kubernetes
/
minikube
mirror of https://github.com/kubernetes/minikube.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

CNI: Update calico from v3.26.4 to v3.27.0

pull/17824/head
minikube-bot 2023-12-18 10:05:15 +00:00
parent 40f190b062
commit e73fe62896
2 changed files with 141 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pkg/minikube/bootstrapper/images/images.go
View File

@ -183,7 +183,7 @@ func KindNet(repo string) string {
}
// all calico images are from https://github.com/projectcalico/calico/blob/master/manifests/calico.yaml
const calicoVersion = "v3.26.4"
const calicoVersion = "v3.27.0"
const calicoRepo = "docker.io/calico"
// CalicoDaemonSet returns the image used for calicoDaemonSet

149
pkg/minikube/cni/calico.yaml
View File

@ -325,12 +325,14 @@ spec:
type: string
cidr:
type: string
interface:
type: string
matchOperator:
type: string
source:
type: string
required:
- action
- cidr
- matchOperator
type: object
type: array
exportV6:
@ -344,12 +346,14 @@ spec:
type: string
cidr:
type: string
interface:
type: string
matchOperator:
type: string
source:
type: string
required:
- action
- cidr
- matchOperator
type: object
type: array
importV4:
@ -363,12 +367,14 @@ spec:
type: string
cidr:
type: string
interface:
type: string
matchOperator:
type: string
source:
type: string
required:
- action
- cidr
- matchOperator
type: object
type: array
importV6:
@ -382,12 +388,14 @@ spec:
type: string
cidr:
type: string
interface:
type: string
matchOperator:
type: string
source:
type: string
required:
- action
- cidr
- matchOperator
type: object
type: array
type: object
@ -982,12 +990,32 @@ spec:
- Enable
- Disable
type: string
bpfCTLBLogFilter:
description: 'BPFCTLBLogFilter specifies, what is logged by connect
time load balancer when BPFLogLevel is debug. Currently has to be
specified as ''all'' when BPFLogFilters is set to see CTLB logs.
[Default: unset - means logs are emitted when BPFLogLevel id debug
and BPFLogFilters not set.]'
type: string
bpfConnectTimeLoadBalancing:
description: 'BPFConnectTimeLoadBalancing when in BPF mode, controls
whether Felix installs the connect-time load balancer. The connect-time
load balancer is required for the host to be able to reach Kubernetes
services and it improves the performance of pod-to-service connections.When
set to TCP, connect time load balancing is available only for services
with TCP ports. [Default: TCP]'
enum:
- TCP
- Enabled
- Disabled
type: string
bpfConnectTimeLoadBalancingEnabled:
description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode,
controls whether Felix installs the connection-time load balancer. The
connect-time load balancer is required for the host to be able to
reach Kubernetes services and it improves the performance of pod-to-service
connections. The only reason to disable it is for debugging purposes. [Default:
connections. The only reason to disable it is for debugging purposes.
This will be deprecated. Use BPFConnectTimeLoadBalancing [Default:
true]'
type: boolean
bpfDSROptoutCIDRs:
@ -1006,6 +1034,12 @@ spec:
the cluster. It should not match the workload interfaces (usually
named cali...).
type: string
bpfDisableGROForIfaces:
description: BPFDisableGROForIfaces is a regular expression that controls
which interfaces Felix should disable the Generic Receive Offload
[GRO] option. It should not match the workload interfaces (usually
named cali...).
type: string
bpfDisableUnprivileged:
description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled
sysctl to disable unprivileged use of BPF. This ensures that unprivileged
@ -1021,6 +1055,7 @@ spec:
with BPF programs regardless of what is the per-interfaces or global
setting. Possible values are Disabled, Strict or Loose. [Default:
Loose]'
pattern: ^(?i)(Disabled|Strict|Loose)?$
type: string
bpfExtToServiceConnmark:
description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit
@ -1038,12 +1073,31 @@ spec:
is sent directly from the remote node. In "DSR" mode, the remote
node appears to use the IP of the ingress node; this requires a
permissive L2 network. [Default: Tunnel]'
pattern: ^(?i)(Tunnel|DSR)?$
type: string
bpfForceTrackPacketsFromIfaces:
description: 'BPFForceTrackPacketsFromIfaces in BPF mode, forces traffic
from these interfaces to skip Calico''s iptables NOTRACK rule, allowing
traffic from those interfaces to be tracked by Linux conntrack. Should
only be used for interfaces that are not used for the Calico fabric. For
example, a docker bridge device for non-Calico-networked containers.
