Blame - cluster/kube/lib/calico_crd.yml - hscloud

internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'

33

type: string

34

kind:

35

description: 'Kind is a string value representing the REST resource this

36

object represents. Servers may infer this from the endpoint the client

37

submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'

type: string

metadata:

type: object

spec:

description: BGPConfigurationSpec contains the values of the BGP configuration.

43

properties:

44

asNumber:

45

description: 'ASNumber is the default AS number used by a node. [Default:

64512]'

format: int32

type: integer

logSeverityScreen:

description: 'LogSeverityScreen is the log severity above which logs

51

are sent to the stdout. [Default: INFO]'

52

type: string

53

nodeToNodeMeshEnabled:

54

description: 'NodeToNodeMeshEnabled sets whether full node to node

55

BGP mesh is enabled. [Default: true]'

56

type: boolean

57

serviceClusterIPs:

58

description: ServiceClusterIPs are the CIDR blocks from which service

59

cluster IPs are allocated. If specified, Calico will advertise these

60

blocks, as well as any cluster IPs within them.

61

items:

62

description: ServiceClusterIPBlock represents a single whitelisted

63

CIDR block for ClusterIPs.

properties:

cidr:

type: string

type: object

type: array

serviceExternalIPs:

description: ServiceExternalIPs are the CIDR blocks for Kubernetes

71

Service External IPs. Kubernetes Service ExternalIPs will only be

72

advertised if they are within one of these blocks.

73

items:

74

description: ServiceExternalIPBlock represents a single whitelisted

75

CIDR External IP block.

properties:

cidr:

type: string

type: object

type: array

type: object

type: object

served: true

storage: true

status:

acceptedNames:

kind: ""

plural: ""

conditions: []

storedVersions: []

---

---

apiVersion: apiextensions.k8s.io/v1

96

kind: CustomResourceDefinition

97

metadata:

98

annotations:

99

controller-gen.kubebuilder.io/version: (devel)

100

creationTimestamp: null

101

102

spec:

103

group: crd.projectcalico.org

104

names:

105

kind: BGPPeer

106

listKind: BGPPeerList

plural: bgppeers

singular: bgppeer

scope: Cluster

versions:

- name: v1

schema:

openAPIV3Schema:

properties:

apiVersion:

description: 'APIVersion defines the versioned schema of this representation

117

of an object. Servers should convert recognized schemas to the latest

118

internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'

119

type: string

120

kind:

121

description: 'Kind is a string value representing the REST resource this

122

object represents. Servers may infer this from the endpoint the client

123

submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'

type: string

metadata:

type: object

spec:

description: BGPPeerSpec contains the specification for a BGPPeer resource.

129

properties:

130

asNumber:

131

description: The AS Number of the peer.

format: int32

type: integer

node:

description: The node name identifying the Calico node instance that

136

is peering with this peer. If this is not set, this represents a

137

global peer, i.e. a peer that peers with every node in the deployment.

138

type: string

139

nodeSelector:

140

description: Selector for the nodes that should have this peering. When

141

this is set, the Node field must be empty.

142

type: string

143

peerIP:

144

description: The IP address of the peer.

145

type: string

146

peerSelector:

147

description: Selector for the remote nodes to peer with. When this

148

is set, the PeerIP and ASNumber fields must be empty. For each

149

peering between the local node and selected remote nodes, we configure

150

an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified,

151

and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The

152

remote AS number comes from the remote node’s NodeBGPSpec.ASNumber,

153

or the global default if that is not set.

type: string

required:

- asNumber

- peerIP

type: object

type: object

served: true

storage: true

status:

acceptedNames:

kind: ""

plural: ""

conditions: []

storedVersions: []

---

---

apiVersion: apiextensions.k8s.io/v1

173

kind: CustomResourceDefinition

174

metadata:

175

annotations:

176

controller-gen.kubebuilder.io/version: (devel)

177

creationTimestamp: null

178

179

spec:

180

group: crd.projectcalico.org

181

names:

182

kind: BlockAffinity

183

listKind: BlockAffinityList

184

plural: blockaffinities

185

singular: blockaffinity

scope: Cluster

versions:

- name: v1

schema:

openAPIV3Schema:

properties:

apiVersion:

description: 'APIVersion defines the versioned schema of this representation

194

of an object. Servers should convert recognized schemas to the latest

195

internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'

196

type: string

197

kind:

198

description: 'Kind is a string value representing the REST resource this

199

object represents. Servers may infer this from the endpoint the client

200

submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'

type: string

metadata:

type: object

spec:

description: BlockAffinitySpec contains the specification for a BlockAffinity

resource.

properties:

cidr:

type: string

deleted:

description: Deleted indicates that this block affinity is being deleted.

212

This field is a string for compatibility with older releases that

213

mistakenly treat this field as a string.

type: string

node:

type: string

state:

type: string

required:

- cidr

- deleted

- node

- state

type: object

type: object

served: true

storage: true

status:

acceptedNames:

kind: ""

plural: ""

conditions: []

storedVersions: []

---

---

apiVersion: apiextensions.k8s.io/v1

239

kind: CustomResourceDefinition

240

metadata:

241

annotations:

242

controller-gen.kubebuilder.io/version: (devel)

243

creationTimestamp: null

244

245

spec:

246

group: crd.projectcalico.org

247

names:

248

kind: ClusterInformation

249

listKind: ClusterInformationList

250

plural: clusterinformations

251

singular: clusterinformation

scope: Cluster

versions:

- name: v1

schema:

openAPIV3Schema:

description: ClusterInformation contains the cluster specific information.

258

properties:

259

apiVersion:

260

description: 'APIVersion defines the versioned schema of this representation

261

of an object. Servers should convert recognized schemas to the latest

262

internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'

263

type: string

264

kind:

265

description: 'Kind is a string value representing the REST resource this

266

object represents. Servers may infer this from the endpoint the client

267

submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'

type: string

metadata:

type: object

spec:

description: ClusterInformationSpec contains the values of describing

the cluster.

properties:

calicoVersion:

description: CalicoVersion is the version of Calico that the cluster

is running

type: string

clusterGUID:

description: ClusterGUID is the GUID of the cluster

281

type: string

282

clusterType:

283

description: ClusterType describes the type of the cluster

284

type: string

285

datastoreReady:

286

description: DatastoreReady is used during significant datastore migrations

287

to signal to components such as Felix that it should wait before

288

accessing the datastore.

289

type: boolean

290

variant:

291

description: Variant declares which variant of Calico should be active.

type: string

type: object

type: object

served: true

storage: true

status:

acceptedNames:

kind: ""

plural: ""

conditions: []

storedVersions: []

---

---

apiVersion: apiextensions.k8s.io/v1

308

kind: CustomResourceDefinition

309

metadata:

310

annotations:

311

controller-gen.kubebuilder.io/version: (devel)

312

creationTimestamp: null

313

314

spec:

315

group: crd.projectcalico.org

316

names:

317

kind: FelixConfiguration

318

listKind: FelixConfigurationList

319

plural: felixconfigurations

320

singular: felixconfiguration

scope: Cluster

versions:

- name: v1

schema:

openAPIV3Schema:

description: Felix Configuration contains the configuration for Felix.

327

properties:

328

apiVersion:

329

description: 'APIVersion defines the versioned schema of this representation

330

of an object. Servers should convert recognized schemas to the latest

331

internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'

332

type: string

333

kind:

334

description: 'Kind is a string value representing the REST resource this

335

object represents. Servers may infer this from the endpoint the client

336

submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'

type: string

metadata:

type: object

spec:

description: FelixConfigurationSpec contains the values of the Felix configuration.

342

properties:

343

allowIPIPPacketsFromWorkloads:

344

description: 'AllowIPIPPacketsFromWorkloads controls whether Felix

345

will add a rule to drop IPIP encapsulated traffic from workloads

346

[Default: false]'

347

type: boolean

348

allowVXLANPacketsFromWorkloads:

349

description: 'AllowVXLANPacketsFromWorkloads controls whether Felix

350

will add a rule to drop VXLAN encapsulated traffic from workloads

351

[Default: false]'

352

type: boolean

353

bpfConnectTimeLoadBalancingEnabled:

354

description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode,

355

controls whether Felix installs the connection-time load balancer. The

356

connect-time load balancer is required for the host to be able to

357

reach Kubernetes services and it improves the performance of pod-to-service

358

connections. The only reason to disable it is for debugging purposes. [Default:

true]'

type: boolean

bpfDataIfacePattern:

description: 'BPFDataIfacePattern is a regular expression that controls

363

which interfaces Felix should attach BPF programs to in order to

364

catch traffic to/from the network. This needs to match the interfaces

365

that Calico workload traffic flows over as well as any interfaces

366

that handle incoming traffic to nodeports and services from outside

367

the cluster. It should not match the workload interfaces (usually

368

named cali...). [Default: ^(en.*|eth.*|tunl0$)]'

369

type: string

370

bpfDisableUnprivileged:

371

description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled

372

sysctl to disable unprivileged use of BPF. This ensures that unprivileged

373

users cannot access Calico''s BPF maps and cannot insert their own

374

BPF programs to interfere with Calico''s. [Default: true]'

375

type: boolean

376

bpfEnabled:

377

description: 'BPFEnabled, if enabled Felix will use the BPF dataplane.

378

[Default: false]'

379

type: boolean

380

bpfExternalServiceMode:

381

description: 'BPFExternalServiceMode in BPF mode, controls how connections

382

from outside the cluster to services (node ports and cluster IPs)

383

are forwarded to remote workloads. If set to "Tunnel" then both

384

request and response traffic is tunneled to the remote node. If

385

set to "DSR", the request traffic is tunneled but the response traffic

386

is sent directly from the remote node. In "DSR" mode, the remote

387

node appears to use the IP of the ingress node; this requires a

388

permissive L2 network. [Default: Tunnel]'

389

type: string

390

bpfKubeProxyEndpointSlicesEnabled:

391

description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls

392

whether Felix's embedded kube-proxy accepts EndpointSlices or not.

393

type: boolean

394

bpfKubeProxyIptablesCleanupEnabled:

395

description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF

396

mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s

397

iptables chains. Should only be enabled if kube-proxy is not running. [Default:

398

true]'

399

type: boolean

400

bpfKubeProxyMinSyncPeriod:

401

description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the

402

minimum time between updates to the dataplane for Felix''s embedded

403

kube-proxy. Lower values give reduced set-up latency. Higher values

404

reduce Felix CPU usage by batching up more work. [Default: 1s]'

405

type: string

406

bpfLogLevel:

407

description: 'BPFLogLevel controls the log level of the BPF programs

408

when in BPF dataplane mode. One of "Off", "Info", or "Debug". The

409

logs are emitted to the BPF trace pipe, accessible with the command

410

`tc exec bpf debug`. [Default: Off].'

411

type: string

412

chainInsertMode:

413

description: 'ChainInsertMode controls whether Felix hooks the kernel’s

414

top-level iptables chains by inserting a rule at the top of the

415

chain or by appending a rule at the bottom. insert is the safe default

416

since it prevents Calico’s rules from being bypassed. If you switch

417

to append mode, be sure that the other rules in the chains signal

418

acceptance by falling through to the Calico rules, otherwise the

419

Calico policy will be bypassed. [Default: insert]'

type: string

dataplaneDriver:

type: string

debugDisableLogDropping:

424

type: boolean

425

debugMemoryProfilePath:

426

type: string

427

debugSimulateCalcGraphHangAfter:

428

type: string

429

debugSimulateDataplaneHangAfter:

430

type: string

431

defaultEndpointToHostAction:

432

description: 'DefaultEndpointToHostAction controls what happens to

433

traffic that goes from a workload endpoint to the host itself (after

434

the traffic hits the endpoint egress policy). By default Calico

435

blocks traffic from workload endpoints to the host itself with an

436

iptables “DROP” action. If you want to allow some or all traffic

437

from endpoint to host, set this parameter to RETURN or ACCEPT. Use

438

RETURN if you have your own rules in the iptables “INPUT” chain;

439

Calico will insert its rules at the top of that chain, then “RETURN”

440

packets to the “INPUT” chain once it has completed processing workload

441

endpoint egress policy. Use ACCEPT to unconditionally accept packets

442

from workloads after processing workload endpoint egress policy.

