admin/kubesphere
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

gomod: change projectcalico/calico to kubesphere/calico (#5557)

Browse Source 
* chore(calico): update calico to 3.25.0

* chore(calico): replace projectcalico/calico to kubesphere/calico

Signed-off-by: root <renyunkang@kubesphere.io>

---------

Signed-off-by: root <renyunkang@kubesphere.io>
This commit is contained in:
Yunkang Ren
2023-02-28 17:03:36 +08:00
committed by GitHub
parent dc28a0917a
commit a3a6a1cd98
146 changed files with 11189 additions and 4663 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
vendor/github.com/projectcalico/api/pkg/apis/projectcalico/v3/BUILD generated vendored Normal file
View File

@@ -0,0 +1,27 @@
package(default_visibility = ["//visibility:public"])
licenses(["notice"])
load(
"@io_bazel_rules_go//go:def.bzl",
"go_library",
)
go_library(
name = "go_default_library",
srcs = [
"doc.go",
"register.go",
"types.go",
"zz_generated.conversion.go",
"zz_generated.deepcopy.go",
],
tags = ["automanaged"],
deps = [
"k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"k8s.io/apimachinery/pkg/conversion:go_default_library",
"k8s.io/apimachinery/pkg/runtime:go_default_library",
"k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
"k8s.io/sample-apiserver/pkg/apis/wardle:go_default_library",
],
)

160
vendor/github.com/projectcalico/api/pkg/apis/projectcalico/v3/bgpconfig.go generated vendored Normal file
View File

@@ -0,0 +1,160 @@
// Copyright (c) 2020-2021 Tigera, Inc. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package v3
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"github.com/projectcalico/api/pkg/lib/numorstring"
)
const (
KindBGPConfiguration = "BGPConfiguration"
KindBGPConfigurationList = "BGPConfigurationList"
)
type BindMode string
const (
BindModeNone BindMode = "None"
BindModeNodeIP BindMode = "NodeIP"
)
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// BGPConfigurationList is a list of BGPConfiguration resources.
type BGPConfigurationList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
Items []BGPConfiguration `json:"items" protobuf:"bytes,2,rep,name=items"`
}
// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type BGPConfiguration struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
Spec BGPConfigurationSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
}
// BGPConfigurationSpec contains the values of the BGP configuration.
type BGPConfigurationSpec struct {
// LogSeverityScreen is the log severity above which logs are sent to the stdout. [Default: INFO]
LogSeverityScreen string `json:"logSeverityScreen,omitempty" validate:"omitempty,logLevel" confignamev1:"loglevel"`
// NodeToNodeMeshEnabled sets whether full node to node BGP mesh is enabled. [Default: true]
NodeToNodeMeshEnabled *bool `json:"nodeToNodeMeshEnabled,omitempty" validate:"omitempty" confignamev1:"node_mesh"`
// ASNumber is the default AS number used by a node. [Default: 64512]
ASNumber *numorstring.ASNumber `json:"asNumber,omitempty" validate:"omitempty" confignamev1:"as_num"`
// ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes Service LoadBalancer IPs.
// Kubernetes Service status.LoadBalancer.Ingress IPs will only be advertised if they are within one of these blocks.
ServiceLoadBalancerIPs []ServiceLoadBalancerIPBlock `json:"serviceLoadBalancerIPs,omitempty" validate:"omitempty,dive" confignamev1:"svc_loadbalancer_ips"`
// ServiceExternalIPs are the CIDR blocks for Kubernetes Service External IPs.
// Kubernetes Service ExternalIPs will only be advertised if they are within one of these blocks.
ServiceExternalIPs []ServiceExternalIPBlock `json:"serviceExternalIPs,omitempty" validate:"omitempty,dive" confignamev1:"svc_external_ips"`
// ServiceClusterIPs are the CIDR blocks from which service cluster IPs are allocated.
// If specified, Calico will advertise these blocks, as well as any cluster IPs within them.
ServiceClusterIPs []ServiceClusterIPBlock `json:"serviceClusterIPs,omitempty" validate:"omitempty,dive" confignamev1:"svc_cluster_ips"`
// Communities is a list of BGP community values and their arbitrary names for tagging routes.
Communities []Community `json:"communities,omitempty" validate:"omitempty,dive" confignamev1:"communities"`
// PrefixAdvertisements contains per-prefix advertisement configuration.
PrefixAdvertisements []PrefixAdvertisement `json:"prefixAdvertisements,omitempty" validate:"omitempty,dive" confignamev1:"prefix_advertisements"`
// ListenPort is the port where BGP protocol should listen. Defaults to 179
// +kubebuilder:validation:Minimum:=1
// +kubebuilder:validation:Maximum:=65535
ListenPort uint16 `json:"listenPort,omitempty" validate:"omitempty,gt=0" confignamev1:"listen_port"`
// Optional BGP password for full node-to-mesh peerings.
// This field can only be set on the default BGPConfiguration instance and requires that NodeMesh is enabled
// +optional
NodeMeshPassword *BGPPassword `json:"nodeMeshPassword,omitempty" validate:"omitempty" confignamev1:"node_mesh_password"`
// Time to allow for software restart for node-to-mesh peerings. When specified, this is configured
// as the graceful restart timeout. When not specified, the BIRD default of 120s is used.
// This field can only be set on the default BGPConfiguration instance and requires that NodeMesh is enabled
// +optional
NodeMeshMaxRestartTime *metav1.Duration `json:"nodeMeshMaxRestartTime,omitempty" confignamev1:"node_mesh_restart_time"`
// BindMode indicates whether to listen for BGP connections on all addresses (None)
// or only on the node's canonical IP address Node.Spec.BGP.IPvXAddress (NodeIP).
// Default behaviour is to listen for BGP connections on all addresses.
// +optional
BindMode *BindMode `json:"bindMode,omitempty"`
// IgnoredInterfaces indicates the network interfaces that needs to be excluded when reading device routes.
// +optional
IgnoredInterfaces []string `json:"ignoredInterfaces,omitempty" validate:"omitempty,dive,ignoredInterface"`
}
// ServiceLoadBalancerIPBlock represents a single allowed LoadBalancer IP CIDR block.
type ServiceLoadBalancerIPBlock struct {
CIDR string `json:"cidr,omitempty" validate:"omitempty,net"`
}
// ServiceExternalIPBlock represents a single allowed External IP CIDR block.
type ServiceExternalIPBlock struct {
CIDR string `json:"cidr,omitempty" validate:"omitempty,net"`
}
// ServiceClusterIPBlock represents a single allowed ClusterIP CIDR block.
type ServiceClusterIPBlock struct {
CIDR string `json:"cidr,omitempty" validate:"omitempty,net"`
}
// Community contains standard or large community value and its name.
type Community struct {
// Name given to community value.
Name string `json:"name,omitempty" validate:"required,name"`
// Value must be of format `aa:nn` or `aa:nn:mm`.
// For standard community use `aa:nn` format, where `aa` and `nn` are 16 bit number.
// For large community use `aa:nn:mm` format, where `aa`, `nn` and `mm` are 32 bit number.
// Where, `aa` is an AS Number, `nn` and `mm` are per-AS identifier.
// +kubebuilder:validation:Pattern=`^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$`
Value string `json:"value,omitempty" validate:"required"`
}
// PrefixAdvertisement configures advertisement properties for the specified CIDR.
type PrefixAdvertisement struct {
// CIDR for which properties should be advertised.
CIDR string `json:"cidr,omitempty" validate:"required,net"`
// Communities can be list of either community names already defined in `Specs.Communities` or community value of format `aa:nn` or `aa:nn:mm`.
// For standard community use `aa:nn` format, where `aa` and `nn` are 16 bit number.
// For large community use `aa:nn:mm` format, where `aa`, `nn` and `mm` are 32 bit number.
// Where,`aa` is an AS Number, `nn` and `mm` are per-AS identifier.
Communities []string `json:"communities,omitempty" validate:"required"`
}
// New BGPConfiguration creates a new (zeroed) BGPConfiguration struct with the TypeMetadata
// initialized to the current version.
func NewBGPConfiguration() *BGPConfiguration {
return &BGPConfiguration{
TypeMeta: metav1.TypeMeta{
Kind: KindBGPConfiguration,
APIVersion: GroupVersionCurrent,
},
}
}

106
vendor/github.com/projectcalico/api/pkg/apis/projectcalico/v3/bgpfilter.go generated vendored Normal file
View File

@@ -0,0 +1,106 @@
// Copyright (c) 2022 Tigera, Inc. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package v3
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
const (
KindBGPFilter = "BGPFilter"
KindBGPFilterList = "BGPFilterList"
)
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// BGPFilterList is a list of BGPFilter resources.
type BGPFilterList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
Items []BGPFilter `json:"items" protobuf:"bytes,2,rep,name=items"`
}
// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type BGPFilter struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
Spec BGPFilterSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
}
// BGPFilterSpec contains the IPv4 and IPv6 filter rules of the BGP Filter.
type BGPFilterSpec struct {
// The ordered set of IPv4 BGPFilter rules acting on exporting routes to a peer.
ExportV4 []BGPFilterRuleV4 `json:"exportV4,omitempty" validate:"omitempty,dive"`
// The ordered set of IPv4 BGPFilter rules acting on importing routes from a peer.
ImportV4 []BGPFilterRuleV4 `json:"importV4,omitempty" validate:"omitempty,dive"`
// The ordered set of IPv6 BGPFilter rules acting on exporting routes to a peer.
ExportV6 []BGPFilterRuleV6 `json:"exportV6,omitempty" validate:"omitempty,dive"`
// The ordered set of IPv6 BGPFilter rules acting on importing routes from a peer.
ImportV6 []BGPFilterRuleV6 `json:"importV6,omitempty" validate:"omitempty,dive"`
}
// BGPFilterRuleV4 defines a BGP filter rule consisting a single IPv4 CIDR block and a filter action for this CIDR.
type BGPFilterRuleV4 struct {
CIDR string `json:"cidr" validate:"required,netv4"`
MatchOperator BGPFilterMatchOperator `json:"matchOperator" validate:"required,matchOperator"`
Action BGPFilterAction `json:"action" validate:"required,filterAction"`
}
// BGPFilterRuleV6 defines a BGP filter rule consisting a single IPv6 CIDR block and a filter action for this CIDR.
type BGPFilterRuleV6 struct {
CIDR string `json:"cidr" validate:"required,netv6"`
MatchOperator BGPFilterMatchOperator `json:"matchOperator" validate:"required,matchOperator"`
Action BGPFilterAction `json:"action" validate:"required,filterAction"`
}
type BGPFilterMatchOperator string
const (
Equal BGPFilterMatchOperator = "Equal"
NotEqual = "NotEqual"
In = "In"
NotIn = "NotIn"
)
type BGPFilterAction string
const (
Accept BGPFilterAction = "Accept"
Reject = "Reject"
)
// New BGPFilter creates a new (zeroed) BGPFilter struct with the TypeMetadata
// initialized to the current version.
func NewBGPFilter() *BGPFilter {
return &BGPFilter{
TypeMeta: metav1.TypeMeta{
Kind: KindBGPFilter,
APIVersion: GroupVersionCurrent,
},
}
}

141
vendor/github.com/projectcalico/api/pkg/apis/projectcalico/v3/bgppeer.go generated vendored Normal file
View File

