apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: felixconfigurations.crd.projectcalico.org
spec:
group: crd.projectcalico.org
names:
kind: FelixConfiguration
listKind: FelixConfigurationList
plural: felixconfigurations
singular: felixconfiguration
preserveUnknownFields: false
scope: Cluster
versions:
- name: v1
schema:
openAPIV3Schema:
description: Felix Configuration contains the configuration for Felix.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: FelixConfigurationSpec contains the values of the Felix configuration.
properties:
allowIPIPPacketsFromWorkloads:
description: 'AllowIPIPPacketsFromWorkloads controls whether Felix
will add a rule to drop IPIP encapsulated traffic from workloads.
[Default: false]'
type: boolean
allowVXLANPacketsFromWorkloads:
description: 'AllowVXLANPacketsFromWorkloads controls whether Felix
will add a rule to drop VXLAN encapsulated traffic from workloads.
[Default: false]'
type: boolean
awsSrcDstCheck:
description: 'AWSSrcDstCheck controls whether Felix will try to change
the "source/dest check" setting on the EC2 instance on which it
is running. A value of "Disable" will try to disable the source/dest
check. Disabling the check allows for sending workload traffic without
encapsulation within the same AWS subnet. [Default: DoNothing]'
enum:
- DoNothing
- Enable
- Disable
type: string
bpfCTLBLogFilter:
description: 'BPFCTLBLogFilter specifies what is logged by the connect-time
load balancer when BPFLogLevel is debug. Currently has to be
specified as ''all'' when BPFLogFilters is set to see CTLB logs.
[Default: unset - means logs are emitted when BPFLogLevel is debug
and BPFLogFilters is not set.]'
type: string
bpfConnectTimeLoadBalancing:
description: 'BPFConnectTimeLoadBalancing when in BPF mode, controls
whether Felix installs the connect-time load balancer. The connect-time
load balancer is required for the host to be able to reach Kubernetes
services and it improves the performance of pod-to-service connections. When
set to TCP, connect time load balancing is available only for services
with TCP ports. [Default: TCP]'
enum:
- TCP
- Enabled
- Disabled
type: string
bpfConnectTimeLoadBalancingEnabled:
description: "BPFConnectTimeLoadBalancingEnabled when in BPF mode,
controls whether Felix installs the connection-time load balancer.
\ The connect-time load balancer is required for the host to be
able to reach Kubernetes services and it improves the performance
of pod-to-service connections. The only reason to disable it is
for debugging purposes. \n Deprecated: Use BPFConnectTimeLoadBalancing
[Default: true]"
type: boolean
bpfConntrackLogLevel:
description: 'BPFConntrackLogLevel controls the log level of the BPF
conntrack cleanup program, which runs periodically to clean up expired
BPF conntrack entries. [Default: Off].'
enum:
- "Off"
- Debug
type: string
bpfConntrackMode:
description: 'BPFConntrackCleanupMode controls how BPF conntrack entries
are cleaned up. `Auto` will use a BPF program if supported, falling
back to userspace if not. `Userspace` will always use the userspace
cleanup code. `BPFProgram` will always use the BPF program (failing
if not supported). [Default: Auto]'
enum:
- Auto
- Userspace
- BPFProgram
type: string
bpfDSROptoutCIDRs:
description: BPFDSROptoutCIDRs is a list of CIDRs which are excluded
from DSR. That is, clients in those CIDRs will access service node
ports as if BPFExternalServiceMode was set to Tunnel.
items:
type: string
type: array
bpfDataIfacePattern:
description: BPFDataIfacePattern is a regular expression that controls
which interfaces Felix should attach BPF programs to in order to
catch traffic to/from the network. This needs to match the interfaces
that Calico workload traffic flows over as well as any interfaces
that handle incoming traffic to nodeports and services from outside
the cluster. It should not match the workload interfaces (usually
named cali...) or any other special device managed by Calico itself
(e.g., tunnels).
type: string
bpfDisableGROForIfaces:
description: BPFDisableGROForIfaces is a regular expression that controls
which interfaces Felix should disable the Generic Receive Offload
[GRO] option. It should not match the workload interfaces (usually
named cali...).
type: string
bpfDisableUnprivileged:
description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled
sysctl to disable unprivileged use of BPF. This ensures that unprivileged
users cannot access Calico''s BPF maps and cannot insert their own
BPF programs to interfere with Calico''s. [Default: true]'
type: boolean
bpfEnabled:
description: 'BPFEnabled, if enabled Felix will use the BPF dataplane.