[Default: docker+]'
items:
type: string
type: array
bpfHostConntrackBypass:
description: 'BPFHostConntrackBypass Controls whether to bypass Linux
conntrack in BPF mode for workloads and services. [Default: true
- bypass Linux conntrack]'
type: boolean
bpfHostNetworkedNATWithoutCTLB:
description: 'BPFHostNetworkedNATWithoutCTLB when in BPF mode, controls
whether Felix does a NAT without CTLB. This along with BPFConnectTimeLoadBalancing
determines the CTLB behavior. [Default: Enabled]'
enum:
- Enabled
- Disabled
type: string
bpfKubeProxyEndpointSlicesEnabled:
description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls
whether Felix's embedded kube-proxy accepts EndpointSlices or not.
@ -1059,6 +1113,7 @@ spec:
minimum time between updates to the dataplane for Felix''s embedded
kube-proxy. Lower values give reduced set-up latency. Higher values
reduce Felix CPU usage by batching up more work. [Default: 1s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
bpfL3IfacePattern:
description: BPFL3IfacePattern is a regular expression that allows
@ -1068,11 +1123,22 @@ spec:
as any interfaces that handle incoming traffic to nodeports and
services from outside the cluster.
type: string
bpfLogFilters:
additionalProperties:
type: string
description: "BPFLogFilters is a map of key=values where the value
is a pcap filter expression and the key is an interface name with
'all' denoting all interfaces, 'weps' all workload endpoints and
'heps' all host endpoints. \n When specified as an env var, it accepts
a comma-separated list of key=values. [Default: unset - means all
debug logs are emitted]"
type: object
bpfLogLevel:
description: 'BPFLogLevel controls the log level of the BPF programs
when in BPF dataplane mode. One of "Off", "Info", or "Debug". The
logs are emitted to the BPF trace pipe, accessible with the command
`tc exec bpf debug`. [Default: Off].'
pattern: ^(?i)(Off|Info|Debug)?$
type: string
bpfMapSizeConntrack:
description: 'BPFMapSizeConntrack sets the size for the conntrack
@ -1137,6 +1203,7 @@ spec:
to append mode, be sure that the other rules in the chains signal
acceptance by falling through to the Calico rules, otherwise the
Calico policy will be bypassed. [Default: insert]'
pattern: ^(?i)(insert|append)?$
type: string
dataplaneDriver:
description: DataplaneDriver filename of the external dataplane driver
@ -1155,8 +1222,10 @@ spec:
debugMemoryProfilePath:
type: string
debugSimulateCalcGraphHangAfter:
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
debugSimulateDataplaneHangAfter:
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
defaultEndpointToHostAction:
description: 'DefaultEndpointToHostAction controls what happens to
@ -1171,6 +1240,7 @@ spec:
endpoint egress policy. Use ACCEPT to unconditionally accept packets
from workloads after processing workload endpoint egress policy.
[Default: Drop]'
pattern: ^(?i)(Drop|Accept|Return)?$
type: string
deviceRouteProtocol:
description: This defines the route protocol added to programmed device
@ -1189,6 +1259,7 @@ spec:
disableConntrackInvalidCheck:
type: boolean
endpointReportingDelay:
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
endpointReportingEnabled:
type: boolean
@ -1256,12 +1327,14 @@ spec:
based on auto-detected platform capabilities. Values are specified
in a comma separated list with no spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". "true"
or "false" will force the feature, empty or omitted values are auto-detected.
pattern: ^([a-zA-Z0-9-_]+=(true|false|),)*([a-zA-Z0-9-_]+=(true|false|))?$
type: string
featureGates:
description: FeatureGates is used to enable or disable tech-preview
Calico features. Values are specified in a comma separated list
with no spaces, example; "BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false".
