From 8b9fb1ffe8754422b49ff75ebb1c1312846d5a5f Mon Sep 17 00:00:00 2001 From: Ciprian Hacman Date: Tue, 24 Nov 2020 08:17:23 +0200 Subject: [PATCH] Update Calico to v3.17.0 --- upup/models/bindata.go | 139 +++++++++--------- .../k8s-1.16.yaml.template | 139 +++++++++--------- .../pkg/fi/cloudup/bootstrapchannelbuilder.go | 2 +- 3 files changed, 133 insertions(+), 147 deletions(-) diff --git a/upup/models/bindata.go b/upup/models/bindata.go index c81cd16408424..2122460da6547 100644 --- a/upup/models/bindata.go +++ b/upup/models/bindata.go @@ -6685,7 +6685,7 @@ func cloudupResourcesAddonsNetworkingProjectcalicoOrgK8s112YamlTemplate() (*asse return a, nil } -var _cloudupResourcesAddonsNetworkingProjectcalicoOrgK8s116YamlTemplate = []byte(`# Pulled and modified from: https://docs.projectcalico.org/v3.16/manifests/calico-typha.yaml +var _cloudupResourcesAddonsNetworkingProjectcalicoOrgK8s116YamlTemplate = []byte(`# Pulled and modified from: https://docs.projectcalico.org/v3.17/manifests/calico-typha.yaml {{- if .Networking.Calico.BPFEnabled }} --- 
@@ -6716,15 +6716,14 @@ data: typha_service_name: "{{- if .Networking.Calico.TyphaReplicas -}}calico-typha{{- else -}}none{{- end -}}" # Configure the backend to use. calico_backend: "bird" + # Configure the MTU to use for workload interfaces and tunnels. - # - If Wireguard is enabled, set to your network MTU - 60 - # - Otherwise, if VXLAN or BPF mode is enabled, set to your network MTU - 50 - # - Otherwise, if IPIP is enabled, set to your network MTU - 20 - # - Otherwise, if not using any encapsulation, set to your network MTU. + # By default, MTU is auto-detected, and explicitly setting this field should not be required. + # You can override auto-detection by providing a non-zero value. {{- if .Networking.Calico.MTU }} veth_mtu: "{{ .Networking.Calico.MTU }}" {{- else }} - veth_mtu: "{{- if eq .CloudProvider "openstack" -}}1430{{- else -}}1440{{- end -}}" + veth_mtu: "0" {{- end }} # The CNI network configuration to install on each node. The special @@ -6771,8 +6770,6 @@ data: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) name: bgpconfigurations.crd.projectcalico.org labels: role.kubernetes.io/networking: "1" @@ -6908,8 +6905,6 @@ status: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) name: bgppeers.crd.projectcalico.org labels: role.kubernetes.io/networking: "1" @@ -6946,6 +6941,7 @@ spec: format: int32 type: integer keepOriginalNextHop: + default: false description: Option to keep the original nexthop field when routes are sent to a BGP Peer. Setting "true" configures the selected BGP Peers node to use the "next hop keep;" instead of "next hop self;"(default) 
@@ -6953,8 +6949,8 @@ spec: type: boolean node: description: The node name identifying the Calico node instance that - is peering with this peer. If this is not set, this represents a - global peer, i.e. a peer that peers with every node in the deployment. + is targeted by this peer. If this is not set, and no nodeSelector + is specified, then this BGP peer selects all nodes in the cluster. type: string nodeSelector: description: Selector for the nodes that should have this peering. When @@ -6996,12 +6992,9 @@ spec: peering between the local node and selected remote nodes, we configure an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified, and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The - remote AS number comes from the remote node’s NodeBGPSpec.ASNumber, + remote AS number comes from the remote node's NodeBGPSpec.ASNumber, or the global default if that is not set. type: string - required: - - asNumber - - peerIP type: object type: object served: true @@ -7019,8 +7012,6 @@ status: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) name: blockaffinities.crd.projectcalico.org labels: role.kubernetes.io/networking: "1" @@ -7086,8 +7077,6 @@ status: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) name: clusterinformations.crd.projectcalico.org labels: role.kubernetes.io/networking: "1" @@ -7156,8 +7145,6 @@ status: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) name: felixconfigurations.crd.projectcalico.org labels: role.kubernetes.io/networking: "1" 
@@ -7218,13 +7205,13 @@ spec: true]' type: boolean bpfDataIfacePattern: - description: 'BPFDataIfacePattern is a regular expression that controls + description: BPFDataIfacePattern is a regular expression that controls which interfaces Felix should attach BPF programs to in order to catch traffic to/from the network. This needs to match the interfaces that Calico workload traffic flows over as well as any interfaces that handle incoming traffic to nodeports and services from outside the cluster. It should not match the workload interfaces (usually - named cali...). [Default: ^(en.*|eth.*|tunl0$)]' + named cali...). type: string bpfDisableUnprivileged: description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled @@ -7269,10 +7256,10 @@ spec: ` + "`" + `tc exec bpf debug` + "`" + `. [Default: Off].' type: string chainInsertMode: - description: 'ChainInsertMode controls whether Felix hooks the kernel’s + description: 'ChainInsertMode controls whether Felix hooks the kernel''s top-level iptables chains by inserting a rule at the top of the chain or by appending a rule at the bottom. insert is the safe default - since it prevents Calico’s rules from being bypassed. If you switch + since it prevents Calico''s rules from being bypassed. If you switch to append mode, be sure that the other rules in the chains signal acceptance by falling through to the Calico rules, otherwise the Calico policy will be bypassed. [Default: insert]' @@ -7354,7 +7341,7 @@ spec: Each port should be specified as tcp: or udp:. For back-compatibility, if the protocol is not specified, it defaults to “tcp”. To disable all outbound host ports, use the value none. - The default value opens etcd’s standard ports to ensure that Felix + The default value opens etcd''s standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP and DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667, udp:53, udp:67]' 
@@ -7406,8 +7393,8 @@ spec: workload endpoints and so distinguishes them from host endpoint interfaces. Note: in environments other than bare metal, the orchestrators configure this appropriately. For example our Kubernetes and Docker - integrations set the ‘cali’ value, and our OpenStack integration - sets the ‘tap’ value. [Default: cali]' + integrations set the ''cali'' value, and our OpenStack integration + sets the ''tap'' value. [Default: cali]' type: string interfaceRefreshInterval: description: InterfaceRefreshInterval is the period at which Felix @@ -7423,7 +7410,7 @@ spec: ipsetsRefreshInterval: description: 'IpsetsRefreshInterval is the period at which Felix re-checks all iptables state to ensure that no other process has accidentally - broken Calico’s rules. Set to 0 to disable iptables refresh. [Default: + broken Calico''s rules. Set to 0 to disable iptables refresh. [Default: 90s]' type: string iptablesBackend: @@ -7435,7 +7422,7 @@ spec: iptablesLockFilePath: description: 'IptablesLockFilePath is the location of the iptables lock file. You may need to change this if the lock file is not in - its standard location (for example if you have mapped it into Felix’s + its standard location (for example if you have mapped it into Felix''s container at a different path). [Default: /run/xtables.lock]' type: string iptablesLockProbeInterval: 
@@ -7467,16 +7454,16 @@ spec: description: 'IptablesPostWriteCheckInterval is the period after Felix has done a write to the dataplane that it schedules an extra read back in order to check the write was not clobbered by another process. - This should only occur if another application on the system doesn’t + This should only occur if another application on the system doesn''t respect the iptables lock. [Default: 1s]' type: string iptablesRefreshInterval: description: 'IptablesRefreshInterval is the period at which Felix re-checks the IP sets in the dataplane to ensure that no other process - has accidentally broken Calico’s rules. Set to 0 to disable IP sets - refresh. Note: the default for this value is lower than the other - refresh intervals as a workaround for a Linux kernel bug that was - fixed in kernel version 4.11. If you are using v4.11 or greater + has accidentally broken Calico''s rules. Set to 0 to disable IP + sets refresh. Note: the default for this value is lower than the + other refresh intervals as a workaround for a Linux kernel bug that + was fixed in kernel version 4.11. If you are using v4.11 or greater you may want to set this to, a higher value to reduce Felix CPU usage. [Default: 10s]' type: string 
@@ -7527,10 +7514,15 @@ spec: type: string metadataPort: description: 'MetadataPort is the port of the metadata server. This, - combined with global.MetadataAddr (if not ‘None’), is used to set - up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort. + combined with global.MetadataAddr (if not ''None''), is used to + set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort. In most cases this should not need to be changed [Default: 8775].' type: integer + mtuIfacePattern: + description: MTUIfacePattern is a regular expression that controls + which interfaces Felix should scan in order to calculate the host's + MTU. This should not match workload interfaces (usually named cali...). + type: string natOutgoingAddress: description: NATOutgoingAddress specifies an address to use when performing source NAT for traffic in a natOutgoing pool that is leaving the @@ -7601,9 +7593,9 @@ spec: status reports. [Default: 90s]' type: string routeRefreshInterval: - description: 'RouterefreshInterval is the period at which Felix re-checks + description: 'RouteRefreshInterval is the period at which Felix re-checks the routes in the dataplane to ensure that no other process has - accidentally broken Calico’s rules. Set to 0 to disable route refresh. + accidentally broken Calico''s rules. Set to 0 to disable route refresh. [Default: 90s]' type: string routeSource: @@ -7624,6 +7616,13 @@ spec: - max - min type: object + serviceLoopPrevention: + description: 'When service IP advertisement is enabled, prevent routing + loops to service IPs that are not in use, by dropping or rejecting + packets that do not get DNAT''d by kube-proxy. Unless set to "Disabled", + in which case such routing loops continue to be allowed. [Default: + Drop]' + type: string sidecarAccelerationEnabled: description: 'SidecarAccelerationEnabled enables experimental sidecar acceleration [Default: false]' 
@@ -7702,8 +7701,6 @@ status: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) name: globalnetworkpolicies.crd.projectcalico.org labels: role.kubernetes.io/networking: "1" @@ -7908,7 +7905,7 @@ spec: code: description: Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical - limitation imposed by the kernel’s iptables firewall, + limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule. type: integer type: @@ -7937,7 +7934,7 @@ spec: code: description: Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical - limitation imposed by the kernel’s iptables firewall, + limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule. type: integer type: @@ -8239,7 +8236,7 @@ spec: code: description: Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical - limitation imposed by the kernel’s iptables firewall, + limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule. type: integer type: @@ -8268,7 +8265,7 @@ spec: code: description: Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical - limitation imposed by the kernel’s iptables firewall, + limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule. type: integer type: @@ -8479,8 +8476,6 @@ status: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) name: globalnetworksets.crd.projectcalico.org labels: role.kubernetes.io/networking: "1" 
@@ -8538,8 +8533,6 @@ status: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) name: hostendpoints.crd.projectcalico.org labels: role.kubernetes.io/networking: "1" @@ -8652,8 +8645,6 @@ status: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) name: ipamblocks.crd.projectcalico.org labels: role.kubernetes.io/networking: "1" @@ -8720,7 +8711,6 @@ spec: - allocations - attributes - cidr - - deleted - strictAffinity - unallocated type: object @@ -8740,8 +8730,6 @@ status: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) name: ipamconfigs.crd.projectcalico.org labels: role.kubernetes.io/networking: "1" @@ -8776,6 +8764,10 @@ spec: properties: autoAllocateBlocks: type: boolean + maxBlocksPerHost: + description: MaxBlocksPerHost, if non-zero, is the max number of blocks + that can be affine to each host. + type: integer strictAffinity: type: boolean required: @@ -8798,8 +8790,6 @@ status: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) name: ipamhandles.crd.projectcalico.org labels: role.kubernetes.io/networking: "1" @@ -8836,6 +8826,8 @@ spec: additionalProperties: type: integer type: object + deleted: + type: boolean handleID: type: string required: @@ -8858,8 +8850,6 @@ status: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) name: ippools.crd.projectcalico.org labels: role.kubernetes.io/networking: "1" 
@@ -9190,8 +9180,6 @@ status: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) name: networkpolicies.crd.projectcalico.org labels: role.kubernetes.io/networking: "1" @@ -9385,7 +9373,7 @@ spec: code: description: Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical - limitation imposed by the kernel’s iptables firewall, + limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule. type: integer type: @@ -9414,7 +9402,7 @@ spec: code: description: Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical - limitation imposed by the kernel’s iptables firewall, + limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule. type: integer type: @@ -9716,7 +9704,7 @@ spec: code: description: Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical - limitation imposed by the kernel’s iptables firewall, + limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule. type: integer type: @@ -9745,7 +9733,7 @@ spec: code: description: Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical - limitation imposed by the kernel’s iptables firewall, + limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule. type: integer type: @@ -9948,8 +9936,6 @@ status: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) name: networksets.crd.projectcalico.org labels: role.kubernetes.io/networking: "1" @@ -10326,7 +10312,7 @@ spec: securityContext: fsGroup: 65534 containers: - - image: calico/typha:v3.16.4 + - image: docker.io/calico/typha:v3.17.0 name: calico-typha ports: - containerPort: 5473 
@@ -10443,7 +10429,7 @@ spec: # It can be deleted if this is a fresh installation, or if you have already # upgraded to use calico-ipam. - name: upgrade-ipam - image: calico/cni:v3.16.4 + image: docker.io/calico/cni:v3.17.0 command: ["/opt/cni/bin/calico-ipam", "-upgrade"] envFrom: - configMapRef: @@ -10470,7 +10456,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: calico/cni:v3.16.4 + image: docker.io/calico/cni:v3.17.0 command: ["/opt/cni/bin/install"] envFrom: - configMapRef: @@ -10511,7 +10497,7 @@ spec: # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes # to communicate with Felix over the Policy Sync API. - name: flexvol-driver - image: calico/pod2daemon-flexvol:v3.16.4 + image: docker.io/calico/pod2daemon-flexvol:v3.17.0 volumeMounts: - name: flexvol-driver-host mountPath: /host/driver @@ -10522,7 +10508,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: calico/node:v3.16.4 + image: docker.io/calico/node:v3.17.0 envFrom: - configMapRef: # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. @@ -10688,6 +10674,9 @@ spec: # Bidirectional means that, if we mount the BPF filesystem at /sys/fs/bpf it will propagate to the host. # If the host is known to mount that filesystem already then Bidirectional can be omitted. mountPropagation: Bidirectional + - name: cni-log-dir + mountPath: /var/log/calico/cni + readOnly: true volumes: # Used by calico-node. - name: lib-modules @@ -10714,6 +10703,10 @@ spec: - name: cni-net-dir hostPath: path: /etc/cni/net.d + # Used to access CNI logs. + - name: cni-log-dir + hostPath: + path: /var/log/calico/cni # Mount in the directory for host-local IPAM allocations. This is # used when upgrading from host-local to calico-ipam, and can be removed # if not using the upgrade-ipam init container. 
@@ -10779,7 +10772,7 @@ spec: priorityClassName: system-cluster-critical containers: - name: calico-kube-controllers - image: calico/kube-controllers:v3.16.4 + image: docker.io/calico/kube-controllers:v3.17.0 env: # Choose which controllers to run. - name: ENABLED_CONTROLLERS diff --git a/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template b/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template index c3e67afc3cbdf..53b68cbc2ffcc 100644 --- a/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template +++ b/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template @@ -1,4 +1,4 @@ -# Pulled and modified from: https://docs.projectcalico.org/v3.16/manifests/calico-typha.yaml +# Pulled and modified from: https://docs.projectcalico.org/v3.17/manifests/calico-typha.yaml {{- if .Networking.Calico.BPFEnabled }} --- @@ -29,15 +29,14 @@ data: typha_service_name: "{{- if .Networking.Calico.TyphaReplicas -}}calico-typha{{- else -}}none{{- end -}}" # Configure the backend to use. calico_backend: "bird" + # Configure the MTU to use for workload interfaces and tunnels. - # - If Wireguard is enabled, set to your network MTU - 60 - # - Otherwise, if VXLAN or BPF mode is enabled, set to your network MTU - 50 - # - Otherwise, if IPIP is enabled, set to your network MTU - 20 - # - Otherwise, if not using any encapsulation, set to your network MTU. + # By default, MTU is auto-detected, and explicitly setting this field should not be required. + # You can override auto-detection by providing a non-zero value. {{- if .Networking.Calico.MTU }} veth_mtu: "{{ .Networking.Calico.MTU }}" {{- else }} - veth_mtu: "{{- if eq .CloudProvider "openstack" -}}1430{{- else -}}1440{{- end -}}" + veth_mtu: "0" {{- end }} # The CNI network configuration to install on each node. The special 
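Review bot: Replacing the fixed `veth_mtu` default (1440, or 1430 on OpenStack) with `veth_mtu: "0"` silently changes the effective workload MTU on existing kops clusters at upgrade time, and the carried-over upstream comment does not say so or say what the auto-detection depends on. As far as I can tell from the Calico docs rather than from this hunk, Felix derives the value from the host interfaces matched by the new `mtuIfacePattern` FelixConfiguration field (added to the CRD later in this patch) and subtracts the encapsulation overhead, so a node whose uplink is not matched by that pattern, or an OpenStack/Neutron network whose MTU is lower than the host NIC MTU, may end up with a different value than before. I would keep the explicit `.Networking.Calico.MTU` branch as the documented escape hatch and add a kops-specific comment next to the `{{- else }}` branch, e.g. `# 0 = let Felix auto-detect from the host interfaces (see FelixConfiguration mtuIfacePattern); earlier kops releases pinned 1440 (1430 on OpenStack). Set spec.networking.calico.mtu to keep a fixed value across upgrades.` Pods created before the upgrade presumably keep their old veth MTU until they are recreated, so a mixed-MTU cluster during rollout is worth mentioning in the release notes as well.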
@@ -84,8 +83,6 @@ data: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) name: bgpconfigurations.crd.projectcalico.org labels: role.kubernetes.io/networking: "1" @@ -221,8 +218,6 @@ status: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) name: bgppeers.crd.projectcalico.org labels: role.kubernetes.io/networking: "1" @@ -259,6 +254,7 @@ spec: format: int32 type: integer keepOriginalNextHop: + default: false description: Option to keep the original nexthop field when routes are sent to a BGP Peer. Setting "true" configures the selected BGP Peers node to use the "next hop keep;" instead of "next hop self;"(default) @@ -266,8 +262,8 @@ spec: type: boolean node: description: The node name identifying the Calico node instance that - is peering with this peer. If this is not set, this represents a - global peer, i.e. a peer that peers with every node in the deployment. + is targeted by this peer. If this is not set, and no nodeSelector + is specified, then this BGP peer selects all nodes in the cluster. type: string nodeSelector: description: Selector for the nodes that should have this peering. When @@ -309,12 +305,9 @@ spec: peering between the local node and selected remote nodes, we configure an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified, and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The - remote AS number comes from the remote node’s NodeBGPSpec.ASNumber, + remote AS number comes from the remote node's NodeBGPSpec.ASNumber, or the global default if that is not set. type: string - required: - - asNumber - - peerIP type: object type: object served: true 
@@ -332,8 +325,6 @@ status: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) name: blockaffinities.crd.projectcalico.org labels: role.kubernetes.io/networking: "1" @@ -399,8 +390,6 @@ status: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) name: clusterinformations.crd.projectcalico.org labels: role.kubernetes.io/networking: "1" @@ -469,8 +458,6 @@ status: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) name: felixconfigurations.crd.projectcalico.org labels: role.kubernetes.io/networking: "1" @@ -531,13 +518,13 @@ spec: true]' type: boolean bpfDataIfacePattern: - description: 'BPFDataIfacePattern is a regular expression that controls + description: BPFDataIfacePattern is a regular expression that controls which interfaces Felix should attach BPF programs to in order to catch traffic to/from the network. This needs to match the interfaces that Calico workload traffic flows over as well as any interfaces that handle incoming traffic to nodeports and services from outside the cluster. It should not match the workload interfaces (usually - named cali...). [Default: ^(en.*|eth.*|tunl0$)]' + named cali...). type: string bpfDisableUnprivileged: description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled 
@@ -582,10 +569,10 @@ spec: `tc exec bpf debug`. [Default: Off].' type: string chainInsertMode: - description: 'ChainInsertMode controls whether Felix hooks the kernel’s + description: 'ChainInsertMode controls whether Felix hooks the kernel''s top-level iptables chains by inserting a rule at the top of the chain or by appending a rule at the bottom. insert is the safe default - since it prevents Calico’s rules from being bypassed. If you switch + since it prevents Calico''s rules from being bypassed. If you switch to append mode, be sure that the other rules in the chains signal acceptance by falling through to the Calico rules, otherwise the Calico policy will be bypassed. [Default: insert]' @@ -667,7 +654,7 @@ spec: Each port should be specified as tcp: or udp:. For back-compatibility, if the protocol is not specified, it defaults to “tcp”. To disable all outbound host ports, use the value none. - The default value opens etcd’s standard ports to ensure that Felix + The default value opens etcd''s standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP and DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667, udp:53, udp:67]' @@ -719,8 +706,8 @@ spec: workload endpoints and so distinguishes them from host endpoint interfaces. Note: in environments other than bare metal, the orchestrators configure this appropriately. For example our Kubernetes and Docker - integrations set the ‘cali’ value, and our OpenStack integration - sets the ‘tap’ value. [Default: cali]' + integrations set the ''cali'' value, and our OpenStack integration + sets the ''tap'' value. [Default: cali]' type: string interfaceRefreshInterval: description: InterfaceRefreshInterval is the period at which Felix 
@@ -736,7 +723,7 @@ spec: ipsetsRefreshInterval: description: 'IpsetsRefreshInterval is the period at which Felix re-checks all iptables state to ensure that no other process has accidentally - broken Calico’s rules. Set to 0 to disable iptables refresh. [Default: + broken Calico''s rules. Set to 0 to disable iptables refresh. [Default: 90s]' type: string iptablesBackend: @@ -748,7 +735,7 @@ spec: iptablesLockFilePath: description: 'IptablesLockFilePath is the location of the iptables lock file. You may need to change this if the lock file is not in - its standard location (for example if you have mapped it into Felix’s + its standard location (for example if you have mapped it into Felix''s container at a different path). [Default: /run/xtables.lock]' type: string iptablesLockProbeInterval: 
@@ -780,16 +767,16 @@ spec: description: 'IptablesPostWriteCheckInterval is the period after Felix has done a write to the dataplane that it schedules an extra read back in order to check the write was not clobbered by another process. - This should only occur if another application on the system doesn’t + This should only occur if another application on the system doesn''t respect the iptables lock. [Default: 1s]' type: string iptablesRefreshInterval: description: 'IptablesRefreshInterval is the period at which Felix re-checks the IP sets in the dataplane to ensure that no other process - has accidentally broken Calico’s rules. Set to 0 to disable IP sets - refresh. Note: the default for this value is lower than the other - refresh intervals as a workaround for a Linux kernel bug that was - fixed in kernel version 4.11. If you are using v4.11 or greater + has accidentally broken Calico''s rules. Set to 0 to disable IP + sets refresh. Note: the default for this value is lower than the + other refresh intervals as a workaround for a Linux kernel bug that + was fixed in kernel version 4.11. If you are using v4.11 or greater you may want to set this to, a higher value to reduce Felix CPU usage. [Default: 10s]' type: string 
@@ -840,10 +827,15 @@ spec: type: string metadataPort: description: 'MetadataPort is the port of the metadata server. This, - combined with global.MetadataAddr (if not ‘None’), is used to set - up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort. + combined with global.MetadataAddr (if not ''None''), is used to + set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort. In most cases this should not need to be changed [Default: 8775].' type: integer + mtuIfacePattern: + description: MTUIfacePattern is a regular expression that controls + which interfaces Felix should scan in order to calculate the host's + MTU. This should not match workload interfaces (usually named cali...). + type: string natOutgoingAddress: description: NATOutgoingAddress specifies an address to use when performing source NAT for traffic in a natOutgoing pool that is leaving the @@ -914,9 +906,9 @@ spec: status reports. [Default: 90s]' type: string routeRefreshInterval: - description: 'RouterefreshInterval is the period at which Felix re-checks + description: 'RouteRefreshInterval is the period at which Felix re-checks the routes in the dataplane to ensure that no other process has - accidentally broken Calico’s rules. Set to 0 to disable route refresh. + accidentally broken Calico''s rules. Set to 0 to disable route refresh. [Default: 90s]' type: string routeSource: @@ -937,6 +929,13 @@ spec: - max - min type: object + serviceLoopPrevention: + description: 'When service IP advertisement is enabled, prevent routing + loops to service IPs that are not in use, by dropping or rejecting + packets that do not get DNAT''d by kube-proxy. Unless set to "Disabled", + in which case such routing loops continue to be allowed. [Default: + Drop]' + type: string sidecarAccelerationEnabled: description: 'SidecarAccelerationEnabled enables experimental sidecar acceleration [Default: false]' 
@@ -1015,8 +1014,6 @@ status: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) name: globalnetworkpolicies.crd.projectcalico.org labels: role.kubernetes.io/networking: "1" @@ -1221,7 +1218,7 @@ spec: code: description: Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical - limitation imposed by the kernel’s iptables firewall, + limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule. type: integer type: @@ -1250,7 +1247,7 @@ spec: code: description: Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical - limitation imposed by the kernel’s iptables firewall, + limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule. type: integer type: @@ -1552,7 +1549,7 @@ spec: code: description: Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical - limitation imposed by the kernel’s iptables firewall, + limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule. type: integer type: @@ -1581,7 +1578,7 @@ spec: code: description: Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical - limitation imposed by the kernel’s iptables firewall, + limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule. type: integer type: @@ -1792,8 +1789,6 @@ status: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) name: globalnetworksets.crd.projectcalico.org labels: role.kubernetes.io/networking: "1" 
@@ -1851,8 +1846,6 @@ status: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) name: hostendpoints.crd.projectcalico.org labels: role.kubernetes.io/networking: "1" @@ -1965,8 +1958,6 @@ status: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) name: ipamblocks.crd.projectcalico.org labels: role.kubernetes.io/networking: "1" @@ -2033,7 +2024,6 @@ spec: - allocations - attributes - cidr - - deleted - strictAffinity - unallocated type: object @@ -2053,8 +2043,6 @@ status: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) name: ipamconfigs.crd.projectcalico.org labels: role.kubernetes.io/networking: "1" @@ -2089,6 +2077,10 @@ spec: properties: autoAllocateBlocks: type: boolean + maxBlocksPerHost: + description: MaxBlocksPerHost, if non-zero, is the max number of blocks + that can be affine to each host. + type: integer strictAffinity: type: boolean required: @@ -2111,8 +2103,6 @@ status: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) name: ipamhandles.crd.projectcalico.org labels: role.kubernetes.io/networking: "1" @@ -2149,6 +2139,8 @@ spec: additionalProperties: type: integer type: object + deleted: + type: boolean handleID: type: string required: @@ -2171,8 +2163,6 @@ status: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) name: ippools.crd.projectcalico.org labels: role.kubernetes.io/networking: "1" 
@@ -2503,8 +2493,6 @@ status: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) name: networkpolicies.crd.projectcalico.org labels: role.kubernetes.io/networking: "1"
@@ -2698,7 +2686,7 @@ spec: code: description: Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical - limitation imposed by the kernel’s iptables firewall, + limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule. type: integer type:
@@ -2727,7 +2715,7 @@ spec: code: description: Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical - limitation imposed by the kernel’s iptables firewall, + limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule. type: integer type:
@@ -3029,7 +3017,7 @@ spec: code: description: Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical - limitation imposed by the kernel’s iptables firewall, + limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule. type: integer type:
@@ -3058,7 +3046,7 @@ spec: code: description: Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical - limitation imposed by the kernel’s iptables firewall, + limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule. type: integer type:
@@ -3261,8 +3249,6 @@ status: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) name: networksets.crd.projectcalico.org labels: role.kubernetes.io/networking: "1"
@@ -3639,7 +3625,7 @@ spec: securityContext: fsGroup: 65534 containers: - - image: calico/typha:v3.16.4 + - image: docker.io/calico/typha:v3.17.0 name: calico-typha ports: - containerPort: 5473
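Review bot: The typha image is still pinned only by a mutable tag (`- image: docker.io/calico/typha:v3.17.0`), so a re-push of `v3.17.0` upstream would silently change what the cluster runs; adding a digest (`docker.io/calico/typha:v3.17.0@sha256:<digest-placeholder>`) would make the rollout reproducible and checkable against the upstream release. The same applies to the cni, pod2daemon-flexvol, node and kube-controllers image lines in the following hunks. The explicit `docker.io/` prefix is an improvement, since it no longer depends on the container runtime's default registry. The enclosing Deployment spec starts and ends outside this hunk.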
@@ -3756,7 +3742,7 @@ spec: # It can be deleted if this is a fresh installation, or if you have already # upgraded to use calico-ipam. - name: upgrade-ipam - image: calico/cni:v3.16.4 + image: docker.io/calico/cni:v3.17.0 command: ["/opt/cni/bin/calico-ipam", "-upgrade"] envFrom: - configMapRef:
@@ -3783,7 +3769,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: calico/cni:v3.16.4 + image: docker.io/calico/cni:v3.17.0 command: ["/opt/cni/bin/install"] envFrom: - configMapRef:
@@ -3824,7 +3810,7 @@ spec: # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes # to communicate with Felix over the Policy Sync API. - name: flexvol-driver - image: calico/pod2daemon-flexvol:v3.16.4 + image: docker.io/calico/pod2daemon-flexvol:v3.17.0 volumeMounts: - name: flexvol-driver-host mountPath: /host/driver
@@ -3835,7 +3821,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: calico/node:v3.16.4 + image: docker.io/calico/node:v3.17.0 envFrom: - configMapRef: # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
@@ -4001,6 +3987,9 @@ spec: # Bidirectional means that, if we mount the BPF filesystem at /sys/fs/bpf it will propagate to the host. # If the host is known to mount that filesystem already then Bidirectional can be omitted. mountPropagation: Bidirectional + - name: cni-log-dir + mountPath: /var/log/calico/cni + readOnly: true volumes: # Used by calico-node. - name: lib-modules
@@ -4027,6 +4016,10 @@ spec: - name: cni-net-dir hostPath: path: /etc/cni/net.d + # Used to access CNI logs. + - name: cni-log-dir + hostPath: + path: /var/log/calico/cni # Mount in the directory for host-local IPAM allocations. This is # used when upgrading from host-local to calico-ipam, and can be removed # if not using the upgrade-ipam init container.
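Review bot: The new `cni-log-dir` hostPath volume declares no `type`, so nothing in the manifest states that `/var/log/calico/cni` must already exist on the host when calico-node mounts it read-only; adding `type: DirectoryOrCreate` under the `hostPath:` entry would make that expectation explicit instead of relying on whichever component happens to create the directory first. The neighbouring `cni-net-dir` volume in the same hunk also carries no type, so this follows the file's existing pattern, which is presumably inherited from the upstream Calico manifest. The volumes list continues outside the hunk.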
@@ -4092,7 +4085,7 @@ spec: priorityClassName: system-cluster-critical containers: - name: calico-kube-controllers - image: calico/kube-controllers:v3.16.4 + image: docker.io/calico/kube-controllers:v3.17.0 env: # Choose which controllers to run. - name: ENABLED_CONTROLLERS
diff --git a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
index 5b5eb488e554b..3c82798277b1f 100644
--- a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
+++ b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
@@ -711,7 +711,7 @@ func (b *BootstrapChannelBuilder) buildAddons(c *fi.ModelBuilderContext) (*chann
 key := "networking.projectcalico.org"
 versions := map[string]string{
 "k8s-1.12": "3.9.6-kops.1",
- "k8s-1.16": "3.16.3-kops.2",
+ "k8s-1.16": "3.17.0-kops.1",
 }
 {