[Default: Drop]'

type: string

deviceRouteProtocol:

description: This defines the route protocol added to programmed device

447

routes, by default this will be RTPROT_BOOT when left blank.

448

type: integer

449

deviceRouteSourceAddress:

450

description: This is the source address to use on programmed device

451

routes. By default the source address is left blank, leaving the

452

kernel to choose the source address used.

453

type: string

454

disableConntrackInvalidCheck:

455

type: boolean

456

endpointReportingDelay:

457

type: string

458

endpointReportingEnabled:

459

type: boolean

460

externalNodesList:

461

description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes

462

which may source tunnel traffic and have the tunneled traffic be

463

accepted at calico nodes.

items:

type: string

type: array

failsafeInboundHostPorts:

468

description: 'FailsafeInboundHostPorts is a comma-delimited list of

469

UDP/TCP ports that Felix will allow incoming traffic to host endpoints

470

on irrespective of the security policy. This is useful to avoid

471

accidentally cutting off a host with incorrect configuration. Each

472

port should be specified as tcp:<port-number> or udp:<port-number>.

473

For back-compatibility, if the protocol is not specified, it defaults

474

to “tcp”. To disable all inbound host ports, use the value none.

475

The default value allows ssh access and DHCP. [Default: tcp:22,

476

udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]'

477

items:

478

description: ProtoPort is combination of protocol and port, both

must be specified.

properties:

port:

type: integer

protocol:

type: string

required:

- port

- protocol

type: object

type: array

failsafeOutboundHostPorts:

491

description: 'FailsafeOutboundHostPorts is a comma-delimited list

492

of UDP/TCP ports that Felix will allow outgoing traffic from host

493

endpoints to irrespective of the security policy. This is useful

494

to avoid accidentally cutting off a host with incorrect configuration.

495

Each port should be specified as tcp:<port-number> or udp:<port-number>.

496

For back-compatibility, if the protocol is not specified, it defaults

497

to “tcp”. To disable all outbound host ports, use the value none.

498

The default value opens etcd’s standard ports to ensure that Felix

499

does not get cut off from etcd as well as allowing DHCP and DNS.

500

[Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667,

501

udp:53, udp:67]'

502

items:

503

description: ProtoPort is combination of protocol and port, both

must be specified.

properties:

port:

type: integer

protocol:

type: string

required:

- port

- protocol

type: object

type: array

genericXDPEnabled:

description: 'GenericXDPEnabled enables Generic XDP so network cards

517

that don''t support XDP offload or driver modes can use XDP. This

518

is not recommended since it doesn''t provide better performance

519

than iptables. [Default: false]'

type: boolean

healthEnabled:

type: boolean

healthHost:

type: string

healthPort:

type: integer

interfaceExclude:

description: 'InterfaceExclude is a comma-separated list of interfaces

529

that Felix should exclude when monitoring for host endpoints. The

530

default value ensures that Felix ignores Kubernetes'' IPVS dummy

531

interface, which is used internally by kube-proxy. If you want to

532

exclude multiple interface names using a single value, the list

533

supports regular expressions. For regular expressions you must wrap

534

the value with ''/''. For example having values ''/^kube/,veth1''

535

will exclude all interfaces that begin with ''kube'' and also the

536

interface ''veth1''. [Default: kube-ipvs0]'

537

type: string

538

interfacePrefix:

539

description: 'InterfacePrefix is the interface name prefix that identifies

540

workload endpoints and so distinguishes them from host endpoint

541

interfaces. Note: in environments other than bare metal, the orchestrators

542

configure this appropriately. For example our Kubernetes and Docker

543

integrations set the ‘cali’ value, and our OpenStack integration

544

sets the ‘tap’ value. [Default: cali]'

type: string

ipipEnabled:

type: boolean

ipipMTU:

description: 'IPIPMTU is the MTU to set on the tunnel device. See

550

Configuring MTU [Default: 1440]'

551

type: integer

552

ipsetsRefreshInterval:

553

description: 'IpsetsRefreshInterval is the period at which Felix re-checks

554

all iptables state to ensure that no other process has accidentally

555

broken Calico’s rules. Set to 0 to disable iptables refresh. [Default:

90s]'

type: string

iptablesBackend:

description: IptablesBackend specifies which backend of iptables will

560

be used. The default is legacy.

561

type: string

562

iptablesFilterAllowAction:

563

type: string

564

iptablesLockFilePath:

565

description: 'IptablesLockFilePath is the location of the iptables

566

lock file. You may need to change this if the lock file is not in

567

its standard location (for example if you have mapped it into Felix’s

568

container at a different path). [Default: /run/xtables.lock]'

569

type: string

570

iptablesLockProbeInterval:

571

description: 'IptablesLockProbeInterval is the time that Felix will

572

wait between attempts to acquire the iptables lock if it is not

573

available. Lower values make Felix more responsive when the lock

574

is contended, but use more CPU. [Default: 50ms]'

575

type: string

576

iptablesLockTimeout:

577

description: 'IptablesLockTimeout is the time that Felix will wait

578

for the iptables lock, or 0, to disable. To use this feature, Felix

579

must share the iptables lock file with all other processes that

580

also take the lock. When running Felix inside a container, this

581

requires the /run directory of the host to be mounted into the calico/node

582

or calico/felix container. [Default: 0s disabled]'

583

type: string

584

iptablesMangleAllowAction:

585

type: string

586

iptablesMarkMask:

587

description: 'IptablesMarkMask is the mask that Felix selects its

588

IPTables Mark bits from. Should be a 32 bit hexadecimal number with

589

at least 8 bits set, none of which clash with any other mark bits

590

in use on the system. [Default: 0xff000000]'

591

format: int32

592

type: integer

593

iptablesNATOutgoingInterfaceFilter:

594

type: string

595

iptablesPostWriteCheckInterval:

596

description: 'IptablesPostWriteCheckInterval is the period after Felix

597

has done a write to the dataplane that it schedules an extra read

598

back in order to check the write was not clobbered by another process.

599

This should only occur if another application on the system doesn’t

600

respect the iptables lock. [Default: 1s]'

601

type: string

602

iptablesRefreshInterval:

603

description: 'IptablesRefreshInterval is the period at which Felix

604

re-checks the IP sets in the dataplane to ensure that no other process

605

has accidentally broken Calico’s rules. Set to 0 to disable IP sets

606

refresh. Note: the default for this value is lower than the other

607

refresh intervals as a workaround for a Linux kernel bug that was

608

fixed in kernel version 4.11. If you are using v4.11 or greater

609

you may want to set this to, a higher value to reduce Felix CPU

610

usage. [Default: 10s]'

type: string

ipv6Support:

type: boolean

kubeNodePortRanges:

description: 'KubeNodePortRanges holds list of port ranges used for

616

service node ports. Only used if felix detects kube-proxy running

617

in ipvs mode. Felix uses these ranges to separate host and workload

618

traffic. [Default: 30000:32767].'

items:

anyOf:

- type: integer

- type: string

pattern: ^.*

x-kubernetes-int-or-string: true

625

type: array

626

logFilePath:

627

description: 'LogFilePath is the full path to the Felix log. Set to

628

none to disable file logging. [Default: /var/log/calico/felix.log]'

629

type: string

630

logPrefix:

631

description: 'LogPrefix is the log prefix that Felix uses when rendering

632

LOG rules. [Default: calico-packet]'

633

type: string

634

logSeverityFile:

635

description: 'LogSeverityFile is the log severity above which logs

636

are sent to the log file. [Default: Info]'

637

type: string

638

logSeverityScreen:

639

description: 'LogSeverityScreen is the log severity above which logs

640

are sent to the stdout. [Default: Info]'

641

type: string

642

logSeveritySys:

643

description: 'LogSeveritySys is the log severity above which logs

644

are sent to the syslog. Set to None for no logging to syslog. [Default:

Info]'

type: string

maxIpsetSize:

type: integer

metadataAddr:

description: 'MetadataAddr is the IP address or domain name of the

651

server that can answer VM queries for cloud-init metadata. In OpenStack,

652

this corresponds to the machine running nova-api (or in Ubuntu,

653

nova-api-metadata). A value of none (case insensitive) means that

654

Felix should not set up any NAT rule for the metadata path. [Default:

127.0.0.1]'

type: string

metadataPort:

description: 'MetadataPort is the port of the metadata server. This,

659

combined with global.MetadataAddr (if not ‘None’), is used to set

660

up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort.

661

In most cases this should not need to be changed [Default: 8775].'

662

type: integer

663

natOutgoingAddress:

664

description: NATOutgoingAddress specifies an address to use when performing

665

source NAT for traffic in a natOutgoing pool that is leaving the

666

network. By default the address used is an address on the interface

667

the traffic is leaving on (ie it uses the iptables MASQUERADE target)

type: string

natPortRange:

anyOf:

- type: integer

- type: string

description: NATPortRange specifies the range of ports that is used

674

for port mapping when doing outgoing NAT. When unset the default

675

behavior of the network stack is used.

676

pattern: ^.*

677

x-kubernetes-int-or-string: true

netlinkTimeout:

type: string

openstackRegion:

description: 'OpenstackRegion is the name of the region that a particular

682

Felix belongs to. In a multi-region Calico/OpenStack deployment,

683

this must be configured somehow for each Felix (here in the datamodel,

684

or in felix.cfg or the environment on each compute node), and must

685

match the [calico] openstack_region value configured in neutron.conf

686

on each node. [Default: Empty]'

687

type: string

688

policySyncPathPrefix:

689

description: 'PolicySyncPathPrefix is used to by Felix to communicate

690

policy changes to external services, like Application layer policy.

691

[Default: Empty]'

692

type: string

693

prometheusGoMetricsEnabled:

694

description: 'PrometheusGoMetricsEnabled disables Go runtime metrics

695

collection, which the Prometheus client does by default, when set

696

to false. This reduces the number of metrics reported, reducing

697

Prometheus load. [Default: true]'

698

type: boolean

699

prometheusMetricsEnabled:

700

description: 'PrometheusMetricsEnabled enables the Prometheus metrics

701

server in Felix if set to true. [Default: false]'

702

type: boolean

703

prometheusMetricsHost:

704

description: 'PrometheusMetricsHost is the host that the Prometheus

705

metrics server should bind to. [Default: empty]'

706

type: string

707

prometheusMetricsPort:

708

description: 'PrometheusMetricsPort is the TCP port that the Prometheus

709

metrics server should bind to. [Default: 9091]'

710

type: integer

711

prometheusProcessMetricsEnabled:

712

description: 'PrometheusProcessMetricsEnabled disables process metrics

713

collection, which the Prometheus client does by default, when set

714

to false. This reduces the number of metrics reported, reducing

715

Prometheus load. [Default: true]'

716

type: boolean

717

removeExternalRoutes:

718

description: Whether or not to remove device routes that have not

719

been programmed by Felix. Disabling this will allow external applications

720

to also add device routes. This is enabled by default which means

721

we will remove externally added routes.

722

type: boolean

723

reportingInterval:

724

description: 'ReportingInterval is the interval at which Felix reports

725

its status into the datastore or 0 to disable. Must be non-zero

726

in OpenStack deployments. [Default: 30s]'

727

type: string

728

reportingTTL:

729

description: 'ReportingTTL is the time-to-live setting for process-wide

730

status reports. [Default: 90s]'

731

type: string

732

routeRefreshInterval:

733

description: 'RouterefreshInterval is the period at which Felix re-checks

734

the routes in the dataplane to ensure that no other process has

735

accidentally broken Calico’s rules. Set to 0 to disable route refresh.

[Default: 90s]'

type: string

routeSource:

description: 'RouteSource configures where Felix gets its routing

740

information. - WorkloadIPs: use workload endpoints to construct

741

routes. - CalicoIPAM: the default - use IPAM data to construct routes.'