@@ -0,0 +1,141 @@
// Copyright (c) 2017,2020-2021 Tigera, Inc. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package v3
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
k8sv1 "k8s.io/api/core/v1"
"github.com/projectcalico/api/pkg/lib/numorstring"
)
const (
KindBGPPeer = "BGPPeer"
KindBGPPeerList = "BGPPeerList"
)
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// BGPPeerList is a list of BGPPeer resources.
type BGPPeerList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
Items []BGPPeer `json:"items" protobuf:"bytes,2,rep,name=items"`
}
// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type BGPPeer struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
Spec BGPPeerSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
}
// BGPPeerSpec contains the specification for a BGPPeer resource.
type BGPPeerSpec struct {
// The node name identifying the Calico node instance that is targeted by this peer.
// If this is not set, and no nodeSelector is specified, then this BGP peer selects all
// nodes in the cluster.
// +optional
Node string `json:"node,omitempty" validate:"omitempty,name"`
// Selector for the nodes that should have this peering. When this is set, the Node
// field must be empty.
// +optional
NodeSelector string `json:"nodeSelector,omitempty" validate:"omitempty,selector"`
// The IP address of the peer followed by an optional port number to peer with.
// If port number is given, format should be `[<IPv6>]:port` or `<IPv4>:<port>` for IPv4.
// If optional port number is not set, and this peer IP and ASNumber belongs to a calico/node
// with ListenPort set in BGPConfiguration, then we use that port to peer.
// +optional
PeerIP string `json:"peerIP,omitempty" validate:"omitempty,IP:port"`
// The AS Number of the peer.
// +optional
ASNumber numorstring.ASNumber `json:"asNumber,omitempty"`
// Selector for the remote nodes to peer with. When this is set, the PeerIP and
// ASNumber fields must be empty. For each peering between the local node and
// selected remote nodes, we configure an IPv4 peering if both ends have
// NodeBGPSpec.IPv4Address specified, and an IPv6 peering if both ends have
// NodeBGPSpec.IPv6Address specified. The remote AS number comes from the remote
// node's NodeBGPSpec.ASNumber, or the global default if that is not set.
// +optional
PeerSelector string `json:"peerSelector,omitempty" validate:"omitempty,selector"`
// Option to keep the original nexthop field when routes are sent to a BGP Peer.
// Setting "true" configures the selected BGP Peers node to use the "next hop keep;"
// instead of "next hop self;"(default) in the specific branch of the Node on "bird.cfg".
KeepOriginalNextHop bool `json:"keepOriginalNextHop,omitempty"`
// Optional BGP password for the peerings generated by this BGPPeer resource.
Password *BGPPassword `json:"password,omitempty" validate:"omitempty"`
// Specifies whether and how to configure a source address for the peerings generated by
// this BGPPeer resource. Default value "UseNodeIP" means to configure the node IP as the
// source address. "None" means not to configure a source address.
SourceAddress SourceAddress `json:"sourceAddress,omitempty" validate:"omitempty,sourceAddress"`
// Time to allow for software restart. When specified, this is configured as the graceful
// restart timeout. When not specified, the BIRD default of 120s is used.
MaxRestartTime *metav1.Duration `json:"maxRestartTime,omitempty"`
// Maximum number of local AS numbers that are allowed in the AS path for received routes.
// This removes BGP loop prevention and should only be used if absolutely necesssary.
// +optional
NumAllowedLocalASNumbers *int32 `json:"numAllowedLocalASNumbers,omitempty"`
// TTLSecurity enables the generalized TTL security mechanism (GTSM) which protects against spoofed packets by
// ignoring received packets with a smaller than expected TTL value. The provided value is the number of hops
// (edges) between the peers.
// +optional
TTLSecurity *uint8 `json:"ttlSecurity,omitempty"`
// Add an exact, i.e. /32, static route toward peer IP in order to prevent route flapping.
// ReachableBy contains the address of the gateway which peer can be reached by.
// +optional
ReachableBy string `json:"reachableBy,omitempty" validate:"omitempty,reachableBy"`
// The ordered set of BGPFilters applied on this BGP peer.
// +optional
Filters []string `json:"filters,omitempty" validate:"omitempty,dive,name"`
}
type SourceAddress string
const (
SourceAddressUseNodeIP SourceAddress = "UseNodeIP"
SourceAddressNone = "None"
)
// BGPPassword contains ways to specify a BGP password.
type BGPPassword struct {
// Selects a key of a secret in the node pod's namespace.
SecretKeyRef *k8sv1.SecretKeySelector `json:"secretKeyRef,omitempty"`
}
// NewBGPPeer creates a new (zeroed) BGPPeer struct with the TypeMetadata initialised to the current
// version.
func NewBGPPeer() *BGPPeer {
return &BGPPeer{
TypeMeta: metav1.TypeMeta{
Kind: KindBGPPeer,
APIVersion: GroupVersionCurrent,
},
}
}

94
vendor/github.com/projectcalico/api/pkg/apis/projectcalico/v3/blockaffinity.go generated vendored Normal file
View File

@@ -0,0 +1,94 @@
// Copyright (c) 2022 Tigera, Inc. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package v3
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
const (
KindBlockAffinity = "BlockAffinity"
KindBlockAffinityList = "BlockAffinityList"
)
type BlockAffinityState string
const (
StateConfirmed BlockAffinityState = "confirmed"
StatePending BlockAffinityState = "pending"
StatePendingDeletion BlockAffinityState = "pendingDeletion"
)
// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// BlockAffinity maintains a block affinity's state
type BlockAffinity struct {
metav1.TypeMeta `json:",inline"`
// Standard object's metadata.
metav1.ObjectMeta `json:"metadata,omitempty"`
// Specification of the BlockAffinity.
Spec BlockAffinitySpec `json:"spec,omitempty"`
}
// BlockAffinitySpec contains the specification for a BlockAffinity resource.
type BlockAffinitySpec struct {
// The state of the block affinity with regard to any referenced IPAM blocks.
State BlockAffinityState `json:"state"`
// The node that this block affinity is assigned to.
Node string `json:"node"`
// The CIDR range this block affinity references.
CIDR string `json:"cidr"`
// Deleted indicates whether or not this block affinity is disabled and is
// used as part of race-condition prevention. When set to true, clients
// should treat this block as if it does not exist.
Deleted bool `json:"deleted,omitempty"`
}
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// BlockAffinityList contains a list of BlockAffinity resources.
type BlockAffinityList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata"`
Items []BlockAffinity `json:"items"`
}
// NewBlockAffinity creates a new (zeroed) BlockAffinity struct with the TypeMetadata initialised to the current
// version.
func NewBlockAffinity() *BlockAffinity {
return &BlockAffinity{
TypeMeta: metav1.TypeMeta{
Kind: KindBlockAffinity,
APIVersion: GroupVersionCurrent,
},
}
}
// NewBlockAffinityList creates a new (zeroed) BlockAffinityList struct with the TypeMetadata initialised to the current
// version.
func NewBlockAffinityList() *BlockAffinityList {
return &BlockAffinityList{
TypeMeta: metav1.TypeMeta{
Kind: KindBlockAffinityList,
APIVersion: GroupVersionCurrent,
},
}
}

72
vendor/github.com/projectcalico/api/pkg/apis/projectcalico/v3/clusterinfo.go generated vendored Normal file
View File

@@ -0,0 +1,72 @@
// Copyright (c) 2017, 2020-2021 Tigera, Inc. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package v3
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
const (
KindClusterInformation = "ClusterInformation"
KindClusterInformationList = "ClusterInformationList"
)
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// ClusterInformationList is a list of ClusterInformation objects.
type ClusterInformationList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
Items []ClusterInformation `json:"items" protobuf:"bytes,2,rep,name=items"`
}
// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type ClusterInformation struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
Spec ClusterInformationSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
}
// ClusterInformationSpec contains the values of describing the cluster.
type ClusterInformationSpec struct {
// ClusterGUID is the GUID of the cluster
ClusterGUID string `json:"clusterGUID,omitempty" validate:"omitempty"`
// ClusterType describes the type of the cluster
ClusterType string `json:"clusterType,omitempty" validate:"omitempty"`
// CalicoVersion is the version of Calico that the cluster is running
CalicoVersion string `json:"calicoVersion,omitempty" validate:"omitempty"`
// DatastoreReady is used during significant datastore migrations to signal to components
// such as Felix that it should wait before accessing the datastore.
DatastoreReady *bool `json:"datastoreReady,omitempty"`
// Variant declares which variant of Calico should be active.
Variant string `json:"variant,omitempty"`
}
// New ClusterInformation creates a new (zeroed) ClusterInformation struct with the TypeMetadata
// initialized to the current version.
func NewClusterInformation() *ClusterInformation {
return &ClusterInformation{
TypeMeta: metav1.TypeMeta{
Kind: KindClusterInformation,
APIVersion: GroupVersionCurrent,
},
}
}

52
vendor/github.com/projectcalico/api/pkg/apis/projectcalico/v3/constants.go generated vendored Normal file
View File

@@ -0,0 +1,52 @@
// Copyright (c) 2017-2021 Tigera, Inc. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package v3
const (
// API group details for the Calico v3 API.
Group = "projectcalico.org"
VersionCurrent = "v3"
GroupVersionCurrent = Group + "/" + VersionCurrent
// AllNamepaces is used for client instantiation, either for when the namespace
// will be specified in the resource request, or for List or Watch queries across
// all namespaces.
AllNamespaces = ""
// AllNames is used for List or Watch queries to wildcard the name.
AllNames = ""
// Label used to denote the Namespace. This is added to workload endpoints and network sets by Calico
// and may be used for label matches by Policy selectors.
LabelNamespace = "projectcalico.org/namespace"
// Label used to denote the ServiceAccount. This is added to the workload endpoints by Calico
// and may be used for label matches by Policy selectors.
LabelServiceAccount = "projectcalico.org/serviceaccount"
// Label used to denote the Orchestrator. This is added to the workload endpoints by an
// orchestrator.
LabelOrchestrator = "projectcalico.org/orchestrator"
// Known orchestrators. Orchestrators are not limited to this list.
OrchestratorKubernetes = "k8s"
OrchestratorCNI = "cni"
OrchestratorDocker = "libnetwork"
OrchestratorOpenStack = "openstack"
// Enum options for enable/disable fields
Enabled = "Enabled"
Disabled = "Disabled"
)

183
vendor/github.com/projectcalico/api/pkg/apis/projectcalico/v3/conversion.go generated vendored Normal file
View File

@@ -0,0 +1,183 @@
// Copyright (c) 2019-2021 Tigera, Inc. All rights reserved.
package v3
import (
"fmt"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
)
func addConversionFuncs(scheme *runtime.Scheme) error {
// Add non-generated conversion functions
err := scheme.AddFieldLabelConversionFunc(schema.GroupVersionKind{"projectcalico.org", "v3", "NetworkPolicy"},
func(label, value string) (string, string, error) {
switch label {
case "metadata.name", "metadata.namespace":
return label, value, nil
default:
return "", "", fmt.Errorf("field label not supported: %s", label)
}
},
)
if err != nil {
return err
}
err = scheme.AddFieldLabelConversionFunc(schema.GroupVersionKind{"projectcalico.org", "v3", "GlobalNetworkPolicy"},
func(label, value string) (string, string, error) {
switch label {
case "metadata.name":
return label, value, nil
default:
return "", "", fmt.Errorf("field label not supported: %s", label)
}
},
)
if err != nil {
return err
}
err = scheme.AddFieldLabelConversionFunc(schema.GroupVersionKind{"projectcalico.org", "v3", "GlobalNetworkSet"},
func(label, value string) (string, string, error) {
switch label {
case "metadata.name":
return label, value, nil
default:
return "", "", fmt.Errorf("field label not supported: %s", label)
}
},
)
if err != nil {
return err
}
err = scheme.AddFieldLabelConversionFunc(schema.GroupVersionKind{"projectcalico.org", "v3", "NetworkSet"},
func(label, value string) (string, string, error) {
switch label {
case "metadata.name", "metadata.namespace":
return label, value, nil
default:
return "", "", fmt.Errorf("field label not supported: %s", label)
}
},
)
if err != nil {
return err
}
err = scheme.AddFieldLabelConversionFunc(schema.GroupVersionKind{"projectcalico.org", "v3", "HostEndpoint"},
func(label, value string) (string, string, error) {
switch label {
case "metadata.name":
return label, value, nil
default:
return "", "", fmt.Errorf("field label not supported: %s", label)
}
},
)
if err != nil {
return err
}
err = scheme.AddFieldLabelConversionFunc(schema.GroupVersionKind{"projectcalico.org", "v3", "IPPool"},
func(label, value string) (string, string, error) {
switch label {
case "metadata.name":
return label, value, nil
default:
return "", "", fmt.Errorf("field label not supported: %s", label)
}
},
)
if err != nil {
return err
}
err = scheme.AddFieldLabelConversionFunc(schema.GroupVersionKind{"projectcalico.org", "v3", "BGPConfiguration"},
func(label, value string) (string, string, error) {
switch label {
case "metadata.name":
return label, value, nil
default:
return "", "", fmt.Errorf("field label not supported: %s", label)
}
},
)
if err != nil {
return err
}
err = scheme.AddFieldLabelConversionFunc(schema.GroupVersionKind{"projectcalico.org", "v3", "BGPPeer"},
func(label, value string) (string, string, error) {
switch label {
case "metadata.name":
return label, value, nil
default:
return "", "", fmt.Errorf("field label not supported: %s", label)
}
},
)
if err != nil {
return err
}
err = scheme.AddFieldLabelConversionFunc(schema.GroupVersionKind{"projectcalico.org", "v3", "Profile"},
func(label, value string) (string, string, error) {
switch label {
case "metadata.name":
return label, value, nil
default:
return "", "", fmt.Errorf("field label not supported: %s", label)
}
},
)
if err != nil {
return err
}
err = scheme.AddFieldLabelConversionFunc(schema.GroupVersionKind{"projectcalico.org", "v3", "FelixConfiguration"},
func(label, value string) (string, string, error) {
switch label {
case "metadata.name":
return label, value, nil
default:
return "", "", fmt.Errorf("field label not supported: %s", label)
}
},
)
if err != nil {
return err
}
err = scheme.AddFieldLabelConversionFunc(schema.GroupVersionKind{"projectcalico.org", "v3", "KubeControllersConfiguration"},
func(label, value string) (string, string, error) {
switch label {
case "metadata.name":
return label, value, nil
default:
return "", "", fmt.Errorf("field label not supported: %s", label)
}
},
)
if err != nil {
return err
}
err = scheme.AddFieldLabelConversionFunc(schema.GroupVersionKind{"projectcalico.org", "v3", "ClusterInformation"},
func(label, value string) (string, string, error) {
switch label {
case "metadata.name":
return label, value, nil
default:
return "", "", fmt.Errorf("field label not supported: %s", label)
}
},
)
if err != nil {
return err
}
return nil
}

9
vendor/github.com/projectcalico/api/pkg/apis/projectcalico/v3/doc.go generated vendored Normal file
View File

@@ -0,0 +1,9 @@
// Copyright (c) 2021 Tigera, Inc. All rights reserved.
// +k8s:deepcopy-gen=package,register
// +k8s:openapi-gen=true
// Package v3 is the v3 version of the API.
// +groupName=projectcalico.org
package v3 // import "github.com/projectcalico/api/pkg/apis/projectcalico/v3"

557
vendor/github.com/projectcalico/api/pkg/apis/projectcalico/v3/felixconfig.go generated vendored Normal file
View File