This is used to enable features that are not fully production ready.
pattern: ^([a-zA-Z0-9-_]+=([^=]+),)*([a-zA-Z0-9-_]+=([^=]+))?$
type: string
floatingIPs:
description: FloatingIPs configures whether or not Felix will program
@ -1323,6 +1396,7 @@ spec:
description: InterfaceRefreshInterval is the period at which Felix
rescans local interfaces to verify their state. The rescan can be
disabled by setting the interval to 0.
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
ipipEnabled:
description: 'IPIPEnabled overrides whether Felix should configure
@ -1338,18 +1412,22 @@ spec:
all iptables state to ensure that no other process has accidentally
broken Calico''s rules. Set to 0 to disable iptables refresh. [Default:
90s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
iptablesBackend:
description: IptablesBackend specifies which backend of iptables will
be used. The default is Auto.
pattern: ^(?i)(Auto|FelixConfiguration|FelixConfigurationList|Legacy|NFT)?$
type: string
iptablesFilterAllowAction:
pattern: ^(?i)(Accept|Return)?$
type: string
iptablesFilterDenyAction:
description: IptablesFilterDenyAction controls what happens to traffic
that is denied by network policy. By default Calico blocks traffic
with an iptables "DROP" action. If you want to use "REJECT" action
instead you can configure it in here.
pattern: ^(?i)(Drop|Reject)?$
type: string
iptablesLockFilePath:
description: 'IptablesLockFilePath is the location of the iptables
@ -1362,6 +1440,7 @@ spec:
wait between attempts to acquire the iptables lock if it is not
available. Lower values make Felix more responsive when the lock
is contended, but use more CPU. [Default: 50ms]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
iptablesLockTimeout:
description: 'IptablesLockTimeout is the time that Felix will wait
@ -1370,8 +1449,10 @@ spec:
also take the lock. When running Felix inside a container, this
requires the /run directory of the host to be mounted into the calico/node
or calico/felix container. [Default: 0s disabled]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
iptablesMangleAllowAction:
pattern: ^(?i)(Accept|Return)?$
type: string
iptablesMarkMask:
description: 'IptablesMarkMask is the mask that Felix selects its
@ -1388,6 +1469,7 @@ spec:
back in order to check the write was not clobbered by another process.
This should only occur if another application on the system doesn''t
respect the iptables lock. [Default: 1s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
iptablesRefreshInterval:
description: 'IptablesRefreshInterval is the period at which Felix
@ -1398,6 +1480,7 @@ spec:
was fixed in kernel version 4.11. If you are using v4.11 or greater
you may want to set this to, a higher value to reduce Felix CPU
usage. [Default: 10s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
ipv6Support:
description: IPv6Support controls whether Felix enables support for
@ -1432,15 +1515,18 @@ spec:
logSeverityFile:
description: 'LogSeverityFile is the log severity above which logs
are sent to the log file. [Default: Info]'
pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$
type: string
logSeverityScreen:
description: 'LogSeverityScreen is the log severity above which logs
are sent to the stdout. [Default: Info]'
pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$
type: string
logSeveritySys:
description: 'LogSeveritySys is the log severity above which logs
are sent to the syslog. Set to None for no logging to syslog. [Default:
Info]'
pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$
type: string
maxIpsetSize:
type: integer
@ -1479,6 +1565,7 @@ spec:
pattern: ^.*
x-kubernetes-int-or-string: true
netlinkTimeout:
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
openstackRegion:
description: 'OpenstackRegion is the name of the region that a particular
@ -1533,21 +1620,25 @@ spec:
description: 'ReportingInterval is the interval at which Felix reports
its status into the datastore or 0 to disable. Must be non-zero
in OpenStack deployments. [Default: 30s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
reportingTTL:
description: 'ReportingTTL is the time-to-live setting for process-wide
status reports. [Default: 90s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
routeRefreshInterval:
description: 'RouteRefreshInterval is the period at which Felix re-checks
the routes in the dataplane to ensure that no other process has
accidentally broken Calico''s rules. Set to 0 to disable route refresh.