742

type: string

743

routeTableRange:

744

description: Calico programs additional Linux route tables for various

745

purposes. RouteTableRange specifies the indices of the route tables

746

that Calico should use.

properties:

max:

type: integer

min:

type: integer

required:

- max

- min

type: object

sidecarAccelerationEnabled:

757

description: 'SidecarAccelerationEnabled enables experimental sidecar

758

acceleration [Default: false]'

759

type: boolean

760

usageReportingEnabled:

761

description: 'UsageReportingEnabled reports anonymous Calico version

762

number and cluster size to projectcalico.org. Logs warnings returned

763

by the usage server. For example, if a significant security vulnerability

764

has been discovered in the version of Calico being used. [Default:

765

true]'

766

type: boolean

767

usageReportingInitialDelay:

768

description: 'UsageReportingInitialDelay controls the minimum delay

769

before Felix makes a report. [Default: 300s]'

770

type: string

771

usageReportingInterval:

772

description: 'UsageReportingInterval controls the interval at which

773

Felix makes reports. [Default: 86400s]'

774

type: string

775

useInternalDataplaneDriver:

type: boolean

vxlanEnabled:

type: boolean

vxlanMTU:

description: 'VXLANMTU is the MTU to set on the tunnel device. See

781

Configuring MTU [Default: 1440]'

type: integer

vxlanPort:

type: integer

vxlanVNI:

type: integer

wireguardEnabled:

description: 'WireguardEnabled controls whether Wireguard is enabled.

789

[Default: false]'

790

type: boolean

791

wireguardInterfaceName:

792

description: 'WireguardInterfaceName specifies the name to use for

793

the Wireguard interface. [Default: wg.calico]'

794

type: string

795

wireguardListeningPort:

796

description: 'WireguardListeningPort controls the listening port used

797

by Wireguard. [Default: 51820]'

798

type: integer

799

wireguardMTU:

800

description: 'WireguardMTU controls the MTU on the Wireguard interface.

801

See Configuring MTU [Default: 1420]'

802

type: integer

803

wireguardRoutingRulePriority:

804

description: 'WireguardRoutingRulePriority controls the priority value

805

to use for the Wireguard routing rule. [Default: 99]'

806

type: integer

807

xdpEnabled:

808

description: 'XDPEnabled enables XDP acceleration for suitable untracked

809

incoming deny rules. [Default: true]'

810

type: boolean

811

xdpRefreshInterval:

812

description: 'XDPRefreshInterval is the period at which Felix re-checks

813

all XDP state to ensure that no other process has accidentally broken

814

Calico''s BPF maps or attached programs. Set to 0 to disable XDP

815

refresh. [Default: 90s]'

type: string

required:

- bpfLogLevel

type: object

type: object

served: true

storage: true

status:

acceptedNames:

kind: ""

plural: ""

conditions: []

storedVersions: []

---

---

apiVersion: apiextensions.k8s.io/v1

834

kind: CustomResourceDefinition

835

metadata:

836

annotations:

837

controller-gen.kubebuilder.io/version: (devel)

838

creationTimestamp: null

839

840

spec:

841

group: crd.projectcalico.org

842

names:

843

kind: GlobalNetworkPolicy

844

listKind: GlobalNetworkPolicyList

845

plural: globalnetworkpolicies

846

singular: globalnetworkpolicy

scope: Cluster

versions:

- name: v1

schema:

openAPIV3Schema:

properties:

apiVersion:

description: 'APIVersion defines the versioned schema of this representation

855

of an object. Servers should convert recognized schemas to the latest

856

internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'

857

type: string

858

kind:

859

description: 'Kind is a string value representing the REST resource this

860

object represents. Servers may infer this from the endpoint the client

861

submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'

type: string

metadata:

type: object

spec:

properties:

applyOnForward:

description: ApplyOnForward indicates to apply the rules in this policy

on forward traffic.

type: boolean

doNotTrack:

description: DoNotTrack indicates whether packets matched by the rules

873

in this policy should go through the data plane's connection tracking,

874

such as Linux conntrack. If True, the rules in this policy are

875

applied before any data plane connection tracking, and packets allowed

876

by this policy are marked as not to be tracked.

877

type: boolean

878

egress:

879

description: The ordered set of egress rules. Each rule contains

880

a set of packet match criteria and a corresponding action to apply.

881

items:

882

description: "A Rule encapsulates a set of match criteria and an

883

action. Both selector-based security Policy and security Profiles

884

reference rules - separated out as a list of rules for both ingress

885

and egress packet matching. \n Each positive match criteria has

886

a negated version, prefixed with ”Not”. All the match criteria

887

within a rule must be satisfied for a packet to match. A single

888

rule can contain the positive and negative version of a match

889

and both must be satisfied for the rule to match."

properties:

action:

type: string

destination:

description: Destination contains the match criteria that apply

895

to destination entity.

896

properties:

897

namespaceSelector:

898

description: "NamespaceSelector is an optional field that

899

contains a selector expression. Only traffic that originates

900

from (or terminates at) endpoints within the selected

901

namespaces will be matched. When both NamespaceSelector

902

and Selector are defined on the same rule, then only workload

903

endpoints that are matched by both selectors will be selected

904

by the rule. \n For NetworkPolicy, an empty NamespaceSelector

905

implies that the Selector is limited to selecting only

906

workload endpoints in the same namespace as the NetworkPolicy.

907

\n For NetworkPolicy, `global()` NamespaceSelector implies

908

that the Selector is limited to selecting only GlobalNetworkSet

909

or HostEndpoint. \n For GlobalNetworkPolicy, an empty

910

NamespaceSelector implies the Selector applies to workload

911

endpoints across all namespaces."

912

type: string

913

nets:

914

description: Nets is an optional field that restricts the

915

rule to only apply to traffic that originates from (or

916

terminates at) IP addresses in any of the given subnets.

items:

type: string

type: array

notNets:

description: NotNets is the negated version of the Nets

field.

items:

type: string

type: array

notPorts:

description: NotPorts is the negated version of the Ports

928

field. Since only some protocols have ports, if any ports

929

are specified it requires the Protocol match in the Rule

930

to be set to "TCP" or "UDP".

items:

anyOf:

- type: integer

- type: string

pattern: ^.*

x-kubernetes-int-or-string: true

937

type: array

938

notSelector:

939

description: NotSelector is the negated version of the Selector

940

field. See Selector field for subtleties with negated

selectors.

type: string

ports:

description: "Ports is an optional field that restricts

945

the rule to only apply to traffic that has a source (destination)

946

port that matches one of these ranges/values. This value

947

is a list of integers or strings that represent ranges

948

of ports. \n Since only some protocols have ports, if

949

any ports are specified it requires the Protocol match

950

in the Rule to be set to \"TCP\" or \"UDP\"."

items:

anyOf:

- type: integer

- type: string

pattern: ^.*

x-kubernetes-int-or-string: true

957

type: array

958

selector:

959

description: "Selector is an optional field that contains

960

a selector expression (see Policy for sample syntax).

961

\ Only traffic that originates from (terminates at) endpoints

962

matching the selector will be matched. \n Note that: in

963

addition to the negated version of the Selector (see NotSelector

964

below), the selector expression syntax itself supports

965

negation. The two types of negation are subtly different.

966

One negates the set of matched endpoints, the other negates

967

the whole match: \n \tSelector = \"!has(my_label)\" matches

968

packets that are from other Calico-controlled \tendpoints

969

that do not have the label “my_label”. \n \tNotSelector

970

= \"has(my_label)\" matches packets that are not from

971

Calico-controlled \tendpoints that do have the label “my_label”.

972

\n The effect is that the latter will accept packets from

973

non-Calico sources whereas the former is limited to packets

974

from Calico-controlled endpoints."

975

type: string

976

serviceAccounts:

977

description: ServiceAccounts is an optional field that restricts

978

the rule to only apply to traffic that originates from

979

(or terminates at) a pod running as a matching service

account.

properties:

names:

description: Names is an optional field that restricts

984

the rule to only apply to traffic that originates

985

from (or terminates at) a pod running as a service

986

account whose name is in the list.

items:

type: string

type: array

selector:

description: Selector is an optional field that restricts

992

the rule to only apply to traffic that originates

993

from (or terminates at) a pod running as a service

994

account that matches the given label selector. If

995

both Names and Selector are specified then they are

AND'ed.

type: string

type: object

type: object

http:

description: HTTP contains match criteria that apply to HTTP

requests.

properties:

methods:

description: Methods is an optional field that restricts

1006

the rule to apply only to HTTP requests that use one of

1007

the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple

1008

methods are OR'd together.

items:

type: string

type: array

paths:

description: 'Paths is an optional field that restricts

1014

the rule to apply to HTTP requests that use one of the

1015

listed HTTP Paths. Multiple paths are OR''d together.

1016

e.g: - exact: /foo - prefix: /bar NOTE: Each entry may

1017

ONLY specify either a `exact` or a `prefix` match. The

1018

validator will check for it.'

1019

items:

1020

description: 'HTTPPath specifies an HTTP path to match.

1021

It may be either of the form: exact: <path>: which matches

1022

the path exactly or prefix: <path-prefix>: which matches

the path prefix'

properties:

exact:

type: string

prefix:

type: string

type: object

type: array

type: object

icmp:

description: ICMP is an optional field that restricts the rule

1034

to apply to a specific type and code of ICMP traffic. This

1035

should only be specified if the Protocol field is set to "ICMP"

or "ICMPv6".

properties:

code:

description: Match on a specific ICMP code. If specified,

1040

the Type value must also be specified. This is a technical

1041

limitation imposed by the kernel’s iptables firewall,

1042

which Calico uses to enforce the rule.

1043

type: integer

1044

type:

1045

description: Match on a specific ICMP type. For example

1046

a value of 8 refers to ICMP Echo Request (i.e. pings).

type: integer

type: object

ipVersion:

description: IPVersion is an optional field that restricts the

1051

rule to only match a specific IP version.

1052

type: integer

1053

metadata:

1054

description: Metadata contains additional information for this

rule

properties:

annotations:

additionalProperties:

1059

type: string

1060

description: Annotations is a set of key value pairs that

1061

give extra information about the rule

type: object

type: object

notICMP:

description: NotICMP is the negated version of the ICMP field.

1066

properties:

1067

code:

1068

description: Match on a specific ICMP code. If specified,

1069

the Type value must also be specified. This is a technical

1070

limitation imposed by the kernel’s iptables firewall,

1071

which Calico uses to enforce the rule.

1072

type: integer

1073

type:

1074

description: Match on a specific ICMP type. For example

1075

a value of 8 refers to ICMP Echo Request (i.e. pings).

type: integer

type: object

notProtocol:

anyOf:

- type: integer

- type: string

description: NotProtocol is the negated version of the Protocol

1083

field.

1084

pattern: ^.*

1085

x-kubernetes-int-or-string: true

protocol:

anyOf:

- type: integer

- type: string

description: "Protocol is an optional field that restricts the

1091

rule to only apply to traffic of a specific IP protocol. Required

1092

if any of the EntityRules contain Ports (because ports only

1093

apply to certain protocols). \n Must be one of these string

1094

values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",

1095

\"UDPLite\" or an integer in the range 1-255."

1096

pattern: ^.*

1097

x-kubernetes-int-or-string: true

1098

source:

1099

description: Source contains the match criteria that apply to

source entity.

properties:

namespaceSelector:

description: "NamespaceSelector is an optional field that

1104

contains a selector expression. Only traffic that originates

1105

from (or terminates at) endpoints within the selected

1106

namespaces will be matched. When both NamespaceSelector

1107

and Selector are defined on the same rule, then only workload

1108

endpoints that are matched by both selectors will be selected

1109

by the rule. \n For NetworkPolicy, an empty NamespaceSelector

1110

implies that the Selector is limited to selecting only

1111

workload endpoints in the same namespace as the NetworkPolicy.

1112

\n For NetworkPolicy, `global()` NamespaceSelector implies

1113

that the Selector is limited to selecting only GlobalNetworkSet

1114

or HostEndpoint. \n For GlobalNetworkPolicy, an empty

1115

NamespaceSelector implies the Selector applies to workload

1116

endpoints across all namespaces."

