temp commit
This commit is contained in:
magicsong
292
vendor/github.com/projectcalico/libcalico-go/lib/apis/v3/felixconfig.go
generated
vendored
Normal file
292
vendor/github.com/projectcalico/libcalico-go/lib/apis/v3/felixconfig.go
generated
vendored
Normal file
@@ -0,0 +1,292 @@
|
||||
// Copyright (c) 2017-2019 Tigera, Inc. All rights reserved.
|
||||
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package v3
|
||||
|
||||
import (
|
||||
"github.com/projectcalico/libcalico-go/lib/numorstring"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
)
|
||||
|
||||
type IptablesBackend string
|
||||
|
||||
const (
|
||||
KindFelixConfiguration = "FelixConfiguration"
|
||||
KindFelixConfigurationList = "FelixConfigurationList"
|
||||
IptablesBackendLegacy = "Legacy"
|
||||
IptablesBackendNFTables = "NFT"
|
||||
)
|
||||
|
||||
// +genclient
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
|
||||
// Felix Configuration contains the configuration for Felix.
|
||||
type FelixConfiguration struct {
|
||||
metav1.TypeMeta `json:",inline"`
|
||||
// Standard object's metadata.
|
||||
metav1.ObjectMeta `json:"metadata,omitempty"`
|
||||
// Specification of the FelixConfiguration.
|
||||
Spec FelixConfigurationSpec `json:"spec,omitempty"`
|
||||
}
|
||||
|
||||
// FelixConfigurationSpec contains the values of the Felix configuration.
|
||||
type FelixConfigurationSpec struct {
|
||||
UseInternalDataplaneDriver *bool `json:"useInternalDataplaneDriver,omitempty"`
|
||||
DataplaneDriver string `json:"dataplaneDriver,omitempty"`
|
||||
|
||||
IPv6Support *bool `json:"ipv6Support,omitempty" confignamev1:"Ipv6Support"`
|
||||
IgnoreLooseRPF *bool `json:"ignoreLooseRPF,omitempty"`
|
||||
|
||||
// RouterefreshInterval is the period at which Felix re-checks the routes
|
||||
// in the dataplane to ensure that no other process has accidentally broken Calico’s rules.
|
||||
// Set to 0 to disable route refresh. [Default: 90s]
|
||||
RouteRefreshInterval *metav1.Duration `json:"routeRefreshInterval,omitempty" configv1timescale:"seconds"`
|
||||
// IptablesRefreshInterval is the period at which Felix re-checks the IP sets
|
||||
// in the dataplane to ensure that no other process has accidentally broken Calico’s rules.
|
||||
// Set to 0 to disable IP sets refresh. Note: the default for this value is lower than the
|
||||
// other refresh intervals as a workaround for a Linux kernel bug that was fixed in kernel
|
||||
// version 4.11. If you are using v4.11 or greater you may want to set this to, a higher value
|
||||
// to reduce Felix CPU usage. [Default: 10s]
|
||||
IptablesRefreshInterval *metav1.Duration `json:"iptablesRefreshInterval,omitempty" configv1timescale:"seconds"`
|
||||
// IptablesPostWriteCheckInterval is the period after Felix has done a write
|
||||
// to the dataplane that it schedules an extra read back in order to check the write was not
|
||||
// clobbered by another process. This should only occur if another application on the system
|
||||
// doesn’t respect the iptables lock. [Default: 1s]
|
||||
IptablesPostWriteCheckInterval *metav1.Duration `json:"iptablesPostWriteCheckInterval,omitempty" configv1timescale:"seconds" confignamev1:"IptablesPostWriteCheckIntervalSecs"`
|
||||
// IptablesLockFilePath is the location of the iptables lock file. You may need to change this
|
||||
// if the lock file is not in its standard location (for example if you have mapped it into Felix’s
|
||||
// container at a different path). [Default: /run/xtables.lock]
|
||||
IptablesLockFilePath string `json:"iptablesLockFilePath,omitempty"`
|
||||
// IptablesLockTimeout is the time that Felix will wait for the iptables lock,
|
||||
// or 0, to disable. To use this feature, Felix must share the iptables lock file with all other
|
||||
// processes that also take the lock. When running Felix inside a container, this requires the
|
||||
// /run directory of the host to be mounted into the calico/node or calico/felix container.