[Default: false]'
type: boolean
bpfEnforceRPF:
description: 'BPFEnforceRPF enforces the given RPF mode on all host interfaces
with BPF programs, regardless of the per-interface or global
setting. Possible values are Disabled, Strict or Loose. [Default:
Loose]'
pattern: ^(?i)(Disabled|Strict|Loose)?$
type: string
bpfExcludeCIDRsFromNAT:
description: BPFExcludeCIDRsFromNAT is a list of CIDRs that are to
be excluded from NAT resolution so that host can handle them. A
typical usecase is node local DNS cache.
items:
type: string
type: array
bpfExtToServiceConnmark:
description: 'BPFExtToServiceConnmark in BPF mode, controls a 32bit
mark that is set on connections from an external client to a local
service. This mark allows us to control how packets of that connection
are routed within the host and how routing is interpreted by the RPF
check. [Default: 0]'
type: integer
bpfExternalServiceMode:
description: 'BPFExternalServiceMode in BPF mode, controls how connections
from outside the cluster to services (node ports and cluster IPs)
are forwarded to remote workloads. If set to "Tunnel" then both
request and response traffic is tunneled to the remote node. If
set to "DSR", the request traffic is tunneled but the response traffic
is sent directly from the remote node. In "DSR" mode, the remote
node appears to use the IP of the ingress node; this requires a
permissive L2 network. [Default: Tunnel]'
pattern: ^(?i)(Tunnel|DSR)?$
type: string
bpfForceTrackPacketsFromIfaces:
description: 'BPFForceTrackPacketsFromIfaces in BPF mode, forces traffic
from these interfaces to skip Calico''s iptables NOTRACK rule, allowing
traffic from those interfaces to be tracked by Linux conntrack. Should
only be used for interfaces that are not used for the Calico fabric. For
example, a docker bridge device for non-Calico-networked containers.
[Default: docker+]'
items:
type: string
type: array
bpfHostConntrackBypass:
description: 'BPFHostConntrackBypass Controls whether to bypass Linux
conntrack in BPF mode for workloads and services. [Default: true
- bypass Linux conntrack]'
type: boolean
bpfHostNetworkedNATWithoutCTLB:
description: 'BPFHostNetworkedNATWithoutCTLB when in BPF mode, controls
whether Felix does a NAT without CTLB. This along with BPFConnectTimeLoadBalancing
determines the CTLB behavior. [Default: Enabled]'
enum:
- Enabled
- Disabled
type: string
bpfKubeProxyEndpointSlicesEnabled:
description: BPFKubeProxyEndpointSlicesEnabled is deprecated and has
no effect. BPF kube-proxy always accepts endpoint slices. This option
will be removed in the next release.
type: boolean
bpfKubeProxyIptablesCleanupEnabled:
description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF
mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s
iptables chains. Should only be enabled if kube-proxy is not running. [Default:
true]'
type: boolean
bpfKubeProxyMinSyncPeriod:
description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the
minimum time between updates to the dataplane for Felix''s embedded
kube-proxy. Lower values give reduced set-up latency. Higher values
reduce Felix CPU usage by batching up more work. [Default: 1s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
bpfL3IfacePattern:
description: BPFL3IfacePattern is a regular expression that allows
tunnel devices like wireguard or vxlan (i.e., L3 devices) to be listed
in addition to BPFDataIfacePattern. That is, tunnel interfaces not
created by Calico, that Calico workload traffic flows over as well
as any interfaces that handle incoming traffic to nodeports and
services from outside the cluster.
type: string
bpfLogFilters:
additionalProperties:
type: string
description: "BPFLogFilters is a map of key=values where the value
is a pcap filter expression and the key is an interface name with
'all' denoting all interfaces, 'weps' all workload endpoints and
'heps' all host endpoints. \n When specified as an env var, it accepts
a comma-separated list of key=values. [Default: unset - means all
debug logs are emitted]"
type: object
bpfLogLevel:
description: 'BPFLogLevel controls the log level of the BPF programs
when in BPF dataplane mode. One of "Off", "Info", or "Debug". The
logs are emitted to the BPF trace pipe, accessible with the command
`tc exec bpf debug`. [Default: Off].'
pattern: ^(?i)(Off|Info|Debug)?$
type: string
bpfMapSizeConntrack:
description: 'BPFMapSizeConntrack sets the size for the conntrack
map. This map must be large enough to hold an entry for each active
connection. Warning: changing the size of the conntrack map can
cause disruption.'
type: integer
bpfMapSizeConntrackCleanupQueue:
description: BPFMapSizeConntrackCleanupQueue sets the size for the
map used to hold NAT conntrack entries that are queued for cleanup. This
should be big enough to hold all the NAT entries that expire within
one cleanup interval.
minimum: 1
type: integer
bpfMapSizeIPSets:
description: BPFMapSizeIPSets sets the size for ipsets map. The IP
sets map must be large enough to hold an entry for each endpoint
matched by every selector in the source/destination matches in network
policy. Selectors such as "all()" can result in large numbers of
entries (one entry per endpoint in that case).
type: integer
bpfMapSizeIfState:
description: BPFMapSizeIfState sets the size for ifstate map. The
ifstate map must be large enough to hold an entry for each device
(host + workloads) on a host.
type: integer
bpfMapSizeNATAffinity:
description: BPFMapSizeNATAffinity sets the size of the BPF map that
stores the affinity of a connection (for services that enable that
feature).
type: integer
bpfMapSizeNATBackend:
description: BPFMapSizeNATBackend sets the size for NAT back end map.