@@ -0,0 +1,557 @@
// Copyright (c) 2017-2022 Tigera, Inc. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package v3
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"github.com/projectcalico/api/pkg/lib/numorstring"
)
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// FelixConfigurationList contains a list of FelixConfiguration object.
type FelixConfigurationList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
Items []FelixConfiguration `json:"items" protobuf:"bytes,2,rep,name=items"`
}
// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type FelixConfiguration struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
Spec FelixConfigurationSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
}
type IptablesBackend string
const (
KindFelixConfiguration = "FelixConfiguration"
KindFelixConfigurationList = "FelixConfigurationList"
IptablesBackendLegacy = "Legacy"
IptablesBackendNFTables = "NFT"
IptablesBackendAuto = "Auto"
)
// +kubebuilder:validation:Enum=DoNothing;Enable;Disable
type AWSSrcDstCheckOption string
const (
AWSSrcDstCheckOptionDoNothing AWSSrcDstCheckOption = "DoNothing"
AWSSrcDstCheckOptionEnable = "Enable"
AWSSrcDstCheckOptionDisable = "Disable"
)
// +kubebuilder:validation:Enum=Enabled;Disabled
type FloatingIPType string
const (
FloatingIPsEnabled FloatingIPType = "Enabled"
FloatingIPsDisabled FloatingIPType = "Disabled"
)
// FelixConfigurationSpec contains the values of the Felix configuration.
type FelixConfigurationSpec struct {
// UseInternalDataplaneDriver, if true, Felix will use its internal dataplane programming logic. If false, it
// will launch an external dataplane driver and communicate with it over protobuf.
UseInternalDataplaneDriver *bool `json:"useInternalDataplaneDriver,omitempty"`
// DataplaneDriver filename of the external dataplane driver to use. Only used if UseInternalDataplaneDriver
// is set to false.
DataplaneDriver string `json:"dataplaneDriver,omitempty"`
// DataplaneWatchdogTimeout is the readiness/liveness timeout used for Felix's (internal) dataplane driver.
// Increase this value if you experience spurious non-ready or non-live events when Felix is under heavy load.
// Decrease the value to get felix to report non-live or non-ready more quickly. [Default: 90s]
//
// Deprecated: replaced by the generic HealthTimeoutOverrides.
DataplaneWatchdogTimeout *metav1.Duration `json:"dataplaneWatchdogTimeout,omitempty" configv1timescale:"seconds"`
// IPv6Support controls whether Felix enables support for IPv6 (if supported by the in-use dataplane).
IPv6Support *bool `json:"ipv6Support,omitempty" confignamev1:"Ipv6Support"`
// RouteRefreshInterval is the period at which Felix re-checks the routes
// in the dataplane to ensure that no other process has accidentally broken Calico's rules.
// Set to 0 to disable route refresh. [Default: 90s]
RouteRefreshInterval *metav1.Duration `json:"routeRefreshInterval,omitempty" configv1timescale:"seconds"`
// InterfaceRefreshInterval is the period at which Felix rescans local interfaces to verify their state.
// The rescan can be disabled by setting the interval to 0.
InterfaceRefreshInterval *metav1.Duration `json:"interfaceRefreshInterval,omitempty" configv1timescale:"seconds"`
// IptablesRefreshInterval is the period at which Felix re-checks the IP sets
// in the dataplane to ensure that no other process has accidentally broken Calico's rules.
// Set to 0 to disable IP sets refresh. Note: the default for this value is lower than the
// other refresh intervals as a workaround for a Linux kernel bug that was fixed in kernel
// version 4.11. If you are using v4.11 or greater you may want to set this to, a higher value
// to reduce Felix CPU usage. [Default: 10s]
IptablesRefreshInterval *metav1.Duration `json:"iptablesRefreshInterval,omitempty" configv1timescale:"seconds"`
// IptablesPostWriteCheckInterval is the period after Felix has done a write
// to the dataplane that it schedules an extra read back in order to check the write was not
// clobbered by another process. This should only occur if another application on the system
// doesn't respect the iptables lock. [Default: 1s]
IptablesPostWriteCheckInterval *metav1.Duration `json:"iptablesPostWriteCheckInterval,omitempty" configv1timescale:"seconds" confignamev1:"IptablesPostWriteCheckIntervalSecs"`
// IptablesLockFilePath is the location of the iptables lock file. You may need to change this
// if the lock file is not in its standard location (for example if you have mapped it into Felix's
// container at a different path). [Default: /run/xtables.lock]
IptablesLockFilePath string `json:"iptablesLockFilePath,omitempty"`
// IptablesLockTimeout is the time that Felix will wait for the iptables lock,
// or 0, to disable. To use this feature, Felix must share the iptables lock file with all other
// processes that also take the lock. When running Felix inside a container, this requires the
// /run directory of the host to be mounted into the calico/node or calico/felix container.
// [Default: 0s disabled]
IptablesLockTimeout *metav1.Duration `json:"iptablesLockTimeout,omitempty" configv1timescale:"seconds" confignamev1:"IptablesLockTimeoutSecs"`
// IptablesLockProbeInterval is the time that Felix will wait between
// attempts to acquire the iptables lock if it is not available. Lower values make Felix more
// responsive when the lock is contended, but use more CPU. [Default: 50ms]
IptablesLockProbeInterval *metav1.Duration `json:"iptablesLockProbeInterval,omitempty" configv1timescale:"milliseconds" confignamev1:"IptablesLockProbeIntervalMillis"`
// FeatureDetectOverride is used to override feature detection based on auto-detected platform
// capabilities. Values are specified in a comma separated list with no spaces, example;
// "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". "true" or "false" will
// force the feature, empty or omitted values are auto-detected.
FeatureDetectOverride string `json:"featureDetectOverride,omitempty" validate:"omitempty,keyValueList"`
// FeatureGates is used to enable or disable tech-preview Calico features.
// Values are specified in a comma separated list with no spaces, example;
// "BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false". This is
// used to enable features that are not fully production ready.
FeatureGates string `json:"featureGates,omitempty" validate:"omitempty,keyValueList"`
// IpsetsRefreshInterval is the period at which Felix re-checks all iptables
// state to ensure that no other process has accidentally broken Calico's rules. Set to 0 to
// disable iptables refresh. [Default: 90s]
IpsetsRefreshInterval *metav1.Duration `json:"ipsetsRefreshInterval,omitempty" configv1timescale:"seconds"`
MaxIpsetSize *int `json:"maxIpsetSize,omitempty"`
// IptablesBackend specifies which backend of iptables will be used. The default is Auto.
IptablesBackend *IptablesBackend `json:"iptablesBackend,omitempty" validate:"omitempty,iptablesBackend"`
// XDPRefreshInterval is the period at which Felix re-checks all XDP state to ensure that no
// other process has accidentally broken Calico's BPF maps or attached programs. Set to 0 to
// disable XDP refresh. [Default: 90s]
XDPRefreshInterval *metav1.Duration `json:"xdpRefreshInterval,omitempty" configv1timescale:"seconds"`
NetlinkTimeout *metav1.Duration `json:"netlinkTimeout,omitempty" configv1timescale:"seconds" confignamev1:"NetlinkTimeoutSecs"`
// MetadataAddr is the IP address or domain name of the server that can answer VM queries for
// cloud-init metadata. In OpenStack, this corresponds to the machine running nova-api (or in
// Ubuntu, nova-api-metadata). A value of none (case insensitive) means that Felix should not
// set up any NAT rule for the metadata path. [Default: 127.0.0.1]
MetadataAddr string `json:"metadataAddr,omitempty"`
// MetadataPort is the port of the metadata server. This, combined with global.MetadataAddr (if
// not 'None'), is used to set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort.
// In most cases this should not need to be changed [Default: 8775].
MetadataPort *int `json:"metadataPort,omitempty"`
// OpenstackRegion is the name of the region that a particular Felix belongs to. In a multi-region
// Calico/OpenStack deployment, this must be configured somehow for each Felix (here in the datamodel,
// or in felix.cfg or the environment on each compute node), and must match the [calico]
// openstack_region value configured in neutron.conf on each node. [Default: Empty]
OpenstackRegion string `json:"openstackRegion,omitempty"`
// InterfacePrefix is the interface name prefix that identifies workload endpoints and so distinguishes
// them from host endpoint interfaces. Note: in environments other than bare metal, the orchestrators
// configure this appropriately. For example our Kubernetes and Docker integrations set the 'cali' value,
// and our OpenStack integration sets the 'tap' value. [Default: cali]
InterfacePrefix string `json:"interfacePrefix,omitempty"`
// InterfaceExclude is a comma-separated list of interfaces that Felix should exclude when monitoring for host
// endpoints. The default value ensures that Felix ignores Kubernetes' IPVS dummy interface, which is used
// internally by kube-proxy. If you want to exclude multiple interface names using a single value, the list
// supports regular expressions. For regular expressions you must wrap the value with '/'. For example
// having values '/^kube/,veth1' will exclude all interfaces that begin with 'kube' and also the interface
// 'veth1'. [Default: kube-ipvs0]
InterfaceExclude string `json:"interfaceExclude,omitempty"`
// ChainInsertMode controls whether Felix hooks the kernel's top-level iptables chains by inserting a rule
// at the top of the chain or by appending a rule at the bottom. insert is the safe default since it prevents
// Calico's rules from being bypassed. If you switch to append mode, be sure that the other rules in the chains
// signal acceptance by falling through to the Calico rules, otherwise the Calico policy will be bypassed.
// [Default: insert]
ChainInsertMode string `json:"chainInsertMode,omitempty"`
// DefaultEndpointToHostAction controls what happens to traffic that goes from a workload endpoint to the host
// itself (after the traffic hits the endpoint egress policy). By default Calico blocks traffic from workload
// endpoints to the host itself with an iptables "DROP" action. If you want to allow some or all traffic from
// endpoint to host, set this parameter to RETURN or ACCEPT. Use RETURN if you have your own rules in the iptables
// "INPUT" chain; Calico will insert its rules at the top of that chain, then "RETURN" packets to the "INPUT" chain
// once it has completed processing workload endpoint egress policy. Use ACCEPT to unconditionally accept packets
// from workloads after processing workload endpoint egress policy. [Default: Drop]
DefaultEndpointToHostAction string `json:"defaultEndpointToHostAction,omitempty" validate:"omitempty,dropAcceptReturn"`
IptablesFilterAllowAction string `json:"iptablesFilterAllowAction,omitempty" validate:"omitempty,acceptReturn"`
IptablesMangleAllowAction string `json:"iptablesMangleAllowAction,omitempty" validate:"omitempty,acceptReturn"`
// IptablesFilterDenyAction controls what happens to traffic that is denied by network policy. By default Calico blocks traffic
// with an iptables "DROP" action. If you want to use "REJECT" action instead you can configure it in here.
IptablesFilterDenyAction string `json:"iptablesFilterDenyAction,omitempty" validate:"omitempty,dropReject"`
// LogPrefix is the log prefix that Felix uses when rendering LOG rules. [Default: calico-packet]
LogPrefix string `json:"logPrefix,omitempty"`
// LogFilePath is the full path to the Felix log. Set to none to disable file logging. [Default: /var/log/calico/felix.log]
LogFilePath string `json:"logFilePath,omitempty"`
// LogSeverityFile is the log severity above which logs are sent to the log file. [Default: Info]
LogSeverityFile string `json:"logSeverityFile,omitempty" validate:"omitempty,logLevel"`
// LogSeverityScreen is the log severity above which logs are sent to the stdout. [Default: Info]
LogSeverityScreen string `json:"logSeverityScreen,omitempty" validate:"omitempty,logLevel"`
// LogSeveritySys is the log severity above which logs are sent to the syslog. Set to None for no logging to syslog.
// [Default: Info]
LogSeveritySys string `json:"logSeveritySys,omitempty" validate:"omitempty,logLevel"`
// LogDebugFilenameRegex controls which source code files have their Debug log output included in the logs.
// Only logs from files with names that match the given regular expression are included. The filter only applies
// to Debug level logs.
LogDebugFilenameRegex string `json:"logDebugFilenameRegex,omitempty" validate:"omitempty,regexp"`
// IPIPEnabled overrides whether Felix should configure an IPIP interface on the host. Optional as Felix determines this based on the existing IP pools. [Default: nil (unset)]
IPIPEnabled *bool `json:"ipipEnabled,omitempty" confignamev1:"IpInIpEnabled"`
// IPIPMTU is the MTU to set on the tunnel device. See Configuring MTU [Default: 1440]
IPIPMTU *int `json:"ipipMTU,omitempty" confignamev1:"IpInIpMtu"`
// VXLANEnabled overrides whether Felix should create the VXLAN tunnel device for IPv4 VXLAN networking. Optional as Felix determines this based on the existing IP pools. [Default: nil (unset)]
VXLANEnabled *bool `json:"vxlanEnabled,omitempty" confignamev1:"VXLANEnabled"`
// VXLANMTU is the MTU to set on the IPv4 VXLAN tunnel device. See Configuring MTU [Default: 1410]
VXLANMTU *int `json:"vxlanMTU,omitempty"`
// VXLANMTUV6 is the MTU to set on the IPv6 VXLAN tunnel device. See Configuring MTU [Default: 1390]
VXLANMTUV6 *int `json:"vxlanMTUV6,omitempty"`
VXLANPort *int `json:"vxlanPort,omitempty"`
VXLANVNI *int `json:"vxlanVNI,omitempty"`
// AllowVXLANPacketsFromWorkloads controls whether Felix will add a rule to drop VXLAN encapsulated traffic
// from workloads [Default: false]
// +optional
AllowVXLANPacketsFromWorkloads *bool `json:"allowVXLANPacketsFromWorkloads,omitempty"`
// AllowIPIPPacketsFromWorkloads controls whether Felix will add a rule to drop IPIP encapsulated traffic
// from workloads [Default: false]
// +optional
AllowIPIPPacketsFromWorkloads *bool `json:"allowIPIPPacketsFromWorkloads,omitempty"`
// ReportingInterval is the interval at which Felix reports its status into the datastore or 0 to disable.
// Must be non-zero in OpenStack deployments. [Default: 30s]
ReportingInterval *metav1.Duration `json:"reportingInterval,omitempty" configv1timescale:"seconds" confignamev1:"ReportingIntervalSecs"`
// ReportingTTL is the time-to-live setting for process-wide status reports. [Default: 90s]
ReportingTTL *metav1.Duration `json:"reportingTTL,omitempty" configv1timescale:"seconds" confignamev1:"ReportingTTLSecs"`
EndpointReportingEnabled *bool `json:"endpointReportingEnabled,omitempty"`
EndpointReportingDelay *metav1.Duration `json:"endpointReportingDelay,omitempty" configv1timescale:"seconds" confignamev1:"EndpointReportingDelaySecs"`
// IptablesMarkMask is the mask that Felix selects its IPTables Mark bits from. Should be a 32 bit hexadecimal
// number with at least 8 bits set, none of which clash with any other mark bits in use on the system.
// [Default: 0xff000000]
IptablesMarkMask *uint32 `json:"iptablesMarkMask,omitempty"`
DisableConntrackInvalidCheck *bool `json:"disableConntrackInvalidCheck,omitempty"`
HealthEnabled *bool `json:"healthEnabled,omitempty"`
HealthHost *string `json:"healthHost,omitempty"`
HealthPort *int `json:"healthPort,omitempty"`
// HealthTimeoutOverrides allows the internal watchdog timeouts of individual subcomponents to be
// overridden. This is useful for working around "false positive" liveness timeouts that can occur
// in particularly stressful workloads or if CPU is constrained. For a list of active
// subcomponents, see Felix's logs.
HealthTimeoutOverrides []HealthTimeoutOverride `json:"healthTimeoutOverrides,omitempty" validate:"omitempty,dive"`
// PrometheusMetricsEnabled enables the Prometheus metrics server in Felix if set to true. [Default: false]
PrometheusMetricsEnabled *bool `json:"prometheusMetricsEnabled,omitempty"`
// PrometheusMetricsHost is the host that the Prometheus metrics server should bind to. [Default: empty]
PrometheusMetricsHost string `json:"prometheusMetricsHost,omitempty" validate:"omitempty,prometheusHost"`
// PrometheusMetricsPort is the TCP port that the Prometheus metrics server should bind to. [Default: 9091]
PrometheusMetricsPort *int `json:"prometheusMetricsPort,omitempty"`
// PrometheusGoMetricsEnabled disables Go runtime metrics collection, which the Prometheus client does by default, when
// set to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true]
PrometheusGoMetricsEnabled *bool `json:"prometheusGoMetricsEnabled,omitempty"`
// PrometheusProcessMetricsEnabled disables process metrics collection, which the Prometheus client does by default, when
// set to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true]
PrometheusProcessMetricsEnabled *bool `json:"prometheusProcessMetricsEnabled,omitempty"`
// PrometheusWireGuardMetricsEnabled disables wireguard metrics collection, which the Prometheus client does by default, when
// set to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true]
PrometheusWireGuardMetricsEnabled *bool `json:"prometheusWireGuardMetricsEnabled,omitempty"`
// FailsafeInboundHostPorts is a list of UDP/TCP ports and CIDRs that Felix will allow incoming traffic to host endpoints
// on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration.
// For back-compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow
// traffic from all addresses. To disable all inbound host ports, use the value none. The default value allows ssh access
// and DHCP.
// [Default: tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]
FailsafeInboundHostPorts *[]ProtoPort `json:"failsafeInboundHostPorts,omitempty"`
// FailsafeOutboundHostPorts is a list of UDP/TCP ports and CIDRs that Felix will allow outgoing traffic from host endpoints
