[calico] update to latest version
parent
f5a30dd84b
commit
83fd83c84a
1 changed files with 50 additions and 33 deletions
|
@ -32,9 +32,9 @@ data:
|
|||
"nodename": "__KUBERNETES_NODE_NAME__",
|
||||
"mtu": __CNI_MTU__,
|
||||
"ipam": {
|
||||
"type": "calico-ipam",
|
||||
"assign_ipv4": "false",
|
||||
"assign_ipv6": "true"
|
||||
"type": "calico-ipam",
|
||||
"assign_ipv4": "false",
|
||||
"assign_ipv6": "true"
|
||||
},
|
||||
"policy": {
|
||||
"type": "k8s"
|
||||
|
@ -513,6 +513,13 @@ spec:
|
|||
description: 'BPFEnabled, if enabled Felix will use the BPF dataplane.
|
||||
[Default: false]'
|
||||
type: boolean
|
||||
bpfExtToServiceConnmark:
|
||||
description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit
|
||||
mark that is set on connections from an external client to a local
|
||||
service. This mark allows us to control how packets of that connection
|
||||
are routed within the host and how is routing intepreted by RPF
|
||||
check. [Default: 0]'
|
||||
type: integer
|
||||
bpfExternalServiceMode:
|
||||
description: 'BPFExternalServiceMode in BPF mode, controls how connections
|
||||
from outside the cluster to services (node ports and cluster IPs)
|
||||
|
@ -601,19 +608,21 @@ spec:
|
|||
type: string
|
||||
type: array
|
||||
failsafeInboundHostPorts:
|
||||
description: 'FailsafeInboundHostPorts is a comma-delimited list of
|
||||
UDP/TCP ports that Felix will allow incoming traffic to host endpoints
|
||||
description: 'FailsafeInboundHostPorts is a list of UDP/TCP ports
|
||||
and CIDRs that Felix will allow incoming traffic to host endpoints
|
||||
on irrespective of the security policy. This is useful to avoid
|
||||
accidentally cutting off a host with incorrect configuration. Each
|
||||
port should be specified as tcp:<port-number> or udp:<port-number>.
|
||||
For back-compatibility, if the protocol is not specified, it defaults
|
||||
to "tcp". To disable all inbound host ports, use the value none.
|
||||
The default value allows ssh access and DHCP. [Default: tcp:22,
|
||||
accidentally cutting off a host with incorrect configuration. For
|
||||
back-compatibility, if the protocol is not specified, it defaults
|
||||
to "tcp". If a CIDR is not specified, it will allow traffic from
|
||||
all addresses. To disable all inbound host ports, use the value
|
||||
none. The default value allows ssh access and DHCP. [Default: tcp:22,
|
||||
udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]'
|
||||
items:
|
||||
description: ProtoPort is combination of protocol and port, both
|
||||
must be specified.
|
||||
description: ProtoPort is combination of protocol, port, and CIDR.
|
||||
Protocol and port must be specified.
|
||||
properties:
|
||||
net:
|
||||
type: string
|
||||
port:
|
||||
type: integer
|
||||
protocol:
|
||||
|
@ -624,21 +633,23 @@ spec:
|
|||
type: object
|
||||
type: array
|
||||
failsafeOutboundHostPorts:
|
||||
description: 'FailsafeOutboundHostPorts is a comma-delimited list
|
||||
of UDP/TCP ports that Felix will allow outgoing traffic from host
|
||||
endpoints to irrespective of the security policy. This is useful
|
||||
to avoid accidentally cutting off a host with incorrect configuration.
|
||||
Each port should be specified as tcp:<port-number> or udp:<port-number>.
|
||||
For back-compatibility, if the protocol is not specified, it defaults
|
||||
to "tcp". To disable all outbound host ports, use the value none.
|
||||
The default value opens etcd''s standard ports to ensure that Felix
|
||||
does not get cut off from etcd as well as allowing DHCP and DNS.
|
||||
[Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667,
|
||||
udp:53, udp:67]'
|
||||
description: 'FailsafeOutboundHostPorts is a list of UDP/TCP ports
|
||||
and CIDRs that Felix will allow outgoing traffic from host endpoints
|
||||
to irrespective of the security policy. This is useful to avoid
|
||||
accidentally cutting off a host with incorrect configuration. For
|
||||
back-compatibility, if the protocol is not specified, it defaults
|
||||
to "tcp". If a CIDR is not specified, it will allow traffic from
|
||||
all addresses. To disable all outbound host ports, use the value
|
||||
none. The default value opens etcd''s standard ports to ensure that
|
||||
Felix does not get cut off from etcd as well as allowing DHCP and
|
||||
DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666,
|
||||
tcp:6667, udp:53, udp:67]'
|
||||
items:
|
||||
description: ProtoPort is combination of protocol and port, both
|
||||
must be specified.
|
||||
description: ProtoPort is combination of protocol, port, and CIDR.
|
||||
Protocol and port must be specified.
|
||||
properties:
|
||||
net:
|
||||
type: string
|
||||
port:
|
||||
type: integer
|
||||
protocol:
|
||||
|
@ -3535,7 +3546,7 @@ spec:
|
|||
# It can be deleted if this is a fresh installation, or if you have already
|
||||
# upgraded to use calico-ipam.
|
||||
- name: upgrade-ipam
|
||||
image: docker.io/calico/cni:v3.18.1
|
||||
image: docker.io/calico/cni:v3.19.0
|
||||
command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
|
@ -3562,7 +3573,7 @@ spec:
|
|||
# This container installs the CNI binaries
|
||||
# and CNI network config file on each node.
|
||||
- name: install-cni
|
||||
image: docker.io/calico/cni:v3.18.1
|
||||
image: docker.io/calico/cni:v3.19.0
|
||||
command: ["/opt/cni/bin/install"]
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
|
@ -3603,7 +3614,7 @@ spec:
|
|||
# Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes
|
||||
# to communicate with Felix over the Policy Sync API.
|
||||
- name: flexvol-driver
|
||||
image: docker.io/calico/pod2daemon-flexvol:v3.18.1
|
||||
image: docker.io/calico/pod2daemon-flexvol:v3.19.0
|
||||
volumeMounts:
|
||||
- name: flexvol-driver-host
|
||||
mountPath: /host/driver
|
||||
|
@ -3614,7 +3625,7 @@ spec:
|
|||
# container programs network policy and routes on each
|
||||
# host.
|
||||
- name: calico-node
|
||||
image: docker.io/calico/node:v3.18.1
|
||||
image: docker.io/calico/node:v3.19.0
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
# Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
|
||||
|
@ -3686,9 +3697,6 @@ spec:
|
|||
# Disable IPv6 on Kubernetes.
|
||||
- name: FELIX_IPV6SUPPORT
|
||||
value: "true"
|
||||
# Set Felix logging to "info"
|
||||
- name: FELIX_LOGSEVERITYSCREEN
|
||||
value: "info"
|
||||
- name: FELIX_HEALTHENABLED
|
||||
value: "true"
|
||||
securityContext:
|
||||
|
@ -3828,18 +3836,27 @@ spec:
|
|||
priorityClassName: system-cluster-critical
|
||||
containers:
|
||||
- name: calico-kube-controllers
|
||||
image: docker.io/calico/kube-controllers:v3.18.1
|
||||
image: docker.io/calico/kube-controllers:v3.19.0
|
||||
env:
|
||||
# Choose which controllers to run.
|
||||
- name: ENABLED_CONTROLLERS
|
||||
value: node
|
||||
- name: DATASTORE_TYPE
|
||||
value: kubernetes
|
||||
livenessProbe:
|
||||
exec:
|
||||
command:
|
||||
- /usr/bin/check-status
|
||||
- -l
|
||||
periodSeconds: 10
|
||||
initialDelaySeconds: 10
|
||||
failureThreshold: 6
|
||||
readinessProbe:
|
||||
exec:
|
||||
command:
|
||||
- /usr/bin/check-status
|
||||
- -r
|
||||
periodSeconds: 10
|
||||
|
||||
---
|
||||
|
||||
|
|
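Review bot: The five `image:` lines moved to v3.19.0 (upgrade-ipam, install-cni, flexvol-driver, calico-node and calico-kube-controllers) still reference docker.io by mutable tag only, so each node pulls whatever the registry serves for that tag at pull time. Since the bump already touches every one of these lines, it would be a good moment to pin the digest too, e.g. `image: docker.io/calico/node:v3.19.0@sha256:<digest-of-the-v3.19.0-release>` (placeholder; take the value from the published release or from `docker buildx imagetools inspect`), which keeps the tag readable while making the pull content-addressed. The containers' securityContext lies outside the lines shown, but per the manifest's own comments these images install CNI binaries on each node and program routes and network policy on the host, so their provenance deserves the stricter pin.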