This is the total number of endpoints. This is mostly more than
the size of the number of services.
type: integer
bpfMapSizeNATFrontend:
description: BPFMapSizeNATFrontend sets the size for NAT front end
map. FrontendMap should be large enough to hold an entry for each
nodeport, external IP and each port in each service.
type: integer
bpfMapSizeRoute:
description: BPFMapSizeRoute sets the size for the routes map. The
routes map should be large enough to hold one entry per workload
and a handful of entries per host (enough to cover its own IPs and
tunnel IPs).
type: integer
bpfPSNATPorts:
anyOf:
- type: integer
- type: string
description: 'BPFPSNATPorts sets the range from which we randomly
pick a port if there is a source port collision. This should be
within the ephemeral range as defined by RFC 6056 (1024–65535) and
preferably outside the ephemeral ranges used by common operating
systems. Linux uses 32768–60999, while others mostly use the IANA
defined range 49152–65535. It is not necessarily a problem if this
range overlaps with the operating system''s range. Both ends of the range
are inclusive. [Default: 20000:29999]'
pattern: ^.*
x-kubernetes-int-or-string: true
bpfPolicyDebugEnabled:
description: BPFPolicyDebugEnabled when true, Felix records detailed
information about the BPF policy programs, which can be examined
with the calico-bpf command-line tool.
type: boolean
bpfProfiling:
description: 'BPFProfiling controls profiling of BPF programs. At
the moment, it can be Disabled or Enabled. [Default: Disabled]'
enum:
- Enabled
- Disabled
type: string
bpfRedirectToPeer:
description: 'BPFRedirectToPeer controls whether it is allowed
to forward straight to the peer side of the workload devices. It
is allowed for any host L2 devices by default (L2Only), but it breaks
TCP dump on the host side of workload device as it bypasses it on
ingress. Value of Enabled also allows redirection from L3 host devices
like IPIP tunnel or Wireguard directly to the peer side of the workload''s
device. This makes redirection faster, however, it breaks tools
like tcpdump on the peer side. Use Enabled with caution. [Default:
L2Only]'
enum:
- Enabled
- Disabled
- L2Only
type: string
chainInsertMode:
description: 'ChainInsertMode controls whether Felix hooks the kernel''s
top-level iptables chains by inserting a rule at the top of the
chain or by appending a rule at the bottom. insert is the safe default
since it prevents Calico''s rules from being bypassed. If you switch
to append mode, be sure that the other rules in the chains signal
acceptance by falling through to the Calico rules, otherwise the
Calico policy will be bypassed. [Default: insert]'
pattern: ^(?i)(Insert|Append)?$
type: string
dataplaneDriver:
description: DataplaneDriver filename of the external dataplane driver
to use. Only used if UseInternalDataplaneDriver is set to false.
type: string
dataplaneWatchdogTimeout:
description: 'DataplaneWatchdogTimeout is the readiness/liveness timeout
used for Felix''s (internal) dataplane driver. Deprecated: replaced
by the generic HealthTimeoutOverrides.'
type: string
debugDisableLogDropping:
description: 'DebugDisableLogDropping disables the dropping of log
messages when the log buffer is full. This can significantly impact
performance if log write-out is a bottleneck. [Default: false]'
type: boolean
debugHost:
description: DebugHost is the host IP or hostname to bind the debug
port to. Only used if DebugPort is set. [Default:localhost]
type: string
debugMemoryProfilePath:
description: DebugMemoryProfilePath is the path to write the memory
profile to when triggered by signal.
type: string
debugPort:
description: DebugPort, if set, enables Felix's debug HTTP port, which
allows memory and CPU profiles to be retrieved. The debug port
is not secured, so it must not be reachable from outside the host;
leave DebugHost at its default of localhost and enable the port only
while actively debugging.
type: integer
debugSimulateCalcGraphHangAfter:
description: DebugSimulateCalcGraphHangAfter is used to simulate a
hang in the calculation graph after the specified duration. This
is useful in tests of the watchdog system only!
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
debugSimulateDataplaneApplyDelay:
description: DebugSimulateDataplaneApplyDelay adds an artificial delay
to every dataplane operation. This is useful for simulating a heavily
loaded system for test purposes only.
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
debugSimulateDataplaneHangAfter:
description: DebugSimulateDataplaneHangAfter is used to simulate a
hang in the dataplane after the specified duration. This is useful
in tests of the watchdog system only!