|
||||
// [Default: 0s disabled]
|
||||
IptablesLockTimeout *metav1.Duration `json:"iptablesLockTimeout,omitempty" configv1timescale:"seconds" confignamev1:"IptablesLockTimeoutSecs"`
|
||||
// IptablesLockProbeInterval is the time that Felix will wait between
|
||||
// attempts to acquire the iptables lock if it is not available. Lower values make Felix more
|
||||
// responsive when the lock is contended, but use more CPU. [Default: 50ms]
|
||||
IptablesLockProbeInterval *metav1.Duration `json:"iptablesLockProbeInterval,omitempty" configv1timescale:"milliseconds" confignamev1:"IptablesLockProbeIntervalMillis"`
|
||||
// IpsetsRefreshInterval is the period at which Felix re-checks all iptables
|
||||
// state to ensure that no other process has accidentally broken Calico’s rules. Set to 0 to
|
||||
// disable iptables refresh. [Default: 90s]
|
||||
IpsetsRefreshInterval *metav1.Duration `json:"ipsetsRefreshInterval,omitempty" configv1timescale:"seconds"`
|
||||
MaxIpsetSize *int `json:"maxIpsetSize,omitempty"`
|
||||
// IptablesBackend specifies which backend of iptables will be used. The default is legacy.
|
||||
IptablesBackend *IptablesBackend `json:"iptablesBackend,omitempty" validate:"omitempty,iptablesBackend"`
|
||||
|
||||
// XDPRefreshInterval is the period at which Felix re-checks all XDP state to ensure that no
|
||||
// other process has accidentally broken Calico's BPF maps or attached programs. Set to 0 to
|
||||
// disable XDP refresh. [Default: 90s]
|
||||
XDPRefreshInterval *metav1.Duration `json"xdpRefreshInterval,omitempty" configv1timescale:"seconds"`
|
||||
|
||||
NetlinkTimeout *metav1.Duration `json:"netlinkTimeout,omitempty" configv1timescale:"seconds" confignamev1:"NetlinkTimeoutSecs"`
|
||||
|
||||
// MetadataAddr is the IP address or domain name of the server that can answer VM queries for
|
||||
// cloud-init metadata. In OpenStack, this corresponds to the machine running nova-api (or in
|
||||
// Ubuntu, nova-api-metadata). A value of none (case insensitive) means that Felix should not
|
||||
// set up any NAT rule for the metadata path. [Default: 127.0.0.1]
|
||||
MetadataAddr string `json:"metadataAddr,omitempty"`
|
||||
// MetadataPort is the port of the metadata server. This, combined with global.MetadataAddr (if
|
||||
// not ‘None’), is used to set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort.
|
||||
// In most cases this should not need to be changed [Default: 8775].
|
||||
MetadataPort *int `json:"metadataPort,omitempty"`
|
||||
|
||||
// OpenstackRegion is the name of the region that a particular Felix belongs to. In a multi-region
|
||||
// Calico/OpenStack deployment, this must be configured somehow for each Felix (here in the datamodel,
|
||||
// or in felix.cfg or the environment on each compute node), and must match the [calico]
|
||||
// openstack_region value configured in neutron.conf on each node. [Default: Empty]
|
||||
OpenstackRegion string `json:"openstackRegion,omitempty"`
|
||||
|
||||
// InterfacePrefix is the interface name prefix that identifies workload endpoints and so distinguishes
|
||||
// them from host endpoint interfaces. Note: in environments other than bare metal, the orchestrators
|
||||
// configure this appropriately. For example our Kubernetes and Docker integrations set the ‘cali’ value,
|
||||
// and our OpenStack integration sets the ‘tap’ value. [Default: cali]
|
||||
InterfacePrefix string `json:"interfacePrefix,omitempty"`
|
||||
// InterfaceExclude is a comma-separated list of interfaces that Felix should exclude when monitoring for host
|
||||
// endpoints. The default value ensures that Felix ignores Kubernetes' IPVS dummy interface, which is used
|
||||
// internally by kube-proxy. If you want to exclude multiple interface names using a single value, the list
|
||||
// supports regular expressions. For regular expressions you must wrap the value with '/'. For example
|
||||
// having values '/^kube/,veth1' will exclude all interfaces that begin with 'kube' and also the interface
|
||||
// 'veth1'. [Default: kube-ipvs0]
|
||||
InterfaceExclude string `json:"interfaceExclude,omitempty"`
|
||||
|
||||
// ChainInsertMode controls whether Felix hooks the kernel’s top-level iptables chains by inserting a rule
|
||||
// at the top of the chain or by appending a rule at the bottom. insert is the safe default since it prevents
|
||||
// Calico’s rules from being bypassed. If you switch to append mode, be sure that the other rules in the chains
|
||||
// signal acceptance by falling through to the Calico rules, otherwise the Calico policy will be bypassed.