1117

type: string

1118

nets:

1119

description: Nets is an optional field that restricts the

1120

rule to only apply to traffic that originates from (or

1121

terminates at) IP addresses in any of the given subnets.

items:

type: string

type: array

notNets:

description: NotNets is the negated version of the Nets

field.

items:

type: string

type: array

notPorts:

description: NotPorts is the negated version of the Ports

1133

field. Since only some protocols have ports, if any ports

1134

are specified it requires the Protocol match in the Rule

1135

to be set to "TCP" or "UDP".

items:

anyOf:

- type: integer

- type: string

pattern: ^.*

x-kubernetes-int-or-string: true

1142

type: array

1143

notSelector:

1144

description: NotSelector is the negated version of the Selector

1145

field. See Selector field for subtleties with negated

selectors.

type: string

ports:

description: "Ports is an optional field that restricts

1150

the rule to only apply to traffic that has a source (destination)

1151

port that matches one of these ranges/values. This value

1152

is a list of integers or strings that represent ranges

1153

of ports. \n Since only some protocols have ports, if

1154

any ports are specified it requires the Protocol match

1155

in the Rule to be set to \"TCP\" or \"UDP\"."

items:

anyOf:

- type: integer

- type: string

pattern: ^.*

x-kubernetes-int-or-string: true

1162

type: array

1163

selector:

1164

description: "Selector is an optional field that contains

1165

a selector expression (see Policy for sample syntax).

1166

\ Only traffic that originates from (terminates at) endpoints

1167

matching the selector will be matched. \n Note that: in

1168

addition to the negated version of the Selector (see NotSelector

1169

below), the selector expression syntax itself supports

1170

negation. The two types of negation are subtly different.

1171

One negates the set of matched endpoints, the other negates

1172

the whole match: \n \tSelector = \"!has(my_label)\" matches

1173

packets that are from other Calico-controlled \tendpoints

1174

that do not have the label “my_label”. \n \tNotSelector

1175

= \"has(my_label)\" matches packets that are not from

1176

Calico-controlled \tendpoints that do have the label “my_label”.

1177

\n The effect is that the latter will accept packets from

1178

non-Calico sources whereas the former is limited to packets

1179

from Calico-controlled endpoints."

1180

type: string

1181

serviceAccounts:

1182

description: ServiceAccounts is an optional field that restricts

1183

the rule to only apply to traffic that originates from

1184

(or terminates at) a pod running as a matching service

account.

properties:

names:

description: Names is an optional field that restricts

1189

the rule to only apply to traffic that originates

1190

from (or terminates at) a pod running as a service

1191

account whose name is in the list.

items:

type: string

type: array

selector:

description: Selector is an optional field that restricts

1197

the rule to only apply to traffic that originates

1198

from (or terminates at) a pod running as a service

1199

account that matches the given label selector. If

1200

both Names and Selector are specified then they are

AND'ed.

type: string

type: object

type: object

required:

- action

type: object

type: array

ingress:

description: The ordered set of ingress rules. Each rule contains

1211

a set of packet match criteria and a corresponding action to apply.

1212

items:

1213

description: "A Rule encapsulates a set of match criteria and an

1214

action. Both selector-based security Policy and security Profiles

1215

reference rules - separated out as a list of rules for both ingress

1216

and egress packet matching. \n Each positive match criteria has

1217

a negated version, prefixed with ”Not”. All the match criteria

1218

within a rule must be satisfied for a packet to match. A single

1219

rule can contain the positive and negative version of a match

1220

and both must be satisfied for the rule to match."

properties:

action:

type: string

destination:

description: Destination contains the match criteria that apply

1226

to destination entity.

1227

properties:

1228

namespaceSelector:

1229

description: "NamespaceSelector is an optional field that

1230

contains a selector expression. Only traffic that originates

1231

from (or terminates at) endpoints within the selected

1232

namespaces will be matched. When both NamespaceSelector

1233

and Selector are defined on the same rule, then only workload

1234

endpoints that are matched by both selectors will be selected

1235

by the rule. \n For NetworkPolicy, an empty NamespaceSelector

1236

implies that the Selector is limited to selecting only

1237

workload endpoints in the same namespace as the NetworkPolicy.

1238

\n For NetworkPolicy, `global()` NamespaceSelector implies

1239

that the Selector is limited to selecting only GlobalNetworkSet

1240

or HostEndpoint. \n For GlobalNetworkPolicy, an empty

1241

NamespaceSelector implies the Selector applies to workload

1242

endpoints across all namespaces."

1243

type: string

1244

nets:

1245

description: Nets is an optional field that restricts the

1246

rule to only apply to traffic that originates from (or

1247

terminates at) IP addresses in any of the given subnets.

items:

type: string

type: array

notNets:

description: NotNets is the negated version of the Nets

field.

items:

type: string

type: array

notPorts:

description: NotPorts is the negated version of the Ports

1259

field. Since only some protocols have ports, if any ports

1260

are specified it requires the Protocol match in the Rule

1261

to be set to "TCP" or "UDP".

items:

anyOf:

- type: integer

- type: string

pattern: ^.*

x-kubernetes-int-or-string: true

1268

type: array

1269

notSelector:

1270

description: NotSelector is the negated version of the Selector

1271

field. See Selector field for subtleties with negated

selectors.

type: string

ports:

description: "Ports is an optional field that restricts

1276

the rule to only apply to traffic that has a source (destination)

1277

port that matches one of these ranges/values. This value

1278

is a list of integers or strings that represent ranges

1279

of ports. \n Since only some protocols have ports, if

1280

any ports are specified it requires the Protocol match

1281

in the Rule to be set to \"TCP\" or \"UDP\"."

items:

anyOf:

- type: integer

- type: string

pattern: ^.*

x-kubernetes-int-or-string: true

1288

type: array

1289

selector:

1290

description: "Selector is an optional field that contains

1291

a selector expression (see Policy for sample syntax).

1292

\ Only traffic that originates from (terminates at) endpoints

1293

matching the selector will be matched. \n Note that: in

1294

addition to the negated version of the Selector (see NotSelector

1295

below), the selector expression syntax itself supports

1296

negation. The two types of negation are subtly different.

1297

One negates the set of matched endpoints, the other negates

1298

the whole match: \n \tSelector = \"!has(my_label)\" matches

1299

packets that are from other Calico-controlled \tendpoints

1300

that do not have the label “my_label”. \n \tNotSelector

1301

= \"has(my_label)\" matches packets that are not from

1302

Calico-controlled \tendpoints that do have the label “my_label”.

1303

\n The effect is that the latter will accept packets from

1304

non-Calico sources whereas the former is limited to packets

1305

from Calico-controlled endpoints."

1306

type: string

1307

serviceAccounts:

1308

description: ServiceAccounts is an optional field that restricts

1309

the rule to only apply to traffic that originates from

1310

(or terminates at) a pod running as a matching service

account.

properties:

names:

description: Names is an optional field that restricts

1315

the rule to only apply to traffic that originates

1316

from (or terminates at) a pod running as a service

1317

account whose name is in the list.

items:

type: string

type: array

selector:

description: Selector is an optional field that restricts

1323

the rule to only apply to traffic that originates

1324

from (or terminates at) a pod running as a service

1325

account that matches the given label selector. If

1326

both Names and Selector are specified then they are

AND'ed.

type: string

type: object

type: object

http:

description: HTTP contains match criteria that apply to HTTP

requests.

properties:

methods:

description: Methods is an optional field that restricts

1337

the rule to apply only to HTTP requests that use one of

1338

the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple

1339

methods are OR'd together.

items:

type: string

type: array

paths:

description: 'Paths is an optional field that restricts

1345

the rule to apply to HTTP requests that use one of the

1346

listed HTTP Paths. Multiple paths are OR''d together.

1347

e.g: - exact: /foo - prefix: /bar NOTE: Each entry may

1348

ONLY specify either a `exact` or a `prefix` match. The

1349

validator will check for it.'

1350

items:

1351

description: 'HTTPPath specifies an HTTP path to match.

1352

It may be either of the form: exact: <path>: which matches

1353

the path exactly or prefix: <path-prefix>: which matches

the path prefix'

properties:

exact:

type: string

prefix:

type: string

type: object

type: array

type: object

icmp:

description: ICMP is an optional field that restricts the rule

1365

to apply to a specific type and code of ICMP traffic. This

1366

should only be specified if the Protocol field is set to "ICMP"

or "ICMPv6".

properties:

code:

description: Match on a specific ICMP code. If specified,

1371

the Type value must also be specified. This is a technical

1372

limitation imposed by the kernel’s iptables firewall,

1373

which Calico uses to enforce the rule.

1374

type: integer

1375

type:

1376

description: Match on a specific ICMP type. For example

1377

a value of 8 refers to ICMP Echo Request (i.e. pings).

type: integer

type: object

ipVersion:

description: IPVersion is an optional field that restricts the

1382

rule to only match a specific IP version.

1383

type: integer

1384

metadata:

1385

description: Metadata contains additional information for this

rule

properties:

annotations:

additionalProperties:

1390

type: string

1391

description: Annotations is a set of key value pairs that

1392

give extra information about the rule

type: object

type: object

notICMP:

description: NotICMP is the negated version of the ICMP field.

1397

properties:

1398

code:

1399

description: Match on a specific ICMP code. If specified,

1400

the Type value must also be specified. This is a technical

1401

limitation imposed by the kernel’s iptables firewall,

1402

which Calico uses to enforce the rule.

1403

type: integer

1404

type:

1405

description: Match on a specific ICMP type. For example

1406

a value of 8 refers to ICMP Echo Request (i.e. pings).

type: integer

type: object

notProtocol:

anyOf:

- type: integer

- type: string

description: NotProtocol is the negated version of the Protocol

1414

field.

1415

pattern: ^.*

1416

x-kubernetes-int-or-string: true

protocol:

anyOf:

- type: integer

- type: string

description: "Protocol is an optional field that restricts the

1422

rule to only apply to traffic of a specific IP protocol. Required

1423

if any of the EntityRules contain Ports (because ports only

1424

apply to certain protocols). \n Must be one of these string

1425

values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",

1426

\"UDPLite\" or an integer in the range 1-255."

1427

pattern: ^.*

1428

x-kubernetes-int-or-string: true

1429

source:

1430

description: Source contains the match criteria that apply to

source entity.

properties:

namespaceSelector:

description: "NamespaceSelector is an optional field that

1435

contains a selector expression. Only traffic that originates

1436

from (or terminates at) endpoints within the selected

1437

namespaces will be matched. When both NamespaceSelector

1438

and Selector are defined on the same rule, then only workload

1439

endpoints that are matched by both selectors will be selected

1440

by the rule. \n For NetworkPolicy, an empty NamespaceSelector

1441

implies that the Selector is limited to selecting only

1442

workload endpoints in the same namespace as the NetworkPolicy.

1443

\n For NetworkPolicy, `global()` NamespaceSelector implies

1444

that the Selector is limited to selecting only GlobalNetworkSet

1445

or HostEndpoint. \n For GlobalNetworkPolicy, an empty

1446

NamespaceSelector implies the Selector applies to workload

1447

endpoints across all namespaces."

1448

type: string

1449

nets:

1450

description: Nets is an optional field that restricts the

1451

rule to only apply to traffic that originates from (or

1452

terminates at) IP addresses in any of the given subnets.

items:

type: string

type: array

notNets:

description: NotNets is the negated version of the Nets

field.

items:

type: string

type: array

notPorts:

description: NotPorts is the negated version of the Ports

1464

field. Since only some protocols have ports, if any ports

1465

are specified it requires the Protocol match in the Rule

1466

to be set to "TCP" or "UDP".

items:

anyOf:

- type: integer

- type: string

pattern: ^.*

x-kubernetes-int-or-string: true

1473

type: array

1474

notSelector:

1475

description: NotSelector is the negated version of the Selector

1476

field. See Selector field for subtleties with negated

selectors.

type: string

ports:

description: "Ports is an optional field that restricts

1481

the rule to only apply to traffic that has a source (destination)

1482

port that matches one of these ranges/values. This value

1483

is a list of integers or strings that represent ranges

1484

of ports. \n Since only some protocols have ports, if

1485

any ports are specified it requires the Protocol match

1486

in the Rule to be set to \"TCP\" or \"UDP\"."

items:

anyOf:

- type: integer

- type: string

pattern: ^.*

x-kubernetes-int-or-string: true

1493

type: array

1494

selector:

1495

description: "Selector is an optional field that contains

1496

a selector expression (see Policy for sample syntax).

1497

\ Only traffic that originates from (terminates at) endpoints

1498

matching the selector will be matched. \n Note that: in

1499

addition to the negated version of the Selector (see NotSelector

1500

below), the selector expression syntax itself supports

1501

negation. The two types of negation are subtly different.