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
defaultEndpointToHostAction:
description: 'DefaultEndpointToHostAction controls what happens to
traffic that goes from a workload endpoint to the host itself (after
the endpoint''s egress policy is applied). By default, Calico blocks
traffic from workload endpoints to the host itself with an iptables
"DROP" action. If you want to allow some or all traffic from endpoint
to host, set this parameter to RETURN or ACCEPT. Use RETURN if you
have your own rules in the iptables "INPUT" chain; Calico will insert
its rules at the top of that chain, then "RETURN" packets to the
"INPUT" chain once it has completed processing workload endpoint
egress policy. Use ACCEPT to unconditionally accept packets from
workloads after processing workload endpoint egress policy. [Default:
Drop]'
pattern: ^(?i)(Drop|Accept|Return)?$
type: string
deviceRouteProtocol:
description: DeviceRouteProtocol controls the protocol to set on routes
programmed by Felix. The protocol is an 8-bit label used to identify
the owner of the route.
type: integer
deviceRouteSourceAddress:
description: DeviceRouteSourceAddress IPv4 address to set as the source
hint for routes programmed by Felix. When not set the source address
for local traffic from host to workload will be determined by the
kernel.
type: string
deviceRouteSourceAddressIPv6:
description: DeviceRouteSourceAddressIPv6 IPv6 address to set as the
source hint for routes programmed by Felix. When not set the source
address for local traffic from host to workload will be determined
by the kernel.
type: string
disableConntrackInvalidCheck:
description: DisableConntrackInvalidCheck disables the check for invalid
connections in conntrack. While the conntrack invalid check helps
to detect malicious traffic, it can also cause issues with certain
multi-NIC scenarios, so only disable it where such a setup requires it.
type: boolean
endpointReportingDelay:
description: 'EndpointReportingDelay is the delay before Felix reports
endpoint status to the datastore. This is only used by the OpenStack
integration. [Default: 1s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
endpointReportingEnabled:
description: 'EndpointReportingEnabled controls whether Felix reports
endpoint status to the datastore. This is only used by the OpenStack
integration. [Default: false]'
type: boolean
endpointStatusPathPrefix:
description: "EndpointStatusPathPrefix is the path to the directory
where endpoint status will be written. Endpoint status file reporting
is disabled if field is left empty. \n Chosen directory should match
the directory used by the CNI plugin for PodStartupDelay. [Default:
/var/run/calico]"
type: string
externalNodesList:
description: ExternalNodesCIDRList is a list of CIDR's of external,
non-Calico nodes from which VXLAN/IPIP overlay traffic will be allowed. By
default, external tunneled traffic is blocked to reduce attack surface.
items:
type: string
type: array
failsafeInboundHostPorts:
description: 'FailsafeInboundHostPorts is a list of ProtoPort struct
objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow
incoming traffic to host endpoints on irrespective of the security
policy. This is useful to avoid accidentally cutting off a host
with incorrect configuration. For backwards compatibility, if the
protocol is not specified, it defaults to "tcp". If a CIDR is not
specified, it will allow traffic from all addresses; because these
rules bypass policy, restrict them with a CIDR or remove unneeded
entries on hardened hosts. To disable
all inbound host ports, use the value "[]". The default value allows
ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: tcp:22,
udp:68, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666,
tcp:6667 ]'
items:
description: ProtoPort is combination of protocol, port, and CIDR.
Protocol and port must be specified.
properties:
net:
type: string
port:
type: integer
protocol:
type: string
required:
- port
type: object
type: array
failsafeOutboundHostPorts:
description: 'FailsafeOutboundHostPorts is a list of PortProto struct
objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow
outgoing traffic from host endpoints to irrespective of the security
policy. This is useful to avoid accidentally cutting off a host
with incorrect configuration. For backwards compatibility, if the
protocol is not specified, it defaults to "tcp". If a CIDR is not
specified, it will allow traffic to all addresses. To disable
all outbound host ports, use the value "[]". The default value opens
etcd''s standard ports to ensure that Felix does not get cut off
from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes
API. [Default: udp:53, udp:67, tcp:179, tcp:2379, tcp:2380, tcp:5473,
tcp:6443, tcp:6666, tcp:6667 ]'
items:
description: ProtoPort is combination of protocol, port, and CIDR.
Protocol and port must be specified.
properties:
net:
type: string
port:
type: integer
protocol:
type: string
required:
- port
type: object
type: array
featureDetectOverride:
description: FeatureDetectOverride is used to override feature detection
based on auto-detected platform capabilities. Values are specified
in a comma separated list with no spaces, for example "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=".