|
||||
// [Default: insert]
|
||||
ChainInsertMode string `json:"chainInsertMode,omitempty"`
|
||||
// DefaultEndpointToHostAction controls what happens to traffic that goes from a workload endpoint to the host
|
||||
// itself (after the traffic hits the endpoint egress policy). By default Calico blocks traffic from workload
|
||||
// endpoints to the host itself with an iptables “DROP” action. If you want to allow some or all traffic from
|
||||
// endpoint to host, set this parameter to RETURN or ACCEPT. Use RETURN if you have your own rules in the iptables
|
||||
// “INPUT” chain; Calico will insert its rules at the top of that chain, then “RETURN” packets to the “INPUT” chain
|
||||
// once it has completed processing workload endpoint egress policy. Use ACCEPT to unconditionally accept packets
|
||||
// from workloads after processing workload endpoint egress policy. [Default: Drop]
|
||||
DefaultEndpointToHostAction string `json:"defaultEndpointToHostAction,omitempty" validate:"omitempty,dropAcceptReturn"`
|
||||
IptablesFilterAllowAction string `json:"iptablesFilterAllowAction,omitempty" validate:"omitempty,acceptReturn"`
|
||||
IptablesMangleAllowAction string `json:"iptablesMangleAllowAction,omitempty" validate:"omitempty,acceptReturn"`
|
||||
// LogPrefix is the log prefix that Felix uses when rendering LOG rules. [Default: calico-packet]
|
||||
LogPrefix string `json:"logPrefix,omitempty"`
|
||||
|
||||
// LogFilePath is the full path to the Felix log. Set to none to disable file logging. [Default: /var/log/calico/felix.log]
|
||||
LogFilePath string `json:"logFilePath,omitempty"`
|
||||
|
||||
// LogSeverityFile is the log severity above which logs are sent to the log file. [Default: Info]
|
||||
LogSeverityFile string `json:"logSeverityFile,omitempty" validate:"omitempty,logLevel"`
|
||||
// LogSeverityScreen is the log severity above which logs are sent to the stdout. [Default: Info]
|
||||
LogSeverityScreen string `json:"logSeverityScreen,omitempty" validate:"omitempty,logLevel"`
|
||||
// LogSeveritySys is the log severity above which logs are sent to the syslog. Set to None for no logging to syslog.
|
||||
// [Default: Info]
|
||||
LogSeveritySys string `json:"logSeveritySys,omitempty" validate:"omitempty,logLevel"`
|
||||
|
||||
IPIPEnabled *bool `json:"ipipEnabled,omitempty" confignamev1:"IpInIpEnabled"`
|
||||
// IPIPMTU is the MTU to set on the tunnel device. See Configuring MTU [Default: 1440]
|
||||
IPIPMTU *int `json:"ipipMTU,omitempty" confignamev1:"IpInIpMtu"`
|
||||
|
||||
VXLANEnabled *bool `json:"vxlanEnabled,omitempty"`
|
||||
// VXLANMTU is the MTU to set on the tunnel device. See Configuring MTU [Default: 1440]
|
||||
VXLANMTU *int `json:"vxlanMTU,omitempty"`
|
||||
VXLANPort *int `json:"vxlanPort,omitempty"`
|
||||
VXLANVNI *int `json:"vxlanVNI,omitempty"`
|
||||
|
||||
// ReportingInterval is the interval at which Felix reports its status into the datastore or 0 to disable.
|
||||
// Must be non-zero in OpenStack deployments. [Default: 30s]
|
||||
ReportingInterval *metav1.Duration `json:"reportingInterval,omitempty" configv1timescale:"seconds" confignamev1:"ReportingIntervalSecs"`
|
||||
// ReportingTTL is the time-to-live setting for process-wide status reports. [Default: 90s]
|
||||
ReportingTTL *metav1.Duration `json:"reportingTTL,omitempty" configv1timescale:"seconds" confignamev1:"ReportingTTLSecs"`
|
||||
|
||||
EndpointReportingEnabled *bool `json:"endpointReportingEnabled,omitempty"`
|
||||
EndpointReportingDelay *metav1.Duration `json:"endpointReportingDelay,omitempty" configv1timescale:"seconds" confignamev1:"EndpointReportingDelaySecs"`
|
||||
|
||||
// IptablesMarkMask is the mask that Felix selects its IPTables Mark bits from. Should be a 32 bit hexadecimal
|
||||
// number with at least 8 bits set, none of which clash with any other mark bits in use on the system.