// to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration.
// For back-compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow
// traffic from all addresses. To disable all outbound host ports, use the value none. The default value opens etcd's standard
// ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP and DNS.
// [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667, udp:53, udp:67]
FailsafeOutboundHostPorts *[]ProtoPort `json:"failsafeOutboundHostPorts,omitempty"`
// KubeNodePortRanges holds list of port ranges used for service node ports. Only used if felix detects kube-proxy running in ipvs mode.
// Felix uses these ranges to separate host and workload traffic. [Default: 30000:32767].
KubeNodePortRanges *[]numorstring.Port `json:"kubeNodePortRanges,omitempty" validate:"omitempty,dive"`
// PolicySyncPathPrefix is used to by Felix to communicate policy changes to external services,
// like Application layer policy. [Default: Empty]
PolicySyncPathPrefix string `json:"policySyncPathPrefix,omitempty"`
// UsageReportingEnabled reports anonymous Calico version number and cluster size to projectcalico.org. Logs warnings returned by the usage
// server. For example, if a significant security vulnerability has been discovered in the version of Calico being used. [Default: true]
UsageReportingEnabled *bool `json:"usageReportingEnabled,omitempty"`
// UsageReportingInitialDelay controls the minimum delay before Felix makes a report. [Default: 300s]
UsageReportingInitialDelay *metav1.Duration `json:"usageReportingInitialDelay,omitempty" configv1timescale:"seconds" confignamev1:"UsageReportingInitialDelaySecs"`
// UsageReportingInterval controls the interval at which Felix makes reports. [Default: 86400s]
UsageReportingInterval *metav1.Duration `json:"usageReportingInterval,omitempty" configv1timescale:"seconds" confignamev1:"UsageReportingIntervalSecs"`
// NATPortRange specifies the range of ports that is used for port mapping when doing outgoing NAT. When unset the default behavior of the
// network stack is used.
NATPortRange *numorstring.Port `json:"natPortRange,omitempty"`
// NATOutgoingAddress specifies an address to use when performing source NAT for traffic in a natOutgoing pool that
// is leaving the network. By default the address used is an address on the interface the traffic is leaving on
// (ie it uses the iptables MASQUERADE target)
NATOutgoingAddress string `json:"natOutgoingAddress,omitempty"`
// This is the IPv4 source address to use on programmed device routes. By default the source address is left blank,
// leaving the kernel to choose the source address used.
DeviceRouteSourceAddress string `json:"deviceRouteSourceAddress,omitempty"`
// This is the IPv6 source address to use on programmed device routes. By default the source address is left blank,
// leaving the kernel to choose the source address used.
DeviceRouteSourceAddressIPv6 string `json:"deviceRouteSourceAddressIPv6,omitempty"`
// This defines the route protocol added to programmed device routes, by default this will be RTPROT_BOOT
// when left blank.
DeviceRouteProtocol *int `json:"deviceRouteProtocol,omitempty"`
// Whether or not to remove device routes that have not been programmed by Felix. Disabling this will allow external
// applications to also add device routes. This is enabled by default which means we will remove externally added routes.
RemoveExternalRoutes *bool `json:"removeExternalRoutes,omitempty"`
// ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes which may source tunnel traffic and have
// the tunneled traffic be accepted at calico nodes.
ExternalNodesCIDRList *[]string `json:"externalNodesList,omitempty"`
DebugMemoryProfilePath string `json:"debugMemoryProfilePath,omitempty"`
DebugDisableLogDropping *bool `json:"debugDisableLogDropping,omitempty"`
DebugSimulateCalcGraphHangAfter *metav1.Duration `json:"debugSimulateCalcGraphHangAfter,omitempty" configv1timescale:"seconds"`
DebugSimulateDataplaneHangAfter *metav1.Duration `json:"debugSimulateDataplaneHangAfter,omitempty" configv1timescale:"seconds"`
IptablesNATOutgoingInterfaceFilter string `json:"iptablesNATOutgoingInterfaceFilter,omitempty" validate:"omitempty,ifaceFilter"`
// SidecarAccelerationEnabled enables experimental sidecar acceleration [Default: false]
SidecarAccelerationEnabled *bool `json:"sidecarAccelerationEnabled,omitempty"`
// XDPEnabled enables XDP acceleration for suitable untracked incoming deny rules. [Default: true]
XDPEnabled *bool `json:"xdpEnabled,omitempty" confignamev1:"XDPEnabled"`
// GenericXDPEnabled enables Generic XDP so network cards that don't support XDP offload or driver
// modes can use XDP. This is not recommended since it doesn't provide better performance than
// iptables. [Default: false]
GenericXDPEnabled *bool `json:"genericXDPEnabled,omitempty" confignamev1:"GenericXDPEnabled"`
// BPFEnabled, if enabled Felix will use the BPF dataplane. [Default: false]
BPFEnabled *bool `json:"bpfEnabled,omitempty" validate:"omitempty"`
// BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled sysctl to disable
// unprivileged use of BPF. This ensures that unprivileged users cannot access Calico's BPF maps and
// cannot insert their own BPF programs to interfere with Calico's. [Default: true]
BPFDisableUnprivileged *bool `json:"bpfDisableUnprivileged,omitempty" validate:"omitempty"`
// BPFLogLevel controls the log level of the BPF programs when in BPF dataplane mode. One of "Off", "Info", or
// "Debug". The logs are emitted to the BPF trace pipe, accessible with the command `tc exec bpf debug`.
// [Default: Off].
// +optional
BPFLogLevel string `json:"bpfLogLevel" validate:"omitempty,bpfLogLevel"`
// BPFDataIfacePattern is a regular expression that controls which interfaces Felix should attach BPF programs to
// in order to catch traffic to/from the network. This needs to match the interfaces that Calico workload traffic
// flows over as well as any interfaces that handle incoming traffic to nodeports and services from outside the
// cluster. It should not match the workload interfaces (usually named cali...).
BPFDataIfacePattern string `json:"bpfDataIfacePattern,omitempty" validate:"omitempty,regexp"`
// BPFL3IfacePattern is a regular expression that allows to list tunnel devices like wireguard or vxlan (i.e., L3 devices)
// in addition to BPFDataIfacePattern. That is, tunnel interfaces not created by Calico, that Calico workload traffic flows
// over as well as any interfaces that handle incoming traffic to nodeports and services from outside the cluster.
BPFL3IfacePattern string `json:"bpfL3IfacePattern,omitempty" validate:"omitempty,regexp"`
// BPFConnectTimeLoadBalancingEnabled when in BPF mode, controls whether Felix installs the connection-time load
// balancer. The connect-time load balancer is required for the host to be able to reach Kubernetes services
// and it improves the performance of pod-to-service connections. The only reason to disable it is for debugging
// purposes. [Default: true]
BPFConnectTimeLoadBalancingEnabled *bool `json:"bpfConnectTimeLoadBalancingEnabled,omitempty" validate:"omitempty"`
// BPFExternalServiceMode in BPF mode, controls how connections from outside the cluster to services (node ports
// and cluster IPs) are forwarded to remote workloads. If set to "Tunnel" then both request and response traffic
// is tunneled to the remote node. If set to "DSR", the request traffic is tunneled but the response traffic
// is sent directly from the remote node. In "DSR" mode, the remote node appears to use the IP of the ingress
// node; this requires a permissive L2 network. [Default: Tunnel]
BPFExternalServiceMode string `json:"bpfExternalServiceMode,omitempty" validate:"omitempty,bpfServiceMode"`
// BPFDSROptoutCIDRs is a list of CIDRs which are excluded from DSR. That is, clients
// in those CIDRs will accesses nodeports as if BPFExternalServiceMode was set to
// Tunnel.
BPFDSROptoutCIDRs *[]string `json:"bpfDSROptoutCIDRs,omitempty" validate:"omitempty,cidrs"`
// BPFExtToServiceConnmark in BPF mode, control a 32bit mark that is set on connections from an
// external client to a local service. This mark allows us to control how packets of that
// connection are routed within the host and how is routing interpreted by RPF check. [Default: 0]
BPFExtToServiceConnmark *int `json:"bpfExtToServiceConnmark,omitempty" validate:"omitempty,gte=0,lte=4294967295"`
// BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF mode, Felix will proactively clean up the upstream
// Kubernetes kube-proxy's iptables chains. Should only be enabled if kube-proxy is not running. [Default: true]
BPFKubeProxyIptablesCleanupEnabled *bool `json:"bpfKubeProxyIptablesCleanupEnabled,omitempty" validate:"omitempty"`
// BPFKubeProxyMinSyncPeriod, in BPF mode, controls the minimum time between updates to the dataplane for Felix's
// embedded kube-proxy. Lower values give reduced set-up latency. Higher values reduce Felix CPU usage by
// batching up more work. [Default: 1s]
BPFKubeProxyMinSyncPeriod *metav1.Duration `json:"bpfKubeProxyMinSyncPeriod,omitempty" validate:"omitempty" configv1timescale:"seconds"`
// BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls whether Felix's
// embedded kube-proxy accepts EndpointSlices or not.
BPFKubeProxyEndpointSlicesEnabled *bool `json:"bpfKubeProxyEndpointSlicesEnabled,omitempty" validate:"omitempty"`
// BPFPSNATPorts sets the range from which we randomly pick a port if there is a source port
// collision. This should be within the ephemeral range as defined by RFC 6056 (102465535) and
// preferably outside the ephemeral ranges used by common operating systems. Linux uses
// 3276860999, while others mostly use the IANA defined range 4915265535. It is not necessarily
// a problem if this range overlaps with the operating systems. Both ends of the range are
// inclusive. [Default: 20000:29999]
BPFPSNATPorts *numorstring.Port `json:"bpfPSNATPorts,omitempty"`
// BPFMapSizeNATFrontend sets the size for nat front end map.
// FrontendMap should be large enough to hold an entry for each nodeport,
// external IP and each port in each service.
BPFMapSizeNATFrontend *int `json:"bpfMapSizeNATFrontend,omitempty"`
// BPFMapSizeNATBackend sets the size for nat back end map.
// This is the total number of endpoints. This is mostly
// more than the size of the number of services.
BPFMapSizeNATBackend *int `json:"bpfMapSizeNATBackend,omitempty"`
BPFMapSizeNATAffinity *int `json:"bpfMapSizeNATAffinity,omitempty"`
// BPFMapSizeRoute sets the size for the routes map. The routes map should be large enough
// to hold one entry per workload and a handful of entries per host (enough to cover its own IPs and
// tunnel IPs).
BPFMapSizeRoute *int `json:"bpfMapSizeRoute,omitempty"`
// BPFMapSizeConntrack sets the size for the conntrack map. This map must be large enough to hold
// an entry for each active connection. Warning: changing the size of the conntrack map can cause disruption.
BPFMapSizeConntrack *int `json:"bpfMapSizeConntrack,omitempty"`
// BPFMapSizeIPSets sets the size for ipsets map. The IP sets map must be large enough to hold an entry
// for each endpoint matched by every selector in the source/destination matches in network policy. Selectors
// such as "all()" can result in large numbers of entries (one entry per endpoint in that case).
BPFMapSizeIPSets *int `json:"bpfMapSizeIPSets,omitempty"`
// BPFMapSizeIfState sets the size for ifstate map. The ifstate map must be large enough to hold an entry
// for each device (host + workloads) on a host.
BPFMapSizeIfState *int `json:"bpfMapSizeIfState,omitempty"`
// BPFHostConntrackBypass Controls whether to bypass Linux conntrack in BPF mode for
// workloads and services. [Default: true - bypass Linux conntrack]
BPFHostConntrackBypass *bool `json:"bpfHostConntrackBypass,omitempty"`
// BPFEnforceRPF enforce strict RPF on all host interfaces with BPF programs regardless of
// what is the per-interfaces or global setting. Possible values are Disabled, Strict
// or Loose. [Default: Strict]
BPFEnforceRPF string `json:"bpfEnforceRPF,omitempty"`
// BPFPolicyDebugEnabled when true, Felix records detailed information
// about the BPF policy programs, which can be examined with the calico-bpf command-line tool.
BPFPolicyDebugEnabled *bool `json:"bpfPolicyDebugEnabled,omitempty"`
// RouteSource configures where Felix gets its routing information.
// - WorkloadIPs: use workload endpoints to construct routes.
// - CalicoIPAM: the default - use IPAM data to construct routes.
RouteSource string `json:"routeSource,omitempty" validate:"omitempty,routeSource"`
// Calico programs additional Linux route tables for various purposes.
// RouteTableRanges specifies a set of table index ranges that Calico should use.
// Deprecates`RouteTableRange`, overrides `RouteTableRange`.
RouteTableRanges *RouteTableRanges `json:"routeTableRanges,omitempty" validate:"omitempty,dive"`
// Deprecated in favor of RouteTableRanges.
// Calico programs additional Linux route tables for various purposes.
// RouteTableRange specifies the indices of the route tables that Calico should use.
RouteTableRange *RouteTableRange `json:"routeTableRange,omitempty" validate:"omitempty"`
// RouteSyncDisabled will disable all operations performed on the route table. Set to true to
// run in network-policy mode only.
RouteSyncDisabled *bool `json:"routeSyncDisabled,omitempty"`
// WireguardEnabled controls whether Wireguard is enabled for IPv4 (encapsulating IPv4 traffic over an IPv4 underlay network). [Default: false]
WireguardEnabled *bool `json:"wireguardEnabled,omitempty"`
// WireguardEnabledV6 controls whether Wireguard is enabled for IPv6 (encapsulating IPv6 traffic over an IPv6 underlay network). [Default: false]
WireguardEnabledV6 *bool `json:"wireguardEnabledV6,omitempty"`
// WireguardListeningPort controls the listening port used by IPv4 Wireguard. [Default: 51820]
WireguardListeningPort *int `json:"wireguardListeningPort,omitempty" validate:"omitempty,gt=0,lte=65535"`
// WireguardListeningPortV6 controls the listening port used by IPv6 Wireguard. [Default: 51821]
WireguardListeningPortV6 *int `json:"wireguardListeningPortV6,omitempty" validate:"omitempty,gt=0,lte=65535"`
// WireguardRoutingRulePriority controls the priority value to use for the Wireguard routing rule. [Default: 99]
WireguardRoutingRulePriority *int `json:"wireguardRoutingRulePriority,omitempty" validate:"omitempty,gt=0,lt=32766"`
// WireguardInterfaceName specifies the name to use for the IPv4 Wireguard interface. [Default: wireguard.cali]
WireguardInterfaceName string `json:"wireguardInterfaceName,omitempty" validate:"omitempty,interface"`
// WireguardInterfaceNameV6 specifies the name to use for the IPv6 Wireguard interface. [Default: wg-v6.cali]
WireguardInterfaceNameV6 string `json:"wireguardInterfaceNameV6,omitempty" validate:"omitempty,interface"`
// WireguardMTU controls the MTU on the IPv4 Wireguard interface. See Configuring MTU [Default: 1440]
WireguardMTU *int `json:"wireguardMTU,omitempty"`
// WireguardMTUV6 controls the MTU on the IPv6 Wireguard interface. See Configuring MTU [Default: 1420]
WireguardMTUV6 *int `json:"wireguardMTUV6,omitempty"`
// WireguardHostEncryptionEnabled controls whether Wireguard host-to-host encryption is enabled. [Default: false]
WireguardHostEncryptionEnabled *bool `json:"wireguardHostEncryptionEnabled,omitempty"`
// WireguardKeepAlive controls Wireguard PersistentKeepalive option. Set 0 to disable. [Default: 0]
WireguardPersistentKeepAlive *metav1.Duration `json:"wireguardKeepAlive,omitempty"`
// Set source-destination-check on AWS EC2 instances. Accepted value must be one of "DoNothing", "Enable" or "Disable".
// [Default: DoNothing]
AWSSrcDstCheck *AWSSrcDstCheckOption `json:"awsSrcDstCheck,omitempty" validate:"omitempty,oneof=DoNothing Enable Disable"`
// When service IP advertisement is enabled, prevent routing loops to service IPs that are
// not in use, by dropping or rejecting packets that do not get DNAT'd by kube-proxy.
// Unless set to "Disabled", in which case such routing loops continue to be allowed.
// [Default: Drop]
ServiceLoopPrevention string `json:"serviceLoopPrevention,omitempty" validate:"omitempty,oneof=Drop Reject Disabled"`
// WorkloadSourceSpoofing controls whether pods can use the allowedSourcePrefixes annotation to send traffic with a source IP
// address that is not theirs. This is disabled by default. When set to "Any", pods can request any prefix.
WorkloadSourceSpoofing string `json:"workloadSourceSpoofing,omitempty" validate:"omitempty,oneof=Disabled Any"`
// MTUIfacePattern is a regular expression that controls which interfaces Felix should scan in order
// to calculate the host's MTU.
// This should not match workload interfaces (usually named cali...).
// +optional
MTUIfacePattern string `json:"mtuIfacePattern,omitempty" validate:"omitempty,regexp"`
// FloatingIPs configures whether or not Felix will program non-OpenStack floating IP addresses. (OpenStack-derived
// floating IPs are always programmed, regardless of this setting.)
//
// +optional
FloatingIPs *FloatingIPType `json:"floatingIPs,omitempty" validate:"omitempty"`
}
type HealthTimeoutOverride struct {
Name string `json:"name"`
Timeout metav1.Duration `json:"timeout"`
}
type RouteTableRange struct {
Min int `json:"min"`
Max int `json:"max"`
}
type RouteTableIDRange struct {
Min int `json:"min"`
Max int `json:"max"`
}
type RouteTableRanges []RouteTableIDRange
func (r RouteTableRanges) NumDesignatedTables() int {
var len int = 0
for _, rng := range r {
len += (rng.Max - rng.Min) + 1 // add one, since range is inclusive
}
return len
}
// ProtoPort is combination of protocol, port, and CIDR. Protocol and port must be specified.
type ProtoPort struct {
Protocol string `json:"protocol"`
Port uint16 `json:"port"`
// +optional
Net string `json:"net"`
}
// New FelixConfiguration creates a new (zeroed) FelixConfiguration struct with the TypeMetadata
// initialized to the current version.
func NewFelixConfiguration() *FelixConfiguration {
return &FelixConfiguration{
TypeMeta: metav1.TypeMeta{
Kind: KindFelixConfiguration,
APIVersion: GroupVersionCurrent,
},
}
}