A value of "true" or "false" will force enable/disable feature,
empty or omitted values fall back to auto-detection.
pattern: ^([a-zA-Z0-9-_]+=(true|false|),)*([a-zA-Z0-9-_]+=(true|false|))?$
type: string
featureGates:
description: FeatureGates is used to enable or disable tech-preview
Calico features. Values are specified in a comma separated list
with no spaces, for example "BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false".
This is used to enable features that are not fully production ready.
pattern: ^([a-zA-Z0-9-_]+=([^=]+),)*([a-zA-Z0-9-_]+=([^=]+))?$
type: string
floatingIPs:
description: FloatingIPs configures whether or not Felix will program
non-OpenStack floating IP addresses. (OpenStack-derived floating
IPs are always programmed, regardless of this setting.)
enum:
- Enabled
- Disabled
type: string
genericXDPEnabled:
description: 'GenericXDPEnabled enables Generic XDP so network cards
that don''t support XDP offload or driver modes can use XDP. This
is not recommended since it doesn''t provide better performance
than iptables. [Default: false]'
type: boolean
goGCThreshold:
description: "GoGCThreshold Sets the Go runtime's garbage collection
threshold. I.e. the percentage that the heap is allowed to grow
before garbage collection is triggered. In general, doubling the
value halves the CPU time spent doing GC, but it also doubles peak
GC memory overhead. A special value of -1 can be used to disable
GC entirely; this should only be used in conjunction with the GoMemoryLimitMB
setting. \n This setting is overridden by the GOGC environment variable.
\n [Default: 40]"
type: integer
goMaxProcs:
description: "GoMaxProcs sets the maximum number of CPUs that the
Go runtime will use concurrently. A value of -1 means \"use the
system default\"; typically the number of real CPUs on the system.
\n This setting is overridden by the GOMAXPROCS environment variable.
\n [Default: -1]"
type: integer
goMemoryLimitMB:
description: "GoMemoryLimitMB sets a (soft) memory limit for the Go
runtime in MB. The Go runtime will try to keep its memory usage
under the limit by triggering GC as needed. To avoid thrashing,
it will exceed the limit if GC starts to take more than 50% of the
process's CPU time. A value of -1 disables the memory limit. \n
Note that the memory limit, if used, must be considerably less than
any hard resource limit set at the container or pod level. This
is because felix is not the only process that must run in the container
or pod. \n This setting is overridden by the GOMEMLIMIT environment
variable. \n [Default: -1]"
type: integer
healthEnabled:
description: 'HealthEnabled if set to true, enables Felix''s health
port, which provides readiness and liveness endpoints. [Default:
false]'
type: boolean
healthHost:
description: 'HealthHost is the host that the health server should
bind to. [Default: localhost]'
type: string
healthPort:
description: 'HealthPort is the TCP port that the health server should
bind to. [Default: 9099]'
type: integer
healthTimeoutOverrides:
description: HealthTimeoutOverrides allows the internal watchdog timeouts
of individual subcomponents to be overridden. This is useful for
working around "false positive" liveness timeouts that can occur
in particularly stressful workloads or if CPU is constrained. For
a list of active subcomponents, see Felix's logs.
items:
properties:
name:
type: string
timeout:
type: string
required:
- name
- timeout
type: object
type: array
interfaceExclude:
description: 'InterfaceExclude A comma-separated list of interface
names that should be excluded when Felix is resolving host endpoints.
The default value ensures that Felix ignores Kubernetes'' internal
`kube-ipvs0` device. If you want to exclude multiple interface names
using a single value, the list supports regular expressions. For
regular expressions you must wrap the value with `/`. For example
having values `/^kube/,veth1` will exclude all interfaces that begin
with `kube` and also the interface `veth1`. [Default: kube-ipvs0]'
type: string
interfacePrefix:
description: 'InterfacePrefix is the interface name prefix that identifies
workload endpoints and so distinguishes them from host endpoint
interfaces. Note: in environments other than bare metal, the orchestrators
configure this appropriately. For example our Kubernetes and Docker
integrations set the ''cali'' value, and our OpenStack integration
sets the ''tap'' value. [Default: cali]'
type: string
interfaceRefreshInterval:
description: InterfaceRefreshInterval is the period at which Felix
rescans local interfaces to verify their state. The rescan can be
disabled by setting the interval to 0.
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
ipForwarding:
description: 'IPForwarding controls whether Felix sets the host sysctls
to enable IP forwarding. IP forwarding is required when using Calico
for workload networking. This should be disabled only on hosts
where Calico is used solely for host protection. In BPF mode, due
to a kernel interaction, either IPForwarding must be enabled or
BPFEnforceRPF must be disabled. [Default: Enabled]'
enum:
- Enabled
- Disabled
type: string
ipipEnabled:
description: 'IPIPEnabled overrides whether Felix should configure
an IPIP interface on the host. Optional as Felix determines this
based on the existing IP pools. [Default: nil (unset)]'
type: boolean
ipipMTU:
description: 'IPIPMTU controls the MTU to set on the IPIP tunnel device. Optional
as Felix auto-detects the MTU based on the MTU of the host''s interfaces.
