This repository has been archived by the owner on Jun 29, 2022. It is now read-only.

Merge pull request #1113 from kinvolk/imran/update-calico-to-3.16.4
Update calico to 3.16.4
ipochi authored Oct 28, 2020
2 parents 13a331a + b94e31f commit 579f999
Showing 25 changed files with 458 additions and 291 deletions.
59 changes: 54 additions & 5 deletions assets/charts/control-plane/calico/crds/bgpconfigurations.yaml
Expand Up @@ -3,7 +3,7 @@ kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)

creationTimestamp: null
name: bgpconfigurations.crd.projectcalico.org
spec:
group: crd.projectcalico.org
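Review bot: the `controller-gen.kubebuilder.io/version` annotation now reads `(devel)`, which means the CRD was generated with an unreleased controller-gen build, so re-running generation locally is unlikely to reproduce these files byte for byte. If these manifests are copied from the Calico 3.16.4 release, as the commit title suggests, record the source (release tag and upstream path) in the chart's README or a comment so the next bump can be diffed against upstream instead of regenerated. The same annotation change repeats in every CRD in this commit.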
Expand Down Expand Up @@ -39,6 +39,32 @@ spec:
64512]'
format: int32
type: integer
communities:
description: Communities is a list of BGP community values and their
arbitrary names for tagging routes.
items:
description: Community contains standard or large community value
and its name.
properties:
name:
description: Name given to community value.
type: string
value:
description: Value must be of format `aa:nn` or `aa:nn:mm`.
For standard community use `aa:nn` format, where `aa` and
`nn` are 16 bit number. For large community use `aa:nn:mm`
format, where `aa`, `nn` and `mm` are 32 bit number. Where,
`aa` is an AS Number, `nn` and `mm` are per-AS identifier.
pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$
type: string
type: object
type: array
listenPort:
description: ListenPort is the port where BGP protocol should listen.
Defaults to 179
maximum: 65535
minimum: 1
type: integer
logSeverityScreen:
description: 'LogSeverityScreen is the log severity above which logs
are sent to the stdout. [Default: INFO]'
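Review bot: the `pattern` on `communities[].value` (`^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$`) accepts arbitrary digit strings, so the 16-bit and 32-bit bounds the description promises (`aa` and `nn` at most 65535 for a standard community, each field at most 2^32-1 for a large one) are not enforced at admission; a value such as `70000:1` passes schema validation and is rejected, if at all, only when the BGP daemon parses it. Either tighten the regex to bound the fields or say in the description that range checking happens inside Calico rather than in the API server. `listenPort`, by contrast, carries `minimum: 1` / `maximum: 65535`, which is the right level of validation for a port.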
Expand All @@ -47,13 +73,36 @@ spec:
description: 'NodeToNodeMeshEnabled sets whether full node to node
BGP mesh is enabled. [Default: true]'
type: boolean
prefixAdvertisements:
description: PrefixAdvertisements contains per-prefix advertisement
configuration.
items:
description: PrefixAdvertisement configures advertisement properties
for the specified CIDR.
properties:
cidr:
description: CIDR for which properties should be advertised.
type: string
communities:
description: Communities can be list of either community names
already defined in `Specs.Communities` or community value
of format `aa:nn` or `aa:nn:mm`. For standard community use
`aa:nn` format, where `aa` and `nn` are 16 bit number. For
large community use `aa:nn:mm` format, where `aa`, `nn` and
`mm` are 32 bit number. Where,`aa` is an AS Number, `nn` and
`mm` are per-AS identifier.
items:
type: string
type: array
type: object
type: array
serviceClusterIPs:
description: ServiceClusterIPs are the CIDR blocks from which service
cluster IPs are allocated. If specified, Calico will advertise these
blocks, as well as any cluster IPs within them.
items:
description: ServiceClusterIPBlock represents a single whitelisted
CIDR block for ClusterIPs.
description: ServiceClusterIPBlock represents a single allowed ClusterIP
CIDR block.
properties:
cidr:
type: string
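Review bot: `prefixAdvertisements[].cidr` and `serviceClusterIPs[].cidr` are plain `type: string` with no `pattern`, so a mistyped CIDR is not caught at admission and only surfaces when Calico reads the resource; a CIDR pattern on both fields would catch that early. Also, the `prefixAdvertisements[].communities` description points users at `Specs.Communities`, but the field in this CRD is `spec.communities`; use the YAML path so readers can find it.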
Expand All @@ -64,8 +113,8 @@ spec:
Service External IPs. Kubernetes Service ExternalIPs will only be
advertised if they are within one of these blocks.
items:
description: ServiceExternalIPBlock represents a single whitelisted
CIDR External IP block.
description: ServiceExternalIPBlock represents a single allowed
External IP CIDR block.
properties:
cidr:
type: string
41 changes: 38 additions & 3 deletions assets/charts/control-plane/calico/crds/bgppeers.yaml
@@ -1,9 +1,11 @@

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)

creationTimestamp: null
name: bgppeers.crd.projectcalico.org
spec:
group: crd.projectcalico.org
Expand Down Expand Up @@ -37,6 +39,12 @@ spec:
description: The AS Number of the peer.
format: int32
type: integer
keepOriginalNextHop:
description: Option to keep the original nexthop field when routes
are sent to a BGP Peer. Setting "true" configures the selected BGP
Peers node to use the "next hop keep;" instead of "next hop self;"(default)
in the specific branch of the Node on "bird.cfg".
type: boolean
node:
description: The node name identifying the Calico node instance that
is peering with this peer. If this is not set, this represents a
Expand All @@ -46,16 +54,43 @@ spec:
description: Selector for the nodes that should have this peering. When
this is set, the Node field must be empty.
type: string
password:
description: Optional BGP password for the peerings generated by this
BGPPeer resource.
properties:
secretKeyRef:
description: Selects a key of a secret in the node pod's namespace.
properties:
key:
description: The key of the secret to select from. Must be
a valid secret key.
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
optional:
description: Specify whether the Secret or its key must be
defined
type: boolean
required:
- key
type: object
type: object
peerIP:
description: The IP address of the peer.
description: The IP address of the peer followed by an optional port
number to peer with. If port number is given, format should be `[<IPv6>]:port`
or `<IPv4>:<port>` for IPv4. If optional port number is not set,
and this peer IP and ASNumber belongs to a calico/node with ListenPort
set in BGPConfiguration, then we use that port to peer.
type: string
peerSelector:
description: Selector for the remote nodes to peer with. When this
is set, the PeerIP and ASNumber fields must be empty. For each
peering between the local node and selected remote nodes, we configure
an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified,
and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The
remote AS number comes from the remote node’s NodeBGPSpec.ASNumber,
remote AS number comes from the remote node’s NodeBGPSpec.ASNumber,
or the global default if that is not set.
type: string
required:
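Review bot: `password.secretKeyRef` makes calico-node read a Secret from the node pod's namespace, so the calico-node ServiceAccount needs `get` on `secrets` in that namespace for this feature to work at all; this hunk only changes the CRD schema, so check that the RBAC manifests elsewhere in this PR grant that permission, and grant it with a namespaced Role rather than a cluster-wide `secrets` read so that the node agent cannot read every Secret in the cluster. Separately, `peerIP` now accepts `[<IPv6>]:port` / `<IPv4>:<port>` but stays an unconstrained `type: string`; a `pattern` would reject an ambiguous bare `<IPv6>:port` at admission instead of at runtime.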
4 changes: 3 additions & 1 deletion assets/charts/control-plane/calico/crds/blockaffinities.yaml
@@ -1,9 +1,11 @@

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)

creationTimestamp: null
name: blockaffinities.crd.projectcalico.org
spec:
group: crd.projectcalico.org
Original file line number Diff line number Diff line change
@@ -1,9 +1,11 @@

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)

creationTimestamp: null
name: clusterinformations.crd.projectcalico.org
spec:
group: crd.projectcalico.org
71 changes: 51 additions & 20 deletions assets/charts/control-plane/calico/crds/felixconfigurations.yaml
@@ -1,9 +1,11 @@

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)

creationTimestamp: null
name: felixconfigurations.crd.projectcalico.org
spec:
group: crd.projectcalico.org
Expand Down Expand Up @@ -34,6 +36,25 @@ spec:
spec:
description: FelixConfigurationSpec contains the values of the Felix configuration.
properties:
allowIPIPPacketsFromWorkloads:
description: 'AllowIPIPPacketsFromWorkloads controls whether Felix
will add a rule to drop IPIP encapsulated traffic from workloads
[Default: false]'
type: boolean
allowVXLANPacketsFromWorkloads:
description: 'AllowVXLANPacketsFromWorkloads controls whether Felix
will add a rule to drop VXLAN encapsulated traffic from workloads
[Default: false]'
type: boolean
awsSrcDstCheck:
description: 'Set source-destination-check on AWS EC2 instances. Accepted
value must be one of "DoNothing", "Enabled" or "Disabled". [Default:
DoNothing]'
enum:
- DoNothing
- Enable
- Disable
type: string
bpfConnectTimeLoadBalancingEnabled:
description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode,
controls whether Felix installs the connection-time load balancer. The
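Review bot: the `awsSrcDstCheck` description says the accepted values are "DoNothing", "Enabled" or "Disabled", but the `enum` lists `Enable` and `Disable`; one of the two is wrong, and a user who follows the description will have the FelixConfiguration rejected by the API server. Make the description match whichever spelling Felix actually accepts. Separately, the `allowIPIPPacketsFromWorkloads` and `allowVXLANPacketsFromWorkloads` descriptions read as if the field "controls whether Felix will add a rule to drop" the traffic, which inverts the sense of the field name; state it plainly: with the default `false` Felix drops IPIP/VXLAN packets originating from workloads, and, as the name implies, `true` removes that drop rule and lets workloads emit encapsulated traffic, which is why `false` is the safe default.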
Expand Down Expand Up @@ -94,10 +115,10 @@ spec:
`tc exec bpf debug`. [Default: Off].'
type: string
chainInsertMode:
description: 'ChainInsertMode controls whether Felix hooks the kernels
description: 'ChainInsertMode controls whether Felix hooks the kernel’s
top-level iptables chains by inserting a rule at the top of the
chain or by appending a rule at the bottom. insert is the safe default
since it prevents Calicos rules from being bypassed. If you switch
since it prevents Calico’s rules from being bypassed. If you switch
to append mode, be sure that the other rules in the chains signal
acceptance by falling through to the Calico rules, otherwise the
Calico policy will be bypassed. [Default: insert]'
Expand All @@ -117,11 +138,11 @@ spec:
traffic that goes from a workload endpoint to the host itself (after
the traffic hits the endpoint egress policy). By default Calico
blocks traffic from workload endpoints to the host itself with an
iptables DROP action. If you want to allow some or all traffic
iptables DROP action. If you want to allow some or all traffic
from endpoint to host, set this parameter to RETURN or ACCEPT. Use
RETURN if you have your own rules in the iptables INPUT chain;
Calico will insert its rules at the top of that chain, then RETURN
packets to the INPUT chain once it has completed processing workload
RETURN if you have your own rules in the iptables INPUT chain;
Calico will insert its rules at the top of that chain, then RETURN
packets to the INPUT chain once it has completed processing workload
endpoint egress policy. Use ACCEPT to unconditionally accept packets
from workloads after processing workload endpoint egress policy.
[Default: Drop]'
Expand Down Expand Up @@ -155,7 +176,7 @@ spec:
accidentally cutting off a host with incorrect configuration. Each
port should be specified as tcp:<port-number> or udp:<port-number>.
For back-compatibility, if the protocol is not specified, it defaults
to tcp. To disable all inbound host ports, use the value none.
to tcp. To disable all inbound host ports, use the value none.
The default value allows ssh access and DHCP. [Default: tcp:22,
udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]'
items:
Expand All @@ -178,8 +199,8 @@ spec:
to avoid accidentally cutting off a host with incorrect configuration.
Each port should be specified as tcp:<port-number> or udp:<port-number>.
For back-compatibility, if the protocol is not specified, it defaults
to tcp. To disable all outbound host ports, use the value none.
The default value opens etcds standard ports to ensure that Felix
to tcp. To disable all outbound host ports, use the value none.
The default value opens etcd’s standard ports to ensure that Felix
does not get cut off from etcd as well as allowing DHCP and DNS.
[Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667,
udp:53, udp:67]'
Expand All @@ -196,6 +217,13 @@ spec:
- protocol
type: object
type: array
featureDetectOverride:
description: FeatureDetectOverride is used to override the feature
detection. Values are specified in a comma separated list with no
spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=".
"true" or "false" will force the feature, empty or omitted values
are auto-detected.
type: string
genericXDPEnabled:
description: 'GenericXDPEnabled enables Generic XDP so network cards
that don''t support XDP offload or driver modes can use XDP. This
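Review bot: `featureDetectOverride` is an unconstrained string even though the description fixes a strict syntax (comma-separated `Name=true`, `Name=false` or `Name=` with no spaces); a `pattern` along the lines of `^[A-Za-z]+=(true|false)?(,[A-Za-z]+=(true|false)?)*$` would reject a stray space or an unknown literal at admission instead of leaving Felix to fail at parse time. Since this knob disables feature detection that Felix otherwise performs for safety, the description should also say that a wrong override is not validated against the running kernel or iptables.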
Expand Down Expand Up @@ -224,8 +252,13 @@ spec:
workload endpoints and so distinguishes them from host endpoint
interfaces. Note: in environments other than bare metal, the orchestrators
configure this appropriately. For example our Kubernetes and Docker
integrations set the ‘cali value, and our OpenStack integration
sets the ‘tap value. [Default: cali]'
integrations set the ‘cali’ value, and our OpenStack integration
sets the ‘tap’ value. [Default: cali]'
type: string
interfaceRefreshInterval:
description: InterfaceRefreshInterval is the period at which Felix
rescans local interfaces to verify their state. The rescan can be
disabled by setting the interval to 0.
type: string
ipipEnabled:
type: boolean
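Review bot: `interfaceRefreshInterval` is the only new interval field here whose description lacks a `[Default: ...]`, while the neighbouring `ipsetsRefreshInterval` and `iptablesRefreshInterval` state theirs; add the default so the convention holds. Like the other intervals it is `type: string` with no `pattern`, so a malformed duration is detected only by Felix, not at admission.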
Expand All @@ -236,7 +269,7 @@ spec:
ipsetsRefreshInterval:
description: 'IpsetsRefreshInterval is the period at which Felix re-checks
all iptables state to ensure that no other process has accidentally
broken Calicos rules. Set to 0 to disable iptables refresh. [Default:
broken Calico’s rules. Set to 0 to disable iptables refresh. [Default:
90s]'
type: string
iptablesBackend:
Expand All @@ -248,7 +281,7 @@ spec:
iptablesLockFilePath:
description: 'IptablesLockFilePath is the location of the iptables
lock file. You may need to change this if the lock file is not in
its standard location (for example if you have mapped it into Felixs
its standard location (for example if you have mapped it into Felix’s
container at a different path). [Default: /run/xtables.lock]'
type: string
iptablesLockProbeInterval:
Expand Down Expand Up @@ -280,13 +313,13 @@ spec:
description: 'IptablesPostWriteCheckInterval is the period after Felix
has done a write to the dataplane that it schedules an extra read
back in order to check the write was not clobbered by another process.
This should only occur if another application on the system doesnt
This should only occur if another application on the system doesn’t
respect the iptables lock. [Default: 1s]'
type: string
iptablesRefreshInterval:
description: 'IptablesRefreshInterval is the period at which Felix
re-checks the IP sets in the dataplane to ensure that no other process
has accidentally broken Calicos rules. Set to 0 to disable IP sets
has accidentally broken Calico’s rules. Set to 0 to disable IP sets
refresh. Note: the default for this value is lower than the other
refresh intervals as a workaround for a Linux kernel bug that was
fixed in kernel version 4.11. If you are using v4.11 or greater
Expand Down Expand Up @@ -340,7 +373,7 @@ spec:
type: string
metadataPort:
description: 'MetadataPort is the port of the metadata server. This,
combined with global.MetadataAddr (if not ‘None), is used to set
combined with global.MetadataAddr (if not None), is used to set
up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort.
In most cases this should not need to be changed [Default: 8775].'
type: integer
Expand Down Expand Up @@ -416,7 +449,7 @@ spec:
routeRefreshInterval:
description: 'RouterefreshInterval is the period at which Felix re-checks
the routes in the dataplane to ensure that no other process has
accidentally broken Calicos rules. Set to 0 to disable route refresh.
accidentally broken Calico’s rules. Set to 0 to disable route refresh.
[Default: 90s]'
type: string
routeSource:
Expand Down Expand Up @@ -498,8 +531,6 @@ spec:
Calico''s BPF maps or attached programs. Set to 0 to disable XDP
refresh. [Default: 90s]'
type: string
required:
- bpfLogLevel
type: object
type: object
served: true
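Review bot: dropping `required: - bpfLogLevel` means a FelixConfiguration may now omit `bpfLogLevel`; confirm that Felix treats the unset field as the `[Default: Off]` shown at the top of the `-94,10 +115,10` hunk rather than as an empty string. The loosening itself is backward compatible (objects that already set the field stay valid) and looks right, since a BPF-only logging setting should not have been mandatory for clusters running the iptables dataplane.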