1502

One negates the set of matched endpoints, the other negates

1503

the whole match: \n \tSelector = \"!has(my_label)\" matches

1504

packets that are from other Calico-controlled \tendpoints

1505

that do not have the label “my_label”. \n \tNotSelector

1506

= \"has(my_label)\" matches packets that are not from

1507

Calico-controlled \tendpoints that do have the label “my_label”.

1508

\n The effect is that the latter will accept packets from

1509

non-Calico sources whereas the former is limited to packets

1510

from Calico-controlled endpoints."

1511

type: string

1512

serviceAccounts:

1513

description: ServiceAccounts is an optional field that restricts

1514

the rule to only apply to traffic that originates from

1515

(or terminates at) a pod running as a matching service

account.

properties:

names:

description: Names is an optional field that restricts

1520

the rule to only apply to traffic that originates

1521

from (or terminates at) a pod running as a service

1522

account whose name is in the list.

items:

type: string

type: array

selector:

description: Selector is an optional field that restricts

1528

the rule to only apply to traffic that originates

1529

from (or terminates at) a pod running as a service

1530

account that matches the given label selector. If

1531

both Names and Selector are specified then they are

AND'ed.

type: string

type: object

type: object

required:

- action

type: object

type: array

namespaceSelector:

description: NamespaceSelector is an optional field for an expression

1542

used to select a pod based on namespaces.

1543

type: string

1544

order:

1545

description: Order is an optional field that specifies the order in

1546

which the policy is applied. Policies with higher "order" are applied

1547

after those with lower order. If the order is omitted, it may be

1548

considered to be "infinite" - i.e. the policy will be applied last. Policies

1549

with identical order will be applied in alphanumerical order based

1550

on the Policy "Name".

1551

type: number

1552

preDNAT:

1553

description: PreDNAT indicates to apply the rules in this policy before

any DNAT.

type: boolean

selector:

description: "The selector is an expression used to pick pick out

1558

the endpoints that the policy should be applied to. \n Selector

1559

expressions follow this syntax: \n \tlabel == \"string_literal\"

1560

\ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"

1561

\ -> not equal; also matches if label is not present \tlabel in

1562

{ \"a\", \"b\", \"c\", ... } -> true if the value of label X is

1563

one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",

1564

... } -> true if the value of label X is not one of \"a\", \"b\",

1565

\"c\" \thas(label_name) -> True if that label is present \t! expr

1566

-> negation of expr \texpr && expr -> Short-circuit and \texpr

1567

|| expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()

1568

or the empty selector -> matches all endpoints. \n Label names are

1569

allowed to contain alphanumerics, -, _ and /. String literals are

1570

more permissive but they do not support escape characters. \n Examples

1571

(with made-up labels): \n \ttype == \"webserver\" && deployment

1572

== \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=

1573

\"dev\" \t! has(label_name)"

1574

type: string

1575

serviceAccountSelector:

1576

description: ServiceAccountSelector is an optional field for an expression

1577

used to select a pod based on service accounts.

1578

type: string

1579

types:

1580

description: "Types indicates whether this policy applies to ingress,

1581

or to egress, or to both. When not explicitly specified (and so

1582

the value on creation is empty or nil), Calico defaults Types according

1583

to what Ingress and Egress rules are present in the policy. The

1584

default is: \n - [ PolicyTypeIngress ], if there are no Egress rules

1585

(including the case where there are also no Ingress rules) \n

1586

- [ PolicyTypeEgress ], if there are Egress rules but no Ingress

1587

rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are

1588

both Ingress and Egress rules. \n When the policy is read back again,

1589

Types will always be one of these values, never empty or nil."

1590

items:

1591

description: PolicyType enumerates the possible values of the PolicySpec

Types field.

type: string

type: array

type: object

type: object

served: true

storage: true

status:

acceptedNames:

kind: ""

plural: ""

conditions: []

storedVersions: []

---

---

apiVersion: apiextensions.k8s.io/v1

1610

kind: CustomResourceDefinition

1611

metadata:

1612

annotations:

1613

controller-gen.kubebuilder.io/version: (devel)

1614

creationTimestamp: null

1615

1616

spec:

1617

group: crd.projectcalico.org

1618

names:

1619

kind: GlobalNetworkSet

1620

listKind: GlobalNetworkSetList

1621

plural: globalnetworksets

1622

singular: globalnetworkset

scope: Cluster

versions:

- name: v1

schema:

openAPIV3Schema:

description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs

1629

that share labels to allow rules to refer to them via selectors. The labels

1630

of GlobalNetworkSet are not namespaced.

1631

properties:

1632

apiVersion:

1633

description: 'APIVersion defines the versioned schema of this representation

1634

of an object. Servers should convert recognized schemas to the latest

1635

internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'

1636

type: string

1637

kind:

1638

description: 'Kind is a string value representing the REST resource this

1639

object represents. Servers may infer this from the endpoint the client

1640

submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'

type: string

metadata:

type: object

spec:

description: GlobalNetworkSetSpec contains the specification for a NetworkSet

resource.

properties:

nets:

description: The list of IP networks that belong to this set.

items:

type: string

type: array

type: object

type: object

served: true

storage: true

status:

acceptedNames:

kind: ""

plural: ""

conditions: []

storedVersions: []

---

---

apiVersion: apiextensions.k8s.io/v1

1668

kind: CustomResourceDefinition

1669

metadata:

1670

annotations:

1671

controller-gen.kubebuilder.io/version: (devel)

1672

creationTimestamp: null

1673

1674

spec:

1675

group: crd.projectcalico.org

1676

names:

1677

kind: HostEndpoint

1678

listKind: HostEndpointList

1679

plural: hostendpoints

1680

singular: hostendpoint

scope: Cluster

versions:

- name: v1

schema:

openAPIV3Schema:

properties:

apiVersion:

description: 'APIVersion defines the versioned schema of this representation

1689

of an object. Servers should convert recognized schemas to the latest

1690

internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'

1691

type: string

1692

kind:

1693

description: 'Kind is a string value representing the REST resource this

1694

object represents. Servers may infer this from the endpoint the client

1695

submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'

type: string

metadata:

type: object

spec:

description: HostEndpointSpec contains the specification for a HostEndpoint

resource.

properties:

expectedIPs:

description: "The expected IP addresses (IPv4 and IPv6) of the endpoint.

1705

If \"InterfaceName\" is not present, Calico will look for an interface

1706

matching any of the IPs in the list and apply policy to that. Note:

1707

\tWhen using the selector match criteria in an ingress or egress

1708

security Policy \tor Profile, Calico converts the selector into

1709

a set of IP addresses. For host \tendpoints, the ExpectedIPs field

1710

is used for that purpose. (If only the interface \tname is specified,

1711

Calico does not learn the IPs of the interface for use in match

\tcriteria.)"

items:

type: string

type: array

interfaceName:

description: "Either \"*\", or the name of a specific Linux interface

1718

to apply policy to; or empty. \"*\" indicates that this HostEndpoint

1719

governs all traffic to, from or through the default network namespace

1720

of the host named by the \"Node\" field; entering and leaving that

1721

namespace via any interface, including those from/to non-host-networked

1722

local workloads. \n If InterfaceName is not \"*\", this HostEndpoint

1723

only governs traffic that enters or leaves the host through the

1724

specific interface named by InterfaceName, or - when InterfaceName

1725

is empty - through the specific interface that has one of the IPs

1726

in ExpectedIPs. Therefore, when InterfaceName is empty, at least

1727

one expected IP must be specified. Only external interfaces (such

1728

as “eth0”) are supported here; it isn't possible for a HostEndpoint

1729

to protect traffic through a specific local workload interface.

1730

\n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints;

1731

initially just pre-DNAT policy. Please check Calico documentation

1732

for the latest position."

1733

type: string

1734

node:

1735

description: The node name identifying the Calico node instance.

1736

type: string

1737

ports:

1738

description: Ports contains the endpoint's named ports, which may

1739

be referenced in security policy rules.

items:

properties:

name:

type: string

port:

type: integer

protocol:

anyOf:

- type: integer

- type: string

pattern: ^.*

x-kubernetes-int-or-string: true

required:

- name

- port

- protocol

type: object

type: array

profiles:

description: A list of identifiers of security Profile objects that

1760

apply to this endpoint. Each profile is applied in the order that

1761

they appear in this list. Profile rules are applied after the selector-based

security policy.

items:

type: string

type: array

type: object

type: object

served: true

storage: true

status:

acceptedNames:

kind: ""

plural: ""

conditions: []

storedVersions: []

---

---

apiVersion: apiextensions.k8s.io/v1

1781

kind: CustomResourceDefinition

1782

metadata:

1783

annotations:

1784

controller-gen.kubebuilder.io/version: (devel)

1785

creationTimestamp: null

1786

1787

spec:

1788

group: crd.projectcalico.org

1789

names:

1790

kind: IPAMBlock

1791

listKind: IPAMBlockList

plural: ipamblocks

singular: ipamblock

scope: Cluster

versions:

- name: v1

schema:

openAPIV3Schema:

properties:

apiVersion:

description: 'APIVersion defines the versioned schema of this representation

1802

of an object. Servers should convert recognized schemas to the latest

1803

internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'

1804

type: string

1805

kind:

1806

description: 'Kind is a string value representing the REST resource this

1807

object represents. Servers may infer this from the endpoint the client

1808

submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'

type: string

metadata:

type: object

spec:

description: IPAMBlockSpec contains the specification for an IPAMBlock

resource.

properties:

affinity:

type: string

allocations:

items:

type: integer

# TODO: This nullable is manually added in. We should update controller-gen

1822

# to handle []*int properly itself.

nullable: true

type: array

attributes:

items:

properties:

handle_id:

type: string

secondary:

additionalProperties:

type: string

type: object

type: object

type: array

cidr:

type: string

deleted:

type: boolean

strictAffinity:

type: boolean

unallocated:

items:

type: integer

type: array

required:

- allocations

- attributes

- cidr

- deleted

- strictAffinity

- unallocated

type: object

type: object

served: true

storage: true

status:

acceptedNames:

kind: ""

plural: ""

conditions: []

storedVersions: []

---

---

apiVersion: apiextensions.k8s.io/v1

1868

kind: CustomResourceDefinition

1869

metadata:

1870

annotations:

1871

controller-gen.kubebuilder.io/version: (devel)

1872

creationTimestamp: null

1873

1874

spec:

1875

group: crd.projectcalico.org

1876

names:

1877

kind: IPAMConfig

1878

listKind: IPAMConfigList

plural: ipamconfigs

singular: ipamconfig

scope: Cluster

versions:

- name: v1

schema:

openAPIV3Schema:

properties:

apiVersion:

description: 'APIVersion defines the versioned schema of this representation

1889

of an object. Servers should convert recognized schemas to the latest

1890

internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'

1891

type: string

1892

kind:

1893

description: 'Kind is a string value representing the REST resource this

1894

object represents. Servers may infer this from the endpoint the client

1895

submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'

type: string

metadata:

type: object

spec:

description: IPAMConfigSpec contains the specification for an IPAMConfig

resource.

properties:

autoAllocateBlocks:

type: boolean

strictAffinity:

type: boolean

required:

- autoAllocateBlocks

- strictAffinity

type: object

type: object

served: true

storage: true

status:

acceptedNames:

kind: ""

plural: ""

conditions: []

storedVersions: []

---

---

apiVersion: apiextensions.k8s.io/v1

1925

kind: CustomResourceDefinition

1926

metadata:

1927

annotations:

1928

controller-gen.kubebuilder.io/version: (devel)

1929

creationTimestamp: null

1930

1931

spec:

1932

group: crd.projectcalico.org

1933

names:

1934

kind: IPAMHandle

1935

listKind: IPAMHandleList

plural: ipamhandles

singular: ipamhandle

scope: Cluster

versions:

- name: v1

schema:

openAPIV3Schema:

properties:

apiVersion:

description: 'APIVersion defines the versioned schema of this representation

1946

of an object. Servers should convert recognized schemas to the latest

1947

internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'

1948

type: string

1949

kind:

1950

description: 'Kind is a string value representing the REST resource this

1951

object represents. Servers may infer this from the endpoint the client

1952

submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'

type: string

metadata:

type: object

spec:

description: IPAMHandleSpec contains the specification for an IPAMHandle

resource.

properties:

block:

additionalProperties:

type: integer

type: object

handleID:

type: string

required:

- block

- handleID

type: object

type: object

served: true

storage: true

status:

acceptedNames:

kind: ""

plural: ""

conditions: []

storedVersions: []

---

---

apiVersion: apiextensions.k8s.io/v1

1984

kind: CustomResourceDefinition

1985

metadata:

1986

annotations:

1987

controller-gen.kubebuilder.io/version: (devel)

1988

creationTimestamp: null

1989

1990

spec:

1991

group: crd.projectcalico.org

names:

kind: IPPool

listKind: IPPoolList

plural: ippools

singular: ippool

scope: Cluster

versions:

- name: v1

schema:

openAPIV3Schema:

properties:

apiVersion:

description: 'APIVersion defines the versioned schema of this representation

2005

of an object. Servers should convert recognized schemas to the latest

2006

internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'

2007

type: string

2008

kind:

2009

description: 'Kind is a string value representing the REST resource this

2010

object represents. Servers may infer this from the endpoint the client

2011

submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'

type: string

metadata:

type: object

spec:

description: IPPoolSpec contains the specification for an IPPool resource.

