwise have been denied by NetworkPolicy) + Deny: denies the selected traffic + Pass: instructs the selected traffic to skip any remaining ANP rules, and + then pass execution to any NetworkPolicies that select the pod. 
+ If the pod is not selected by any NetworkPolicies then execution + is passed to any BaselineAdminNetworkPolicies that select the pod. + + + Support: Core + enum: + - Allow + - Deny + - Pass + type: string + from: + description: |- + From is the list of sources whose traffic this rule applies to. + If any AdminNetworkPolicyIngressPeer matches the source of incoming + traffic then the specified action is applied. + This field must be defined and contain at least one item. + + + Support: Core + items: + description: |- + AdminNetworkPolicyIngressPeer defines an in-cluster peer to allow traffic from. + Exactly one of the selector pointers must be set for a given peer. If a + consumer observes none of its fields are set, they must assume an unknown + option has been specified and fail closed. + maxProperties: 1 + minProperties: 1 + properties: + namespaces: + description: |- + Namespaces defines a way to select all pods within a set of Namespaces. + Note that host-networked pods are not included in this type of peer. + + + Support: Core + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + pods: + description: |- + Pods defines a way to select a set of pods in + a set of namespaces. Note that host-networked pods + are not included in this type of peer. + + + Support: Core + properties: + namespaceSelector: + description: |- + NamespaceSelector follows standard label selector semantics; if empty, + it selects all Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + podSelector: + description: |- + PodSelector is used to explicitly select pods within a namespace; if empty, + it selects all Pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - namespaceSelector + - podSelector + type: object + type: object + maxItems: 100 + minItems: 1 + type: array + name: + description: |- + Name is an identifier for this rule, that may be no more than 100 characters + in length. 
This field should be used by the implementation to help + improve observability, readability and error-reporting for any applied + AdminNetworkPolicies. + + + Support: Core + maxLength: 100 + type: string + ports: + description: |- + Ports allows for matching traffic based on port and protocols. + This field is a list of ports which should be matched on + the pods selected for this policy i.e the subject of the policy. + So it matches on the destination port for the ingress traffic. + If Ports is not set then the rule does not filter traffic via port. + + + Support: Core + items: + description: |- + AdminNetworkPolicyPort describes how to select network ports on pod(s). + Exactly one field must be set. + maxProperties: 1 + minProperties: 1 + properties: + namedPort: + description: |- + NamedPort selects a port on a pod(s) based on name. + + + Support: Extended + + + + type: string + portNumber: + description: |- + Port selects a port on a pod(s) based on number. + + + Support: Core + properties: + port: + description: |- + Number defines a network port value. + + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + default: TCP + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. + + + Support: Core + type: string + required: + - port + - protocol + type: object + portRange: + description: |- + PortRange selects a port range on a pod(s) based on provided start and end + values. + + + Support: Core + properties: + end: + description: |- + End defines a network port that is the end of a port range, the End value + must be greater than Start. + + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + default: TCP + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. 
+ + + Support: Core + type: string + start: + description: |- + Start defines a network port that is the start of a port range, the Start + value must be less than End. + + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - end + - start + type: object + type: object + maxItems: 100 + type: array + required: + - action + - from + type: object + maxItems: 100 + type: array + priority: + description: |- + Priority is a value from 0 to 1000. Rules with lower priority values have + higher precedence, and are checked before rules with higher priority values. + All AdminNetworkPolicy rules have higher precedence than NetworkPolicy or + BaselineAdminNetworkPolicy rules + The behavior is undefined if two ANP objects have same priority. + + + Support: Core + format: int32 + maximum: 1000 + minimum: 0 + type: integer + subject: + description: |- + Subject defines the pods to which this AdminNetworkPolicy applies. + Note that host-networked pods are not included in subject selection. + + + Support: Core + maxProperties: 1 + minProperties: 1 + properties: + namespaces: + description: Namespaces is used to select pods via namespace selectors. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + pods: + description: Pods is used to select pods via namespace AND pod + selectors. + properties: + namespaceSelector: + description: |- + NamespaceSelector follows standard label selector semantics; if empty, + it selects all Namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + podSelector: + description: |- + PodSelector is used to explicitly select pods within a namespace; if empty, + it selects all Pods. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - namespaceSelector + - podSelector + type: object + type: object + required: + - priority + - subject + type: object + status: + description: Status is the status to be reported by the implementation. 
+ properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + required: + - conditions + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- # Source: calico/templates/calico-kube-controllers-rbac.yaml # Include a clusterrole for the kube-controllers component, # and bind it to the calico-kube-controllers serviceaccount. @@ -4459,6 +5774,7 @@ rules: - blockaffinities - ipamblocks - ipamhandles + - tiers verbs: - get - list @@ -4500,6 +5816,7 @@ rules: verbs: # read its own config - get + - list # create a default if none exists - create # update status @@ -4570,6 +5887,13 @@ rules: verbs: - watch - list + # Watch for changes to Kubernetes AdminNetworkPolicies. + - apiGroups: ["policy.networking.k8s.io"] + resources: + - adminnetworkpolicies + verbs: + - watch + - list # Used by Calico for policy information. - apiGroups: [""] resources: 
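Review bot: The new rule in the `@@ -4570` hunk grants watch/list on `adminnetworkpolicies` only, while the AdminNetworkPolicy CRD added above documents the `Pass` action as handing traffic off to BaselineAdminNetworkPolicies. If this manifest also ships a BaselineAdminNetworkPolicy CRD (not visible in this chunk), the same rule needs `- baselineadminnetworkpolicies` under `resources`, otherwise the component bound to this ClusterRole cannot evaluate the policy chain the CRD describes. If no BANP CRD is installed here, a one-line comment under `# Watch for changes to Kubernetes AdminNetworkPolicies.` saying so would spare the next reader the check.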
@@ -4605,10 +5929,17 @@ rules: - hostendpoints - blockaffinities - caliconodestatuses + - tiers verbs: - get - list - watch + # Calico creates some tiers on startup. + - apiGroups: ["crd.projectcalico.org"] + resources: + - tiers + verbs: + - create # Calico must create and update some CRDs on startup. - apiGroups: ["crd.projectcalico.org"] resources: @@ -4619,7 +5950,7 @@ rules: - create - update # Calico must update some CRDs. - - apiGroups: [ "crd.projectcalico.org" ] + - apiGroups: ["crd.projectcalico.org"] resources: - caliconodestatuses verbs: @@ -4789,6 +6120,9 @@ spec: - effect: NoExecute operator: Exists serviceAccountName: calico-node + securityContext: + seccompProfile: + type: RuntimeDefault # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. terminationGracePeriodSeconds: 0 @@ -4798,7 +6132,7 @@ spec: # It can be deleted if this is a fresh installation, or if you have already # upgraded to use calico-ipam. - name: upgrade-ipam - image: docker.io/calico/cni:v3.28.1 + image: docker.io/calico/cni:v3.29.3 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/calico-ipam", "-upgrade"] envFrom: @@ -4826,7 +6160,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: docker.io/calico/cni:v3.28.1 + image: docker.io/calico/cni:v3.29.3 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/install"] envFrom: 
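Review bot: The pod-level `seccompProfile: type: RuntimeDefault` added in the `@@ -4789` hunk does not confine containers that set `privileged: true` (the install-cni init container's `privileged: true` is visible as context at the top of the `@@ -4867` hunk), because the CRI runtimes skip seccomp for privileged containers; it only takes effect for non-privileged containers in the DaemonSet pod, such as upgrade-ipam if its securityContext (not shown here) leaves it unprivileged. The setting is still worth keeping, but a comment should state its actual reach so it is not read as hardening calico-node itself, e.g. `# Applies only to the non-privileged containers in this pod; privileged containers run unconfined.`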
@@ -4867,37 +6201,37 @@ spec: name: cni-net-dir securityContext: privileged: true -# # This init container mounts the necessary filesystems needed by the BPF data plane -# # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed -# # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode. -# - name: "mount-bpffs" -# image: docker.io/calico/node:v3.28.1 -# imagePullPolicy: IfNotPresent -# command: ["calico-node", "-init", "-best-effort"] -# volumeMounts: -# - mountPath: /sys/fs -# name: sys-fs -# # Bidirectional is required to ensure that the new mount we make at /sys/fs/bpf propagates to the host -# # so that it outlives the init container. -# mountPropagation: Bidirectional -# - mountPath: /var/run/calico -# name: var-run-calico -# # Bidirectional is required to ensure that the new mount we make at /run/calico/cgroup propagates to the host -# # so that it outlives the init container. -# mountPropagation: Bidirectional -# # Mount /proc/ from host which usually is an init program at /nodeproc. It's needed by mountns binary, -# # executed by calico-node, to mount root cgroup2 fs at /run/calico/cgroup to attach CTLB programs correctly. -# - mountPath: /nodeproc -# name: nodeproc -# readOnly: true -# securityContext: -# privileged: true + # # This init container mounts the necessary filesystems needed by the BPF data plane + # # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed + # # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode. + # - name: "mount-bpffs" + # image: docker.io/calico/node:v3.29.3 + # imagePullPolicy: IfNotPresent + # command: ["calico-node", "-init", "-best-effort"] + # volumeMounts: + # - mountPath: /sys/fs + # name: sys-fs + # # Bidirectional is required to ensure that the new mount we make at /sys/fs/bpf propagates to the host + # # so that it outlives the init container. 
+ # mountPropagation: Bidirectional + # - mountPath: /var/run/calico + # name: var-run-calico + # # Bidirectional is required to ensure that the new mount we make at /run/calico/cgroup propagates to the host + # # so that it outlives the init container. + # mountPropagation: Bidirectional + # # Mount /proc/ from host which usually is an init program at /nodeproc. It's needed by mountns binary, + # # executed by calico-node, to mount root cgroup2 fs at /run/calico/cgroup to attach CTLB programs correctly. + # - mountPath: /nodeproc + # name: nodeproc + # readOnly: true + # securityContext: + # privileged: true containers: # Runs calico-node container on each Kubernetes node. This # container programs network policy and routes on each # host. - name: calico-node - image: docker.io/calico/node:v3.28.1 + image: docker.io/calico/node:v3.29.3 imagePullPolicy: IfNotPresent envFrom: - configMapRef: @@ -5116,10 +6450,13 @@ spec: - key: node-role.kubernetes.io/control-plane effect: NoSchedule serviceAccountName: calico-kube-controllers + securityContext: + seccompProfile: + type: RuntimeDefault priorityClassName: system-cluster-critical containers: - name: calico-kube-controllers - image: docker.io/calico/kube-controllers:v3.28.1 + image: docker.io/calico/kube-controllers:v3.29.3 imagePullPolicy: IfNotPresent env: # Choose which controllers to run. @@ -5142,3 +6479,5 @@ spec: - /usr/bin/check-status - -r periodSeconds: 10 + securityContext: + runAsNonRoot: true
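Review bot: `runAsNonRoot: true` on the calico-kube-controllers container in the `@@ -5142` hunk is checked by the kubelet against the effective UID, and with no `runAsUser` set it depends on the image's USER directive being numeric; if the v3.29.3 image declares a non-numeric user or none, the container is rejected at start with CreateContainerConfigError rather than degraded gracefully. Pinning `runAsUser: <KUBE_CONTROLLERS_UID>` (placeholder: the UID the kube-controllers image is built to run as) next to it makes the check independent of image metadata. Since the controller presumably needs no extra privileges, the same block is also the natural place for `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}`, complementing the pod-level `seccompProfile` added in the `@@ -5116` hunk.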