28 changes: 28 additions & 0 deletions pkg/imports/admission/calico/protect-builtin-tiers.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
---
# ValidatingAdmissionPolicy that prevents deletion of the built-in Calico tiers
# (default, kube-admin, kube-baseline). These tiers are required for correct
# operation and should never be deleted.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
name: protect-builtin-tiers.projectcalico.org
spec:
failurePolicy: Fail
matchConstraints:
resourceRules:
- apiGroups: ["projectcalico.org"]
apiVersions: ["v3"]
resources: ["tiers"]
operations: ["DELETE"]
validations:
- expression: "!(oldObject.metadata.name in ['default', 'kube-admin', 'kube-baseline'])"
messageExpression: "'The built-in tier ' + oldObject.metadata.name + ' cannot be deleted'"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
name: protect-builtin-tiers.projectcalico.org
spec:
policyName: protect-builtin-tiers.projectcalico.org
validationActions:
- Deny
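Review bot: the `matchConstraints` only cover tiers in the `projectcalico.org/v3` group, so if the same objects are also reachable through a backing CRD in another API group, a delete issued against that group would bypass this guard; either add a second `resourceRules` entry for that group or note in the header comment that the backing CRDs are expected to be access-restricted by RBAC. `failurePolicy: Fail` is the right choice for a protective policy, and the binding needing no `matchResources` is fine because tiers are cluster-scoped. The `messageExpression` already names the tier, which will make denied deletes easy to spot in audit logs.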
28 changes: 28 additions & 0 deletions pkg/imports/admission/enterprise/protect-builtin-tiers.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
---
# ValidatingAdmissionPolicy that prevents deletion of the built-in Calico tiers
# (default, kube-admin, kube-baseline). These tiers are required for correct
# operation and should never be deleted.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
name: protect-builtin-tiers.projectcalico.org
spec:
failurePolicy: Fail
matchConstraints:
resourceRules:
- apiGroups: ["projectcalico.org"]
apiVersions: ["v3"]
resources: ["tiers"]
operations: ["DELETE"]
validations:
- expression: "!(oldObject.metadata.name in ['default', 'kube-admin', 'kube-baseline'])"
messageExpression: "'The built-in tier ' + oldObject.metadata.name + ' cannot be deleted'"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
name: protect-builtin-tiers.projectcalico.org
spec:
policyName: protect-builtin-tiers.projectcalico.org
validationActions:
- Deny
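Review bot: this file is byte-identical to `pkg/imports/admission/calico/protect-builtin-tiers.yaml`; if the two are meant to stay in sync, a comment at the top saying so, or a small test that diffs them, would stop the protected-tier lists from drifting apart when one is edited.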
Original file line number Diff line number Diff line change
Expand Up @@ -862,7 +862,9 @@ spec:
IptablesMarkMask is the mask that Felix selects its IPTables Mark bits from. Should be a 32 bit hexadecimal
number with at least 8 bits set, none of which clash with any other mark bits in use on the system.
[Default: 0xffff0000]
format: int32
format: int64
maximum: 4294967295
minimum: 0
type: integer
iptablesNATOutgoingInterfaceFilter:
description: |-
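Review bot: the change from `format: int32` to `format: int64` with explicit bounds is a correctness fix, not a cosmetic one: the documented default `0xffff0000` is 4294901760, above the int32 maximum of 2147483647, so the previous schema could reject the field's own default. `maximum: 4294967295` matches a full 32-bit mark and `minimum: 0` rules out negative values; the same shape is repeated for `nftablesMarkMask` and across the other CRD copies in this PR, so a shared schema fragment or generator marker would keep them aligned.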
Expand Down Expand Up @@ -929,12 +931,14 @@ spec:
- Disabled
type: string
istioDSCPMark:
anyOf:
- type: integer
- type: string
description: |-
IstioDSCPMark sets the value to use when directing traffic to Istio ZTunnel, when Istio is enabled. The mark is set only on
SYN packets at the final hop to avoid interference with other protocols. This value is reserved by Calico and must not be used
with other Istio installation. [Default: 23]
pattern: ^.*
type: integer
x-kubernetes-int-or-string: true
kubeNodePortRanges:
description: |-
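Review bot: `pattern: ^.*` on the string branch of the new int-or-string accepts anything, so the string form is effectively unvalidated, and the integer branch has no `minimum`/`maximum`. If the string form exists to permit a hex spelling of the mark, a pattern such as `^(0x[0-9a-fA-F]+|[0-9]+)$` would both document and enforce that, and the integer branch could be bounded to whatever range Felix actually accepts for this mark. The `anyOf` plus `x-kubernetes-int-or-string: true` combination itself is the standard idiom and looks right.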
Expand All @@ -955,6 +959,26 @@ spec:
reverting to normal priority. [Default: 30s]
pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))*$
type: string
localSubnetL2Reachability:
description: |-
LocalSubnetL2Reachability controls whether Felix automatically responds to
ARP (IPv4) and NDP (IPv6) requests on host interfaces for local pod IPs and
selected LoadBalancer VIPs that fall within the same subnet as the host
interface. When set to PodsAndLoadBalancers, pods and LB VIPs on the host
subnet are reachable from the local L2 segment without BGP. [Default: Disabled]
enum:
- Disabled
- PodsAndLoadBalancers
type: string
localSubnetL2ReachabilityRefreshInterval:
description: |-
LocalSubnetL2ReachabilityRefreshInterval controls how often Felix re-announces
(gratuitous ARP / unsolicited NA) every IP it proxies ARP/NDP for when
LocalSubnetL2Reachability is enabled, keeping neighbor caches and switch
forwarding tables warm even when the set of proxied IPs is unchanged. Set to 0
to disable periodic re-announcement, leaving only the one-shot announce when an
IP is added. [Default: 120s]
type: string
logActionRateLimit:
description: |-
LogActionRateLimit sets the rate of hitting a Log action. The value must be in the format "N/unit",
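Review bot: `localSubnetL2ReachabilityRefreshInterval` is a duration but is declared as a bare `type: string` with no `pattern`, unlike the neighbouring `liveMigrationRouteConvergenceTime`, which uses `^([0-9]+(\.[0-9]+)?(ms|s|m|h))*$`; adding the same pattern keeps malformed values from reaching Felix. If that pattern is adopted, note that the description's "Set to 0 to disable" would need to read `0s`, since the pattern requires a unit on every component. Defaulting `localSubnetL2Reachability` to `Disabled` is the right conservative choice given that enabling it makes pod IPs and VIPs answer ARP/NDP on the host segment.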
Expand Down Expand Up @@ -1092,7 +1116,9 @@ spec:
NftablesMarkMask is the mask that Felix selects its nftables Mark bits from. Should be a 32 bit hexadecimal
number with at least 8 bits set, none of which clash with any other mark bits in use on the system.
[Default: 0xffff0000]
format: int32
format: int64
maximum: 4294967295
minimum: 0
type: integer
nftablesMode:
default: Auto
Original file line number Diff line number Diff line change
Expand Up @@ -54,10 +54,8 @@ spec:
For non-nil entries at index i, the index is the ordinal of the allocation within this block
and the value is the index of the associated attributes in the Attributes array.
items:
type: integer
# TODO: This nullable is manually added in. We should update controller-gen
# to handle []*int properly itself.
nullable: true
type: integer
type: array
attributes:
description: |-
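Review bot: the `nullable: true` has moved ahead of `type: integer` and the TODO saying it was hand-added after controller-gen is gone. If controller-gen now emits `nullable` for `[]*int` on its own that is fine, but if this file is still hand-patched, the next regeneration will silently drop the flag and `null` entries in `allocations` will start failing validation; the commit message should say which case applies, or a test that regenerates and diffs the CRDs should guard it.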
Original file line number Diff line number Diff line change
Expand Up @@ -861,7 +861,9 @@ spec:
IptablesMarkMask is the mask that Felix selects its IPTables Mark bits from. Should be a 32 bit hexadecimal
number with at least 8 bits set, none of which clash with any other mark bits in use on the system.
[Default: 0xffff0000]
format: int32
format: int64
maximum: 4294967295
minimum: 0
type: integer
iptablesNATOutgoingInterfaceFilter:
description: |-
Expand Down Expand Up @@ -928,12 +930,14 @@ spec:
- Disabled
type: string
istioDSCPMark:
anyOf:
- type: integer
- type: string
description: |-
IstioDSCPMark sets the value to use when directing traffic to Istio ZTunnel, when Istio is enabled. The mark is set only on
SYN packets at the final hop to avoid interference with other protocols. This value is reserved by Calico and must not be used
with other Istio installation. [Default: 23]
pattern: ^.*
type: integer
x-kubernetes-int-or-string: true
kubeNodePortRanges:
description: |-
Expand All @@ -954,6 +958,26 @@ spec:
reverting to normal priority. [Default: 30s]
pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))*$
type: string
localSubnetL2Reachability:
description: |-
LocalSubnetL2Reachability controls whether Felix automatically responds to
ARP (IPv4) and NDP (IPv6) requests on host interfaces for local pod IPs and
selected LoadBalancer VIPs that fall within the same subnet as the host
interface. When set to PodsAndLoadBalancers, pods and LB VIPs on the host
subnet are reachable from the local L2 segment without BGP. [Default: Disabled]
enum:
- Disabled
- PodsAndLoadBalancers
type: string
localSubnetL2ReachabilityRefreshInterval:
description: |-
LocalSubnetL2ReachabilityRefreshInterval controls how often Felix re-announces
(gratuitous ARP / unsolicited NA) every IP it proxies ARP/NDP for when
LocalSubnetL2Reachability is enabled, keeping neighbor caches and switch
forwarding tables warm even when the set of proxied IPs is unchanged. Set to 0
to disable periodic re-announcement, leaving only the one-shot announce when an
IP is added. [Default: 120s]
type: string
logActionRateLimit:
description: |-
LogActionRateLimit sets the rate of hitting a Log action. The value must be in the format "N/unit",
Expand Down Expand Up @@ -1091,7 +1115,9 @@ spec:
NftablesMarkMask is the mask that Felix selects its nftables Mark bits from. Should be a 32 bit hexadecimal
number with at least 8 bits set, none of which clash with any other mark bits in use on the system.
[Default: 0xffff0000]
format: int32
format: int64
maximum: 4294967295
minimum: 0
type: integer
nftablesMode:
default: Auto
Original file line number Diff line number Diff line change
Expand Up @@ -69,10 +69,8 @@ spec:
For non-nil entries at index i, the index is the ordinal of the allocation within this block
and the value is the index of the associated attributes in the Attributes array.
items:
type: integer
# TODO: This nullable is manually added in. We should update controller-gen
# to handle []*int properly itself.
nullable: true
type: integer
type: array
x-kubernetes-list-type: atomic
attributes:
Original file line number Diff line number Diff line change
Expand Up @@ -76,3 +76,5 @@ spec:
type: object
served: true
storage: true
subresources:
status: {}
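Review bot: adding `subresources.status` to an already-served version changes write semantics for existing clients: updates to the main endpoint now ignore `status`, and updates to `/status` ignore everything else, so any controller that currently sets status through a plain Update will silently stop doing so and must switch to the status endpoint, and RBAC roles granting `update` on this resource need the `<resource>/status` sub-resource as well. `metadata.generation` also starts incrementing only on non-status changes. Worth confirming the client code in this repository is updated in the same change.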
Original file line number Diff line number Diff line change
Expand Up @@ -60,7 +60,9 @@ spec:
used in custom BGP templates
type: object
externalNetwork:
description: Name of the external network to which this peer belongs.
description:
Name of the external network to which this peer belongs. Cannot
be set if network is set.
type: string
failureDetectionMode:
description: |-
Expand Down Expand Up @@ -110,6 +112,11 @@ spec:
RestartMode is "LongLivedGracefulRestart". When not specified, the BIRD defaults are
used, which are 120s for "GracefulRestart" and 3600s for "LongLivedGracefulRestart".
type: string
network:
description:
Name of the network to which this peer belongs. Cannot
be set if externalNetwork is set.
type: string
nextHopMode:
description: |-
NextHopMode defines the method of calculating the next hop attribute for received routes.
Expand Down Expand Up @@ -282,6 +289,11 @@ spec:
rule:
"!has(self.keepOriginalNextHop) || !self.keepOriginalNextHop ||
!has(self.nextHopMode)"
- message: network and externalNetwork cannot both be set
reason: FieldValueForbidden
rule:
(!has(self.network) || size(self.network) == 0) || (!has(self.externalNetwork)
|| size(self.externalNetwork) == 0)
type: object
served: true
storage: true
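Review bot: the mutual-exclusion rule treats an empty string as unset (`size(self.network) == 0`), which is consistent with optional string fields, but the descriptions on `network` and `externalNetwork` say "Cannot be set if ... is set", so `network: ""` alongside a populated `externalNetwork` passes validation; that is fine only if the code path treats empty as absent, otherwise the `size` checks should be dropped. Consider adding `fieldPath: .network` to the rule so the error is attached to a field in the API response rather than to the whole object.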
Original file line number Diff line number Diff line change
Expand Up @@ -312,6 +312,9 @@ spec:
description: |-
BPFHostNetworkedNATWithoutCTLB when in BPF mode, controls whether Felix does a NAT without CTLB. This along with BPFConnectTimeLoadBalancing
determines the CTLB behavior. [Default: Enabled]
enum:
- Enabled
- Disabled
type: string
bpfIPFragTimeout:
description: |-
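Review bot: adding `enum` to the previously free-form `bpfHostNetworkedNATWithoutCTLB` string tightens an already-served field: existing objects with any other spelling keep working until the next update of the FelixConfiguration, at which point the whole update is rejected with a confusing error. Check that stored values in existing clusters are exactly `Enabled`/`Disabled`, or follow the other string fields in this CRD and use a case-insensitive `pattern: ^(?i)(Enabled|Disabled)?$` instead of a strict enum.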
Expand Down Expand Up @@ -1325,7 +1328,9 @@ spec:
IptablesMarkMask is the mask that Felix selects its IPTables Mark bits from. Should be a 32 bit hexadecimal
number with at least 8 bits set, none of which clash with any other mark bits in use on the system.
[Default: 0xffff0000]
format: int32
format: int64
maximum: 4294967295
minimum: 0
type: integer
iptablesNATOutgoingInterfaceFilter:
description: |-
Expand Down Expand Up @@ -1479,6 +1484,16 @@ spec:
ExcludeL7SourceInfo - Aggregate over all other fields ignoring the source aggregated name, namespace, and type.
pattern: ^(?i)(IncludeL7SourceInfo|IncludeL7SourceInfoNoPort|ExcludeL7SourceInfo)?$
type: string
l7LogsFileAggregationTLSSNI:
description: |-
L7LogsFileAggregationTLSSNI controls whether the TLS Server Name Indication (SNI)
participates in the aggregation key for L7 logs.
[Default: IncludeL7TLSSNI - SNI is part of the aggregation key]
Accepted values:
IncludeL7TLSSNI - Include the SNI in the aggregation key.
ExcludeL7TLSSNI - Aggregate over all other fields ignoring the SNI entirely.
pattern: ^(?i)(IncludeL7TLSSNI|ExcludeL7TLSSNI)?$
type: string
l7LogsFileAggregationTrimURL:
description: |-
L7LogsFileAggregationTrimURL is used to choose the type of aggregation for the url on L7 log entries.
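Review bot: the `pattern` for `l7LogsFileAggregationTLSSNI` permits the empty string via the trailing `?`, which matches the sibling field's pattern above, so no issue there. The description could spell out the trade-off the operator is making: keeping SNI in the aggregation key (the default) raises the cardinality of L7 log entries and records every requested hostname in the log files, while `ExcludeL7TLSSNI` collapses them; one sentence saying so helps whoever tunes log volume or reviews what ends up in exported logs.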
Expand Down Expand Up @@ -1528,13 +1543,39 @@ spec:
[Default: 300s]
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
l7ObservabilityEnabled:
description: |-
L7ObservabilityEnabled enables eBPF-based L7 HTTP and TLS observability.
It is dataplane-agnostic - works with eBPF, iptables, or nftables.
Requires kernel 5.17+. [Default: false]
type: boolean
liveMigrationRouteConvergenceTime:
description: |-
LiveMigrationRouteConvergenceTime is the time to keep elevated route priority after a
VM live migration completes. This allows routes to converge across the cluster before
reverting to normal priority. [Default: 30s]
pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))*$
type: string
localSubnetL2Reachability:
description: |-
LocalSubnetL2Reachability controls whether Felix automatically responds to
ARP (IPv4) and NDP (IPv6) requests on host interfaces for local pod IPs and
selected LoadBalancer VIPs that fall within the same subnet as the host
interface. When set to PodsAndLoadBalancers, pods and LB VIPs on the host
subnet are reachable from the local L2 segment without BGP. [Default: Disabled]
enum:
- Disabled
- PodsAndLoadBalancers
type: string
localSubnetL2ReachabilityRefreshInterval:
description: |-
LocalSubnetL2ReachabilityRefreshInterval controls how often Felix re-announces
(gratuitous ARP / unsolicited NA) every IP it proxies ARP/NDP for when
LocalSubnetL2Reachability is enabled, keeping neighbor caches and switch
forwarding tables warm even when the set of proxied IPs is unchanged. Set to 0
to disable periodic re-announcement, leaving only the one-shot announce when an
IP is added. [Default: 120s]
type: string
logActionRateLimit:
description: |-
LogActionRateLimit sets the rate of hitting a Log action. The value must be in the format "N/unit",
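Review bot: the context line for the preceding field's pattern reads `^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$` with a doubled backslash, while the new `liveMigrationRouteConvergenceTime` line uses `\.`. In a YAML plain scalar the doubled form reaches the regex engine as `\\.`, a literal backslash followed by any character, so fractional durations such as `1.5s` would be rejected for that field; it is worth fixing while this block is being touched. As in the other CRD copies, `localSubnetL2ReachabilityRefreshInterval` here also lacks the duration `pattern` its neighbours carry.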
Expand Down Expand Up @@ -1701,7 +1742,9 @@ spec:
NftablesMarkMask is the mask that Felix selects its nftables Mark bits from. Should be a 32 bit hexadecimal
number with at least 8 bits set, none of which clash with any other mark bits in use on the system.
[Default: 0xffff0000]
format: int32
format: int64
maximum: 4294967295
minimum: 0
type: integer
nftablesMode:
default: Auto
Original file line number Diff line number Diff line change
Expand Up @@ -225,3 +225,5 @@ spec:
type: object
served: true
storage: true
subresources:
status: {}
Original file line number Diff line number Diff line change
Expand Up @@ -455,3 +455,5 @@ spec:
type: object
served: true
storage: true
subresources:
status: {}