|
||||
// [Default: 0xff000000]
|
||||
IptablesMarkMask *uint32 `json:"iptablesMarkMask,omitempty"`
|
||||
|
||||
DisableConntrackInvalidCheck *bool `json:"disableConntrackInvalidCheck,omitempty"`
|
||||
|
||||
HealthEnabled *bool `json:"healthEnabled,omitempty"`
|
||||
HealthHost *string `json:"healthHost,omitempty"`
|
||||
HealthPort *int `json:"healthPort,omitempty"`
|
||||
|
||||
// PrometheusMetricsEnabled enables the experimental Prometheus metrics server in Felix if set to true. [Default: false]
|
||||
PrometheusMetricsEnabled *bool `json:"prometheusMetricsEnabled,omitempty"`
|
||||
// PrometheusMetricsPort is the TCP port that the experimental Prometheus metrics server should bind to. [Default:9091]
|
||||
PrometheusMetricsPort *int `json:"prometheusMetricsPort,omitempty"`
|
||||
// PrometheusGoMetricsEnabled disables Go runtime metrics collection, which the Prometheus client does by default, when
|
||||
// set to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true]
|
||||
PrometheusGoMetricsEnabled *bool `json:"prometheusGoMetricsEnabled,omitempty"`
|
||||
// PrometheusProcessMetricsEnabled disables process metrics collection, which the Prometheus client does by default, when
|
||||
// set to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true]
|
||||
PrometheusProcessMetricsEnabled *bool `json:"prometheusProcessMetricsEnabled,omitempty"`
|
||||
|
||||
// FailsafeInboundHostPorts is a comma-delimited list of UDP/TCP ports that Felix will allow incoming traffic to host endpoints
|
||||
// on irrespective of the security policy. This is useful to avoid accidently cutting off a host with incorrect configuration. Each
|
||||
// port should be specified as tcp:<port-number> or udp:<port-number>. For back-compatibility, if the protocol is not specified, it
|
||||
// defaults to “tcp”. To disable all inbound host ports, use the value none. The default value allows ssh access and DHCP.
|
||||
// [Default: tcp:22, udp:68]
|
||||
FailsafeInboundHostPorts *[]ProtoPort `json:"failsafeInboundHostPorts,omitempty"`
|
||||
// FailsafeOutboundHostPorts is a comma-delimited list of UDP/TCP ports that Felix will allow outgoing traffic from host endpoints to
|
||||
// irrespective of the security policy. This is useful to avoid accidently cutting off a host with incorrect configuration. Each port
|
||||
// should be specified as tcp:<port-number> or udp:<port-number>. For back-compatibility, if the protocol is not specified, it defaults
|
||||
// to “tcp”. To disable all outbound host ports, use the value none. The default value opens etcd’s standard ports to ensure that Felix
|
||||
// does not get cut off from etcd as well as allowing DHCP and DNS. [Default: tcp:2379, tcp:2380, tcp:4001, tcp:7001, udp:53, udp:67]
|
||||
FailsafeOutboundHostPorts *[]ProtoPort `json:"failsafeOutboundHostPorts,omitempty"`
|
||||
|
||||
// KubeNodePortRanges holds list of port ranges used for service node ports. Only used if felix detects kube-proxy running in ipvs mode.
|
||||
// Felix uses these ranges to separate host and workload traffic. [Default: 30000:32767].
|
||||
KubeNodePortRanges *[]numorstring.Port `json:"kubeNodePortRanges,omitempty" validate:"omitempty,dive"`
|
||||
|
||||
// PolicySyncPathPrefix is used to by Felix to communicate policy changes to external services,
|
||||
// like Application layer policy. [Default: Empty]
|
||||
PolicySyncPathPrefix string `json:"policySyncPathPrefix,omitempty"`
|
||||
|
||||
// UsageReportingEnabled reports anonymous Calico version number and cluster size to projectcalico.org. Logs warnings returned by the usage
|
||||
// server. For example, if a significant security vulnerability has been discovered in the version of Calico being used. [Default: true]
|
||||
UsageReportingEnabled *bool `json:"usageReportingEnabled,omitempty"`
|
||||
// UsageReportingInitialDelay controls the minimum delay before Felix makes a report. [Default: 300s]
|
||||
UsageReportingInitialDelay *metav1.Duration `json:"usageReportingInitialDelay,omitempty" configv1timescale:"seconds" confignamev1:"UsageReportingInitialDelaySecs"`
|
||||
// UsageReportingInterval controls the interval at which Felix makes reports. [Default: 86400s]
|
||||
UsageReportingInterval *metav1.Duration `json:"usageReportingInterval,omitempty" configv1timescale:"seconds" confignamev1:"UsageReportingIntervalSecs"`
|
||||
|
||||
// NATPortRange specifies the range of ports that is used for port mapping when doing outgoing NAT. When unset the default behavior of the
|
||||
// network stack is used.