[Default: 0 (auto-detect)]'
type: integer
ipsetsRefreshInterval:
description: 'IpsetsRefreshInterval controls the period at which Felix
re-checks all IP sets to look for discrepancies. Set to 0 to disable
the periodic refresh. [Default: 90s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
iptablesBackend:
description: "IptablesBackend controls which backend of iptables will
be used. The default is `Auto`. \n Warning: changing this on a running
system can leave \"orphaned\" rules in the \"other\" backend. These
should be cleaned up to avoid confusing interactions."
pattern: ^(?i)(Auto|Legacy|NFT)?$
type: string
iptablesFilterAllowAction:
description: IptablesFilterAllowAction controls what happens to traffic
that is accepted by a Felix policy chain in the iptables filter
table (which is used for "normal" policy). The default will immediately
`Accept` the traffic. Use `Return` to send the traffic back up to
the system chains for further processing.
pattern: ^(?i)(Accept|Return)?$
type: string
iptablesFilterDenyAction:
description: IptablesFilterDenyAction controls what happens to traffic
that is denied by network policy. By default Calico blocks traffic
with an iptables "DROP" action. If you want to use "REJECT" action
instead you can configure it in here.
pattern: ^(?i)(Drop|Reject)?$
type: string
iptablesLockFilePath:
description: 'IptablesLockFilePath is the location of the iptables
lock file. You may need to change this if the lock file is not in
its standard location (for example if you have mapped it into Felix''s
container at a different path). [Default: /run/xtables.lock]'
type: string
iptablesLockProbeInterval:
description: 'IptablesLockProbeInterval when IptablesLockTimeout is
enabled: the time that Felix will wait between attempts to acquire
the iptables lock if it is not available. Lower values make Felix
more responsive when the lock is contended, but use more CPU. [Default:
50ms]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
iptablesLockTimeout:
description: "IptablesLockTimeout is the time that Felix itself will
wait for the iptables lock (rather than delegating the lock handling
to the `iptables` command). \n Deprecated: `iptables-restore` v1.8+
always takes the lock, so enabling this feature results in deadlock.
[Default: 0s disabled]"
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
iptablesMangleAllowAction:
description: IptablesMangleAllowAction controls what happens to traffic
that is accepted by a Felix policy chain in the iptables mangle
table (which is used for "pre-DNAT" policy). The default will immediately
`Accept` the traffic. Use `Return` to send the traffic back up to
the system chains for further processing.
pattern: ^(?i)(Accept|Return)?$
type: string
iptablesMarkMask:
description: 'IptablesMarkMask is the mask that Felix selects its
IPTables Mark bits from. Should be a 32 bit hexadecimal number with
at least 8 bits set, none of which clash with any other mark bits
in use on the system. [Default: 0xffff0000]'
format: int32
type: integer
iptablesNATOutgoingInterfaceFilter:
description: 'This parameter can be used to limit the host interfaces
on which Calico will apply SNAT to traffic leaving a Calico IPAM
pool with "NAT outgoing" enabled. This can be useful if you have
a main data interface, where traffic should be SNATted and a secondary
device (such as the docker bridge) which is local to the host and
doesn''t require SNAT. This parameter uses the iptables interface
matching syntax, which allows + as a wildcard. Most users will not
need to set this. Example: if your data interfaces are eth0 and
eth1 and you want to exclude the docker bridge, you could set this
to eth+'
type: string
iptablesPostWriteCheckInterval:
description: 'IptablesPostWriteCheckInterval is the period after Felix
has done a write to the dataplane that it schedules an extra read
back in order to check the write was not clobbered by another process.
This should only occur if another application on the system doesn''t
respect the iptables lock. [Default: 1s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
iptablesRefreshInterval:
description: 'IptablesRefreshInterval is the period at which Felix
re-checks the IP sets in the dataplane to ensure that no other process
has accidentally broken Calico''s rules. Set to 0 to disable IP
sets refresh. Note: the default for this value is lower than the
other refresh intervals as a workaround for a Linux kernel bug that
was fixed in kernel version 4.11. If you are using v4.11 or greater
you may want to set this to a higher value to reduce Felix CPU
usage. [Default: 10s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
ipv6Support:
description: IPv6Support controls whether Felix enables support for
IPv6 (if supported by the in-use dataplane).
type: boolean
kubeNodePortRanges:
description: 'KubeNodePortRanges holds a list of port ranges used for
service node ports. Only used if felix detects kube-proxy running
in ipvs mode. Felix uses these ranges to separate host and workload
traffic. [Default: 30000:32767].'
