|
|
|
|
@@ -54,7 +54,7 @@ spec:
|
|
|
|
|
description: 'BPFEnabled, if enabled Felix will use the BPF dataplane. [Default: false]'
|
|
|
|
|
type: boolean
|
|
|
|
|
bpfEnforceRPF:
|
|
|
|
|
description: 'BPFEnforceRPF enforce strict RPF on all interfaces with BPF programs regardless of what is the per-interfaces or global setting. Possible values are Disabled or Strict. [Default: Strict]'
|
|
|
|
|
description: 'BPFEnforceRPF enforce strict RPF on all host interfaces with BPF programs regardless of what is the per-interfaces or global setting. Possible values are Disabled, Strict or Loose. [Default: Strict]'
|
|
|
|
|
type: string
|
|
|
|
|
bpfExtToServiceConnmark:
|
|
|
|
|
description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit mark that is set on connections from an external client to a local service. This mark allows us to control how packets of that connection are routed within the host and how is routing interpreted by RPF check. [Default: 0]'
|
|
|
|
|
@@ -62,6 +62,9 @@ spec:
|
|
|
|
|
bpfExternalServiceMode:
|
|
|
|
|
description: 'BPFExternalServiceMode in BPF mode, controls how connections from outside the cluster to services (node ports and cluster IPs) are forwarded to remote workloads. If set to "Tunnel" then both request and response traffic is tunneled to the remote node. If set to "DSR", the request traffic is tunneled but the response traffic is sent directly from the remote node. In "DSR" mode, the remote node appears to use the IP of the ingress node; this requires a permissive L2 network. [Default: Tunnel]'
|
|
|
|
|
type: string
|
|
|
|
|
bpfHostConntrackBypass:
|
|
|
|
|
description: 'BPFHostConntrackBypass Controls whether to bypass Linux conntrack in BPF mode for workloads and services. [Default: true - bypass Linux conntrack]'
|
|
|
|
|
type: boolean
|
|
|
|
|
bpfKubeProxyEndpointSlicesEnabled:
|
|
|
|
|
description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls whether Felix's embedded kube-proxy accepts EndpointSlices or not.
|
|
|
|
|
type: boolean
|
|
|
|
|
@@ -71,6 +74,9 @@ spec:
|
|
|
|
|
bpfKubeProxyMinSyncPeriod:
|
|
|
|
|
description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the minimum time between updates to the dataplane for Felix''s embedded kube-proxy. Lower values give reduced set-up latency. Higher values reduce Felix CPU usage by batching up more work. [Default: 1s]'
|
|
|
|
|
type: string
|
|
|
|
|
bpfL3IfacePattern:
|
|
|
|
|
description: BPFL3IfacePattern is a regular expression that allows to list tunnel devices like wireguard or vxlan (i.e., L3 devices) in addition to BPFDataIfacePattern. That is, tunnel interfaces not created by Calico, that Calico workload traffic flows over as well as any interfaces that handle incoming traffic to nodeports and services from outside the cluster.
|
|
|
|
|
type: string
|
|
|
|
|
bpfLogLevel:
|
|
|
|
|
description: 'BPFLogLevel controls the log level of the BPF programs when in BPF dataplane mode. One of "Off", "Info", or "Debug". The logs are emitted to the BPF trace pipe, accessible with the command `tc exec bpf debug`. [Default: Off].'
|
|
|
|
|
type: string
|
|
|
|
|
@@ -111,7 +117,7 @@ spec:
|
|
|
|
|
description: DataplaneDriver filename of the external dataplane driver to use. Only used if UseInternalDataplaneDriver is set to false.
|
|
|
|
|
type: string
|
|
|
|
|
dataplaneWatchdogTimeout:
|
|
|
|
|
description: 'DataplaneWatchdogTimeout is the readiness/liveness timeout used for Felix''s (internal) dataplane driver. Increase this value if you experience spurious non-ready or non-live events when Felix is under heavy load. Decrease the value to get felix to report non-live or non-ready more quickly. [Default: 90s]'
|
|
|
|
|
description: "DataplaneWatchdogTimeout is the readiness/liveness timeout used for Felix's (internal) dataplane driver. Increase this value if you experience spurious non-ready or non-live events when Felix is under heavy load. Decrease the value to get felix to report non-live or non-ready more quickly. [Default: 90s] \n Deprecated: replaced by the generic HealthTimeoutOverrides."