2017

properties:

2018

blockSize:

2019

description: The block size to use for IP address assignments from

2020

this pool. Defaults to 26 for IPv4 and 112 for IPv6.

2021

type: integer

2022

cidr:

2023

description: The pool CIDR.

2024

type: string

2025

disabled:

2026

description: When disabled is true, Calico IPAM will not assign addresses

from this pool.

type: boolean

ipip:

description: 'Deprecated: this field is only used for APIv1 backwards

2031

compatibility. Setting this field is not allowed, this field is

2032

for internal use only.'

2033

properties:

2034

enabled:

2035

description: When enabled is true, ipip tunneling will be used

2036

to deliver packets to destinations within this pool.

2037

type: boolean

2038

mode:

2039

description: The IPIP mode. This can be one of "always" or "cross-subnet". A

2040

mode of "always" will also use IPIP tunneling for routing to

2041

destination IP addresses within this pool. A mode of "cross-subnet"

2042

will only use IPIP tunneling when the destination node is on

2043

a different subnet to the originating node. The default value

2044

(if not specified) is "always".

type: string

type: object

ipipMode:

description: Contains configuration for IPIP tunneling for this pool.

2049

If not specified, then this is defaulted to "Never" (i.e. IPIP tunelling

is disabled).

type: string

nat-outgoing:

description: 'Deprecated: this field is only used for APIv1 backwards

2054

compatibility. Setting this field is not allowed, this field is

2055

for internal use only.'

2056

type: boolean

2057

natOutgoing:

2058

description: When nat-outgoing is true, packets sent from Calico networked

2059

containers in this pool to destinations outside of this pool will

be masqueraded.

type: boolean

nodeSelector:

description: Allows IPPool to allocate for a specific node by label

selector.

type: string

vxlanMode:

description: Contains configuration for VXLAN tunneling for this pool.

2068

If not specified, then this is defaulted to "Never" (i.e. VXLAN

2069

tunelling is disabled).

type: string

required:

- cidr

type: object

type: object

served: true

storage: true

status:

acceptedNames:

kind: ""

plural: ""

conditions: []

storedVersions: []

---

---

apiVersion: apiextensions.k8s.io/v1

2088

kind: CustomResourceDefinition

2089

metadata:

2090

annotations:

2091

controller-gen.kubebuilder.io/version: (devel)

2092

creationTimestamp: null

2093

2094

spec:

2095

group: crd.projectcalico.org

2096

names:

2097

kind: KubeControllersConfiguration

2098

listKind: KubeControllersConfigurationList

2099

plural: kubecontrollersconfigurations

2100

singular: kubecontrollersconfiguration

scope: Cluster

versions:

- name: v1

schema:

openAPIV3Schema:

properties:

apiVersion:

description: 'APIVersion defines the versioned schema of this representation

2109

of an object. Servers should convert recognized schemas to the latest

2110

internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'

2111

type: string

2112

kind:

2113

description: 'Kind is a string value representing the REST resource this

2114

object represents. Servers may infer this from the endpoint the client

2115

submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'

type: string

metadata:

type: object

spec:

description: KubeControllersConfigurationSpec contains the values of the

2121

Kubernetes controllers configuration.

2122

properties:

2123

controllers:

2124

description: Controllers enables and configures individual Kubernetes

controllers

properties:

namespace:

description: Namespace enables and configures the namespace controller.

2129

Enabled by default, set to nil to disable.

2130

properties:

2131

reconcilerPeriod:

2132

description: 'ReconcilerPeriod is the period to perform reconciliation

2133

with the Calico datastore. [Default: 5m]'

type: string

type: object

node:

description: Node enables and configures the node controller.

2138

Enabled by default, set to nil to disable.

2139

properties:

2140

hostEndpoint:

2141

description: HostEndpoint controls syncing nodes to host endpoints.

2142

Disabled by default, set to nil to disable.

2143

properties:

2144

autoCreate:

2145

description: 'AutoCreate enables automatic creation of

2146

host endpoints for every node. [Default: Disabled]'

type: string

type: object

reconcilerPeriod:

description: 'ReconcilerPeriod is the period to perform reconciliation

2151

with the Calico datastore. [Default: 5m]'

2152

type: string

2153

syncLabels:

2154

description: 'SyncLabels controls whether to copy Kubernetes

2155

node labels to Calico nodes. [Default: Enabled]'

type: string

type: object

policy:

description: Policy enables and configures the policy controller.

2160

Enabled by default, set to nil to disable.

2161

properties:

2162

reconcilerPeriod:

2163

description: 'ReconcilerPeriod is the period to perform reconciliation

2164

with the Calico datastore. [Default: 5m]'

type: string

type: object

serviceAccount:

description: ServiceAccount enables and configures the service

2169

account controller. Enabled by default, set to nil to disable.

2170

properties:

2171

reconcilerPeriod:

2172

description: 'ReconcilerPeriod is the period to perform reconciliation

2173

with the Calico datastore. [Default: 5m]'

type: string

type: object

workloadEndpoint:

description: WorkloadEndpoint enables and configures the workload

2178

endpoint controller. Enabled by default, set to nil to disable.

2179

properties:

2180

reconcilerPeriod:

2181

description: 'ReconcilerPeriod is the period to perform reconciliation

2182

with the Calico datastore. [Default: 5m]'

type: string

type: object

type: object

etcdV3CompactionPeriod:

2187

description: 'EtcdV3CompactionPeriod is the period between etcdv3

2188

compaction requests. Set to 0 to disable. [Default: 10m]'

2189

type: string

2190

healthChecks:

2191

description: 'HealthChecks enables or disables support for health

2192

checks [Default: Enabled]'

2193

type: string

2194

logSeverityScreen:

2195

description: 'LogSeverityScreen is the log severity above which logs

2196

are sent to the stdout. [Default: Info]'

type: string

required:

- controllers

type: object

status:

description: KubeControllersConfigurationStatus represents the status

2203

of the configuration. It's useful for admins to be able to see the actual

2204

config that was applied, which can be modified by environment variables

2205

on the kube-controllers process.

2206

properties:

2207

environmentVars:

2208

additionalProperties:

2209

type: string

2210

description: EnvironmentVars contains the environment variables on

2211

the kube-controllers that influenced the RunningConfig.

2212

type: object

2213

runningConfig:

2214

description: RunningConfig contains the effective config that is running

2215

in the kube-controllers pod, after merging the API resource with

2216

any environment variables.

2217

properties:

2218

controllers:

2219

description: Controllers enables and configures individual Kubernetes

controllers

properties:

namespace:

description: Namespace enables and configures the namespace

2224

controller. Enabled by default, set to nil to disable.

2225

properties:

2226

reconcilerPeriod:

2227

description: 'ReconcilerPeriod is the period to perform

2228

reconciliation with the Calico datastore. [Default:

5m]'

type: string

type: object

node:

description: Node enables and configures the node controller.

2234

Enabled by default, set to nil to disable.

2235

properties:

2236

hostEndpoint:

2237

description: HostEndpoint controls syncing nodes to host

2238

endpoints. Disabled by default, set to nil to disable.

2239

properties:

2240

autoCreate:

2241

description: 'AutoCreate enables automatic creation

2242

of host endpoints for every node. [Default: Disabled]'

type: string

type: object

reconcilerPeriod:

description: 'ReconcilerPeriod is the period to perform

2247

reconciliation with the Calico datastore. [Default:

5m]'

type: string

syncLabels:

description: 'SyncLabels controls whether to copy Kubernetes

2252

node labels to Calico nodes. [Default: Enabled]'

type: string

type: object

policy:

description: Policy enables and configures the policy controller.

2257

Enabled by default, set to nil to disable.

2258

properties:

2259

reconcilerPeriod:

2260

description: 'ReconcilerPeriod is the period to perform

2261

reconciliation with the Calico datastore. [Default:

5m]'

type: string

type: object

serviceAccount:

description: ServiceAccount enables and configures the service

2267

account controller. Enabled by default, set to nil to disable.

2268

properties:

2269

reconcilerPeriod:

2270

description: 'ReconcilerPeriod is the period to perform

2271

reconciliation with the Calico datastore. [Default:

5m]'

type: string

type: object

workloadEndpoint:

description: WorkloadEndpoint enables and configures the workload

2277

endpoint controller. Enabled by default, set to nil to disable.

2278

properties:

2279

reconcilerPeriod:

2280

description: 'ReconcilerPeriod is the period to perform

2281

reconciliation with the Calico datastore. [Default:

5m]'

type: string

type: object

type: object

etcdV3CompactionPeriod:

2287

description: 'EtcdV3CompactionPeriod is the period between etcdv3

2288

compaction requests. Set to 0 to disable. [Default: 10m]'

2289

type: string

2290

healthChecks:

2291

description: 'HealthChecks enables or disables support for health

2292

checks [Default: Enabled]'

2293

type: string

2294

logSeverityScreen:

2295

description: 'LogSeverityScreen is the log severity above which

2296

logs are sent to the stdout. [Default: Info]'

type: string

required:

- controllers

type: object

type: object

type: object

served: true

storage: true

status:

acceptedNames:

kind: ""

plural: ""

conditions: []

storedVersions: []

---

---

apiVersion: apiextensions.k8s.io/v1

2316

kind: CustomResourceDefinition

2317

metadata:

2318

annotations:

2319

controller-gen.kubebuilder.io/version: (devel)

2320

creationTimestamp: null

2321

2322

spec:

2323

group: crd.projectcalico.org

2324

names:

2325

kind: NetworkPolicy

2326

listKind: NetworkPolicyList

2327

plural: networkpolicies

2328

singular: networkpolicy

scope: Namespaced

versions:

- name: v1

schema:

openAPIV3Schema:

properties:

apiVersion:

description: 'APIVersion defines the versioned schema of this representation

2337

of an object. Servers should convert recognized schemas to the latest

2338

internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'

2339

type: string

2340

kind:

2341

description: 'Kind is a string value representing the REST resource this

2342

object represents. Servers may infer this from the endpoint the client

2343

submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'

type: string

metadata:

type: object

spec:

properties:

egress:

description: The ordered set of egress rules. Each rule contains

2351

a set of packet match criteria and a corresponding action to apply.

2352

items:

2353

description: "A Rule encapsulates a set of match criteria and an

2354

action. Both selector-based security Policy and security Profiles

2355

reference rules - separated out as a list of rules for both ingress

2356

and egress packet matching. \n Each positive match criteria has

2357

a negated version, prefixed with ”Not”. All the match criteria

2358

within a rule must be satisfied for a packet to match. A single

2359

rule can contain the positive and negative version of a match

2360

and both must be satisfied for the rule to match."

properties:

action:

type: string

destination:

description: Destination contains the match criteria that apply

2366

to destination entity.

2367

properties:

2368

namespaceSelector:

2369

description: "NamespaceSelector is an optional field that

2370

contains a selector expression. Only traffic that originates

2371

from (or terminates at) endpoints within the selected

2372

namespaces will be matched. When both NamespaceSelector

2373

and Selector are defined on the same rule, then only workload

2374

endpoints that are matched by both selectors will be selected

2375

by the rule. \n For NetworkPolicy, an empty NamespaceSelector

2376

implies that the Selector is limited to selecting only

2377

workload endpoints in the same namespace as the NetworkPolicy.