items:
anyOf:
- type: integer
- type: string
pattern: ^.*
x-kubernetes-int-or-string: true
type: array
logDebugFilenameRegex:
description: LogDebugFilenameRegex controls which source code files
have their Debug log output included in the logs. Only logs from
files with names that match the given regular expression are included. The
filter only applies to Debug level logs.
type: string
logFilePath:
description: 'LogFilePath is the full path to the Felix log. Set to
none to disable file logging. [Default: /var/log/calico/felix.log]'
type: string
logPrefix:
description: 'LogPrefix is the log prefix that Felix uses when rendering
LOG rules. [Default: calico-packet]'
type: string
logSeverityFile:
description: 'LogSeverityFile is the log severity above which logs
are sent to the log file. [Default: Info]'
pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$
type: string
logSeverityScreen:
description: 'LogSeverityScreen is the log severity above which logs
are sent to the stdout. [Default: Info]'
pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$
type: string
logSeveritySys:
description: 'LogSeveritySys is the log severity above which logs
are sent to the syslog. Set to None for no logging to syslog. [Default:
Info]'
pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$
type: string
maxIpsetSize:
description: MaxIpsetSize is the maximum number of IP addresses that
can be stored in an IP set. Not applicable if using the nftables
backend.
type: integer
metadataAddr:
description: 'MetadataAddr is the IP address or domain name of the
server that can answer VM queries for cloud-init metadata. In OpenStack,
this corresponds to the machine running nova-api (or in Ubuntu,
nova-api-metadata). A value of none (case-insensitive) means that
Felix should not set up any NAT rule for the metadata path. [Default:
127.0.0.1]'
type: string
metadataPort:
description: 'MetadataPort is the port of the metadata server. This,
combined with global.MetadataAddr (if not ''None''), is used to
set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort.
In most cases this should not need to be changed [Default: 8775].'
type: integer
mtuIfacePattern:
description: MTUIfacePattern is a regular expression that controls
which interfaces Felix should scan in order to calculate the host's
MTU. This should not match workload interfaces (usually named cali...).
type: string
natOutgoingAddress:
description: NATOutgoingAddress specifies an address to use when performing
source NAT for traffic in a natOutgoing pool that is leaving the
network. By default the address used is an address on the interface
the traffic is leaving on (i.e. it uses the iptables MASQUERADE
target).
type: string
natPortRange:
anyOf:
- type: integer
- type: string
description: NATPortRange specifies the range of ports that is used
for port mapping when doing outgoing NAT. When unset the default
behavior of the network stack is used.
pattern: ^.*
x-kubernetes-int-or-string: true
netlinkTimeout:
description: 'NetlinkTimeout is the timeout when talking to the kernel
over the netlink protocol, used for programming routes, rules, and
other kernel objects. [Default: 10s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
nftablesFilterAllowAction:
description: NftablesFilterAllowAction controls the nftables action
that Felix uses to represent the "allow" policy verdict in the filter
table. The default is to `ACCEPT` the traffic, which is a terminal
action. Alternatively, `RETURN` can be used to return the traffic
back to the top-level chain for further processing by your rules.
pattern: ^(?i)(Accept|Return)?$
type: string
nftablesFilterDenyAction:
description: NftablesFilterDenyAction controls what happens to traffic
that is denied by network policy. By default, Calico blocks traffic
with a "drop" action. If you want to use a "reject" action instead
you can configure it here.
pattern: ^(?i)(Drop|Reject)?$
type: string
nftablesMangleAllowAction:
description: NftablesMangleAllowAction controls the nftables action
that Felix uses to represent the "allow" policy verdict in the mangle
table. The default is to `ACCEPT` the traffic, which is a terminal
action. Alternatively, `RETURN` can be used to return the traffic
back to the top-level chain for further processing by your rules.
pattern: ^(?i)(Accept|Return)?$
type: string
nftablesMarkMask:
description: 'NftablesMarkMask is the mask that Felix selects its
nftables Mark bits from. Should be a 32 bit hexadecimal number with
at least 8 bits set, none of which clash with any other mark bits
in use on the system. [Default: 0xffff0000]'
format: int32
type: integer
nftablesMode:
description: 'NFTablesMode configures nftables support in Felix. [Default:
Disabled]'
enum:
- Disabled
- Enabled
- Auto
type: string
nftablesRefreshInterval:
description: 'NftablesRefreshInterval controls the interval at which
Felix periodically refreshes the nftables rules. [Default: 90s]'
type: string
openstackRegion:
description: 'OpenstackRegion is the name of the region that a particular
Felix belongs to. In a multi-region Calico/OpenStack deployment,
this must be configured somehow for each Felix (here in the datamodel,
or in felix.cfg or the environment on each compute node), and must
match the [calico] openstack_region value configured in neutron.conf
on each node. [Default: Empty]'
type: string
policySyncPathPrefix:
description: 'PolicySyncPathPrefix is used by Felix to communicate
policy changes to external services, like Application layer policy.