|
|
|
|
|
type: string
|
|
|
|
|
debugDisableLogDropping:
|
|
|
|
|
type: boolean
|
|
|
|
|
@@ -177,10 +183,13 @@ spec:
|
|
|
|
|
type: object
|
|
|
|
|
type: array
|
|
|
|
|
featureDetectOverride:
|
|
|
|
|
description: FeatureDetectOverride is used to override the feature detection. Values are specified in a comma separated list with no spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". "true" or "false" will force the feature, empty or omitted values are auto-detected.
|
|
|
|
|
description: FeatureDetectOverride is used to override feature detection based on auto-detected platform capabilities. Values are specified in a comma separated list with no spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". "true" or "false" will force the feature, empty or omitted values are auto-detected.
|
|
|
|
|
type: string
|
|
|
|
|
featureGates:
|
|
|
|
|
description: FeatureGates is used to enable or disable tech-preview Calico features. Values are specified in a comma separated list with no spaces, example; "BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false". This is used to enable features that are not fully production ready.
|
|
|
|
|
type: string
|
|
|
|
|
floatingIPs:
|
|
|
|
|
description: FloatingIPs configures whether or not Felix will program floating IP addresses.
|
|
|
|
|
description: FloatingIPs configures whether or not Felix will program non-OpenStack floating IP addresses. (OpenStack-derived floating IPs are always programmed, regardless of this setting.)
|
|
|
|
|
enum:
|
|
|
|
|
- Enabled
|
|
|
|
|
- Disabled
|
|
|
|
|
@@ -194,6 +203,19 @@ spec:
|
|
|
|
|
type: string
|
|
|
|
|
healthPort:
|
|
|
|
|
type: integer
|
|
|
|
|
healthTimeoutOverrides:
|
|
|
|
|
description: HealthTimeoutOverrides allows the internal watchdog timeouts of individual subcomponents to be overriden. This is useful for working around "false positive" liveness timeouts that can occur in particularly stressful workloads or if CPU is constrained. For a list of active subcomponents, see Felix's logs.
|
|
|
|
|
items:
|
|
|
|
|
properties:
|
|
|
|
|
name:
|
|
|
|
|
type: string
|
|
|
|
|
timeout:
|
|
|
|
|
type: string
|
|
|
|
|
required:
|
|
|
|
|
- name
|
|
|
|
|
- timeout
|
|
|
|
|
type: object
|
|
|
|
|
type: array
|
|
|
|
|
interfaceExclude:
|
|
|
|
|
description: 'InterfaceExclude is a comma-separated list of interfaces that Felix should exclude when monitoring for host endpoints. The default value ensures that Felix ignores Kubernetes'' IPVS dummy interface, which is used internally by kube-proxy. If you want to exclude multiple interface names using a single value, the list supports regular expressions. For regular expressions you must wrap the value with ''/''. For example having values ''/^kube/,veth1'' will exclude all interfaces that begin with ''kube'' and also the interface ''veth1''. [Default: kube-ipvs0]'
|
|
|
|
|
type: string
|
|
|
|
|
@@ -213,7 +235,7 @@ spec:
|
|
|
|
|
description: 'IpsetsRefreshInterval is the period at which Felix re-checks all iptables state to ensure that no other process has accidentally broken Calico''s rules. Set to 0 to disable iptables refresh. [Default: 90s]'
|
|
|
|
|
type: string
|
|
|
|
|
iptablesBackend:
|
|
|
|
|
description: IptablesBackend specifies which backend of iptables will be used. The default is legacy.
|
|
|
|
|
description: IptablesBackend specifies which backend of iptables will be used. The default is Auto.
|
|
|
|
|
type: string
|
|
|
|
|
iptablesFilterAllowAction:
|
|
|
|
|
type: string
|
|
|
|
|
@@ -378,7 +400,7 @@ spec:
|
|
|
|
|
description: UseInternalDataplaneDriver, if true, Felix will use its internal dataplane programming logic. If false, it will launch an external dataplane driver and communicate with it over protobuf.
|
|
|
|
|
type: boolean
|
|
|
|
|
vxlanEnabled:
|
|
|
|
|
description: 'VXLANEnabled overrides whether Felix should create the VXLAN tunnel device for VXLAN networking. Optional as Felix determines this based on the existing IP pools. [Default: nil (unset)]'
|
|
|
|
|
description: 'VXLANEnabled overrides whether Felix should create the VXLAN tunnel device for IPv4 VXLAN networking. Optional as Felix determines this based on the existing IP pools. [Default: nil (unset)]'
|
|
|
|
|
type: boolean
|
|
|
|
|
vxlanMTU:
|
|
|
|
|
description: 'VXLANMTU is the MTU to set on the IPv4 VXLAN tunnel device. See Configuring MTU [Default: 1410]'
|
|
|
|
|
|
Dalton Hubble