2378

\n For NetworkPolicy, `global()` NamespaceSelector implies

2379

that the Selector is limited to selecting only GlobalNetworkSet

2380

or HostEndpoint. \n For GlobalNetworkPolicy, an empty

2381

NamespaceSelector implies the Selector applies to workload

2382

endpoints across all namespaces."

2383

type: string

2384

nets:

2385

description: Nets is an optional field that restricts the

2386

rule to only apply to traffic that originates from (or

2387

terminates at) IP addresses in any of the given subnets.

items:

type: string

type: array

notNets:

description: NotNets is the negated version of the Nets

field.

items:

type: string

type: array

notPorts:

description: NotPorts is the negated version of the Ports

2399

field. Since only some protocols have ports, if any ports

2400

are specified it requires the Protocol match in the Rule

2401

to be set to "TCP" or "UDP".

items:

anyOf:

- type: integer

- type: string

pattern: ^.*

x-kubernetes-int-or-string: true

2408

type: array

2409

notSelector:

2410

description: NotSelector is the negated version of the Selector

2411

field. See Selector field for subtleties with negated

selectors.

type: string

ports:

description: "Ports is an optional field that restricts

2416

the rule to only apply to traffic that has a source (destination)

2417

port that matches one of these ranges/values. This value

2418

is a list of integers or strings that represent ranges

2419

of ports. \n Since only some protocols have ports, if

2420

any ports are specified it requires the Protocol match

2421

in the Rule to be set to \"TCP\" or \"UDP\"."

items:

anyOf:

- type: integer

- type: string

pattern: ^.*

x-kubernetes-int-or-string: true

2428

type: array

2429

selector:

2430

description: "Selector is an optional field that contains

2431

a selector expression (see Policy for sample syntax).

2432

\ Only traffic that originates from (terminates at) endpoints

2433

matching the selector will be matched. \n Note that: in

2434

addition to the negated version of the Selector (see NotSelector

2435

below), the selector expression syntax itself supports

2436

negation. The two types of negation are subtly different.

2437

One negates the set of matched endpoints, the other negates

2438

the whole match: \n \tSelector = \"!has(my_label)\" matches

2439

packets that are from other Calico-controlled \tendpoints

2440

that do not have the label “my_label”. \n \tNotSelector

2441

= \"has(my_label)\" matches packets that are not from

2442

Calico-controlled \tendpoints that do have the label “my_label”.

2443

\n The effect is that the latter will accept packets from

2444

non-Calico sources whereas the former is limited to packets

2445

from Calico-controlled endpoints."

2446

type: string

2447

serviceAccounts:

2448

description: ServiceAccounts is an optional field that restricts

2449

the rule to only apply to traffic that originates from

2450

(or terminates at) a pod running as a matching service

account.

properties:

names:

description: Names is an optional field that restricts

2455

the rule to only apply to traffic that originates

2456

from (or terminates at) a pod running as a service

2457

account whose name is in the list.

items:

type: string

type: array

selector:

description: Selector is an optional field that restricts

2463

the rule to only apply to traffic that originates

2464

from (or terminates at) a pod running as a service

2465

account that matches the given label selector. If

2466

both Names and Selector are specified then they are

AND'ed.

type: string

type: object

type: object

http:

description: HTTP contains match criteria that apply to HTTP

requests.

properties:

methods:

description: Methods is an optional field that restricts

2477

the rule to apply only to HTTP requests that use one of

2478

the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple

2479

methods are OR'd together.

items:

type: string

type: array

paths:

description: 'Paths is an optional field that restricts

2485

the rule to apply to HTTP requests that use one of the

2486

listed HTTP Paths. Multiple paths are OR''d together.

2487

e.g: - exact: /foo - prefix: /bar NOTE: Each entry may

2488

ONLY specify either a `exact` or a `prefix` match. The

2489

validator will check for it.'

2490

items:

2491

description: 'HTTPPath specifies an HTTP path to match.

2492

It may be either of the form: exact: <path>: which matches

2493

the path exactly or prefix: <path-prefix>: which matches

the path prefix'

properties:

exact:

type: string

prefix:

type: string

type: object

type: array

type: object

icmp:

description: ICMP is an optional field that restricts the rule

2505

to apply to a specific type and code of ICMP traffic. This

2506

should only be specified if the Protocol field is set to "ICMP"

or "ICMPv6".

properties:

code:

description: Match on a specific ICMP code. If specified,

2511

the Type value must also be specified. This is a technical

2512

limitation imposed by the kernel’s iptables firewall,

2513

which Calico uses to enforce the rule.

2514

type: integer

2515

type:

2516

description: Match on a specific ICMP type. For example

2517

a value of 8 refers to ICMP Echo Request (i.e. pings).

type: integer

type: object

ipVersion:

description: IPVersion is an optional field that restricts the

2522

rule to only match a specific IP version.

2523

type: integer

2524

metadata:

2525

description: Metadata contains additional information for this

rule

properties:

annotations:

additionalProperties:

2530

type: string

2531

description: Annotations is a set of key value pairs that

2532

give extra information about the rule

type: object

type: object

notICMP:

description: NotICMP is the negated version of the ICMP field.

2537

properties:

2538

code:

2539

description: Match on a specific ICMP code. If specified,

2540

the Type value must also be specified. This is a technical

2541

limitation imposed by the kernel’s iptables firewall,

2542

which Calico uses to enforce the rule.

2543

type: integer

2544

type:

2545

description: Match on a specific ICMP type. For example

2546

a value of 8 refers to ICMP Echo Request (i.e. pings).

type: integer

type: object

notProtocol:

anyOf:

- type: integer

- type: string

description: NotProtocol is the negated version of the Protocol

2554

field.

2555

pattern: ^.*

2556

x-kubernetes-int-or-string: true

protocol:

anyOf:

- type: integer

- type: string

description: "Protocol is an optional field that restricts the

2562

rule to only apply to traffic of a specific IP protocol. Required

2563

if any of the EntityRules contain Ports (because ports only

2564

apply to certain protocols). \n Must be one of these string

2565

values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",

2566

\"UDPLite\" or an integer in the range 1-255."

2567

pattern: ^.*

2568

x-kubernetes-int-or-string: true

2569

source:

2570

description: Source contains the match criteria that apply to

source entity.

properties:

namespaceSelector:

description: "NamespaceSelector is an optional field that

2575

contains a selector expression. Only traffic that originates

2576

from (or terminates at) endpoints within the selected

2577

namespaces will be matched. When both NamespaceSelector

2578

and Selector are defined on the same rule, then only workload

2579

endpoints that are matched by both selectors will be selected

2580

by the rule. \n For NetworkPolicy, an empty NamespaceSelector

2581

implies that the Selector is limited to selecting only

2582

workload endpoints in the same namespace as the NetworkPolicy.

2583

\n For NetworkPolicy, `global()` NamespaceSelector implies

2584

that the Selector is limited to selecting only GlobalNetworkSet

2585

or HostEndpoint. \n For GlobalNetworkPolicy, an empty

2586

NamespaceSelector implies the Selector applies to workload

2587

endpoints across all namespaces."

2588

type: string

2589

nets:

2590

description: Nets is an optional field that restricts the

2591

rule to only apply to traffic that originates from (or

2592

terminates at) IP addresses in any of the given subnets.

items:

type: string

type: array

notNets:

description: NotNets is the negated version of the Nets

field.

items:

type: string

type: array

notPorts:

description: NotPorts is the negated version of the Ports

2604

field. Since only some protocols have ports, if any ports

2605

are specified it requires the Protocol match in the Rule

2606

to be set to "TCP" or "UDP".

items:

anyOf:

- type: integer

- type: string

pattern: ^.*

x-kubernetes-int-or-string: true

2613

type: array

2614

notSelector:

2615

description: NotSelector is the negated version of the Selector

2616

field. See Selector field for subtleties with negated

selectors.

type: string

ports:

description: "Ports is an optional field that restricts

2621

the rule to only apply to traffic that has a source (destination)

2622

port that matches one of these ranges/values. This value

2623

is a list of integers or strings that represent ranges

2624

of ports. \n Since only some protocols have ports, if

2625

any ports are specified it requires the Protocol match

2626

in the Rule to be set to \"TCP\" or \"UDP\"."

items:

anyOf:

- type: integer

- type: string

pattern: ^.*

x-kubernetes-int-or-string: true

2633

type: array

2634

selector:

2635

description: "Selector is an optional field that contains

2636

a selector expression (see Policy for sample syntax).

2637

\ Only traffic that originates from (terminates at) endpoints

2638

matching the selector will be matched. \n Note that: in

2639

addition to the negated version of the Selector (see NotSelector

2640

below), the selector expression syntax itself supports

2641

negation. The two types of negation are subtly different.

2642

One negates the set of matched endpoints, the other negates

2643

the whole match: \n \tSelector = \"!has(my_label)\" matches

2644

packets that are from other Calico-controlled \tendpoints

2645

that do not have the label “my_label”. \n \tNotSelector

2646

= \"has(my_label)\" matches packets that are not from

2647

Calico-controlled \tendpoints that do have the label “my_label”.

2648

\n The effect is that the latter will accept packets from

2649

non-Calico sources whereas the former is limited to packets

2650

from Calico-controlled endpoints."

2651

type: string

2652

serviceAccounts:

2653

description: ServiceAccounts is an optional field that restricts

2654

the rule to only apply to traffic that originates from

2655

(or terminates at) a pod running as a matching service

account.

properties:

names:

description: Names is an optional field that restricts

2660

the rule to only apply to traffic that originates

2661

from (or terminates at) a pod running as a service

2662

account whose name is in the list.

items:

type: string

type: array

selector:

description: Selector is an optional field that restricts

2668

the rule to only apply to traffic that originates

2669

from (or terminates at) a pod running as a service

2670

account that matches the given label selector. If

2671

both Names and Selector are specified then they are

AND'ed.

type: string

type: object

type: object

required:

- action

type: object

type: array

ingress:

description: The ordered set of ingress rules. Each rule contains

2682

a set of packet match criteria and a corresponding action to apply.

2683

items:

2684

description: "A Rule encapsulates a set of match criteria and an

2685

action. Both selector-based security Policy and security Profiles

2686

reference rules - separated out as a list of rules for both ingress

2687

and egress packet matching. \n Each positive match criteria has

2688

a negated version, prefixed with ”Not”. All the match criteria

2689

within a rule must be satisfied for a packet to match. A single

2690

rule can contain the positive and negative version of a match

2691

and both must be satisfied for the rule to match."

properties:

action:

type: string

destination:

description: Destination contains the match criteria that apply

2697

to destination entity.

2698

properties:

2699

namespaceSelector:

2700

description: "NamespaceSelector is an optional field that

2701

contains a selector expression. Only traffic that originates

2702

from (or terminates at) endpoints within the selected

2703

namespaces will be matched. When both NamespaceSelector

2704

and Selector are defined on the same rule, then only workload

2705

endpoints that are matched by both selectors will be selected

2706

by the rule. \n For NetworkPolicy, an empty NamespaceSelector

2707

implies that the Selector is limited to selecting only

2708

workload endpoints in the same namespace as the NetworkPolicy.

2709

\n For NetworkPolicy, `global()` NamespaceSelector implies

2710

that the Selector is limited to selecting only GlobalNetworkSet

2711

or HostEndpoint. \n For GlobalNetworkPolicy, an empty

2712

NamespaceSelector implies the Selector applies to workload

2713

endpoints across all namespaces."