|
||||
NATPortRange *numorstring.Port `json:"natPortRange,omitempty"`
|
||||
|
||||
// NATOutgoingAddress specifies an address to use when performing source NAT for traffic in a natOutgoing pool that
|
||||
// is leaving the network. By default the address used is an address on the interface the traffic is leaving on
|
||||
// (ie it uses the iptables MASQUERADE target)
|
||||
NATOutgoingAddress string `json:"natOutgoingAddress,omitempty"`
|
||||
|
||||
// ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes which may source tunnel traffic and have
|
||||
// the tunneled traffic be accepted at calico nodes.
|
||||
ExternalNodesCIDRList *[]string `json:"externalNodesList,omitempty"`
|
||||
|
||||
DebugMemoryProfilePath string `json:"debugMemoryProfilePath,omitempty"`
|
||||
DebugDisableLogDropping *bool `json:"debugDisableLogDropping,omitempty"`
|
||||
DebugSimulateCalcGraphHangAfter *metav1.Duration `json:"debugSimulateCalcGraphHangAfter,omitempty" configv1timescale:"seconds"`
|
||||
DebugSimulateDataplaneHangAfter *metav1.Duration `json:"debugSimulateDataplaneHangAfter,omitempty" configv1timescale:"seconds"`
|
||||
|
||||
IptablesNATOutgoingInterfaceFilter string `json:"iptablesNATOutgoingInterfaceFilter,omitempty" validate:"omitempty,ifaceFilter"`
|
||||
|
||||
// SidecarAccelerationEnabled enables experimental sidecar acceleration [Default: false]
|
||||
SidecarAccelerationEnabled *bool `json:"sidecarAccelerationEnabled,omitempty"`
|
||||
|
||||
// XDPEnabled enables XDP acceleration for suitable untracked incoming deny rules. [Default: true]
|
||||
XDPEnabled *bool `json:"xdpEnabled,omitempty" confignamev1:"XDPEnabled"`
|
||||
|
||||
// GenericXDPEnabled enables Generic XDP so network cards that don't support XDP offload or driver
|
||||
// modes can use XDP. This is not recommended since it doesn't provide better performance than
|
||||
// iptables. [Default: false]
|
||||
GenericXDPEnabled *bool `json:"genericXDPEnabled,omitempty" confignamev1:"GenericXDPEnabled"`
|
||||
}
|
||||
|
||||
// ProtoPort is combination of protocol and port, both must be specified.
|
||||
type ProtoPort struct {
|
||||
Protocol string `json:"protocol"`
|
||||
Port uint16 `json:"port"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
|
||||
// FelixConfigurationList contains a list of FelixConfiguration resources.
|
||||
type FelixConfigurationList struct {
|
||||
metav1.TypeMeta `json:",inline"`
|
||||
metav1.ListMeta `json:"metadata"`
|
||||
Items []FelixConfiguration `json:"items"`
|
||||
}
|
||||
|
||||
// New FelixConfiguration creates a new (zeroed) FelixConfiguration struct with the TypeMetadata
|
||||
// initialized to the current version.
|
||||
func NewFelixConfiguration() *FelixConfiguration {
|
||||
return &FelixConfiguration{
|
||||
TypeMeta: metav1.TypeMeta{
|
||||
Kind: KindFelixConfiguration,
|
||||
APIVersion: GroupVersionCurrent,
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
// NewFelixConfigurationList creates a new 9zeroed) FelixConfigurationList struct with the TypeMetadata
|
||||
// initialized to the current version.
|
||||
func NewFelixConfigurationList() *FelixConfigurationList {
|
||||
return &FelixConfigurationList{
|
||||
TypeMeta: metav1.TypeMeta{
|
||||
Kind: KindFelixConfigurationList,
|
||||
APIVersion: GroupVersionCurrent,
|
||||
},
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user