129
vendor/github.com/projectcalico/api/pkg/apis/projectcalico/v3/globalnetworkpolicy.go generated vendored Normal file
View File

@@ -0,0 +1,129 @@
// Copyright (c) 2017,2019-2021 Tigera, Inc. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package v3
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
const (
KindGlobalNetworkPolicy = "GlobalNetworkPolicy"
KindGlobalNetworkPolicyList = "GlobalNetworkPolicyList"
)
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// GlobalNetworkPolicyList is a list of Policy objects.
type GlobalNetworkPolicyList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
Items []GlobalNetworkPolicy `json:"items" protobuf:"bytes,2,rep,name=items"`
}
// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type GlobalNetworkPolicy struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
Spec GlobalNetworkPolicySpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
}
type GlobalNetworkPolicySpec struct {
// Order is an optional field that specifies the order in which the policy is applied.
// Policies with higher "order" are applied after those with lower
// order. If the order is omitted, it may be considered to be "infinite" - i.e. the
// policy will be applied last. Policies with identical order will be applied in
// alphanumerical order based on the Policy "Name".
Order *float64 `json:"order,omitempty"`
// The ordered set of ingress rules. Each rule contains a set of packet match criteria and
// a corresponding action to apply.
Ingress []Rule `json:"ingress,omitempty" validate:"omitempty,dive"`
// The ordered set of egress rules. Each rule contains a set of packet match criteria and
// a corresponding action to apply.
Egress []Rule `json:"egress,omitempty" validate:"omitempty,dive"`
// The selector is an expression used to pick pick out the endpoints that the policy should
// be applied to.
//
// Selector expressions follow this syntax:
//
// label == "string_literal" -> comparison, e.g. my_label == "foo bar"
// label != "string_literal" -> not equal; also matches if label is not present
// label in { "a", "b", "c", ... } -> true if the value of label X is one of "a", "b", "c"
// label not in { "a", "b", "c", ... } -> true if the value of label X is not one of "a", "b", "c"
// has(label_name) -> True if that label is present
// ! expr -> negation of expr
// expr && expr -> Short-circuit and
// expr || expr -> Short-circuit or
// ( expr ) -> parens for grouping
// all() or the empty selector -> matches all endpoints.
//
// Label names are allowed to contain alphanumerics, -, _ and /. String literals are more permissive
// but they do not support escape characters.
//
// Examples (with made-up labels):
//
// type == "webserver" && deployment == "prod"
// type in {"frontend", "backend"}
// deployment != "dev"
// ! has(label_name)
Selector string `json:"selector,omitempty" validate:"selector"`
// Types indicates whether this policy applies to ingress, or to egress, or to both. When
// not explicitly specified (and so the value on creation is empty or nil), Calico defaults
// Types according to what Ingress and Egress rules are present in the policy. The
// default is:
//
// - [ PolicyTypeIngress ], if there are no Egress rules (including the case where there are
// also no Ingress rules)
//
// - [ PolicyTypeEgress ], if there are Egress rules but no Ingress rules
//
// - [ PolicyTypeIngress, PolicyTypeEgress ], if there are both Ingress and Egress rules.
//
// When the policy is read back again, Types will always be one of these values, never empty
// or nil.
Types []PolicyType `json:"types,omitempty" validate:"omitempty,dive,policyType"`
// DoNotTrack indicates whether packets matched by the rules in this policy should go through
// the data plane's connection tracking, such as Linux conntrack. If True, the rules in
// this policy are applied before any data plane connection tracking, and packets allowed by
// this policy are marked as not to be tracked.
DoNotTrack bool `json:"doNotTrack,omitempty"`
// PreDNAT indicates to apply the rules in this policy before any DNAT.
PreDNAT bool `json:"preDNAT,omitempty"`
// ApplyOnForward indicates to apply the rules in this policy on forward traffic.
ApplyOnForward bool `json:"applyOnForward,omitempty"`
// ServiceAccountSelector is an optional field for an expression used to select a pod based on service accounts.
ServiceAccountSelector string `json:"serviceAccountSelector,omitempty" validate:"selector"`
// NamespaceSelector is an optional field for an expression used to select a pod based on namespaces.
NamespaceSelector string `json:"namespaceSelector,omitempty" validate:"selector"`
}
// NewGlobalNetworkPolicy creates a new (zeroed) GlobalNetworkPolicy struct with the TypeMetadata initialised to the current
// version.
func NewGlobalNetworkPolicy() *GlobalNetworkPolicy {
return &GlobalNetworkPolicy{
TypeMeta: metav1.TypeMeta{
Kind: KindGlobalNetworkPolicy,
APIVersion: GroupVersionCurrent,
},
}
}

63
vendor/github.com/projectcalico/api/pkg/apis/projectcalico/v3/globalnetworkset.go generated vendored Normal file
View File