2714

type: string

2715

nets:

2716

description: Nets is an optional field that restricts the

2717

rule to only apply to traffic that originates from (or

2718

terminates at) IP addresses in any of the given subnets.

items:

type: string

type: array

notNets:

description: NotNets is the negated version of the Nets

field.

items:

type: string

type: array

notPorts:

description: NotPorts is the negated version of the Ports

2730

field. Since only some protocols have ports, if any ports

2731

are specified it requires the Protocol match in the Rule

2732

to be set to "TCP" or "UDP".

items:

anyOf:

- type: integer

- type: string

pattern: ^.*

x-kubernetes-int-or-string: true

2739

type: array

2740

notSelector:

2741

description: NotSelector is the negated version of the Selector

2742

field. See Selector field for subtleties with negated

selectors.

type: string

ports:

description: "Ports is an optional field that restricts

2747

the rule to only apply to traffic that has a source (destination)

2748

port that matches one of these ranges/values. This value

2749

is a list of integers or strings that represent ranges

2750

of ports. \n Since only some protocols have ports, if

2751

any ports are specified it requires the Protocol match

2752

in the Rule to be set to \"TCP\" or \"UDP\"."

items:

anyOf:

- type: integer

- type: string

pattern: ^.*

x-kubernetes-int-or-string: true

2759

type: array

2760

selector:

2761

description: "Selector is an optional field that contains

2762

a selector expression (see Policy for sample syntax).

2763

\ Only traffic that originates from (terminates at) endpoints

2764

matching the selector will be matched. \n Note that: in

2765

addition to the negated version of the Selector (see NotSelector

2766

below), the selector expression syntax itself supports

2767

negation. The two types of negation are subtly different.

2768

One negates the set of matched endpoints, the other negates

2769

the whole match: \n \tSelector = \"!has(my_label)\" matches

2770

packets that are from other Calico-controlled \tendpoints

2771

that do not have the label “my_label”. \n \tNotSelector

2772

= \"has(my_label)\" matches packets that are not from

2773

Calico-controlled \tendpoints that do have the label “my_label”.

2774

\n The effect is that the latter will accept packets from

2775

non-Calico sources whereas the former is limited to packets

2776

from Calico-controlled endpoints."

2777

type: string

2778

serviceAccounts:

2779

description: ServiceAccounts is an optional field that restricts

2780

the rule to only apply to traffic that originates from

2781

(or terminates at) a pod running as a matching service

account.

properties:

names:

description: Names is an optional field that restricts

2786

the rule to only apply to traffic that originates

2787

from (or terminates at) a pod running as a service

2788

account whose name is in the list.

items:

type: string

type: array

selector:

description: Selector is an optional field that restricts

2794

the rule to only apply to traffic that originates

2795

from (or terminates at) a pod running as a service

2796

account that matches the given label selector. If

2797

both Names and Selector are specified then they are

AND'ed.

type: string

type: object

type: object

http:

description: HTTP contains match criteria that apply to HTTP

requests.

properties:

methods:

description: Methods is an optional field that restricts

2808

the rule to apply only to HTTP requests that use one of

2809

the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple

2810

methods are OR'd together.

items:

type: string

type: array

paths:

description: 'Paths is an optional field that restricts

2816

the rule to apply to HTTP requests that use one of the

2817

listed HTTP Paths. Multiple paths are OR''d together.

2818

e.g: - exact: /foo - prefix: /bar NOTE: Each entry may

2819

ONLY specify either a `exact` or a `prefix` match. The

2820

validator will check for it.'

2821

items:

2822

description: 'HTTPPath specifies an HTTP path to match.

2823

It may be either of the form: exact: <path>: which matches

2824

the path exactly or prefix: <path-prefix>: which matches

the path prefix'

properties:

exact:

type: string

prefix:

type: string

type: object

type: array

type: object

icmp:

description: ICMP is an optional field that restricts the rule

2836

to apply to a specific type and code of ICMP traffic. This

2837

should only be specified if the Protocol field is set to "ICMP"

or "ICMPv6".

properties:

code:

description: Match on a specific ICMP code. If specified,

2842

the Type value must also be specified. This is a technical

2843

limitation imposed by the kernel’s iptables firewall,

2844

which Calico uses to enforce the rule.

2845

type: integer

2846

type:

2847

description: Match on a specific ICMP type. For example

2848

a value of 8 refers to ICMP Echo Request (i.e. pings).

type: integer

type: object

ipVersion:

description: IPVersion is an optional field that restricts the

2853

rule to only match a specific IP version.

2854

type: integer

2855

metadata:

2856

description: Metadata contains additional information for this

rule

properties:

annotations:

additionalProperties:

2861

type: string

2862

description: Annotations is a set of key value pairs that

2863

give extra information about the rule

type: object

type: object

notICMP:

description: NotICMP is the negated version of the ICMP field.

2868

properties:

2869

code:

2870

description: Match on a specific ICMP code. If specified,

2871

the Type value must also be specified. This is a technical

2872

limitation imposed by the kernel’s iptables firewall,

2873

which Calico uses to enforce the rule.

2874

type: integer

2875

type:

2876

description: Match on a specific ICMP type. For example

2877

a value of 8 refers to ICMP Echo Request (i.e. pings).

type: integer

type: object

notProtocol:

anyOf:

- type: integer

- type: string

description: NotProtocol is the negated version of the Protocol

2885

field.

2886

pattern: ^.*

2887

x-kubernetes-int-or-string: true

protocol:

anyOf:

- type: integer

- type: string

description: "Protocol is an optional field that restricts the

2893

rule to only apply to traffic of a specific IP protocol. Required

2894

if any of the EntityRules contain Ports (because ports only

2895

apply to certain protocols). \n Must be one of these string

2896

values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",

2897

\"UDPLite\" or an integer in the range 1-255."

2898

pattern: ^.*

2899

x-kubernetes-int-or-string: true

2900

source:

2901

description: Source contains the match criteria that apply to

source entity.

properties:

namespaceSelector:

description: "NamespaceSelector is an optional field that

2906

contains a selector expression. Only traffic that originates

2907

from (or terminates at) endpoints within the selected

2908

namespaces will be matched. When both NamespaceSelector

2909

and Selector are defined on the same rule, then only workload

2910

endpoints that are matched by both selectors will be selected

2911

by the rule. \n For NetworkPolicy, an empty NamespaceSelector

2912

implies that the Selector is limited to selecting only

2913

workload endpoints in the same namespace as the NetworkPolicy.

2914

\n For NetworkPolicy, `global()` NamespaceSelector implies

2915

that the Selector is limited to selecting only GlobalNetworkSet

2916

or HostEndpoint. \n For GlobalNetworkPolicy, an empty

2917

NamespaceSelector implies the Selector applies to workload

2918

endpoints across all namespaces."

2919

type: string

2920

nets:

2921

description: Nets is an optional field that restricts the

2922

rule to only apply to traffic that originates from (or

2923

terminates at) IP addresses in any of the given subnets.

items:

type: string

type: array

notNets:

description: NotNets is the negated version of the Nets

field.

items:

type: string

type: array

notPorts:

description: NotPorts is the negated version of the Ports

2935

field. Since only some protocols have ports, if any ports

2936

are specified it requires the Protocol match in the Rule

2937

to be set to "TCP" or "UDP".

items:

anyOf:

- type: integer

- type: string

pattern: ^.*

x-kubernetes-int-or-string: true

2944

type: array

2945

notSelector:

2946

description: NotSelector is the negated version of the Selector

2947

field. See Selector field for subtleties with negated

selectors.

type: string

ports:

description: "Ports is an optional field that restricts

2952

the rule to only apply to traffic that has a source (destination)

2953

port that matches one of these ranges/values. This value

2954

is a list of integers or strings that represent ranges

2955

of ports. \n Since only some protocols have ports, if

2956

any ports are specified it requires the Protocol match

2957

in the Rule to be set to \"TCP\" or \"UDP\"."

items:

anyOf:

- type: integer

- type: string

pattern: ^.*

x-kubernetes-int-or-string: true

2964

type: array

2965

selector:

2966

description: "Selector is an optional field that contains

2967

a selector expression (see Policy for sample syntax).

2968

\ Only traffic that originates from (terminates at) endpoints

2969

matching the selector will be matched. \n Note that: in

2970

addition to the negated version of the Selector (see NotSelector

2971

below), the selector expression syntax itself supports

2972

negation. The two types of negation are subtly different.

2973

One negates the set of matched endpoints, the other negates

2974

the whole match: \n \tSelector = \"!has(my_label)\" matches

2975

packets that are from other Calico-controlled \tendpoints

2976

that do not have the label “my_label”. \n \tNotSelector

2977

= \"has(my_label)\" matches packets that are not from

2978

Calico-controlled \tendpoints that do have the label “my_label”.

2979

\n The effect is that the latter will accept packets from

2980

non-Calico sources whereas the former is limited to packets

2981

from Calico-controlled endpoints."

2982

type: string

2983

serviceAccounts:

2984

description: ServiceAccounts is an optional field that restricts

2985

the rule to only apply to traffic that originates from

2986

(or terminates at) a pod running as a matching service

account.

properties:

names:

description: Names is an optional field that restricts

2991

the rule to only apply to traffic that originates

2992

from (or terminates at) a pod running as a service

2993

account whose name is in the list.

items:

type: string

type: array

selector:

description: Selector is an optional field that restricts

2999

the rule to only apply to traffic that originates

3000

from (or terminates at) a pod running as a service

3001

account that matches the given label selector. If

3002

both Names and Selector are specified then they are

AND'ed.

type: string

type: object

type: object

required:

- action

type: object

type: array

order:

description: Order is an optional field that specifies the order in

3013

which the policy is applied. Policies with higher "order" are applied

3014

after those with lower order. If the order is omitted, it may be

3015

considered to be "infinite" - i.e. the policy will be applied last. Policies

3016

with identical order will be applied in alphanumerical order based

3017

on the Policy "Name".

3018

type: number

3019

selector:

3020

description: "The selector is an expression used to pick pick out

3021

the endpoints that the policy should be applied to. \n Selector

3022

expressions follow this syntax: \n \tlabel == \"string_literal\"

3023

\ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"

3024

\ -> not equal; also matches if label is not present \tlabel in

3025

{ \"a\", \"b\", \"c\", ... } -> true if the value of label X is

3026

one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",

3027

... } -> true if the value of label X is not one of \"a\", \"b\",

3028

\"c\" \thas(label_name) -> True if that label is present \t! expr

3029

-> negation of expr \texpr && expr -> Short-circuit and \texpr

3030

|| expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()

3031

or the empty selector -> matches all endpoints. \n Label names are

3032

allowed to contain alphanumerics, -, _ and /. String literals are

3033

more permissive but they do not support escape characters. \n Examples

3034

(with made-up labels): \n \ttype == \"webserver\" && deployment

3035

== \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=

3036

\"dev\" \t! has(label_name)"

3037

type: string

3038

serviceAccountSelector:

3039

description: ServiceAccountSelector is an optional field for an expression

3040

used to select a pod based on service accounts.

3041

type: string

3042

types:

3043

description: "Types indicates whether this policy applies to ingress,

3044

or to egress, or to both. When not explicitly specified (and so

3045

the value on creation is empty or nil), Calico defaults Types according

3046

to what Ingress and Egress are present in the policy. The default

3047

is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including

3048

the case where there are also no Ingress rules) \n - [ PolicyTypeEgress

3049

], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress,

3050

PolicyTypeEgress ], if there are both Ingress and Egress rules.

3051

\n When the policy is read back again, Types will always be one

3052

of these values, never empty or nil."

3053

items:

3054

description: PolicyType enumerates the possible values of the PolicySpec

Types field.

type: string

type: array

type: object

type: object

served: true

storage: true

status:

acceptedNames:

kind: ""

plural: ""

conditions: []

storedVersions: []

---

---

apiVersion: apiextensions.k8s.io/v1

3073

kind: CustomResourceDefinition

3074

metadata:

3075

annotations:

3076

controller-gen.kubebuilder.io/version: (devel)

3077

creationTimestamp: null

3078

3079

spec:

3080

group: crd.projectcalico.org

3081

names:

3082

kind: NetworkSet

3083

listKind: NetworkSetList

plural: networksets

singular: networkset

scope: Namespaced

versions:

- name: v1

schema:

openAPIV3Schema:

description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet.

3092

properties:

3093

apiVersion:

3094

description: 'APIVersion defines the versioned schema of this representation

3095

of an object. Servers should convert recognized schemas to the latest

3096

internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'

3097

type: string

3098

kind:

3099

description: 'Kind is a string value representing the REST resource this

3100

object represents. Servers may infer this from the endpoint the client

3101

submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'

type: string

metadata:

type: object

spec:

description: NetworkSetSpec contains the specification for a NetworkSet

3107

resource.