Merge branch 'master' of code.ungleich.ch:ungleich-public/ungleich-k8s

This commit is contained in:
Nico Schottelius 2021-08-04 15:03:55 +02:00
commit c96851587b
3 changed files with 339 additions and 95 deletions

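--- a/k8s/p6/calico-bgp.yaml
+++ b/k8s/p6/calico-bgp.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: projectcalico.org/v3
+kind: BGPConfiguration
+metadata:
+name: default
+spec:
+logSeverityScreen: Info
+nodeToNodeMeshEnabled: true
+asNumber: 65534
+serviceClusterIPs:
+- cidr: 2a0a:e5c0:2:14::/108
+serviceExternalIPs:
+- cidr: 2a0a:e5c0:2:14::/108
+---
+apiVersion: projectcalico.org/v3
+kind: BGPPeer
+metadata:
+name: apu-router1-place6
+spec:
+peerIP: 2a0a:e5c0:2:1::43
+asNumber: 207996
+---
+apiVersion: projectcalico.org/v3
+kind: BGPPeer
+metadata:
+name: apu-router2-place6
+spec:
+peerIP: 2a0a:e5c0:2:1::44
+asNumber: 207996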
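Review bot: Both BGPPeer objects (`apu-router1-place6` at `2a0a:e5c0:2:1::43` and `apu-router2-place6` at `2a0a:e5c0:2:1::44`) carry only `peerIP` and `asNumber`, so every node's session to AS 207996 is a global peering (no `node`/`nodeSelector`) with no session authentication. If the installed Calico release supports it, reference a per-peer TCP-MD5 secret via `password:` with a `secretKeyRef:` and configure the same key on the routers, so that only the intended peers can inject routes for the pod and service ranges. Separately, `serviceClusterIPs` and `serviceExternalIPs` both advertise `2a0a:e5c0:2:14::/108`, the same range as the kubeadm `serviceSubnet`; `serviceExternalIPs` is meant for Service `externalIPs` ranges, so the duplicate looks like a copy-paste and should either be dropped or get a comment stating the intent. The rendered view has lost the YAML indentation, so the nesting under `metadata:` and `spec:` needs to be confirmed in the file itself.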

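--- a/k8s/p6/kubeadm.yaml
+++ b/k8s/p6/kubeadm.yaml
@@ -0,0 +1,13 @@
+# kubeadm-config.yaml
+kind: ClusterConfiguration
+apiVersion: kubeadm.k8s.io/v1beta2
+kubernetesVersion: v1.21.2
+networking:
+dnsDomain: p6.k8s.ooo
+podSubnet: 2a0a:e5c0:2:13::/64
+serviceSubnet: 2a0a:e5c0:2:14::/108
+controlPlaneEndpoint: "p6-api.k8s.ooo:6443"
+---
+kind: KubeletConfiguration
+apiVersion: kubelet.config.k8s.io/v1beta1
+cgroupDriver: cgroupfs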
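Review bot: `cgroupDriver: cgroupfs` in the KubeletConfiguration must match the cgroup driver of the container runtime on the nodes; kubeadm for the `v1.21.2` named here defaults to `systemd` when the field is unset, so this is an explicit opt-out and, on systemd hosts, leaves two cgroup managers competing, which tends to surface as node instability under resource pressure. If the runtime really runs with cgroupfs, keep the value and add `# must match the container runtime's cgroup driver (cgroupfs on these nodes)` above it; otherwise switch to `cgroupDriver: systemd`. The header comment `# kubeadm-config.yaml` names a different file than `k8s/p6/kubeadm.yaml` and should be renamed or dropped. The rendered view has lost the indentation under `networking:`, so confirm in the file that `dnsDomain`, `podSubnet` and `serviceSubnet` are nested beneath it rather than top-level keys.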


@ -32,9 +32,9 @@ data:
"nodename": "__KUBERNETES_NODE_NAME__", "nodename": "__KUBERNETES_NODE_NAME__",
"mtu": __CNI_MTU__, "mtu": __CNI_MTU__,
"ipam": { "ipam": {
"type": "calico-ipam",
"assign_ipv4": "false", "assign_ipv4": "false",
"assign_ipv6": "true" "assign_ipv6": true",
"type": "calico-ipam"
}, },
"policy": { "policy": {
"type": "k8s" "type": "k8s"
@ -243,6 +243,11 @@ spec:
Peers node to use the "next hop keep;" instead of "next hop self;"(default) Peers node to use the "next hop keep;" instead of "next hop self;"(default)
in the specific branch of the Node on "bird.cfg". in the specific branch of the Node on "bird.cfg".
type: boolean type: boolean
maxRestartTime:
description: Time to allow for software restart. When specified, this
is configured as the graceful restart timeout. When not specified,
the BIRD default of 120s is used.
type: string
node: node:
description: The node name identifying the Calico node instance that description: The node name identifying the Calico node instance that
is targeted by this peer. If this is not set, and no nodeSelector is targeted by this peer. If this is not set, and no nodeSelector
@ -513,13 +518,6 @@ spec:
description: 'BPFEnabled, if enabled Felix will use the BPF dataplane. description: 'BPFEnabled, if enabled Felix will use the BPF dataplane.
[Default: false]' [Default: false]'
type: boolean type: boolean
bpfExtToServiceConnmark:
description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit
mark that is set on connections from an external client to a local
service. This mark allows us to control how packets of that connection
are routed within the host and how is routing intepreted by RPF
check. [Default: 0]'
type: integer
bpfExternalServiceMode: bpfExternalServiceMode:
description: 'BPFExternalServiceMode in BPF mode, controls how connections description: 'BPFExternalServiceMode in BPF mode, controls how connections
from outside the cluster to services (node ports and cluster IPs) from outside the cluster to services (node ports and cluster IPs)
@ -530,6 +528,14 @@ spec:
node appears to use the IP of the ingress node; this requires a node appears to use the IP of the ingress node; this requires a
permissive L2 network. [Default: Tunnel]' permissive L2 network. [Default: Tunnel]'
type: string type: string
bpfExtToServiceConnmark:
description: 'BPFExtToServiceConnmark in BPF mode, controls a
32bit mark that is set on connections from an external client to
a local service. This mark allows us to control how packets of
that connection are routed within the host and how is routing
intepreted by RPF check. [Default: 0]'
type: integer
bpfKubeProxyEndpointSlicesEnabled: bpfKubeProxyEndpointSlicesEnabled:
description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls
whether Felix's embedded kube-proxy accepts EndpointSlices or not. whether Felix's embedded kube-proxy accepts EndpointSlices or not.
@ -1063,16 +1069,17 @@ spec:
contains a selector expression. Only traffic that originates contains a selector expression. Only traffic that originates
from (or terminates at) endpoints within the selected from (or terminates at) endpoints within the selected
namespaces will be matched. When both NamespaceSelector namespaces will be matched. When both NamespaceSelector
and Selector are defined on the same rule, then only workload and another selector are defined on the same rule, then
endpoints that are matched by both selectors will be selected only workload endpoints that are matched by both selectors
by the rule. \n For NetworkPolicy, an empty NamespaceSelector will be selected by the rule. \n For NetworkPolicy, an
implies that the Selector is limited to selecting only empty NamespaceSelector implies that the Selector is limited
workload endpoints in the same namespace as the NetworkPolicy. to selecting only workload endpoints in the same namespace
\n For NetworkPolicy, `global()` NamespaceSelector implies as the NetworkPolicy. \n For NetworkPolicy, `global()`
that the Selector is limited to selecting only GlobalNetworkSet NamespaceSelector implies that the Selector is limited
or HostEndpoint. \n For GlobalNetworkPolicy, an empty to selecting only GlobalNetworkSet or HostEndpoint. \n
NamespaceSelector implies the Selector applies to workload For GlobalNetworkPolicy, an empty NamespaceSelector implies
endpoints across all namespaces." the Selector applies to workload endpoints across all
namespaces."
type: string type: string
nets: nets:
description: Nets is an optional field that restricts the description: Nets is an optional field that restricts the
@ -1160,6 +1167,26 @@ spec:
AND'ed. AND'ed.
type: string type: string
type: object type: object
services:
description: "Services is an optional field that contains
options for matching Kubernetes Services. If specified,
only traffic that originates from or terminates at endpoints
within the selected service(s) will be matched, and only
to/from each endpoint's port. \n Services cannot be specified
on the same rule as Selector, NotSelector, NamespaceSelector,
Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n
Only valid on egress rules."
properties:
name:
description: Name specifies the name of a Kubernetes
Service to match.
type: string
namespace:
description: Namespace specifies the namespace of the
given Service. If left empty, the rule will match
within this policy's namespace.
type: string
type: object
type: object type: object
http: http:
description: HTTP contains match criteria that apply to HTTP description: HTTP contains match criteria that apply to HTTP
@ -1268,16 +1295,17 @@ spec:
contains a selector expression. Only traffic that originates contains a selector expression. Only traffic that originates
from (or terminates at) endpoints within the selected from (or terminates at) endpoints within the selected
namespaces will be matched. When both NamespaceSelector namespaces will be matched. When both NamespaceSelector
and Selector are defined on the same rule, then only workload and another selector are defined on the same rule, then
endpoints that are matched by both selectors will be selected only workload endpoints that are matched by both selectors
by the rule. \n For NetworkPolicy, an empty NamespaceSelector will be selected by the rule. \n For NetworkPolicy, an
implies that the Selector is limited to selecting only empty NamespaceSelector implies that the Selector is limited
workload endpoints in the same namespace as the NetworkPolicy. to selecting only workload endpoints in the same namespace
\n For NetworkPolicy, `global()` NamespaceSelector implies as the NetworkPolicy. \n For NetworkPolicy, `global()`
that the Selector is limited to selecting only GlobalNetworkSet NamespaceSelector implies that the Selector is limited
or HostEndpoint. \n For GlobalNetworkPolicy, an empty to selecting only GlobalNetworkSet or HostEndpoint. \n
NamespaceSelector implies the Selector applies to workload For GlobalNetworkPolicy, an empty NamespaceSelector implies
endpoints across all namespaces." the Selector applies to workload endpoints across all
namespaces."
type: string type: string
nets: nets:
description: Nets is an optional field that restricts the description: Nets is an optional field that restricts the
@ -1365,6 +1393,26 @@ spec:
AND'ed. AND'ed.
type: string type: string
type: object type: object
services:
description: "Services is an optional field that contains
options for matching Kubernetes Services. If specified,
only traffic that originates from or terminates at endpoints
within the selected service(s) will be matched, and only
to/from each endpoint's port. \n Services cannot be specified
on the same rule as Selector, NotSelector, NamespaceSelector,
Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n
Only valid on egress rules."
properties:
name:
description: Name specifies the name of a Kubernetes
Service to match.
type: string
namespace:
description: Namespace specifies the namespace of the
given Service. If left empty, the rule will match
within this policy's namespace.
type: string
type: object
type: object type: object
required: required:
- action - action
@ -1394,16 +1442,17 @@ spec:
contains a selector expression. Only traffic that originates contains a selector expression. Only traffic that originates
from (or terminates at) endpoints within the selected from (or terminates at) endpoints within the selected
namespaces will be matched. When both NamespaceSelector namespaces will be matched. When both NamespaceSelector
and Selector are defined on the same rule, then only workload and another selector are defined on the same rule, then
endpoints that are matched by both selectors will be selected only workload endpoints that are matched by both selectors
by the rule. \n For NetworkPolicy, an empty NamespaceSelector will be selected by the rule. \n For NetworkPolicy, an
implies that the Selector is limited to selecting only empty NamespaceSelector implies that the Selector is limited
workload endpoints in the same namespace as the NetworkPolicy. to selecting only workload endpoints in the same namespace
\n For NetworkPolicy, `global()` NamespaceSelector implies as the NetworkPolicy. \n For NetworkPolicy, `global()`
that the Selector is limited to selecting only GlobalNetworkSet NamespaceSelector implies that the Selector is limited
or HostEndpoint. \n For GlobalNetworkPolicy, an empty to selecting only GlobalNetworkSet or HostEndpoint. \n
NamespaceSelector implies the Selector applies to workload For GlobalNetworkPolicy, an empty NamespaceSelector implies
endpoints across all namespaces." the Selector applies to workload endpoints across all
namespaces."
type: string type: string
nets: nets:
description: Nets is an optional field that restricts the description: Nets is an optional field that restricts the
@ -1491,6 +1540,26 @@ spec:
AND'ed. AND'ed.
type: string type: string
type: object type: object
services:
description: "Services is an optional field that contains
options for matching Kubernetes Services. If specified,
only traffic that originates from or terminates at endpoints
within the selected service(s) will be matched, and only
to/from each endpoint's port. \n Services cannot be specified
on the same rule as Selector, NotSelector, NamespaceSelector,
Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n
Only valid on egress rules."
properties:
name:
description: Name specifies the name of a Kubernetes
Service to match.
type: string
namespace:
description: Namespace specifies the namespace of the
given Service. If left empty, the rule will match
within this policy's namespace.
type: string
type: object
type: object type: object
http: http:
description: HTTP contains match criteria that apply to HTTP description: HTTP contains match criteria that apply to HTTP
@ -1599,16 +1668,17 @@ spec:
contains a selector expression. Only traffic that originates contains a selector expression. Only traffic that originates
from (or terminates at) endpoints within the selected from (or terminates at) endpoints within the selected
namespaces will be matched. When both NamespaceSelector namespaces will be matched. When both NamespaceSelector
and Selector are defined on the same rule, then only workload and another selector are defined on the same rule, then
endpoints that are matched by both selectors will be selected only workload endpoints that are matched by both selectors
by the rule. \n For NetworkPolicy, an empty NamespaceSelector will be selected by the rule. \n For NetworkPolicy, an
implies that the Selector is limited to selecting only empty NamespaceSelector implies that the Selector is limited
workload endpoints in the same namespace as the NetworkPolicy. to selecting only workload endpoints in the same namespace
\n For NetworkPolicy, `global()` NamespaceSelector implies as the NetworkPolicy. \n For NetworkPolicy, `global()`
that the Selector is limited to selecting only GlobalNetworkSet NamespaceSelector implies that the Selector is limited
or HostEndpoint. \n For GlobalNetworkPolicy, an empty to selecting only GlobalNetworkSet or HostEndpoint. \n
NamespaceSelector implies the Selector applies to workload For GlobalNetworkPolicy, an empty NamespaceSelector implies
endpoints across all namespaces." the Selector applies to workload endpoints across all
namespaces."
type: string type: string
nets: nets:
description: Nets is an optional field that restricts the description: Nets is an optional field that restricts the
@ -1696,6 +1766,26 @@ spec:
AND'ed. AND'ed.
type: string type: string
type: object type: object
services:
description: "Services is an optional field that contains
options for matching Kubernetes Services. If specified,
only traffic that originates from or terminates at endpoints
within the selected service(s) will be matched, and only
to/from each endpoint's port. \n Services cannot be specified
on the same rule as Selector, NotSelector, NamespaceSelector,
Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n
Only valid on egress rules."
properties:
name:
description: Name specifies the name of a Kubernetes
Service to match.
type: string
namespace:
description: Namespace specifies the namespace of the
given Service. If left empty, the rule will match
within this policy's namespace.
type: string
type: object
type: object type: object
required: required:
- action - action
@ -2280,6 +2370,11 @@ spec:
host endpoints for every node. [Default: Disabled]' host endpoints for every node. [Default: Disabled]'
type: string type: string
type: object type: object
leakGracePeriod:
description: 'LeakGracePeriod is the period used by the controller
to determine if an IP address has been leaked. Set to 0
to disable IP garbage collection. [Default: 15m]'
type: string
reconcilerPeriod: reconcilerPeriod:
description: 'ReconcilerPeriod is the period to perform reconciliation description: 'ReconcilerPeriod is the period to perform reconciliation
with the Calico datastore. [Default: 5m]' with the Calico datastore. [Default: 5m]'
@ -2380,6 +2475,12 @@ spec:
of host endpoints for every node. [Default: Disabled]' of host endpoints for every node. [Default: Disabled]'
type: string type: string
type: object type: object
leakGracePeriod:
description: 'LeakGracePeriod is the period used by the
controller to determine if an IP address has been leaked.
Set to 0 to disable IP garbage collection. [Default:
15m]'
type: string
reconcilerPeriod: reconcilerPeriod:
description: 'ReconcilerPeriod is the period to perform description: 'ReconcilerPeriod is the period to perform
reconciliation with the Calico datastore. [Default: reconciliation with the Calico datastore. [Default:
@ -2508,16 +2609,17 @@ spec:
contains a selector expression. Only traffic that originates contains a selector expression. Only traffic that originates
from (or terminates at) endpoints within the selected from (or terminates at) endpoints within the selected
namespaces will be matched. When both NamespaceSelector namespaces will be matched. When both NamespaceSelector
and Selector are defined on the same rule, then only workload and another selector are defined on the same rule, then
endpoints that are matched by both selectors will be selected only workload endpoints that are matched by both selectors
by the rule. \n For NetworkPolicy, an empty NamespaceSelector will be selected by the rule. \n For NetworkPolicy, an
implies that the Selector is limited to selecting only empty NamespaceSelector implies that the Selector is limited
workload endpoints in the same namespace as the NetworkPolicy. to selecting only workload endpoints in the same namespace
\n For NetworkPolicy, `global()` NamespaceSelector implies as the NetworkPolicy. \n For NetworkPolicy, `global()`
that the Selector is limited to selecting only GlobalNetworkSet NamespaceSelector implies that the Selector is limited
or HostEndpoint. \n For GlobalNetworkPolicy, an empty to selecting only GlobalNetworkSet or HostEndpoint. \n
NamespaceSelector implies the Selector applies to workload For GlobalNetworkPolicy, an empty NamespaceSelector implies
endpoints across all namespaces." the Selector applies to workload endpoints across all
namespaces."
type: string type: string
nets: nets:
description: Nets is an optional field that restricts the description: Nets is an optional field that restricts the
@ -2605,6 +2707,26 @@ spec:
AND'ed. AND'ed.
type: string type: string
type: object type: object
services:
description: "Services is an optional field that contains
options for matching Kubernetes Services. If specified,
only traffic that originates from or terminates at endpoints
within the selected service(s) will be matched, and only
to/from each endpoint's port. \n Services cannot be specified
on the same rule as Selector, NotSelector, NamespaceSelector,
Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n
Only valid on egress rules."
properties:
name:
description: Name specifies the name of a Kubernetes
Service to match.
type: string
namespace:
description: Namespace specifies the namespace of the
given Service. If left empty, the rule will match
within this policy's namespace.
type: string
type: object
type: object type: object
http: http:
description: HTTP contains match criteria that apply to HTTP description: HTTP contains match criteria that apply to HTTP
@ -2713,16 +2835,17 @@ spec:
contains a selector expression. Only traffic that originates contains a selector expression. Only traffic that originates
from (or terminates at) endpoints within the selected from (or terminates at) endpoints within the selected
namespaces will be matched. When both NamespaceSelector namespaces will be matched. When both NamespaceSelector
and Selector are defined on the same rule, then only workload and another selector are defined on the same rule, then
endpoints that are matched by both selectors will be selected only workload endpoints that are matched by both selectors
by the rule. \n For NetworkPolicy, an empty NamespaceSelector will be selected by the rule. \n For NetworkPolicy, an
implies that the Selector is limited to selecting only empty NamespaceSelector implies that the Selector is limited
workload endpoints in the same namespace as the NetworkPolicy. to selecting only workload endpoints in the same namespace
\n For NetworkPolicy, `global()` NamespaceSelector implies as the NetworkPolicy. \n For NetworkPolicy, `global()`
that the Selector is limited to selecting only GlobalNetworkSet NamespaceSelector implies that the Selector is limited
or HostEndpoint. \n For GlobalNetworkPolicy, an empty to selecting only GlobalNetworkSet or HostEndpoint. \n
NamespaceSelector implies the Selector applies to workload For GlobalNetworkPolicy, an empty NamespaceSelector implies
endpoints across all namespaces." the Selector applies to workload endpoints across all
namespaces."
type: string type: string
nets: nets:
description: Nets is an optional field that restricts the description: Nets is an optional field that restricts the
@ -2810,6 +2933,26 @@ spec:
AND'ed. AND'ed.
type: string type: string
type: object type: object
services:
description: "Services is an optional field that contains
options for matching Kubernetes Services. If specified,
only traffic that originates from or terminates at endpoints
within the selected service(s) will be matched, and only
to/from each endpoint's port. \n Services cannot be specified
on the same rule as Selector, NotSelector, NamespaceSelector,
Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n
Only valid on egress rules."
properties:
name:
description: Name specifies the name of a Kubernetes
Service to match.
type: string
namespace:
description: Namespace specifies the namespace of the
given Service. If left empty, the rule will match
within this policy's namespace.
type: string
type: object
type: object type: object
required: required:
- action - action
@ -2839,16 +2982,17 @@ spec:
contains a selector expression. Only traffic that originates contains a selector expression. Only traffic that originates
from (or terminates at) endpoints within the selected from (or terminates at) endpoints within the selected
namespaces will be matched. When both NamespaceSelector namespaces will be matched. When both NamespaceSelector
and Selector are defined on the same rule, then only workload and another selector are defined on the same rule, then
endpoints that are matched by both selectors will be selected only workload endpoints that are matched by both selectors
by the rule. \n For NetworkPolicy, an empty NamespaceSelector will be selected by the rule. \n For NetworkPolicy, an
implies that the Selector is limited to selecting only empty NamespaceSelector implies that the Selector is limited
workload endpoints in the same namespace as the NetworkPolicy. to selecting only workload endpoints in the same namespace
\n For NetworkPolicy, `global()` NamespaceSelector implies as the NetworkPolicy. \n For NetworkPolicy, `global()`
that the Selector is limited to selecting only GlobalNetworkSet NamespaceSelector implies that the Selector is limited
or HostEndpoint. \n For GlobalNetworkPolicy, an empty to selecting only GlobalNetworkSet or HostEndpoint. \n
NamespaceSelector implies the Selector applies to workload For GlobalNetworkPolicy, an empty NamespaceSelector implies
endpoints across all namespaces." the Selector applies to workload endpoints across all
namespaces."
type: string type: string
nets: nets:
description: Nets is an optional field that restricts the description: Nets is an optional field that restricts the
@ -2936,6 +3080,26 @@ spec:
AND'ed. AND'ed.
type: string type: string
type: object type: object
services:
description: "Services is an optional field that contains
options for matching Kubernetes Services. If specified,
only traffic that originates from or terminates at endpoints
within the selected service(s) will be matched, and only
to/from each endpoint's port. \n Services cannot be specified
on the same rule as Selector, NotSelector, NamespaceSelector,
Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n
Only valid on egress rules."
properties:
name:
description: Name specifies the name of a Kubernetes
Service to match.
type: string
namespace:
description: Namespace specifies the namespace of the
given Service. If left empty, the rule will match
within this policy's namespace.
type: string
type: object
type: object type: object
http: http:
description: HTTP contains match criteria that apply to HTTP description: HTTP contains match criteria that apply to HTTP
@ -3044,16 +3208,17 @@ spec:
contains a selector expression. Only traffic that originates contains a selector expression. Only traffic that originates
from (or terminates at) endpoints within the selected from (or terminates at) endpoints within the selected
namespaces will be matched. When both NamespaceSelector namespaces will be matched. When both NamespaceSelector
and Selector are defined on the same rule, then only workload and another selector are defined on the same rule, then
endpoints that are matched by both selectors will be selected only workload endpoints that are matched by both selectors
by the rule. \n For NetworkPolicy, an empty NamespaceSelector will be selected by the rule. \n For NetworkPolicy, an
implies that the Selector is limited to selecting only empty NamespaceSelector implies that the Selector is limited
workload endpoints in the same namespace as the NetworkPolicy. to selecting only workload endpoints in the same namespace
\n For NetworkPolicy, `global()` NamespaceSelector implies as the NetworkPolicy. \n For NetworkPolicy, `global()`
that the Selector is limited to selecting only GlobalNetworkSet NamespaceSelector implies that the Selector is limited
or HostEndpoint. \n For GlobalNetworkPolicy, an empty to selecting only GlobalNetworkSet or HostEndpoint. \n
NamespaceSelector implies the Selector applies to workload For GlobalNetworkPolicy, an empty NamespaceSelector implies
endpoints across all namespaces." the Selector applies to workload endpoints across all
namespaces."
type: string type: string
nets: nets:
description: Nets is an optional field that restricts the description: Nets is an optional field that restricts the
@ -3141,6 +3306,26 @@ spec:
AND'ed. AND'ed.
type: string type: string
type: object type: object
services:
description: "Services is an optional field that contains
options for matching Kubernetes Services. If specified,
only traffic that originates from or terminates at endpoints
within the selected service(s) will be matched, and only
to/from each endpoint's port. \n Services cannot be specified
on the same rule as Selector, NotSelector, NamespaceSelector,
Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n
Only valid on egress rules."
properties:
name:
description: Name specifies the name of a Kubernetes
Service to match.
type: string
namespace:
description: Namespace specifies the namespace of the
given Service. If left empty, the rule will match
within this policy's namespace.
type: string
type: object
type: object type: object
required: required:
- action - action
@ -3274,12 +3459,14 @@ rules:
- watch - watch
- list - list
- get - get
# Pods are queried to check for existence. # Pods are watched to check for existence as part of IPAM controller.
- apiGroups: [""] - apiGroups: [""]
resources: resources:
- pods - pods
verbs: verbs:
- get - get
- list
- watch
# IPAM resources are manipulated when nodes are deleted. # IPAM resources are manipulated when nodes are deleted.
- apiGroups: ["crd.projectcalico.org"] - apiGroups: ["crd.projectcalico.org"]
resources: resources:
@ -3361,6 +3548,14 @@ rules:
- namespaces - namespaces
verbs: verbs:
- get - get
# EndpointSlices are used for Service-based network policy rule
# enforcement.
- apiGroups: ["discovery.k8s.io"]
resources:
- endpointslices
verbs:
- watch
- list
- apiGroups: [""] - apiGroups: [""]
resources: resources:
- endpoints - endpoints
@ -3546,7 +3741,7 @@ spec:
# It can be deleted if this is a fresh installation, or if you have already # It can be deleted if this is a fresh installation, or if you have already
# upgraded to use calico-ipam. # upgraded to use calico-ipam.
- name: upgrade-ipam - name: upgrade-ipam
image: docker.io/calico/cni:v3.19.0 image: docker.io/calico/cni:v3.20.0
command: ["/opt/cni/bin/calico-ipam", "-upgrade"] command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
envFrom: envFrom:
- configMapRef: - configMapRef:
@ -3573,7 +3768,7 @@ spec:
# This container installs the CNI binaries # This container installs the CNI binaries
# and CNI network config file on each node. # and CNI network config file on each node.
- name: install-cni - name: install-cni
image: docker.io/calico/cni:v3.19.0 image: docker.io/calico/cni:v3.20.0
command: ["/opt/cni/bin/install"] command: ["/opt/cni/bin/install"]
envFrom: envFrom:
- configMapRef: - configMapRef:
@ -3614,7 +3809,7 @@ spec:
# Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes
# to communicate with Felix over the Policy Sync API. # to communicate with Felix over the Policy Sync API.
- name: flexvol-driver - name: flexvol-driver
image: docker.io/calico/pod2daemon-flexvol:v3.19.0 image: docker.io/calico/pod2daemon-flexvol:v3.20.0
volumeMounts: volumeMounts:
- name: flexvol-driver-host - name: flexvol-driver-host
mountPath: /host/driver mountPath: /host/driver
@ -3625,7 +3820,7 @@ spec:
# container programs network policy and routes on each # container programs network policy and routes on each
# host. # host.
- name: calico-node - name: calico-node
image: docker.io/calico/node:v3.19.0 image: docker.io/calico/node:v3.20.0
envFrom: envFrom:
- configMapRef: - configMapRef:
# Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
@ -3713,6 +3908,7 @@ spec:
periodSeconds: 10 periodSeconds: 10
initialDelaySeconds: 10 initialDelaySeconds: 10
failureThreshold: 6 failureThreshold: 6
timeoutSeconds: 10
readinessProbe: readinessProbe:
exec: exec:
command: command:
@ -3720,7 +3916,12 @@ spec:
- -felix-ready - -felix-ready
- -bird-ready - -bird-ready
periodSeconds: 10 periodSeconds: 10
timeoutSeconds: 10
volumeMounts: volumeMounts:
# For maintaining CNI plugin API credentials.
- mountPath: /host/etc/cni/net.d
name: cni-net-dir
readOnly: false
- mountPath: /lib/modules - mountPath: /lib/modules
name: lib-modules name: lib-modules
readOnly: true readOnly: true
@ -3836,7 +4037,7 @@ spec:
priorityClassName: system-cluster-critical priorityClassName: system-cluster-critical
containers: containers:
- name: calico-kube-controllers - name: calico-kube-controllers
image: docker.io/calico/kube-controllers:v3.19.0 image: docker.io/calico/kube-controllers:v3.20.0
env: env:
# Choose which controllers to run. # Choose which controllers to run.
- name: ENABLED_CONTROLLERS - name: ENABLED_CONTROLLERS
@ -3851,6 +4052,7 @@ spec:
periodSeconds: 10 periodSeconds: 10
initialDelaySeconds: 10 initialDelaySeconds: 10
failureThreshold: 6 failureThreshold: 6
timeoutSeconds: 10
readinessProbe: readinessProbe:
exec: exec:
command: command:
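Review bot: In the first hunk of this file (`@@ -32,9 +32,9 @@ data:`, the `cni_network_config` JSON held in the ConfigMap) the new `ipam` block, as rendered, ends with `"assign_ipv6": true",` — an unmatched quote and a trailing comma before `},` — where the old side had `"assign_ipv6": "true"`. That JSON is copied to the node as the CNI configuration by the install-cni init container, so a syntax error there is not caught at apply time but shows up as pods on the node failing to get networking; the line should read `"assign_ipv6": "true"` with no trailing comma, and the value is worth checking in the file since the rendering may have dropped a character (the enclosing JSON object starts and ends outside the hunk, and this section's header carries no filename). The remaining hunks track the upstream Calico v3.20.0 manifest (CRD fields, the added `pods` list/watch and `endpointslices` RBAC, `timeoutSeconds` on the probes, and the writable `/host/etc/cni/net.d` mount on calico-node) and need nothing beyond confirming they were taken from the matching upstream release. Running the ConfigMap value through a JSON parser before apply would catch this class of error in future edits.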