@@ -0,0 +1,63 @@
// Copyright (c) 2018, 2021 Tigera, Inc. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package v3
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
const (
KindGlobalNetworkSet = "GlobalNetworkSet"
KindGlobalNetworkSetList = "GlobalNetworkSetList"
)
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// GlobalNetworkSetList is a list of NetworkSet objects.
type GlobalNetworkSetList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
Items []GlobalNetworkSet `json:"items" protobuf:"bytes,2,rep,name=items"`
}
// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type GlobalNetworkSet struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
Spec GlobalNetworkSetSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
}
// GlobalNetworkSetSpec contains the specification for a NetworkSet resource.
type GlobalNetworkSetSpec struct {
// The list of IP networks that belong to this set.
Nets []string `json:"nets,omitempty" validate:"omitempty,dive,cidr"`
}
// NewGlobalNetworkSet creates a new (zeroed) NetworkSet struct with the TypeMetadata initialised to the current
// version.
func NewGlobalNetworkSet() *GlobalNetworkSet {
return &GlobalNetworkSet{
TypeMeta: metav1.TypeMeta{
Kind: KindGlobalNetworkSet,
APIVersion: GroupVersionCurrent,
},
}
}

102
vendor/github.com/projectcalico/api/pkg/apis/projectcalico/v3/hostendpoint.go generated vendored Normal file
View File

@@ -0,0 +1,102 @@
// Copyright (c) 2017,2020-2021 Tigera, Inc. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package v3
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"github.com/projectcalico/api/pkg/lib/numorstring"
)
const (
KindHostEndpoint = "HostEndpoint"
KindHostEndpointList = "HostEndpointList"
)
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// HostEndpointList is a list of HostEndpoint objects.
type HostEndpointList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
Items []HostEndpoint `json:"items" protobuf:"bytes,2,rep,name=items"`
}
// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type HostEndpoint struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
Spec HostEndpointSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
}
// HostEndpointSpec contains the specification for a HostEndpoint resource.
type HostEndpointSpec struct {
// The node name identifying the Calico node instance.
Node string `json:"node,omitempty" validate:"omitempty,name"`
// Either "*", or the name of a specific Linux interface to apply policy to; or empty. "*"
// indicates that this HostEndpoint governs all traffic to, from or through the default
// network namespace of the host named by the "Node" field; entering and leaving that
// namespace via any interface, including those from/to non-host-networked local workloads.
//
// If InterfaceName is not "*", this HostEndpoint only governs traffic that enters or leaves
// the host through the specific interface named by InterfaceName, or - when InterfaceName
// is empty - through the specific interface that has one of the IPs in ExpectedIPs.
// Therefore, when InterfaceName is empty, at least one expected IP must be specified. Only
// external interfaces (such as "eth0") are supported here; it isn't possible for a
// HostEndpoint to protect traffic through a specific local workload interface.
//
// Note: Only some kinds of policy are implemented for "*" HostEndpoints; initially just
// pre-DNAT policy. Please check Calico documentation for the latest position.
InterfaceName string `json:"interfaceName,omitempty" validate:"omitempty,interface"`
// The expected IP addresses (IPv4 and IPv6) of the endpoint.
// If "InterfaceName" is not present, Calico will look for an interface matching any
// of the IPs in the list and apply policy to that.
// Note:
// When using the selector match criteria in an ingress or egress security Policy
// or Profile, Calico converts the selector into a set of IP addresses. For host
// endpoints, the ExpectedIPs field is used for that purpose. (If only the interface
// name is specified, Calico does not learn the IPs of the interface for use in match
// criteria.)
ExpectedIPs []string `json:"expectedIPs,omitempty" validate:"omitempty,dive,ip"`
// A list of identifiers of security Profile objects that apply to this endpoint. Each
// profile is applied in the order that they appear in this list. Profile rules are applied
// after the selector-based security policy.
Profiles []string `json:"profiles,omitempty" validate:"omitempty,dive,name"`
// Ports contains the endpoint's named ports, which may be referenced in security policy rules.
Ports []EndpointPort `json:"ports,omitempty" validate:"dive"`
}
type EndpointPort struct {
Name string `json:"name" validate:"portName"`
Protocol numorstring.Protocol `json:"protocol"`
Port uint16 `json:"port" validate:"gt=0"`
}
// NewHostEndpoint creates a new (zeroed) HostEndpoint struct with the TypeMetadata initialised to the current
// version.
func NewHostEndpoint() *HostEndpoint {
return &HostEndpoint{
TypeMeta: metav1.TypeMeta{
Kind: KindHostEndpoint,
APIVersion: GroupVersionCurrent,
},
}
}

68
vendor/github.com/projectcalico/api/pkg/apis/projectcalico/v3/ipamconfig.go generated vendored Normal file
View File

@@ -0,0 +1,68 @@
// Copyright (c) 2022 Tigera, Inc. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package v3
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
const (
KindIPAMConfiguration = "IPAMConfiguration"
KindIPAMConfigurationList = "IPAMConfigurationList"
)
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// IPAMConfigurationList contains a list of IPAMConfiguration resources.
type IPAMConfigurationList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
Items []IPAMConfiguration `json:"items" protobuf:"bytes,2,rep,name=items"`
}
// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// IPAMConfiguration contains information about a block for IP address assignment.
type IPAMConfiguration struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
Spec IPAMConfigurationSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
}
// IPAMConfigurationSpec contains the specification for an IPPool resource.
type IPAMConfigurationSpec struct {
// When StrictAffinity is true, borrowing IP addresses is not allowed.
StrictAffinity bool `json:"strictAffinity" validate:"required"`
// MaxBlocksPerHost, if non-zero, is the max number of blocks that can be
// affine to each host.
MaxBlocksPerHost int32 `json:"maxBlocksPerHost,omitempty"`
}
// NewIPAMConfiguration creates a new (zeroed) IPAMConfiguration struct with the TypeMetadata initialised to the current
// version.
func NewIPAMConfiguration() *IPAMConfiguration {
return &IPAMConfiguration{
TypeMeta: metav1.TypeMeta{
Kind: KindIPPool,
APIVersion: GroupVersionCurrent,
},
}
}

147
vendor/github.com/projectcalico/api/pkg/apis/projectcalico/v3/ippool.go generated vendored Normal file
View File

@@ -0,0 +1,147 @@
// Copyright (c) 2017, 2021 Tigera, Inc. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package v3
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
const (
KindIPPool = "IPPool"
KindIPPoolList = "IPPoolList"
)
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// IPPoolList contains a list of IPPool resources.
type IPPoolList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
Items []IPPool `json:"items" protobuf:"bytes,2,rep,name=items"`
}
// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type IPPool struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
Spec IPPoolSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
}
// IPPoolSpec contains the specification for an IPPool resource.
type IPPoolSpec struct {
// The pool CIDR.
CIDR string `json:"cidr" validate:"net"`
// Contains configuration for VXLAN tunneling for this pool. If not specified,
// then this is defaulted to "Never" (i.e. VXLAN tunneling is disabled).
VXLANMode VXLANMode `json:"vxlanMode,omitempty" validate:"omitempty,vxlanMode"`
// Contains configuration for IPIP tunneling for this pool. If not specified,
// then this is defaulted to "Never" (i.e. IPIP tunneling is disabled).
IPIPMode IPIPMode `json:"ipipMode,omitempty" validate:"omitempty,ipIpMode"`
// When natOutgoing is true, packets sent from Calico networked containers in
// this pool to destinations outside of this pool will be masqueraded.
NATOutgoing bool `json:"natOutgoing,omitempty"`
// When disabled is true, Calico IPAM will not assign addresses from this pool.
Disabled bool `json:"disabled,omitempty"`
// Disable exporting routes from this IP Pool's CIDR over BGP. [Default: false]
DisableBGPExport bool `json:"disableBGPExport,omitempty" validate:"omitempty"`
// The block size to use for IP address assignments from this pool. Defaults to 26 for IPv4 and 122 for IPv6.
BlockSize int `json:"blockSize,omitempty"`
// Allows IPPool to allocate for a specific node by label selector.
NodeSelector string `json:"nodeSelector,omitempty" validate:"omitempty,selector"`
// Deprecated: this field is only used for APIv1 backwards compatibility.
// Setting this field is not allowed, this field is for internal use only.
IPIP *IPIPConfiguration `json:"ipip,omitempty" validate:"omitempty,mustBeNil"`
// Deprecated: this field is only used for APIv1 backwards compatibility.
// Setting this field is not allowed, this field is for internal use only.
NATOutgoingV1 bool `json:"nat-outgoing,omitempty" validate:"omitempty,mustBeFalse"`
// AllowedUse controls what the IP pool will be used for. If not specified or empty, defaults to
// ["Tunnel", "Workload"] for back-compatibility
AllowedUses []IPPoolAllowedUse `json:"allowedUses,omitempty" validate:"omitempty"`
}
type IPPoolAllowedUse string
const (
IPPoolAllowedUseWorkload IPPoolAllowedUse = "Workload"
IPPoolAllowedUseTunnel = "Tunnel"
)
type VXLANMode string
const (
VXLANModeNever VXLANMode = "Never"
VXLANModeAlways = "Always"
VXLANModeCrossSubnet = "CrossSubnet"
)
type IPIPMode string
const (
IPIPModeNever IPIPMode = "Never"
IPIPModeAlways = "Always"
IPIPModeCrossSubnet = "CrossSubnet"
)
// The following definitions are only used for APIv1 backwards compatibility.
// They are for internal use only.
type EncapMode string
const (
Undefined EncapMode = ""
Always = "always"
CrossSubnet = "cross-subnet"
)
const DefaultMode = Always
type IPIPConfiguration struct {
// When enabled is true, ipip tunneling will be used to deliver packets to
// destinations within this pool.
Enabled bool `json:"enabled,omitempty"`
// The IPIP mode. This can be one of "always" or "cross-subnet". A mode
// of "always" will also use IPIP tunneling for routing to destination IP
// addresses within this pool. A mode of "cross-subnet" will only use IPIP
// tunneling when the destination node is on a different subnet to the
// originating node. The default value (if not specified) is "always".
Mode EncapMode `json:"mode,omitempty" validate:"ipIpMode"`
}
// NewIPPool creates a new (zeroed) IPPool struct with the TypeMetadata initialised to the current
// version.
func NewIPPool() *IPPool {
return &IPPool{
TypeMeta: metav1.TypeMeta{
Kind: KindIPPool,
APIVersion: GroupVersionCurrent,
},
}
}

68
vendor/github.com/projectcalico/api/pkg/apis/projectcalico/v3/ipreservation.go generated vendored Normal file
View File

@@ -0,0 +1,68 @@
// Copyright (c) 2017, 2021 Tigera, Inc. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package v3
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
const (
KindIPReservation = "IPReservation"
KindIPReservationList = "IPReservationList"
)
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// IPReservationList contains a list of IPReservation resources.
type IPReservationList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
Items []IPReservation `json:"items" protobuf:"bytes,2,rep,name=items"`
}
// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// IPReservation allows certain IP addresses to be reserved (i.e. prevented from being allocated) by Calico
// IPAM. Reservations only block new allocations, they do not cause existing IP allocations to be released.
// The current implementation is only suitable for reserving small numbers of IP addresses relative to the
// size of the IP pool. If large portions of an IP pool are reserved, Calico IPAM may hunt for a long time
// to find a non-reserved IP.
type IPReservation struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
Spec IPReservationSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
}
// IPReservationSpec contains the specification for an IPReservation resource.
type IPReservationSpec struct {
// ReservedCIDRs is a list of CIDRs and/or IP addresses that Calico IPAM will exclude from new allocations.
ReservedCIDRs []string `json:"reservedCIDRs,omitempty" validate:"cidrs,omitempty"`
}
// NewIPReservation creates a new (zeroed) IPReservation struct with the TypeMetadata initialised to the current
// version.
func NewIPReservation() *IPReservation {
return &IPReservation{
TypeMeta: metav1.TypeMeta{
Kind: KindIPReservation,
APIVersion: GroupVersionCurrent,
},
}
}

162
vendor/github.com/projectcalico/api/pkg/apis/projectcalico/v3/kubecontrollersconfig.go generated vendored Normal file
View File