[Default: 90s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
routeSource:
description: 'RouteSource configures where Felix gets its routing
information. - WorkloadIPs: use workload endpoints to construct
routes. - CalicoIPAM: the default - use IPAM data to construct routes.'
pattern: ^(?i)(WorkloadIPs|CalicoIPAM)?$
type: string
routeSyncDisabled:
description: RouteSyncDisabled will disable all operations performed
@ -1587,6 +1678,7 @@ spec:
packets that do not get DNAT''d by kube-proxy. Unless set to "Disabled",
in which case such routing loops continue to be allowed. [Default:
Drop]'
pattern: ^(?i)(Drop|Reject|Disabled)?$
type: string
sidecarAccelerationEnabled:
description: 'SidecarAccelerationEnabled enables experimental sidecar
@ -1602,10 +1694,12 @@ spec:
usageReportingInitialDelay:
description: 'UsageReportingInitialDelay controls the minimum delay
before Felix makes a report. [Default: 300s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
usageReportingInterval:
description: 'UsageReportingInterval controls the interval at which
Felix makes reports. [Default: 86400s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
useInternalDataplaneDriver:
description: UseInternalDataplaneDriver, if true, Felix will use its
@ -1629,6 +1723,14 @@ spec:
type: integer
vxlanVNI:
type: integer
windowsManageFirewallRules:
description: 'WindowsManageFirewallRules configures whether or not
Felix will program Windows Firewall rules. (to allow inbound access
to its own metrics ports) [Default: Disabled]'
enum:
- Enabled
- Disabled
type: string
wireguardEnabled:
description: 'WireguardEnabled controls whether Wireguard is enabled
for IPv4 (encapsulating IPv4 traffic over an IPv4 underlay network).
@ -1654,6 +1756,7 @@ spec:
wireguardKeepAlive:
description: 'WireguardKeepAlive controls Wireguard PersistentKeepalive
option. Set 0 to disable. [Default: 0]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
wireguardListeningPort:
description: 'WireguardListeningPort controls the listening port used
@ -1680,6 +1783,7 @@ spec:
the allowedSourcePrefixes annotation to send traffic with a source
IP address that is not theirs. This is disabled by default. When
set to "Any", pods can request any prefix.
pattern: ^(?i)(Disabled|Any)?$
type: string
xdpEnabled:
description: 'XDPEnabled enables XDP acceleration for suitable untracked
@ -1690,6 +1794,7 @@ spec:
all XDP state to ensure that no other process has accidentally broken
Calico''s BPF maps or attached programs. Set to 0 to disable XDP
refresh. [Default: 90s]'
pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$
type: string
type: object
type: object
@ -2504,6 +2609,19 @@ spec:
with identical order will be applied in alphanumerical order based
on the Policy "Name".
type: number
performanceHints:
description: "PerformanceHints contains a list of hints to Calico's
policy engine to help process the policy more efficiently. Hints
never change the enforcement behaviour of the policy. \n Currently,
the only available hint is \"AssumeNeededOnEveryNode\". When that
hint is set on a policy, Felix will act as if the policy matches
a local endpoint even if it does not. This is useful for \"preloading\"
any large static policies that are known to be used on every node.
If the policy is _not_ used on a particular node then the work done
to preload the policy (and to maintain it) is wasted."
items:
type: string
type: array
preDNAT:
description: PreDNAT indicates to apply the rules in this policy before
any DNAT.
@ -4163,6 +4281,19 @@ spec:
with identical order will be applied in alphanumerical order based
on the Policy "Name".
type: number
performanceHints:
description: "PerformanceHints contains a list of hints to Calico's
policy engine to help process the policy more efficiently. Hints
never change the enforcement behaviour of the policy. \n Currently,
the only available hint is \"AssumeNeededOnEveryNode\". When that
hint is set on a policy, Felix will act as if the policy matches
a local endpoint even if it does not. This is useful for \"preloading\"
any large static policies that are known to be used on every node.
If the policy is _not_ used on a particular node then the work done
to preload the policy (and to maintain it) is wasted."
items:
type: string
type: array
selector:
description: "The selector is an expression used to pick pick out
the endpoints that the policy should be applied to. \n Selector