[Default: Empty]'
type: string
prometheusGoMetricsEnabled:
description: 'PrometheusGoMetricsEnabled, when set to false, disables Go
runtime metrics collection, which the Prometheus client performs by
default. This reduces the number of metrics reported, reducing
Prometheus load. [Default: true]'
type: boolean
prometheusMetricsEnabled:
description: 'PrometheusMetricsEnabled enables the Prometheus metrics
server in Felix if set to true. [Default: false]'
type: boolean
prometheusMetricsHost:
description: 'PrometheusMetricsHost is the host that the Prometheus
metrics server should bind to. [Default: empty]'
type: string
prometheusMetricsPort:
description: 'PrometheusMetricsPort is the TCP port that the Prometheus
metrics server should bind to. [Default: 9091]'
type: integer
prometheusProcessMetricsEnabled:
description: 'PrometheusProcessMetricsEnabled, when set to false, disables
process metrics collection, which the Prometheus client performs by
default. This reduces the number of metrics reported, reducing
Prometheus load. [Default: true]'
type: boolean
prometheusWireGuardMetricsEnabled:
description: 'PrometheusWireGuardMetricsEnabled, when set to false, disables
wireguard metrics collection, which the Prometheus client performs
by default. This reduces the number of metrics reported, reducing
Prometheus load. [Default: true]'
type: boolean
removeExternalRoutes:
description: RemoveExternalRoutes controls whether Felix will remove
unexpected routes to workload interfaces. Felix will always clean
up expected routes that use the configured DeviceRouteProtocol. To
add your own routes, you must use a distinct protocol (in addition
to setting this field to false).
type: boolean
reportingInterval:
description: 'ReportingInterval is the interval at which Felix reports
its status into the datastore or 0 to disable. Must be non-zero
in OpenStack deployments. [Default: 30s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
reportingTTL:
description: 'ReportingTTL is the time-to-live setting for process-wide
status reports. [Default: 90s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
routeRefreshInterval:
description: 'RouteRefreshInterval is the period at which Felix re-checks
the routes in the dataplane to ensure that no other process has
accidentally broken Calico''s rules. Set to 0 to disable route refresh.
[Default: 90s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
routeSource:
description: 'RouteSource configures where Felix gets its routing
information. - WorkloadIPs: use workload endpoints to construct
routes. - CalicoIPAM: the default - use IPAM data to construct routes.'
pattern: ^(?i)(WorkloadIPs|CalicoIPAM)?$
type: string
routeSyncDisabled:
description: RouteSyncDisabled will disable all operations performed
on the route table. Set to true to run in network-policy mode only.
type: boolean
routeTableRange:
description: Deprecated in favor of RouteTableRanges. Calico programs
additional Linux route tables for various purposes. RouteTableRange
specifies the indices of the route tables that Calico should use.
properties:
max:
type: integer
min:
type: integer
required:
- max
- min
type: object
routeTableRanges:
description: Calico programs additional Linux route tables for various
purposes. RouteTableRanges specifies a set of table index ranges
that Calico should use. Deprecates `RouteTableRange`, overrides `RouteTableRange`.
items:
properties:
max:
type: integer
min:
type: integer
required:
- max
- min
type: object
type: array
serviceLoopPrevention:
description: 'When service IP advertisement is enabled, prevent routing
loops to service IPs that are not in use, by dropping or rejecting
packets that do not get DNAT''d by kube-proxy, unless set to "Disabled",
in which case such routing loops continue to be allowed. [Default:
Drop]'
pattern: ^(?i)(Drop|Reject|Disabled)?$
type: string
sidecarAccelerationEnabled:
description: 'SidecarAccelerationEnabled enables experimental sidecar
acceleration [Default: false]'
type: boolean
usageReportingEnabled:
description: 'UsageReportingEnabled reports anonymous Calico version
number and cluster size to projectcalico.org. Logs warnings returned
by the usage server. For example, if a significant security vulnerability
has been discovered in the version of Calico being used. [Default:
true]'
type: boolean
usageReportingInitialDelay:
description: 'UsageReportingInitialDelay controls the minimum delay
before Felix makes a report. [Default: 300s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
usageReportingInterval:
description: 'UsageReportingInterval controls the interval at which
Felix makes reports. [Default: 86400s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
useInternalDataplaneDriver:
description: UseInternalDataplaneDriver, if true, causes Felix to use its
internal dataplane programming logic. If false, it will launch
an external dataplane driver and communicate with it over protobuf.
type: boolean
vxlanEnabled:
description: 'VXLANEnabled overrides whether Felix should create the
VXLAN tunnel device for IPv4 VXLAN networking. Optional as Felix
determines this based on the existing IP pools. [Default: nil (unset)]'
type: boolean
vxlanMTU: