diff --git a/.codespellignore b/.codespellignore index af3f8c1ada0..c90cd698b43 100644 --- a/.codespellignore +++ b/.codespellignore @@ -2,7 +2,7 @@ aks witht geting ot -intepreted updat shouldnot decorder +overriden \ No newline at end of file diff --git a/Makefile b/Makefile index dd7a8f40382..03ca7131415 100644 --- a/Makefile +++ b/Makefile @@ -492,7 +492,7 @@ generate-addons: fetch-calico-manifests ## Generate metric-server, calico calico $(KUSTOMIZE) build $(ADDONS_DIR)/calico-dual-stack > $(ADDONS_DIR)/calico-dual-stack.yaml # When updating this, make sure to also update the Windows image version in templates/addons/windows/calico. -CALICO_VERSION := v3.24.5 +CALICO_VERSION := v3.25.0 # Where all downloaded Calico manifests are unpacked and stored. CALICO_RELEASES := $(ARTIFACTS)/calico # Path to manifests directory in a Calico release archive. diff --git a/templates/addons/calico-dual-stack.yaml b/templates/addons/calico-dual-stack.yaml index 619e0ad5141..6bbd9850526 100644 --- a/templates/addons/calico-dual-stack.yaml +++ b/templates/addons/calico-dual-stack.yaml @@ -63,6 +63,12 @@ spec: type: string type: object type: array + ignoredInterfaces: + description: IgnoredInterfaces indicates the network interfaces that + needs to be excluded when reading device routes. + items: + type: string + type: array listenPort: description: ListenPort is the port where BGP protocol should listen. Defaults to 179 
@@ -280,12 +286,23 @@ spec: remote AS number comes from the remote node's NodeBGPSpec.ASNumber, or the global default if that is not set. type: string + reachableBy: + description: Add an exact, i.e. /32, static route toward peer IP in + order to prevent route flapping. ReachableBy contains the address + of the gateway which peer can be reached by. + type: string sourceAddress: description: Specifies whether and how to configure a source address for the peerings generated by this BGPPeer resource. Default value "UseNodeIP" means to configure the node IP as the source address. "None" means not to configure a source address. type: string + ttlSecurity: + description: TTLSecurity enables the generalized TTL security mechanism + (GTSM) which protects against spoofed packets by ignoring received + packets with a smaller than expected TTL value. The provided value + is the number of hops (edges) between the peers. + type: integer type: object type: object served: true @@ -766,9 +783,10 @@ spec: [Default: false]' type: boolean bpfEnforceRPF: - description: 'BPFEnforceRPF enforce strict RPF on all interfaces with - BPF programs regardless of what is the per-interfaces or global - setting. Possible values are Disabled or Strict. [Default: Strict]' + description: 'BPFEnforceRPF enforce strict RPF on all host interfaces + with BPF programs regardless of what is the per-interfaces or global + setting. Possible values are Disabled, Strict or Loose. [Default: + Strict]' type: string bpfExtToServiceConnmark: description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit 
@@ -808,6 +826,14 @@ spec: kube-proxy. Lower values give reduced set-up latency. Higher values reduce Felix CPU usage by batching up more work. [Default: 1s]' type: string + bpfL3IfacePattern: + description: BPFL3IfacePattern is a regular expression that allows + to list tunnel devices like wireguard or vxlan (i.e., L3 devices) + in addition to BPFDataIfacePattern. That is, tunnel interfaces not + created by Calico, that Calico workload traffic flows over as well + as any interfaces that handle incoming traffic to nodeports and + services from outside the cluster. + type: string bpfLogLevel: description: 'BPFLogLevel controls the log level of the BPF programs when in BPF dataplane mode. One of "Off", "Info", or "Debug". The @@ -883,11 +909,12 @@ spec: to use. Only used if UseInternalDataplaneDriver is set to false. type: string dataplaneWatchdogTimeout: - description: 'DataplaneWatchdogTimeout is the readiness/liveness timeout - used for Felix''s (internal) dataplane driver. Increase this value + description: "DataplaneWatchdogTimeout is the readiness/liveness timeout + used for Felix's (internal) dataplane driver. Increase this value if you experience spurious non-ready or non-live events when Felix is under heavy load. Decrease the value to get felix to report non-live - or non-ready more quickly. [Default: 90s]' + or non-ready more quickly. [Default: 90s] \n Deprecated: replaced + by the generic HealthTimeoutOverrides." type: string debugDisableLogDropping: type: boolean 
@@ -991,15 +1018,21 @@ spec: type: object type: array featureDetectOverride: - description: FeatureDetectOverride is used to override the feature - detection. Values are specified in a comma separated list with no - spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". - "true" or "false" will force the feature, empty or omitted values - are auto-detected. + description: FeatureDetectOverride is used to override feature detection + based on auto-detected platform capabilities. Values are specified + in a comma separated list with no spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". "true" + or "false" will force the feature, empty or omitted values are auto-detected. + type: string + featureGates: + description: FeatureGates is used to enable or disable tech-preview + Calico features. Values are specified in a comma separated list + with no spaces, example; "BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false". + This is used to enable features that are not fully production ready. type: string floatingIPs: description: FloatingIPs configures whether or not Felix will program - floating IP addresses. + non-OpenStack floating IP addresses. (OpenStack-derived floating + IPs are always programmed, regardless of this setting.) enum: - Enabled - Disabled 
@@ -1016,6 +1049,23 @@ spec: type: string healthPort: type: integer + healthTimeoutOverrides: + description: HealthTimeoutOverrides allows the internal watchdog timeouts + of individual subcomponents to be overriden. This is useful for + working around "false positive" liveness timeouts that can occur + in particularly stressful workloads or if CPU is constrained. For + a list of active subcomponents, see Felix's logs. + items: + properties: + name: + type: string + timeout: + type: string + required: + - name + - timeout + type: object + type: array interfaceExclude: description: 'InterfaceExclude is a comma-separated list of interfaces that Felix should exclude when monitoring for host endpoints. The @@ -1057,7 +1107,7 @@ spec: type: string iptablesBackend: description: IptablesBackend specifies which backend of iptables will - be used. The default is legacy. + be used. The default is Auto. type: string iptablesFilterAllowAction: type: string @@ -4301,7 +4351,7 @@ spec: value: node - name: DATASTORE_TYPE value: kubernetes - image: docker.io/calico/kube-controllers:v3.24.5 + image: docker.io/calico/kube-controllers:v3.25.0 imagePullPolicy: IfNotPresent livenessProbe: exec: @@ -4344,6 +4394,11 @@ spec: selector: matchLabels: k8s-app: calico-typha + strategy: + rollingUpdate: + maxSurge: 100% + maxUnavailable: 1 + type: RollingUpdate template: metadata: annotations: @@ -4365,13 +4420,15 @@ spec: value: kubernetes - name: TYPHA_HEALTHENABLED value: "true" + - name: TYPHA_SHUTDOWNTIMEOUTSECS + value: "300" - name: USE_POD_CIDR value: "true" envFrom: - configMapRef: name: kubernetes-services-endpoint optional: true - image: docker.io/calico/typha:v3.24.5 + image: docker.io/calico/typha:v3.25.0 imagePullPolicy: IfNotPresent livenessProbe: httpGet: @@ -4403,6 +4460,7 @@ spec: securityContext: fsGroup: 65534 serviceAccountName: calico-node + terminationGracePeriodSeconds: 300 tolerations: - key: CriticalAddonsOnly operator: Exists 
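Review bot: The bumped reference `image: docker.io/calico/typha:v3.25.0` in the `@@ -4365,13 +4420,15 @@` hunk (and the kube-controllers, node and cni image lines in the other hunks of this file and of calico-ipv6.yaml, calico-policy-only.yaml and calico.yaml) is still a mutable tag with no `@sha256:` digest, so what is pulled under `imagePullPolicy: IfNotPresent` can change without this manifest changing. If these templates are emitted by the `generate-addons` target seen in the Makefile hunk rather than edited by hand, the digest would have to be resolved in that generation step; the pinned form would be `image: docker.io/calico/typha:v3.25.0@sha256:<DIGEST_PLACEHOLDER>`. Separately, the added `TYPHA_SHUTDOWNTIMEOUTSECS` value `"300"` in this hunk must match `terminationGracePeriodSeconds: 300` added in the following `@@ -4403,6 +4460,7 @@` hunk, and unlike calico-policy-only.yaml this rendered file carries no comment tying the two together, so a later edit to one value could silently cut short Typha's graceful disconnect of clients. The enclosing Deployment spec starts and ends outside these hunks.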
@@ -4488,7 +4546,7 @@ spec: - configMapRef: name: kubernetes-services-endpoint optional: true - image: docker.io/calico/node:v3.24.5 + image: docker.io/calico/node:v3.25.0 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -4563,7 +4621,7 @@ spec: - configMapRef: name: kubernetes-services-endpoint optional: true - image: docker.io/calico/cni:v3.24.5 + image: docker.io/calico/cni:v3.25.0 imagePullPolicy: IfNotPresent name: install-cni securityContext: @@ -4577,7 +4635,7 @@ spec: - calico-node - -init - -best-effort - image: docker.io/calico/node:v3.24.5 + image: docker.io/calico/node:v3.25.0 imagePullPolicy: IfNotPresent name: mount-bpffs securityContext: diff --git a/templates/addons/calico-ipv6.yaml b/templates/addons/calico-ipv6.yaml index 01104e31ffc..f5fc7075747 100644 --- a/templates/addons/calico-ipv6.yaml +++ b/templates/addons/calico-ipv6.yaml @@ -63,6 +63,12 @@ spec: type: string type: object type: array + ignoredInterfaces: + description: IgnoredInterfaces indicates the network interfaces that + needs to be excluded when reading device routes. + items: + type: string + type: array listenPort: description: ListenPort is the port where BGP protocol should listen. Defaults to 179 
@@ -280,12 +286,23 @@ spec: remote AS number comes from the remote node's NodeBGPSpec.ASNumber, or the global default if that is not set. type: string + reachableBy: + description: Add an exact, i.e. /32, static route toward peer IP in + order to prevent route flapping. ReachableBy contains the address + of the gateway which peer can be reached by. + type: string sourceAddress: description: Specifies whether and how to configure a source address for the peerings generated by this BGPPeer resource. Default value "UseNodeIP" means to configure the node IP as the source address. "None" means not to configure a source address. type: string + ttlSecurity: + description: TTLSecurity enables the generalized TTL security mechanism + (GTSM) which protects against spoofed packets by ignoring received + packets with a smaller than expected TTL value. The provided value + is the number of hops (edges) between the peers. + type: integer type: object type: object served: true @@ -766,9 +783,10 @@ spec: [Default: false]' type: boolean bpfEnforceRPF: - description: 'BPFEnforceRPF enforce strict RPF on all interfaces with - BPF programs regardless of what is the per-interfaces or global - setting. Possible values are Disabled or Strict. [Default: Strict]' + description: 'BPFEnforceRPF enforce strict RPF on all host interfaces + with BPF programs regardless of what is the per-interfaces or global + setting. Possible values are Disabled, Strict or Loose. [Default: + Strict]' type: string bpfExtToServiceConnmark: description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit 
@@ -808,6 +826,14 @@ spec: kube-proxy. Lower values give reduced set-up latency. Higher values reduce Felix CPU usage by batching up more work. [Default: 1s]' type: string + bpfL3IfacePattern: + description: BPFL3IfacePattern is a regular expression that allows + to list tunnel devices like wireguard or vxlan (i.e., L3 devices) + in addition to BPFDataIfacePattern. That is, tunnel interfaces not + created by Calico, that Calico workload traffic flows over as well + as any interfaces that handle incoming traffic to nodeports and + services from outside the cluster. + type: string bpfLogLevel: description: 'BPFLogLevel controls the log level of the BPF programs when in BPF dataplane mode. One of "Off", "Info", or "Debug". The @@ -883,11 +909,12 @@ spec: to use. Only used if UseInternalDataplaneDriver is set to false. type: string dataplaneWatchdogTimeout: - description: 'DataplaneWatchdogTimeout is the readiness/liveness timeout - used for Felix''s (internal) dataplane driver. Increase this value + description: "DataplaneWatchdogTimeout is the readiness/liveness timeout + used for Felix's (internal) dataplane driver. Increase this value if you experience spurious non-ready or non-live events when Felix is under heavy load. Decrease the value to get felix to report non-live - or non-ready more quickly. [Default: 90s]' + or non-ready more quickly. [Default: 90s] \n Deprecated: replaced + by the generic HealthTimeoutOverrides." type: string debugDisableLogDropping: type: boolean 
@@ -991,15 +1018,21 @@ spec: type: object type: array featureDetectOverride: - description: FeatureDetectOverride is used to override the feature - detection. Values are specified in a comma separated list with no - spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". - "true" or "false" will force the feature, empty or omitted values - are auto-detected. + description: FeatureDetectOverride is used to override feature detection + based on auto-detected platform capabilities. Values are specified + in a comma separated list with no spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". "true" + or "false" will force the feature, empty or omitted values are auto-detected. + type: string + featureGates: + description: FeatureGates is used to enable or disable tech-preview + Calico features. Values are specified in a comma separated list + with no spaces, example; "BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false". + This is used to enable features that are not fully production ready. type: string floatingIPs: description: FloatingIPs configures whether or not Felix will program - floating IP addresses. + non-OpenStack floating IP addresses. (OpenStack-derived floating + IPs are always programmed, regardless of this setting.) enum: - Enabled - Disabled 
@@ -1016,6 +1049,23 @@ spec: type: string healthPort: type: integer + healthTimeoutOverrides: + description: HealthTimeoutOverrides allows the internal watchdog timeouts + of individual subcomponents to be overriden. This is useful for + working around "false positive" liveness timeouts that can occur + in particularly stressful workloads or if CPU is constrained. For + a list of active subcomponents, see Felix's logs. + items: + properties: + name: + type: string + timeout: + type: string + required: + - name + - timeout + type: object + type: array interfaceExclude: description: 'InterfaceExclude is a comma-separated list of interfaces that Felix should exclude when monitoring for host endpoints. The @@ -1057,7 +1107,7 @@ spec: type: string iptablesBackend: description: IptablesBackend specifies which backend of iptables will - be used. The default is legacy. + be used. The default is Auto. type: string iptablesFilterAllowAction: type: string @@ -4290,7 +4340,7 @@ spec: value: node - name: DATASTORE_TYPE value: kubernetes - image: docker.io/calico/kube-controllers:v3.24.5 + image: docker.io/calico/kube-controllers:v3.25.0 imagePullPolicy: IfNotPresent livenessProbe: exec: @@ -4333,6 +4383,11 @@ spec: selector: matchLabels: k8s-app: calico-typha + strategy: + rollingUpdate: + maxSurge: 100% + maxUnavailable: 1 + type: RollingUpdate template: metadata: annotations: @@ -4354,13 +4409,15 @@ spec: value: kubernetes - name: TYPHA_HEALTHENABLED value: "true" + - name: TYPHA_SHUTDOWNTIMEOUTSECS + value: "300" - name: USE_POD_CIDR value: "true" envFrom: - configMapRef: name: kubernetes-services-endpoint optional: true - image: docker.io/calico/typha:v3.24.5 + image: docker.io/calico/typha:v3.25.0 imagePullPolicy: IfNotPresent livenessProbe: httpGet: @@ -4392,6 +4449,7 @@ spec: securityContext: fsGroup: 65534 serviceAccountName: calico-node + terminationGracePeriodSeconds: 300 tolerations: - key: CriticalAddonsOnly operator: Exists 
@@ -4477,7 +4535,7 @@ spec: - configMapRef: name: kubernetes-services-endpoint optional: true - image: docker.io/calico/node:v3.24.5 + image: docker.io/calico/node:v3.25.0 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -4552,7 +4610,7 @@ spec: - configMapRef: name: kubernetes-services-endpoint optional: true - image: docker.io/calico/cni:v3.24.5 + image: docker.io/calico/cni:v3.25.0 imagePullPolicy: IfNotPresent name: install-cni securityContext: @@ -4566,7 +4624,7 @@ spec: - calico-node - -init - -best-effort - image: docker.io/calico/node:v3.24.5 + image: docker.io/calico/node:v3.25.0 imagePullPolicy: IfNotPresent name: mount-bpffs securityContext: diff --git a/templates/addons/calico-ipv6/calico-policy-only.yaml b/templates/addons/calico-ipv6/calico-policy-only.yaml index eab459afcd9..bc9368dd472 100644 --- a/templates/addons/calico-ipv6/calico-policy-only.yaml +++ b/templates/addons/calico-ipv6/calico-policy-only.yaml @@ -164,6 +164,12 @@ spec: type: string type: object type: array + ignoredInterfaces: + description: IgnoredInterfaces indicates the network interfaces that + needs to be excluded when reading device routes. + items: + type: string + type: array listenPort: description: ListenPort is the port where BGP protocol should listen. Defaults to 179 
@@ -382,12 +388,23 @@ spec: remote AS number comes from the remote node's NodeBGPSpec.ASNumber, or the global default if that is not set. type: string + reachableBy: + description: Add an exact, i.e. /32, static route toward peer IP in + order to prevent route flapping. ReachableBy contains the address + of the gateway which peer can be reached by. + type: string sourceAddress: description: Specifies whether and how to configure a source address for the peerings generated by this BGPPeer resource. Default value "UseNodeIP" means to configure the node IP as the source address. "None" means not to configure a source address. type: string + ttlSecurity: + description: TTLSecurity enables the generalized TTL security mechanism + (GTSM) which protects against spoofed packets by ignoring received + packets with a smaller than expected TTL value. The provided value + is the number of hops (edges) between the peers. + type: integer type: object type: object served: true @@ -872,9 +889,10 @@ spec: [Default: false]' type: boolean bpfEnforceRPF: - description: 'BPFEnforceRPF enforce strict RPF on all interfaces with - BPF programs regardless of what is the per-interfaces or global - setting. Possible values are Disabled or Strict. [Default: Strict]' + description: 'BPFEnforceRPF enforce strict RPF on all host interfaces + with BPF programs regardless of what is the per-interfaces or global + setting. Possible values are Disabled, Strict or Loose. [Default: + Strict]' type: string bpfExtToServiceConnmark: description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit 
@@ -914,6 +932,14 @@ spec: kube-proxy. Lower values give reduced set-up latency. Higher values reduce Felix CPU usage by batching up more work. [Default: 1s]' type: string + bpfL3IfacePattern: + description: BPFL3IfacePattern is a regular expression that allows + to list tunnel devices like wireguard or vxlan (i.e., L3 devices) + in addition to BPFDataIfacePattern. That is, tunnel interfaces not + created by Calico, that Calico workload traffic flows over as well + as any interfaces that handle incoming traffic to nodeports and + services from outside the cluster. + type: string bpfLogLevel: description: 'BPFLogLevel controls the log level of the BPF programs when in BPF dataplane mode. One of "Off", "Info", or "Debug". The @@ -989,11 +1015,12 @@ spec: to use. Only used if UseInternalDataplaneDriver is set to false. type: string dataplaneWatchdogTimeout: - description: 'DataplaneWatchdogTimeout is the readiness/liveness timeout - used for Felix''s (internal) dataplane driver. Increase this value + description: "DataplaneWatchdogTimeout is the readiness/liveness timeout + used for Felix's (internal) dataplane driver. Increase this value if you experience spurious non-ready or non-live events when Felix is under heavy load. Decrease the value to get felix to report non-live - or non-ready more quickly. [Default: 90s]' + or non-ready more quickly. [Default: 90s] \n Deprecated: replaced + by the generic HealthTimeoutOverrides." type: string debugDisableLogDropping: type: boolean 
@@ -1097,15 +1124,21 @@ spec: type: object type: array featureDetectOverride: - description: FeatureDetectOverride is used to override the feature - detection. Values are specified in a comma separated list with no - spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". - "true" or "false" will force the feature, empty or omitted values - are auto-detected. + description: FeatureDetectOverride is used to override feature detection + based on auto-detected platform capabilities. Values are specified + in a comma separated list with no spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". "true" + or "false" will force the feature, empty or omitted values are auto-detected. + type: string + featureGates: + description: FeatureGates is used to enable or disable tech-preview + Calico features. Values are specified in a comma separated list + with no spaces, example; "BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false". + This is used to enable features that are not fully production ready. type: string floatingIPs: description: FloatingIPs configures whether or not Felix will program - floating IP addresses. + non-OpenStack floating IP addresses. (OpenStack-derived floating + IPs are always programmed, regardless of this setting.) enum: - Enabled - Disabled 
@@ -1122,6 +1155,23 @@ spec: type: string healthPort: type: integer + healthTimeoutOverrides: + description: HealthTimeoutOverrides allows the internal watchdog timeouts + of individual subcomponents to be overriden. This is useful for + working around "false positive" liveness timeouts that can occur + in particularly stressful workloads or if CPU is constrained. For + a list of active subcomponents, see Felix's logs. + items: + properties: + name: + type: string + timeout: + type: string + required: + - name + - timeout + type: object + type: array interfaceExclude: description: 'InterfaceExclude is a comma-separated list of interfaces that Felix should exclude when monitoring for host endpoints. The @@ -1163,7 +1213,7 @@ spec: type: string iptablesBackend: description: IptablesBackend specifies which backend of iptables will - be used. The default is legacy. + be used. The default is Auto. type: string iptablesFilterAllowAction: type: string @@ -4391,7 +4441,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: docker.io/calico/cni:v3.24.5 + image: docker.io/calico/cni:v3.25.0 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/install"] envFrom: @@ -4428,7 +4478,7 @@ spec: # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode. - name: "mount-bpffs" - image: docker.io/calico/node:v3.24.5 + image: docker.io/calico/node:v3.25.0 imagePullPolicy: IfNotPresent command: ["calico-node", "-init", "-best-effort"] volumeMounts: @@ -4454,7 +4504,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: docker.io/calico/node:v3.24.5 + image: docker.io/calico/node:v3.25.0 imagePullPolicy: IfNotPresent envFrom: - configMapRef: 
@@ -4642,7 +4692,7 @@ spec: priorityClassName: system-cluster-critical containers: - name: calico-kube-controllers - image: docker.io/calico/kube-controllers:v3.24.5 + image: docker.io/calico/kube-controllers:v3.25.0 imagePullPolicy: IfNotPresent env: # Choose which controllers to run. @@ -4688,6 +4738,19 @@ spec: selector: matchLabels: k8s-app: calico-typha + strategy: + rollingUpdate: + # 100% surge allows a complete up-level set of typha instances to start and become ready, + # which in turn allows all the back-level typha instances to start shutting down. This + # means that connections tend to bounce directly from a back-level instance to an up-level + # instance. + maxSurge: 100% + # In case the cluster is unable to schedule extra surge instances, allow at most one instance + # to shut down to make room. You can set this to 0 if you're sure there'll always be enough room to + # schedule extra typha instances during an upgrade (because setting it to 0 blocks shutdown until + # up-level typha instances are online and ready). + maxUnavailable: 1 + type: RollingUpdate template: metadata: labels: @@ -4698,6 +4761,9 @@ spec: nodeSelector: kubernetes.io/os: linux hostNetwork: true + # Typha supports graceful shut down, disconnecting clients slowly during the grace period. + # The TYPHA_SHUTDOWNTIMEOUTSECS env var should be kept in sync with this value. + terminationGracePeriodSeconds: 300 tolerations: # Mark the pod as a critical add-on for rescheduling. - key: CriticalAddonsOnly @@ -4710,7 +4776,7 @@ spec: securityContext: fsGroup: 65534 containers: - - image: docker.io/calico/typha:v3.24.5 + - image: docker.io/calico/typha:v3.25.0 imagePullPolicy: IfNotPresent name: calico-typha ports: 
@@ -4739,6 +4805,10 @@ spec: value: "kubernetes" - name: TYPHA_HEALTHENABLED value: "true" + # Set this to the same value as terminationGracePeriodSeconds; it tells Typha how much time + # it has to shut down. + - name: TYPHA_SHUTDOWNTIMEOUTSECS + value: "300" # Configure route aggregation based on pod CIDR. - name: USE_POD_CIDR value: "true" diff --git a/templates/addons/calico.yaml b/templates/addons/calico.yaml index 30ffb10bbe0..f5df6094bce 100644 --- a/templates/addons/calico.yaml +++ b/templates/addons/calico.yaml @@ -63,6 +63,12 @@ spec: type: string type: object type: array + ignoredInterfaces: + description: IgnoredInterfaces indicates the network interfaces that + needs to be excluded when reading device routes. + items: + type: string + type: array listenPort: description: ListenPort is the port where BGP protocol should listen. Defaults to 179 @@ -280,12 +286,23 @@ spec: remote AS number comes from the remote node's NodeBGPSpec.ASNumber, or the global default if that is not set. type: string + reachableBy: + description: Add an exact, i.e. /32, static route toward peer IP in + order to prevent route flapping. ReachableBy contains the address + of the gateway which peer can be reached by. + type: string sourceAddress: description: Specifies whether and how to configure a source address for the peerings generated by this BGPPeer resource. Default value "UseNodeIP" means to configure the node IP as the source address. "None" means not to configure a source address. type: string + ttlSecurity: + description: TTLSecurity enables the generalized TTL security mechanism + (GTSM) which protects against spoofed packets by ignoring received + packets with a smaller than expected TTL value. The provided value + is the number of hops (edges) between the peers. + type: integer type: object type: object served: true 
@@ -766,9 +783,10 @@ spec: [Default: false]' type: boolean bpfEnforceRPF: - description: 'BPFEnforceRPF enforce strict RPF on all interfaces with - BPF programs regardless of what is the per-interfaces or global - setting. Possible values are Disabled or Strict. [Default: Strict]' + description: 'BPFEnforceRPF enforce strict RPF on all host interfaces + with BPF programs regardless of what is the per-interfaces or global + setting. Possible values are Disabled, Strict or Loose. [Default: + Strict]' type: string bpfExtToServiceConnmark: description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit @@ -808,6 +826,14 @@ spec: kube-proxy. Lower values give reduced set-up latency. Higher values reduce Felix CPU usage by batching up more work. [Default: 1s]' type: string + bpfL3IfacePattern: + description: BPFL3IfacePattern is a regular expression that allows + to list tunnel devices like wireguard or vxlan (i.e., L3 devices) + in addition to BPFDataIfacePattern. That is, tunnel interfaces not + created by Calico, that Calico workload traffic flows over as well + as any interfaces that handle incoming traffic to nodeports and + services from outside the cluster. + type: string bpfLogLevel: description: 'BPFLogLevel controls the log level of the BPF programs when in BPF dataplane mode. One of "Off", "Info", or "Debug". The 
@@ -883,11 +909,12 @@ spec: to use. Only used if UseInternalDataplaneDriver is set to false. type: string dataplaneWatchdogTimeout: - description: 'DataplaneWatchdogTimeout is the readiness/liveness timeout - used for Felix''s (internal) dataplane driver. Increase this value + description: "DataplaneWatchdogTimeout is the readiness/liveness timeout + used for Felix's (internal) dataplane driver. Increase this value if you experience spurious non-ready or non-live events when Felix is under heavy load. Decrease the value to get felix to report non-live - or non-ready more quickly. [Default: 90s]' + or non-ready more quickly. [Default: 90s] \n Deprecated: replaced + by the generic HealthTimeoutOverrides." type: string debugDisableLogDropping: type: boolean 
@@ -991,15 +1018,21 @@ spec: type: object type: array featureDetectOverride: - description: FeatureDetectOverride is used to override the feature - detection. Values are specified in a comma separated list with no - spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". - "true" or "false" will force the feature, empty or omitted values - are auto-detected. + description: FeatureDetectOverride is used to override feature detection + based on auto-detected platform capabilities. Values are specified + in a comma separated list with no spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". "true" + or "false" will force the feature, empty or omitted values are auto-detected. + type: string + featureGates: + description: FeatureGates is used to enable or disable tech-preview + Calico features. Values are specified in a comma separated list + with no spaces, example; "BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false". + This is used to enable features that are not fully production ready. type: string floatingIPs: description: FloatingIPs configures whether or not Felix will program - floating IP addresses. + non-OpenStack floating IP addresses. (OpenStack-derived floating + IPs are always programmed, regardless of this setting.) enum: - Enabled - Disabled 
@@ -1016,6 +1049,23 @@ spec: type: string healthPort: type: integer + healthTimeoutOverrides: + description: HealthTimeoutOverrides allows the internal watchdog timeouts + of individual subcomponents to be overriden. This is useful for + working around "false positive" liveness timeouts that can occur + in particularly stressful workloads or if CPU is constrained. For + a list of active subcomponents, see Felix's logs. + items: + properties: + name: + type: string + timeout: + type: string + required: + - name + - timeout + type: object + type: array interfaceExclude: description: 'InterfaceExclude is a comma-separated list of interfaces that Felix should exclude when monitoring for host endpoints. The @@ -1057,7 +1107,7 @@ spec: type: string iptablesBackend: description: IptablesBackend specifies which backend of iptables will - be used. The default is legacy. + be used. The default is Auto. type: string iptablesFilterAllowAction: type: string @@ -4305,7 +4355,7 @@ spec: value: node - name: DATASTORE_TYPE value: kubernetes - image: docker.io/calico/kube-controllers:v3.24.5 + image: docker.io/calico/kube-controllers:v3.25.0 imagePullPolicy: IfNotPresent livenessProbe: exec: @@ -4418,7 +4468,7 @@ spec: - configMapRef: name: kubernetes-services-endpoint optional: true - image: docker.io/calico/node:v3.24.5 + image: docker.io/calico/node:v3.25.0 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -4490,7 +4540,7 @@ spec: - configMapRef: name: kubernetes-services-endpoint optional: true - image: docker.io/calico/cni:v3.24.5 + image: docker.io/calico/cni:v3.25.0 imagePullPolicy: IfNotPresent name: upgrade-ipam securityContext: @@ -4525,7 +4575,7 @@ spec: - configMapRef: name: kubernetes-services-endpoint optional: true - image: docker.io/calico/cni:v3.24.5 + image: docker.io/calico/cni:v3.25.0 imagePullPolicy: IfNotPresent name: install-cni securityContext: 
@@ -4539,7 +4589,7 @@ spec: - calico-node - -init - -best-effort - image: docker.io/calico/node:v3.24.5 + image: docker.io/calico/node:v3.25.0 imagePullPolicy: IfNotPresent name: mount-bpffs securityContext: diff --git a/templates/addons/calico/calico-vxlan.yaml b/templates/addons/calico/calico-vxlan.yaml index 37649727f62..4876d794f79 100644 --- a/templates/addons/calico/calico-vxlan.yaml +++ b/templates/addons/calico/calico-vxlan.yaml @@ -149,6 +149,12 @@ spec: type: string type: object type: array + ignoredInterfaces: + description: IgnoredInterfaces indicates the network interfaces that + needs to be excluded when reading device routes. + items: + type: string + type: array listenPort: description: ListenPort is the port where BGP protocol should listen. Defaults to 179 @@ -367,12 +373,23 @@ spec: remote AS number comes from the remote node's NodeBGPSpec.ASNumber, or the global default if that is not set. type: string + reachableBy: + description: Add an exact, i.e. /32, static route toward peer IP in + order to prevent route flapping. ReachableBy contains the address + of the gateway which peer can be reached by. + type: string sourceAddress: description: Specifies whether and how to configure a source address for the peerings generated by this BGPPeer resource. Default value "UseNodeIP" means to configure the node IP as the source address. "None" means not to configure a source address. type: string + ttlSecurity: + description: TTLSecurity enables the generalized TTL security mechanism + (GTSM) which protects against spoofed packets by ignoring received + packets with a smaller than expected TTL value. The provided value + is the number of hops (edges) between the peers. + type: integer type: object type: object served: true 
@@ -857,9 +874,10 @@ spec: [Default: false]' type: boolean bpfEnforceRPF: - description: 'BPFEnforceRPF enforce strict RPF on all interfaces with - BPF programs regardless of what is the per-interfaces or global - setting. Possible values are Disabled or Strict. [Default: Strict]' + description: 'BPFEnforceRPF enforce strict RPF on all host interfaces + with BPF programs regardless of what is the per-interfaces or global + setting. Possible values are Disabled, Strict or Loose. [Default: + Strict]' type: string bpfExtToServiceConnmark: description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit @@ -899,6 +917,14 @@ spec: kube-proxy. Lower values give reduced set-up latency. Higher values reduce Felix CPU usage by batching up more work. [Default: 1s]' type: string + bpfL3IfacePattern: + description: BPFL3IfacePattern is a regular expression that allows + to list tunnel devices like wireguard or vxlan (i.e., L3 devices) + in addition to BPFDataIfacePattern. That is, tunnel interfaces not + created by Calico, that Calico workload traffic flows over as well + as any interfaces that handle incoming traffic to nodeports and + services from outside the cluster. + type: string bpfLogLevel: description: 'BPFLogLevel controls the log level of the BPF programs when in BPF dataplane mode. One of "Off", "Info", or "Debug". The 
@@ -974,11 +1000,12 @@ spec: to use. Only used if UseInternalDataplaneDriver is set to false. type: string dataplaneWatchdogTimeout: - description: 'DataplaneWatchdogTimeout is the readiness/liveness timeout - used for Felix''s (internal) dataplane driver. Increase this value + description: "DataplaneWatchdogTimeout is the readiness/liveness timeout + used for Felix's (internal) dataplane driver. Increase this value if you experience spurious non-ready or non-live events when Felix is under heavy load. Decrease the value to get felix to report non-live - or non-ready more quickly. [Default: 90s]' + or non-ready more quickly. [Default: 90s] \n Deprecated: replaced + by the generic HealthTimeoutOverrides." type: string debugDisableLogDropping: type: boolean 
@@ -1082,15 +1109,21 @@ spec: type: object type: array featureDetectOverride: - description: FeatureDetectOverride is used to override the feature - detection. Values are specified in a comma separated list with no - spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". - "true" or "false" will force the feature, empty or omitted values - are auto-detected. + description: FeatureDetectOverride is used to override feature detection + based on auto-detected platform capabilities. Values are specified + in a comma separated list with no spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". "true" + or "false" will force the feature, empty or omitted values are auto-detected. + type: string + featureGates: + description: FeatureGates is used to enable or disable tech-preview + Calico features. Values are specified in a comma separated list + with no spaces, example; "BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false". + This is used to enable features that are not fully production ready. type: string floatingIPs: description: FloatingIPs configures whether or not Felix will program - floating IP addresses. + non-OpenStack floating IP addresses. (OpenStack-derived floating + IPs are always programmed, regardless of this setting.) enum: - Enabled - Disabled 
@@ -1107,6 +1140,23 @@ spec: type: string healthPort: type: integer + healthTimeoutOverrides: + description: HealthTimeoutOverrides allows the internal watchdog timeouts + of individual subcomponents to be overriden. This is useful for + working around "false positive" liveness timeouts that can occur + in particularly stressful workloads or if CPU is constrained. For + a list of active subcomponents, see Felix's logs. + items: + properties: + name: + type: string + timeout: + type: string + required: + - name + - timeout + type: object + type: array interfaceExclude: description: 'InterfaceExclude is a comma-separated list of interfaces that Felix should exclude when monitoring for host endpoints. The @@ -1148,7 +1198,7 @@ spec: type: string iptablesBackend: description: IptablesBackend specifies which backend of iptables will - be used. The default is legacy. + be used. The default is Auto. type: string iptablesFilterAllowAction: type: string @@ -4390,7 +4440,7 @@ spec: # It can be deleted if this is a fresh installation, or if you have already # upgraded to use calico-ipam. - name: upgrade-ipam - image: docker.io/calico/cni:v3.24.5 + image: docker.io/calico/cni:v3.25.0 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/calico-ipam", "-upgrade"] envFrom: @@ -4418,7 +4468,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: docker.io/calico/cni:v3.24.5 + image: docker.io/calico/cni:v3.25.0 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/install"] envFrom: @@ -4461,7 +4511,7 @@ spec: # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode. - name: "mount-bpffs" - image: docker.io/calico/node:v3.24.5 + image: docker.io/calico/node:v3.25.0 imagePullPolicy: IfNotPresent command: ["calico-node", "-init", "-best-effort"] volumeMounts: 
@@ -4487,7 +4537,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: docker.io/calico/node:v3.24.5 + image: docker.io/calico/node:v3.25.0 imagePullPolicy: IfNotPresent envFrom: - configMapRef: @@ -4702,7 +4752,7 @@ spec: priorityClassName: system-cluster-critical containers: - name: calico-kube-controllers - image: docker.io/calico/kube-controllers:v3.24.5 + image: docker.io/calico/kube-controllers:v3.25.0 imagePullPolicy: IfNotPresent env: # Choose which controllers to run. diff --git a/templates/addons/windows/calico/calico.yaml b/templates/addons/windows/calico/calico.yaml index bec154aee32..770af40021b 100644 --- a/templates/addons/windows/calico/calico.yaml +++ b/templates/addons/windows/calico/calico.yaml @@ -163,7 +163,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: sigwindowstools/calico-install:v3.24.5-hostprocess + image: sigwindowstools/calico-install:v3.25.0-hostprocess args: ["$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/install.ps1"] imagePullPolicy: Always env: @@ -205,7 +205,7 @@ spec: runAsUserName: "NT AUTHORITY\\system" containers: - name: calico-node-startup - image: sigwindowstools/calico-node:v3.24.5-hostprocess + image: sigwindowstools/calico-node:v3.25.0-hostprocess args: ["$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/node-service.ps1"] workingDir: "$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/" imagePullPolicy: Always @@ -232,7 +232,7 @@ spec: - name: VXLAN_VNI value: "4096" - name: calico-node-felix - image: sigwindowstools/calico-node:v3.24.5-hostprocess + image: sigwindowstools/calico-node:v3.25.0-hostprocess args: ["$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/felix-service.ps1"] imagePullPolicy: Always workingDir: "$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/" 
diff --git a/templates/test/ci/cluster-template-prow-ci-version-windows-containerd-2022.yaml b/templates/test/ci/cluster-template-prow-ci-version-windows-containerd-2022.yaml index 8832fcb5b69..72671c5f202 100644 --- a/templates/test/ci/cluster-template-prow-ci-version-windows-containerd-2022.yaml +++ b/templates/test/ci/cluster-template-prow-ci-version-windows-containerd-2022.yaml @@ -728,7 +728,7 @@ data: for rescheduling.\n - key: CriticalAddonsOnly\n operator: Exists\n \ - effect: NoExecute\n operator: Exists\n initContainers:\n # This container installs the CNI binaries\n # and CNI network config file - on each node.\n - name: install-cni\n image: sigwindowstools/calico-install:v3.24.5-hostprocess\n + on each node.\n - name: install-cni\n image: sigwindowstools/calico-install:v3.25.0-hostprocess\n \ args: [\"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/install.ps1\"]\n \ imagePullPolicy: Always\n env:\n # Name of the CNI config file to create.\n - name: CNI_CONF_NAME\n value: @@ -747,7 +747,7 @@ data: cni-net-dir\n - name: kubeadm-config\n mountPath: /etc/kubeadm-config/\n \ securityContext:\n windowsOptions:\n hostProcess: true\n runAsUserName: \"NT AUTHORITY\\\\system\"\n containers:\n - \ - name: calico-node-startup\n image: sigwindowstools/calico-node:v3.24.5-hostprocess\n + \ - name: calico-node-startup\n image: sigwindowstools/calico-node:v3.25.0-hostprocess\n \ args: [\"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/node-service.ps1\"]\n \ workingDir: \"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/\"\n imagePullPolicy: Always\n volumeMounts:\n - name: calico-config-windows\n mountPath: 
@@ -758,7 +758,7 @@ data: name: CNI_IPAM_TYPE\n value: \"calico-ipam\"\n - name: CALICO_NETWORKING_BACKEND\n \ value: \"vxlan\"\n - name: KUBECONFIG\n value: \"C:/etc/cni/net.d/calico-kubeconfig\"\n \ - name: VXLAN_VNI\n value: \"4096\"\n - name: calico-node-felix\n - \ image: sigwindowstools/calico-node:v3.24.5-hostprocess\n args: + \ image: sigwindowstools/calico-node:v3.25.0-hostprocess\n args: [\"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/felix-service.ps1\"]\n imagePullPolicy: Always\n workingDir: \"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/\"\n volumeMounts:\n \ - name: calico-config-windows\n mountPath: /etc/kube-calico-windows/\n diff --git a/templates/test/ci/cluster-template-prow-ci-version.yaml b/templates/test/ci/cluster-template-prow-ci-version.yaml index 9f83d075c64..4ec3526024d 100644 --- a/templates/test/ci/cluster-template-prow-ci-version.yaml +++ b/templates/test/ci/cluster-template-prow-ci-version.yaml @@ -728,7 +728,7 @@ data: for rescheduling.\n - key: CriticalAddonsOnly\n operator: Exists\n \ - effect: NoExecute\n operator: Exists\n initContainers:\n # This container installs the CNI binaries\n # and CNI network config file - on each node.\n - name: install-cni\n image: sigwindowstools/calico-install:v3.24.5-hostprocess\n + on each node.\n - name: install-cni\n image: sigwindowstools/calico-install:v3.25.0-hostprocess\n \ args: [\"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/install.ps1\"]\n \ imagePullPolicy: Always\n env:\n # Name of the CNI config file to create.\n - name: CNI_CONF_NAME\n value: 
@@ -747,7 +747,7 @@ data: cni-net-dir\n - name: kubeadm-config\n mountPath: /etc/kubeadm-config/\n \ securityContext:\n windowsOptions:\n hostProcess: true\n runAsUserName: \"NT AUTHORITY\\\\system\"\n containers:\n - \ - name: calico-node-startup\n image: sigwindowstools/calico-node:v3.24.5-hostprocess\n + \ - name: calico-node-startup\n image: sigwindowstools/calico-node:v3.25.0-hostprocess\n \ args: [\"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/node-service.ps1\"]\n \ workingDir: \"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/\"\n imagePullPolicy: Always\n volumeMounts:\n - name: calico-config-windows\n mountPath: @@ -758,7 +758,7 @@ data: name: CNI_IPAM_TYPE\n value: \"calico-ipam\"\n - name: CALICO_NETWORKING_BACKEND\n \ value: \"vxlan\"\n - name: KUBECONFIG\n value: \"C:/etc/cni/net.d/calico-kubeconfig\"\n \ - name: VXLAN_VNI\n value: \"4096\"\n - name: calico-node-felix\n - \ image: sigwindowstools/calico-node:v3.24.5-hostprocess\n args: + \ image: sigwindowstools/calico-node:v3.25.0-hostprocess\n args: [\"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/felix-service.ps1\"]\n imagePullPolicy: Always\n workingDir: \"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/\"\n volumeMounts:\n \ - name: calico-config-windows\n mountPath: /etc/kube-calico-windows/\n diff --git a/templates/test/ci/cluster-template-prow-external-cloud-provider-ci-version.yaml b/templates/test/ci/cluster-template-prow-external-cloud-provider-ci-version.yaml index 08fdf5bb9c3..911cc7d2636 100644 --- a/templates/test/ci/cluster-template-prow-external-cloud-provider-ci-version.yaml +++ b/templates/test/ci/cluster-template-prow-external-cloud-provider-ci-version.yaml 
@@ -732,7 +732,7 @@ data: for rescheduling.\n - key: CriticalAddonsOnly\n operator: Exists\n \ - effect: NoExecute\n operator: Exists\n initContainers:\n # This container installs the CNI binaries\n # and CNI network config file - on each node.\n - name: install-cni\n image: sigwindowstools/calico-install:v3.24.5-hostprocess\n + on each node.\n - name: install-cni\n image: sigwindowstools/calico-install:v3.25.0-hostprocess\n \ args: [\"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/install.ps1\"]\n \ imagePullPolicy: Always\n env:\n # Name of the CNI config file to create.\n - name: CNI_CONF_NAME\n value: @@ -751,7 +751,7 @@ data: cni-net-dir\n - name: kubeadm-config\n mountPath: /etc/kubeadm-config/\n \ securityContext:\n windowsOptions:\n hostProcess: true\n runAsUserName: \"NT AUTHORITY\\\\system\"\n containers:\n - \ - name: calico-node-startup\n image: sigwindowstools/calico-node:v3.24.5-hostprocess\n + \ - name: calico-node-startup\n image: sigwindowstools/calico-node:v3.25.0-hostprocess\n \ args: [\"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/node-service.ps1\"]\n \ workingDir: \"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/\"\n imagePullPolicy: Always\n volumeMounts:\n - name: calico-config-windows\n mountPath: @@ -762,7 +762,7 @@ data: name: CNI_IPAM_TYPE\n value: \"calico-ipam\"\n - name: CALICO_NETWORKING_BACKEND\n \ value: \"vxlan\"\n - name: KUBECONFIG\n value: \"C:/etc/cni/net.d/calico-kubeconfig\"\n \ - name: VXLAN_VNI\n value: \"4096\"\n - name: calico-node-felix\n - \ image: sigwindowstools/calico-node:v3.24.5-hostprocess\n args: + \ image: sigwindowstools/calico-node:v3.25.0-hostprocess\n args: [\"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/felix-service.ps1\"]\n imagePullPolicy: Always\n workingDir: \"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/\"\n volumeMounts:\n \ - name: calico-config-windows\n mountPath: /etc/kube-calico-windows/\n 
diff --git a/templates/test/ci/cluster-template-prow-machine-pool-ci-version.yaml b/templates/test/ci/cluster-template-prow-machine-pool-ci-version.yaml index d07a1c7f25a..26d9f689d60 100644 --- a/templates/test/ci/cluster-template-prow-machine-pool-ci-version.yaml +++ b/templates/test/ci/cluster-template-prow-machine-pool-ci-version.yaml @@ -663,7 +663,7 @@ data: for rescheduling.\n - key: CriticalAddonsOnly\n operator: Exists\n \ - effect: NoExecute\n operator: Exists\n initContainers:\n # This container installs the CNI binaries\n # and CNI network config file - on each node.\n - name: install-cni\n image: sigwindowstools/calico-install:v3.24.5-hostprocess\n + on each node.\n - name: install-cni\n image: sigwindowstools/calico-install:v3.25.0-hostprocess\n \ args: [\"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/install.ps1\"]\n \ imagePullPolicy: Always\n env:\n # Name of the CNI config file to create.\n - name: CNI_CONF_NAME\n value: @@ -682,7 +682,7 @@ data: cni-net-dir\n - name: kubeadm-config\n mountPath: /etc/kubeadm-config/\n \ securityContext:\n windowsOptions:\n hostProcess: true\n runAsUserName: \"NT AUTHORITY\\\\system\"\n containers:\n - \ - name: calico-node-startup\n image: sigwindowstools/calico-node:v3.24.5-hostprocess\n + \ - name: calico-node-startup\n image: sigwindowstools/calico-node:v3.25.0-hostprocess\n \ args: [\"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/node-service.ps1\"]\n \ workingDir: \"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/\"\n imagePullPolicy: Always\n volumeMounts:\n - name: calico-config-windows\n mountPath: 
@@ -693,7 +693,7 @@ data: name: CNI_IPAM_TYPE\n value: \"calico-ipam\"\n - name: CALICO_NETWORKING_BACKEND\n \ value: \"vxlan\"\n - name: KUBECONFIG\n value: \"C:/etc/cni/net.d/calico-kubeconfig\"\n \ - name: VXLAN_VNI\n value: \"4096\"\n - name: calico-node-felix\n - \ image: sigwindowstools/calico-node:v3.24.5-hostprocess\n args: + \ image: sigwindowstools/calico-node:v3.25.0-hostprocess\n args: [\"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/felix-service.ps1\"]\n imagePullPolicy: Always\n workingDir: \"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/\"\n volumeMounts:\n \ - name: calico-config-windows\n mountPath: /etc/kube-calico-windows/\n diff --git a/templates/test/ci/cluster-template-prow-machine-pool.yaml b/templates/test/ci/cluster-template-prow-machine-pool.yaml index ba94098eb3d..368e1e98e99 100644 --- a/templates/test/ci/cluster-template-prow-machine-pool.yaml +++ b/templates/test/ci/cluster-template-prow-machine-pool.yaml @@ -475,7 +475,7 @@ data: for rescheduling.\n - key: CriticalAddonsOnly\n operator: Exists\n \ - effect: NoExecute\n operator: Exists\n initContainers:\n # This container installs the CNI binaries\n # and CNI network config file - on each node.\n - name: install-cni\n image: sigwindowstools/calico-install:v3.24.5-hostprocess\n + on each node.\n - name: install-cni\n image: sigwindowstools/calico-install:v3.25.0-hostprocess\n \ args: [\"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/install.ps1\"]\n \ imagePullPolicy: Always\n env:\n # Name of the CNI config file to create.\n - name: CNI_CONF_NAME\n value: 
@@ -494,7 +494,7 @@ data: cni-net-dir\n - name: kubeadm-config\n mountPath: /etc/kubeadm-config/\n \ securityContext:\n windowsOptions:\n hostProcess: true\n runAsUserName: \"NT AUTHORITY\\\\system\"\n containers:\n - \ - name: calico-node-startup\n image: sigwindowstools/calico-node:v3.24.5-hostprocess\n + \ - name: calico-node-startup\n image: sigwindowstools/calico-node:v3.25.0-hostprocess\n \ args: [\"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/node-service.ps1\"]\n \ workingDir: \"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/\"\n imagePullPolicy: Always\n volumeMounts:\n - name: calico-config-windows\n mountPath: @@ -505,7 +505,7 @@ data: name: CNI_IPAM_TYPE\n value: \"calico-ipam\"\n - name: CALICO_NETWORKING_BACKEND\n \ value: \"vxlan\"\n - name: KUBECONFIG\n value: \"C:/etc/cni/net.d/calico-kubeconfig\"\n \ - name: VXLAN_VNI\n value: \"4096\"\n - name: calico-node-felix\n - \ image: sigwindowstools/calico-node:v3.24.5-hostprocess\n args: + \ image: sigwindowstools/calico-node:v3.25.0-hostprocess\n args: [\"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/felix-service.ps1\"]\n imagePullPolicy: Always\n workingDir: \"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/\"\n volumeMounts:\n \ - name: calico-config-windows\n mountPath: /etc/kube-calico-windows/\n diff --git a/templates/test/ci/cluster-template-prow-private.yaml b/templates/test/ci/cluster-template-prow-private.yaml index ad0c777d382..41f4fb14f91 100644 --- a/templates/test/ci/cluster-template-prow-private.yaml +++ b/templates/test/ci/cluster-template-prow-private.yaml @@ -349,6 +349,12 @@ data: type: string type: object type: array + ignoredInterfaces: + description: IgnoredInterfaces indicates the network interfaces that + needs to be excluded when reading device routes. + items: + type: string + type: array listenPort: description: ListenPort is the port where BGP protocol should listen. Defaults to 179 
@@ -566,12 +572,23 @@ data: remote AS number comes from the remote node's NodeBGPSpec.ASNumber, or the global default if that is not set. type: string + reachableBy: + description: Add an exact, i.e. /32, static route toward peer IP in + order to prevent route flapping. ReachableBy contains the address + of the gateway which peer can be reached by. + type: string sourceAddress: description: Specifies whether and how to configure a source address for the peerings generated by this BGPPeer resource. Default value "UseNodeIP" means to configure the node IP as the source address. "None" means not to configure a source address. type: string + ttlSecurity: + description: TTLSecurity enables the generalized TTL security mechanism + (GTSM) which protects against spoofed packets by ignoring received + packets with a smaller than expected TTL value. The provided value + is the number of hops (edges) between the peers. + type: integer type: object type: object served: true @@ -1052,9 +1069,10 @@ data: [Default: false]' type: boolean bpfEnforceRPF: - description: 'BPFEnforceRPF enforce strict RPF on all interfaces with - BPF programs regardless of what is the per-interfaces or global - setting. Possible values are Disabled or Strict. [Default: Strict]' + description: 'BPFEnforceRPF enforce strict RPF on all host interfaces + with BPF programs regardless of what is the per-interfaces or global + setting. Possible values are Disabled, Strict or Loose. [Default: + Strict]' type: string bpfExtToServiceConnmark: description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit 
@@ -1094,6 +1112,14 @@ data: kube-proxy. Lower values give reduced set-up latency. Higher values reduce Felix CPU usage by batching up more work. [Default: 1s]' type: string + bpfL3IfacePattern: + description: BPFL3IfacePattern is a regular expression that allows + to list tunnel devices like wireguard or vxlan (i.e., L3 devices) + in addition to BPFDataIfacePattern. That is, tunnel interfaces not + created by Calico, that Calico workload traffic flows over as well + as any interfaces that handle incoming traffic to nodeports and + services from outside the cluster. + type: string bpfLogLevel: description: 'BPFLogLevel controls the log level of the BPF programs when in BPF dataplane mode. One of "Off", "Info", or "Debug". The @@ -1169,11 +1195,12 @@ data: to use. Only used if UseInternalDataplaneDriver is set to false. type: string dataplaneWatchdogTimeout: - description: 'DataplaneWatchdogTimeout is the readiness/liveness timeout - used for Felix''s (internal) dataplane driver. Increase this value + description: "DataplaneWatchdogTimeout is the readiness/liveness timeout + used for Felix's (internal) dataplane driver. Increase this value if you experience spurious non-ready or non-live events when Felix is under heavy load. Decrease the value to get felix to report non-live - or non-ready more quickly. [Default: 90s]' + or non-ready more quickly. [Default: 90s] \n Deprecated: replaced + by the generic HealthTimeoutOverrides." type: string debugDisableLogDropping: type: boolean 
@@ -1277,15 +1304,21 @@ data: type: object type: array featureDetectOverride: - description: FeatureDetectOverride is used to override the feature - detection. Values are specified in a comma separated list with no - spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". - "true" or "false" will force the feature, empty or omitted values - are auto-detected. + description: FeatureDetectOverride is used to override feature detection + based on auto-detected platform capabilities. Values are specified + in a comma separated list with no spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". "true" + or "false" will force the feature, empty or omitted values are auto-detected. + type: string + featureGates: + description: FeatureGates is used to enable or disable tech-preview + Calico features. Values are specified in a comma separated list + with no spaces, example; "BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false". + This is used to enable features that are not fully production ready. type: string floatingIPs: description: FloatingIPs configures whether or not Felix will program - floating IP addresses. + non-OpenStack floating IP addresses. (OpenStack-derived floating + IPs are always programmed, regardless of this setting.) enum: - Enabled - Disabled 
@@ -1302,6 +1335,23 @@ data: type: string healthPort: type: integer + healthTimeoutOverrides: + description: HealthTimeoutOverrides allows the internal watchdog timeouts + of individual subcomponents to be overriden. This is useful for + working around "false positive" liveness timeouts that can occur + in particularly stressful workloads or if CPU is constrained. For + a list of active subcomponents, see Felix's logs. + items: + properties: + name: + type: string + timeout: + type: string + required: + - name + - timeout + type: object + type: array interfaceExclude: description: 'InterfaceExclude is a comma-separated list of interfaces that Felix should exclude when monitoring for host endpoints. The @@ -1343,7 +1393,7 @@ data: type: string iptablesBackend: description: IptablesBackend specifies which backend of iptables will - be used. The default is legacy. + be used. The default is Auto. type: string iptablesFilterAllowAction: type: string @@ -4591,7 +4641,7 @@ data: value: node - name: DATASTORE_TYPE value: kubernetes - image: docker.io/calico/kube-controllers:v3.24.5 + image: docker.io/calico/kube-controllers:v3.25.0 imagePullPolicy: IfNotPresent livenessProbe: exec: @@ -4704,7 +4754,7 @@ data: - configMapRef: name: kubernetes-services-endpoint optional: true - image: docker.io/calico/node:v3.24.5 + image: docker.io/calico/node:v3.25.0 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -4776,7 +4826,7 @@ data: - configMapRef: name: kubernetes-services-endpoint optional: true - image: docker.io/calico/cni:v3.24.5 + image: docker.io/calico/cni:v3.25.0 imagePullPolicy: IfNotPresent name: upgrade-ipam securityContext: @@ -4811,7 +4861,7 @@ data: - configMapRef: name: kubernetes-services-endpoint optional: true - image: docker.io/calico/cni:v3.24.5 + image: docker.io/calico/cni:v3.25.0 imagePullPolicy: IfNotPresent name: install-cni securityContext: 
@@ -4825,7 +4875,7 @@ data: - calico-node - -init - -best-effort - image: docker.io/calico/node:v3.24.5 + image: docker.io/calico/node:v3.25.0 imagePullPolicy: IfNotPresent name: mount-bpffs securityContext: diff --git a/templates/test/ci/cluster-template-prow-topology.yaml b/templates/test/ci/cluster-template-prow-topology.yaml index 71d945aa60d..39a3cb658c5 100644 --- a/templates/test/ci/cluster-template-prow-topology.yaml +++ b/templates/test/ci/cluster-template-prow-topology.yaml @@ -187,7 +187,7 @@ data: for rescheduling.\n - key: CriticalAddonsOnly\n operator: Exists\n \ - effect: NoExecute\n operator: Exists\n initContainers:\n # This container installs the CNI binaries\n # and CNI network config file - on each node.\n - name: install-cni\n image: sigwindowstools/calico-install:v3.24.5-hostprocess\n + on each node.\n - name: install-cni\n image: sigwindowstools/calico-install:v3.25.0-hostprocess\n \ args: [\"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/install.ps1\"]\n \ imagePullPolicy: Always\n env:\n # Name of the CNI config file to create.\n - name: CNI_CONF_NAME\n value: @@ -206,7 +206,7 @@ data: cni-net-dir\n - name: kubeadm-config\n mountPath: /etc/kubeadm-config/\n \ securityContext:\n windowsOptions:\n hostProcess: true\n runAsUserName: \"NT AUTHORITY\\\\system\"\n containers:\n - \ - name: calico-node-startup\n image: sigwindowstools/calico-node:v3.24.5-hostprocess\n + \ - name: calico-node-startup\n image: sigwindowstools/calico-node:v3.25.0-hostprocess\n \ args: [\"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/node-service.ps1\"]\n \ workingDir: \"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/\"\n imagePullPolicy: Always\n volumeMounts:\n - name: calico-config-windows\n mountPath: 
@@ -217,7 +217,7 @@ data: name: CNI_IPAM_TYPE\n value: \"calico-ipam\"\n - name: CALICO_NETWORKING_BACKEND\n \ value: \"vxlan\"\n - name: KUBECONFIG\n value: \"C:/etc/cni/net.d/calico-kubeconfig\"\n \ - name: VXLAN_VNI\n value: \"4096\"\n - name: calico-node-felix\n - \ image: sigwindowstools/calico-node:v3.24.5-hostprocess\n args: + \ image: sigwindowstools/calico-node:v3.25.0-hostprocess\n args: [\"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/felix-service.ps1\"]\n imagePullPolicy: Always\n workingDir: \"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/\"\n volumeMounts:\n \ - name: calico-config-windows\n mountPath: /etc/kube-calico-windows/\n diff --git a/templates/test/ci/cluster-template-prow.yaml b/templates/test/ci/cluster-template-prow.yaml index baf726a6297..93d07bc5c46 100644 --- a/templates/test/ci/cluster-template-prow.yaml +++ b/templates/test/ci/cluster-template-prow.yaml @@ -538,7 +538,7 @@ data: for rescheduling.\n - key: CriticalAddonsOnly\n operator: Exists\n \ - effect: NoExecute\n operator: Exists\n initContainers:\n # This container installs the CNI binaries\n # and CNI network config file - on each node.\n - name: install-cni\n image: sigwindowstools/calico-install:v3.24.5-hostprocess\n + on each node.\n - name: install-cni\n image: sigwindowstools/calico-install:v3.25.0-hostprocess\n \ args: [\"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/install.ps1\"]\n \ imagePullPolicy: Always\n env:\n # Name of the CNI config file to create.\n - name: CNI_CONF_NAME\n value: 
@@ -557,7 +557,7 @@ data: cni-net-dir\n - name: kubeadm-config\n mountPath: /etc/kubeadm-config/\n \ securityContext:\n windowsOptions:\n hostProcess: true\n runAsUserName: \"NT AUTHORITY\\\\system\"\n containers:\n - \ - name: calico-node-startup\n image: sigwindowstools/calico-node:v3.24.5-hostprocess\n + \ - name: calico-node-startup\n image: sigwindowstools/calico-node:v3.25.0-hostprocess\n \ args: [\"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/node-service.ps1\"]\n \ workingDir: \"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/\"\n imagePullPolicy: Always\n volumeMounts:\n - name: calico-config-windows\n mountPath: @@ -568,7 +568,7 @@ data: name: CNI_IPAM_TYPE\n value: \"calico-ipam\"\n - name: CALICO_NETWORKING_BACKEND\n \ value: \"vxlan\"\n - name: KUBECONFIG\n value: \"C:/etc/cni/net.d/calico-kubeconfig\"\n \ - name: VXLAN_VNI\n value: \"4096\"\n - name: calico-node-felix\n - \ image: sigwindowstools/calico-node:v3.24.5-hostprocess\n args: + \ image: sigwindowstools/calico-node:v3.25.0-hostprocess\n args: [\"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/felix-service.ps1\"]\n imagePullPolicy: Always\n workingDir: \"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/\"\n volumeMounts:\n \ - name: calico-config-windows\n mountPath: /etc/kube-calico-windows/\n diff --git a/templates/test/dev/cluster-template-custom-builds-machine-pool.yaml b/templates/test/dev/cluster-template-custom-builds-machine-pool.yaml index 02836957e19..50914394eea 100644 --- a/templates/test/dev/cluster-template-custom-builds-machine-pool.yaml +++ b/templates/test/dev/cluster-template-custom-builds-machine-pool.yaml 
@@ -568,7 +568,7 @@ data: for rescheduling.\n - key: CriticalAddonsOnly\n operator: Exists\n \ - effect: NoExecute\n operator: Exists\n initContainers:\n # This container installs the CNI binaries\n # and CNI network config file - on each node.\n - name: install-cni\n image: sigwindowstools/calico-install:v3.24.5-hostprocess\n + on each node.\n - name: install-cni\n image: sigwindowstools/calico-install:v3.25.0-hostprocess\n \ args: [\"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/install.ps1\"]\n \ imagePullPolicy: Always\n env:\n # Name of the CNI config file to create.\n - name: CNI_CONF_NAME\n value: @@ -587,7 +587,7 @@ data: cni-net-dir\n - name: kubeadm-config\n mountPath: /etc/kubeadm-config/\n \ securityContext:\n windowsOptions:\n hostProcess: true\n runAsUserName: \"NT AUTHORITY\\\\system\"\n containers:\n - \ - name: calico-node-startup\n image: sigwindowstools/calico-node:v3.24.5-hostprocess\n + \ - name: calico-node-startup\n image: sigwindowstools/calico-node:v3.25.0-hostprocess\n \ args: [\"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/node-service.ps1\"]\n \ workingDir: \"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/\"\n imagePullPolicy: Always\n volumeMounts:\n - name: calico-config-windows\n mountPath: @@ -598,7 +598,7 @@ data: name: CNI_IPAM_TYPE\n value: \"calico-ipam\"\n - name: CALICO_NETWORKING_BACKEND\n \ value: \"vxlan\"\n - name: KUBECONFIG\n value: \"C:/etc/cni/net.d/calico-kubeconfig\"\n \ - name: VXLAN_VNI\n value: \"4096\"\n - name: calico-node-felix\n - \ image: sigwindowstools/calico-node:v3.24.5-hostprocess\n args: + \ image: sigwindowstools/calico-node:v3.25.0-hostprocess\n args: [\"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/felix-service.ps1\"]\n imagePullPolicy: Always\n workingDir: \"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/\"\n volumeMounts:\n \ - name: calico-config-windows\n mountPath: /etc/kube-calico-windows/\n 
diff --git a/templates/test/dev/cluster-template-custom-builds.yaml b/templates/test/dev/cluster-template-custom-builds.yaml index 1aaf340f7af..6edbe3c550c 100644 --- a/templates/test/dev/cluster-template-custom-builds.yaml +++ b/templates/test/dev/cluster-template-custom-builds.yaml @@ -675,7 +675,7 @@ data: for rescheduling.\n - key: CriticalAddonsOnly\n operator: Exists\n \ - effect: NoExecute\n operator: Exists\n initContainers:\n # This container installs the CNI binaries\n # and CNI network config file - on each node.\n - name: install-cni\n image: sigwindowstools/calico-install:v3.24.5-hostprocess\n + on each node.\n - name: install-cni\n image: sigwindowstools/calico-install:v3.25.0-hostprocess\n \ args: [\"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/install.ps1\"]\n \ imagePullPolicy: Always\n env:\n # Name of the CNI config file to create.\n - name: CNI_CONF_NAME\n value: @@ -694,7 +694,7 @@ data: cni-net-dir\n - name: kubeadm-config\n mountPath: /etc/kubeadm-config/\n \ securityContext:\n windowsOptions:\n hostProcess: true\n runAsUserName: \"NT AUTHORITY\\\\system\"\n containers:\n - \ - name: calico-node-startup\n image: sigwindowstools/calico-node:v3.24.5-hostprocess\n + \ - name: calico-node-startup\n image: sigwindowstools/calico-node:v3.25.0-hostprocess\n \ args: [\"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/node-service.ps1\"]\n \ workingDir: \"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/\"\n imagePullPolicy: Always\n volumeMounts:\n - name: calico-config-windows\n mountPath: 
@@ -705,7 +705,7 @@ data: name: CNI_IPAM_TYPE\n value: \"calico-ipam\"\n - name: CALICO_NETWORKING_BACKEND\n \ value: \"vxlan\"\n - name: KUBECONFIG\n value: \"C:/etc/cni/net.d/calico-kubeconfig\"\n \ - name: VXLAN_VNI\n value: \"4096\"\n - name: calico-node-felix\n - \ image: sigwindowstools/calico-node:v3.24.5-hostprocess\n args: + \ image: sigwindowstools/calico-node:v3.25.0-hostprocess\n args: [\"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/felix-service.ps1\"]\n imagePullPolicy: Always\n workingDir: \"$env:CONTAINER_SANDBOX_MOUNT_POINT/calico/\"\n volumeMounts:\n \ - name: calico-config-windows\n mountPath: /etc/kube-calico-windows/\n