@@ -0,0 +1,162 @@
// Copyright (c) 2020-2021 Tigera, Inc. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package v3
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
const (
KindKubeControllersConfiguration = "KubeControllersConfiguration"
KindKubeControllersConfigurationList = "KubeControllersConfigurationList"
)
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// KubeControllersConfigurationList contains a list of KubeControllersConfiguration object.
type KubeControllersConfigurationList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
Items []KubeControllersConfiguration `json:"items" protobuf:"bytes,2,rep,name=items"`
}
// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type KubeControllersConfiguration struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
Spec KubeControllersConfigurationSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
Status KubeControllersConfigurationStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
}
// KubeControllersConfigurationSpec contains the values of the Kubernetes controllers configuration.
type KubeControllersConfigurationSpec struct {
// LogSeverityScreen is the log severity above which logs are sent to the stdout. [Default: Info]
LogSeverityScreen string `json:"logSeverityScreen,omitempty" validate:"omitempty,logLevel"`
// HealthChecks enables or disables support for health checks [Default: Enabled]
HealthChecks string `json:"healthChecks,omitempty" validate:"omitempty,oneof=Enabled Disabled"`
// EtcdV3CompactionPeriod is the period between etcdv3 compaction requests. Set to 0 to disable. [Default: 10m]
EtcdV3CompactionPeriod *metav1.Duration `json:"etcdV3CompactionPeriod,omitempty" validate:"omitempty"`
// PrometheusMetricsPort is the TCP port that the Prometheus metrics server should bind to. Set to 0 to disable. [Default: 9094]
PrometheusMetricsPort *int `json:"prometheusMetricsPort,omitempty"`
// Controllers enables and configures individual Kubernetes controllers
Controllers ControllersConfig `json:"controllers"`
// DebugProfilePort configures the port to serve memory and cpu profiles on. If not specified, profiling
// is disabled.
DebugProfilePort *int32 `json:"debugProfilePort,omitempty"`
}
// ControllersConfig enables and configures individual Kubernetes controllers
type ControllersConfig struct {
// Node enables and configures the node controller. Enabled by default, set to nil to disable.
Node *NodeControllerConfig `json:"node,omitempty"`
// Policy enables and configures the policy controller. Enabled by default, set to nil to disable.
Policy *PolicyControllerConfig `json:"policy,omitempty"`
// WorkloadEndpoint enables and configures the workload endpoint controller. Enabled by default, set to nil to disable.
WorkloadEndpoint *WorkloadEndpointControllerConfig `json:"workloadEndpoint,omitempty"`
// ServiceAccount enables and configures the service account controller. Enabled by default, set to nil to disable.
ServiceAccount *ServiceAccountControllerConfig `json:"serviceAccount,omitempty"`
// Namespace enables and configures the namespace controller. Enabled by default, set to nil to disable.
Namespace *NamespaceControllerConfig `json:"namespace,omitempty"`
}
// NodeControllerConfig configures the node controller, which automatically cleans up configuration
// for nodes that no longer exist. Optionally, it can create host endpoints for all Kubernetes nodes.
type NodeControllerConfig struct {
// ReconcilerPeriod is the period to perform reconciliation with the Calico datastore. [Default: 5m]
ReconcilerPeriod *metav1.Duration `json:"reconcilerPeriod,omitempty" validate:"omitempty"`
// SyncLabels controls whether to copy Kubernetes node labels to Calico nodes. [Default: Enabled]
SyncLabels string `json:"syncLabels,omitempty" validate:"omitempty,oneof=Enabled Disabled"`
// HostEndpoint controls syncing nodes to host endpoints. Disabled by default, set to nil to disable.
HostEndpoint *AutoHostEndpointConfig `json:"hostEndpoint,omitempty"`
// LeakGracePeriod is the period used by the controller to determine if an IP address has been leaked.
// Set to 0 to disable IP garbage collection. [Default: 15m]
// +optional
LeakGracePeriod *metav1.Duration `json:"leakGracePeriod,omitempty"`
}
type AutoHostEndpointConfig struct {
// AutoCreate enables automatic creation of host endpoints for every node. [Default: Disabled]
AutoCreate string `json:"autoCreate,omitempty" validate:"omitempty,oneof=Enabled Disabled"`
}
// PolicyControllerConfig configures the network policy controller, which syncs Kubernetes policies
// to Calico policies (only used for etcdv3 datastore).
type PolicyControllerConfig struct {
// ReconcilerPeriod is the period to perform reconciliation with the Calico datastore. [Default: 5m]
ReconcilerPeriod *metav1.Duration `json:"reconcilerPeriod,omitempty" validate:"omitempty"`
}
// WorkloadEndpointControllerConfig configures the workload endpoint controller, which syncs Kubernetes
// labels to Calico workload endpoints (only used for etcdv3 datastore).
type WorkloadEndpointControllerConfig struct {
// ReconcilerPeriod is the period to perform reconciliation with the Calico datastore. [Default: 5m]
ReconcilerPeriod *metav1.Duration `json:"reconcilerPeriod,omitempty" validate:"omitempty"`
}
// ServiceAccountControllerConfig configures the service account controller, which syncs Kubernetes
// service accounts to Calico profiles (only used for etcdv3 datastore).
type ServiceAccountControllerConfig struct {
// ReconcilerPeriod is the period to perform reconciliation with the Calico datastore. [Default: 5m]
ReconcilerPeriod *metav1.Duration `json:"reconcilerPeriod,omitempty" validate:"omitempty"`
}
// NamespaceControllerConfig configures the service account controller, which syncs Kubernetes
// service accounts to Calico profiles (only used for etcdv3 datastore).
type NamespaceControllerConfig struct {
// ReconcilerPeriod is the period to perform reconciliation with the Calico datastore. [Default: 5m]
ReconcilerPeriod *metav1.Duration `json:"reconcilerPeriod,omitempty" validate:"omitempty"`
}
// KubeControllersConfigurationStatus represents the status of the configuration. It's useful for admins to
// be able to see the actual config that was applied, which can be modified by environment variables on the
// kube-controllers process.
type KubeControllersConfigurationStatus struct {
// RunningConfig contains the effective config that is running in the kube-controllers pod, after
// merging the API resource with any environment variables.
RunningConfig KubeControllersConfigurationSpec `json:"runningConfig,omitempty"`
// EnvironmentVars contains the environment variables on the kube-controllers that influenced
// the RunningConfig.
EnvironmentVars map[string]string `json:"environmentVars,omitempty"`
}
// New KubeControllersConfiguration creates a new (zeroed) KubeControllersConfiguration struct with
// the TypeMetadata initialized to the current version.
func NewKubeControllersConfiguration() *KubeControllersConfiguration {
return &KubeControllersConfiguration{
TypeMeta: metav1.TypeMeta{
Kind: KindKubeControllersConfiguration,
APIVersion: GroupVersionCurrent,
},
}
}

114
vendor/github.com/projectcalico/api/pkg/apis/projectcalico/v3/networkpolicy.go generated vendored Normal file
View File

@@ -0,0 +1,114 @@
// Copyright (c) 2017,2019,2021 Tigera, Inc. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package v3
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
const (
KindNetworkPolicy = "NetworkPolicy"
KindNetworkPolicyList = "NetworkPolicyList"
)
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// NetworkPolicyList is a list of Policy objects.
type NetworkPolicyList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
Items []NetworkPolicy `json:"items" protobuf:"bytes,2,rep,name=items"`
}
// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type NetworkPolicy struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
Spec NetworkPolicySpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
}
type NetworkPolicySpec struct {
// Order is an optional field that specifies the order in which the policy is applied.
// Policies with higher "order" are applied after those with lower
// order. If the order is omitted, it may be considered to be "infinite" - i.e. the
// policy will be applied last. Policies with identical order will be applied in
// alphanumerical order based on the Policy "Name".
Order *float64 `json:"order,omitempty"`
// The ordered set of ingress rules. Each rule contains a set of packet match criteria and
// a corresponding action to apply.
Ingress []Rule `json:"ingress,omitempty" validate:"omitempty,dive"`
// The ordered set of egress rules. Each rule contains a set of packet match criteria and
// a corresponding action to apply.
Egress []Rule `json:"egress,omitempty" validate:"omitempty,dive"`
// The selector is an expression used to pick pick out the endpoints that the policy should
// be applied to.
//
// Selector expressions follow this syntax:
//
// label == "string_literal" -> comparison, e.g. my_label == "foo bar"
// label != "string_literal" -> not equal; also matches if label is not present
// label in { "a", "b", "c", ... } -> true if the value of label X is one of "a", "b", "c"
// label not in { "a", "b", "c", ... } -> true if the value of label X is not one of "a", "b", "c"
// has(label_name) -> True if that label is present
// ! expr -> negation of expr
// expr && expr -> Short-circuit and
// expr || expr -> Short-circuit or
// ( expr ) -> parens for grouping
// all() or the empty selector -> matches all endpoints.
//
// Label names are allowed to contain alphanumerics, -, _ and /. String literals are more permissive
// but they do not support escape characters.
//
// Examples (with made-up labels):
//
// type == "webserver" && deployment == "prod"
// type in {"frontend", "backend"}
// deployment != "dev"
// ! has(label_name)
Selector string `json:"selector,omitempty" validate:"selector"`
// Types indicates whether this policy applies to ingress, or to egress, or to both. When
// not explicitly specified (and so the value on creation is empty or nil), Calico defaults
// Types according to what Ingress and Egress are present in the policy. The
// default is:
//
// - [ PolicyTypeIngress ], if there are no Egress rules (including the case where there are
// also no Ingress rules)
//
// - [ PolicyTypeEgress ], if there are Egress rules but no Ingress rules
//
// - [ PolicyTypeIngress, PolicyTypeEgress ], if there are both Ingress and Egress rules.
//
// When the policy is read back again, Types will always be one of these values, never empty
// or nil.
Types []PolicyType `json:"types,omitempty" validate:"omitempty,dive,policyType"`
// ServiceAccountSelector is an optional field for an expression used to select a pod based on service accounts.
ServiceAccountSelector string `json:"serviceAccountSelector,omitempty" validate:"selector"`
}
// NewNetworkPolicy creates a new (zeroed) NetworkPolicy struct with the TypeMetadata initialised to the current
// version.
func NewNetworkPolicy() *NetworkPolicy {
return &NetworkPolicy{
TypeMeta: metav1.TypeMeta{
Kind: KindNetworkPolicy,
APIVersion: GroupVersionCurrent,
},
}
}

60
vendor/github.com/projectcalico/api/pkg/apis/projectcalico/v3/networkset.go generated vendored Normal file
View File

@@ -0,0 +1,60 @@
// Copyright (c) 2019,2021 Tigera, Inc. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package v3
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
const (
KindNetworkSet = "NetworkSet"
KindNetworkSetList = "NetworkSetList"
)
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// NetworkSetList is a list of NetworkSet objects.
type NetworkSetList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
Items []NetworkSet `json:"items" protobuf:"bytes,2,rep,name=items"`
}
// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type NetworkSet struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
Spec NetworkSetSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
}
// NetworkSetSpec contains the specification for a NetworkSet resource.
type NetworkSetSpec struct {
// The list of IP networks that belong to this set.
Nets []string `json:"nets,omitempty" validate:"omitempty,dive,cidr"`
}
// NewNetworkSet creates a new (zeroed) NetworkSet struct with the TypeMetadata initialised to the current version.
func NewNetworkSet() *NetworkSet {
return &NetworkSet{
TypeMeta: metav1.TypeMeta{
Kind: KindNetworkSet,
APIVersion: GroupVersionCurrent,
},
}
}

242
vendor/github.com/projectcalico/api/pkg/apis/projectcalico/v3/nodestatus.go generated vendored Normal file
View File

@@ -0,0 +1,242 @@
// Copyright (c) 2021 Tigera, Inc. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package v3
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
const (
KindCalicoNodeStatus = "CalicoNodeStatus"
KindCalicoNodeStatusList = "CalicoNodeStatusList"
)
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// CalicoNodeStatusList is a list of CalicoNodeStatus resources.
type CalicoNodeStatusList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
Items []CalicoNodeStatus `json:"items" protobuf:"bytes,2,rep,name=items"`
}
// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type CalicoNodeStatus struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
Spec CalicoNodeStatusSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
Status CalicoNodeStatusStatus `json:"status,omitempty" protobuf:"bytes,2,opt,name=status"`
}
// CalicoNodeStatusSpec contains the specification for a CalicoNodeStatus resource.
type CalicoNodeStatusSpec struct {
// The node name identifies the Calico node instance for node status.
Node string `json:"node,omitempty" validate:"required,name"`
// Classes declares the types of information to monitor for this calico/node,
// and allows for selective status reporting about certain subsets of information.
Classes []NodeStatusClassType `json:"classes,omitempty" validate:"required,unique"`
// UpdatePeriodSeconds is the period at which CalicoNodeStatus should be updated.
// Set to 0 to disable CalicoNodeStatus refresh. Maximum update period is one day.
UpdatePeriodSeconds *uint32 `json:"updatePeriodSeconds,omitempty" validate:"required,gte=0,lte=86400"`
}
// CalicoNodeStatusStatus defines the observed state of CalicoNodeStatus.
// No validation needed for status since it is updated by Calico.
type CalicoNodeStatusStatus struct {
// LastUpdated is a timestamp representing the server time when CalicoNodeStatus object
// last updated. It is represented in RFC3339 form and is in UTC.
// +nullable
LastUpdated metav1.Time `json:"lastUpdated,omitempty"`
// Agent holds agent status on the node.
Agent CalicoNodeAgentStatus `json:"agent,omitempty"`
// BGP holds node BGP status.
BGP CalicoNodeBGPStatus `json:"bgp,omitempty"`
// Routes reports routes known to the Calico BGP daemon on the node.
Routes CalicoNodeBGPRouteStatus `json:"routes,omitempty"`
}
// CalicoNodeAgentStatus defines the observed state of agent status on the node.
type CalicoNodeAgentStatus struct {
// BIRDV4 represents the latest observed status of bird4.
BIRDV4 BGPDaemonStatus `json:"birdV4,omitempty"`
// BIRDV6 represents the latest observed status of bird6.
BIRDV6 BGPDaemonStatus `json:"birdV6,omitempty"`
}
// CalicoNodeBGPStatus defines the observed state of BGP status on the node.
type CalicoNodeBGPStatus struct {
// The total number of IPv4 established bgp sessions.
NumberEstablishedV4 int `json:"numberEstablishedV4"`
// The total number of IPv4 non-established bgp sessions.
NumberNotEstablishedV4 int `json:"numberNotEstablishedV4"`
// The total number of IPv6 established bgp sessions.
NumberEstablishedV6 int `json:"numberEstablishedV6"`
// The total number of IPv6 non-established bgp sessions.
NumberNotEstablishedV6 int `json:"numberNotEstablishedV6"`
// PeersV4 represents IPv4 BGP peers status on the node.
PeersV4 []CalicoNodePeer `json:"peersV4,omitempty"`
// PeersV6 represents IPv6 BGP peers status on the node.
PeersV6 []CalicoNodePeer `json:"peersV6,omitempty"`
}
// CalicoNodeBGPRouteStatus defines the observed state of routes status on the node.
type CalicoNodeBGPRouteStatus struct {
// RoutesV4 represents IPv4 routes on the node.
RoutesV4 []CalicoNodeRoute `json:"routesV4,omitempty"`
// RoutesV6 represents IPv6 routes on the node.
RoutesV6 []CalicoNodeRoute `json:"routesV6,omitempty"`
}
// BGPDaemonStatus defines the observed state of BGP daemon.
type BGPDaemonStatus struct {
// The state of the BGP Daemon.
State BGPDaemonState `json:"state,omitempty"`
// Version of the BGP daemon
Version string `json:"version,omitempty"`
// Router ID used by bird.
RouterID string `json:"routerID,omitempty"`
// LastBootTime holds the value of lastBootTime from bird.ctl output.
LastBootTime string `json:"lastBootTime,omitempty"`
// LastReconfigurationTime holds the value of lastReconfigTime from bird.ctl output.
LastReconfigurationTime string `json:"lastReconfigurationTime,omitempty"`
}
// CalicoNodePeer contains the status of BGP peers on the node.
type CalicoNodePeer struct {
// IP address of the peer whose condition we are reporting.
PeerIP string `json:"peerIP,omitempty" validate:"omitempty,ip"`
// Type indicates whether this peer is configured via the node-to-node mesh,
// or via en explicit global or per-node BGPPeer object.
Type BGPPeerType `json:"type,omitempty"`
// State is the BGP session state.
State BGPSessionState `json:"state,omitempty"`
// Since the state or reason last changed.
Since string `json:"since,omitempty"`
}
// CalicoNodeRoute contains the status of BGP routes on the node.
type CalicoNodeRoute struct {
// Type indicates if the route is being used for forwarding or not.
Type CalicoNodeRouteType `json:"type,omitempty"`
// Destination of the route.
Destination string `json:"destination,omitempty"`
// Gateway for the destination.
Gateway string `json:"gateway,omitempty"`
// Interface for the destination
Interface string `json:"interface,omitempty"`
// LearnedFrom contains information regarding where this route originated.
LearnedFrom CalicoNodeRouteLearnedFrom `json:"learnedFrom,omitempty"`
}
// CalicoNodeRouteLearnedFrom contains the information of the source from which a routes has been learned.
type CalicoNodeRouteLearnedFrom struct {
// Type of the source where a route is learned from.
SourceType CalicoNodeRouteSourceType `json:"sourceType,omitempty"`
// If sourceType is NodeMesh or BGPPeer, IP address of the router that sent us this route.
PeerIP string `json:"peerIP,omitempty, validate:"omitempty,ip"`
}
// NewCalicoNodeStatus creates a new (zeroed) CalicoNodeStatus struct with the TypeMetadata initialised to the current
// version.
func NewCalicoNodeStatus() *CalicoNodeStatus {
return &CalicoNodeStatus{
TypeMeta: metav1.TypeMeta{
Kind: KindCalicoNodeStatus,
APIVersion: GroupVersionCurrent,
},
}
}
type CalicoNodeRouteType string
const (
RouteTypeFIB CalicoNodeRouteType = "FIB"
RouteTypeRIB = "RIB"
)
type CalicoNodeRouteSourceType string
const (
RouteSourceTypeKernel CalicoNodeRouteSourceType = "Kernel"
RouteSourceTypeStatic = "Static"
RouteSourceTypeDirect = "Direct"
RouteSourceTypeNodeMesh = "NodeMesh"
RouteSourceTypeBGPPeer = "BGPPeer"
)
type NodeStatusClassType string
const (
NodeStatusClassTypeAgent NodeStatusClassType = "Agent"
NodeStatusClassTypeBGP = "BGP"
NodeStatusClassTypeRoutes = "Routes"
)
type BGPPeerType string
const (
BGPPeerTypeNodeMesh BGPPeerType = "NodeMesh"
BGPPeerTypeNodePeer = "NodePeer"
BGPPeerTypeGlobalPeer = "GlobalPeer"
)
type BGPDaemonState string
const (
BGPDaemonStateReady BGPDaemonState = "Ready"
BGPDaemonStateNotReady = "NotReady"
)
type BGPSessionState string
const (
BGPSessionStateIdle BGPSessionState = "Idle"
BGPSessionStateConnect = "Connect"
BGPSessionStateActive = "Active"
BGPSessionStateOpenSent = "OpenSent"
BGPSessionStateOpenConfirm = "OpenConfirm"
BGPSessionStateEstablished = "Established"
BGPSessionStateClose = "Close"
)

214
vendor/github.com/projectcalico/api/pkg/apis/projectcalico/v3/policy_common.go generated vendored Normal file
View File

@@ -0,0 +1,214 @@
// Copyright (c) 2017-2018,2020-2021 Tigera, Inc. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package v3
import (
"github.com/projectcalico/api/pkg/lib/numorstring"
)
// PolicyType enumerates the possible values of the PolicySpec Types field.
type PolicyType string
const (
PolicyTypeIngress PolicyType = "Ingress"
PolicyTypeEgress PolicyType = "Egress"
)
// A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy
// and security Profiles reference rules - separated out as a list of rules for both
// ingress and egress packet matching.
//
// Each positive match criteria has a negated version, prefixed with "Not". All the match
// criteria within a rule must be satisfied for a packet to match. A single rule can contain
// the positive and negative version of a match and both must be satisfied for the rule to match.
type Rule struct {
Action Action `json:"action" validate:"action"`
// IPVersion is an optional field that restricts the rule to only match a specific IP
// version.
IPVersion *int `json:"ipVersion,omitempty" validate:"omitempty,ipVersion"`
// Protocol is an optional field that restricts the rule to only apply to traffic of
// a specific IP protocol. Required if any of the EntityRules contain Ports
// (because ports only apply to certain protocols).
//
// Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite"
// or an integer in the range 1-255.
Protocol *numorstring.Protocol `json:"protocol,omitempty" validate:"omitempty"`
// ICMP is an optional field that restricts the rule to apply to a specific type and
// code of ICMP traffic. This should only be specified if the Protocol field is set to
// "ICMP" or "ICMPv6".
ICMP *ICMPFields `json:"icmp,omitempty" validate:"omitempty"`
// NotProtocol is the negated version of the Protocol field.
NotProtocol *numorstring.Protocol `json:"notProtocol,omitempty" validate:"omitempty"`
// NotICMP is the negated version of the ICMP field.
NotICMP *ICMPFields `json:"notICMP,omitempty" validate:"omitempty"`
// Source contains the match criteria that apply to source entity.
Source EntityRule `json:"source,omitempty" validate:"omitempty"`
// Destination contains the match criteria that apply to destination entity.
Destination EntityRule `json:"destination,omitempty" validate:"omitempty"`
// HTTP contains match criteria that apply to HTTP requests.
HTTP *HTTPMatch `json:"http,omitempty" validate:"omitempty"`
// Metadata contains additional information for this rule
Metadata *RuleMetadata `json:"metadata,omitempty" validate:"omitempty"`
}
// HTTPPath specifies an HTTP path to match. It may be either of the form:
// exact: <path>: which matches the path exactly or
// prefix: <path-prefix>: which matches the path prefix
type HTTPPath struct {
Exact string `json:"exact,omitempty" validate:"omitempty"`
Prefix string `json:"prefix,omitempty" validate:"omitempty"`
}
// HTTPMatch is an optional field that apply only to HTTP requests
// The Methods and Path fields are joined with AND
type HTTPMatch struct {
// Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed
// HTTP Methods (e.g. GET, PUT, etc.)
// Multiple methods are OR'd together.
Methods []string `json:"methods,omitempty" validate:"omitempty"`
// Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed
// HTTP Paths.
// Multiple paths are OR'd together.
// e.g:
// - exact: /foo
// - prefix: /bar
// NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it.
Paths []HTTPPath `json:"paths,omitempty" validate:"omitempty"`
}
// ICMPFields defines structure for ICMP and NotICMP sub-struct for ICMP code and type
type ICMPFields struct {
// Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request
// (i.e. pings).
Type *int `json:"type,omitempty" validate:"omitempty,gte=0,lte=254"`
// Match on a specific ICMP code. If specified, the Type value must also be specified.
// This is a technical limitation imposed by the kernel's iptables firewall, which
// Calico uses to enforce the rule.
Code *int `json:"code,omitempty" validate:"omitempty,gte=0,lte=255"`
}
// An EntityRule is a sub-component of a Rule comprising the match criteria specific
// to a particular entity (that is either the source or destination).
//
// A source EntityRule matches the source endpoint and originating traffic.
// A destination EntityRule matches the destination endpoint and terminating traffic.
type EntityRule struct {
// Nets is an optional field that restricts the rule to only apply to traffic that
// originates from (or terminates at) IP addresses in any of the given subnets.
Nets []string `json:"nets,omitempty" validate:"omitempty,dive,net"`
// Selector is an optional field that contains a selector expression (see Policy for
// sample syntax). Only traffic that originates from (terminates at) endpoints matching
// the selector will be matched.
//
// Note that: in addition to the negated version of the Selector (see NotSelector below), the
// selector expression syntax itself supports negation. The two types of negation are subtly
// different. One negates the set of matched endpoints, the other negates the whole match:
//
// Selector = "!has(my_label)" matches packets that are from other Calico-controlled
// endpoints that do not have the label "my_label".
//
// NotSelector = "has(my_label)" matches packets that are not from Calico-controlled
// endpoints that do have the label "my_label".
//
// The effect is that the latter will accept packets from non-Calico sources whereas the
// former is limited to packets from Calico-controlled endpoints.
Selector string `json:"selector,omitempty" validate:"omitempty,selector"`
// NamespaceSelector is an optional field that contains a selector expression. Only traffic
// that originates from (or terminates at) endpoints within the selected namespaces will be
// matched. When both NamespaceSelector and another selector are defined on the same rule, then only
// workload endpoints that are matched by both selectors will be selected by the rule.
//
// For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting
// only workload endpoints in the same namespace as the NetworkPolicy.
//
// For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting
// only GlobalNetworkSet or HostEndpoint.
//
// For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload
// endpoints across all namespaces.
NamespaceSelector string `json:"namespaceSelector,omitempty" validate:"omitempty,selector"`
// Services is an optional field that contains options for matching Kubernetes Services.
// If specified, only traffic that originates from or terminates at endpoints within the selected
// service(s) will be matched, and only to/from each endpoint's port.
//
// Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets,
// NotNets or ServiceAccounts.
//
// Ports and NotPorts can only be specified with Services on ingress rules.
Services *ServiceMatch `json:"services,omitempty" validate:"omitempty"`
// Ports is an optional field that restricts the rule to only apply to traffic that has a
// source (destination) port that matches one of these ranges/values. This value is a
// list of integers or strings that represent ranges of ports.
//
// Since only some protocols have ports, if any ports are specified it requires the
// Protocol match in the Rule to be set to "TCP" or "UDP".
Ports []numorstring.Port `json:"ports,omitempty" validate:"omitempty,dive"`
// NotNets is the negated version of the Nets field.
NotNets []string `json:"notNets,omitempty" validate:"omitempty,dive,net"`
// NotSelector is the negated version of the Selector field. See Selector field for
// subtleties with negated selectors.
NotSelector string `json:"notSelector,omitempty" validate:"omitempty,selector"`
// NotPorts is the negated version of the Ports field.
// Since only some protocols have ports, if any ports are specified it requires the
// Protocol match in the Rule to be set to "TCP" or "UDP".
NotPorts []numorstring.Port `json:"notPorts,omitempty" validate:"omitempty,dive"`
// ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or
// terminates at) a pod running as a matching service account.
ServiceAccounts *ServiceAccountMatch `json:"serviceAccounts,omitempty" validate:"omitempty"`
}
type ServiceMatch struct {
// Name specifies the name of a Kubernetes Service to match.
Name string `json:"name,omitempty" validate:"omitempty,name"`
// Namespace specifies the namespace of the given Service. If left empty, the rule
// will match within this policy's namespace.
Namespace string `json:"namespace,omitempty" validate:"omitempty,name"`
}
type ServiceAccountMatch struct {
// Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates
// at) a pod running as a service account whose name is in the list.
Names []string `json:"names,omitempty" validate:"omitempty"`
// Selector is an optional field that restricts the rule to only apply to traffic that originates from
// (or terminates at) a pod running as a service account that matches the given label selector.
// If both Names and Selector are specified then they are AND'ed.
Selector string `json:"selector,omitempty" validate:"omitempty,selector"`
}
type Action string
const (
Allow Action = "Allow"
Deny = "Deny"
Log = "Log"
Pass = "Pass"
)
type RuleMetadata struct {
// Annotations is a set of key value pairs that give extra information about the rule
Annotations map[string]string `json:"annotations,omitempty"`
}

71
vendor/github.com/projectcalico/api/pkg/apis/projectcalico/v3/profile.go generated vendored Normal file
View File

@@ -0,0 +1,71 @@
// Copyright (c) 2017,2021 Tigera, Inc. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package v3
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
const (
KindProfile = "Profile"
KindProfileList = "ProfileList"
)
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// ProfileList is a list of Profile objects.
type ProfileList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
Items []Profile `json:"items" protobuf:"bytes,2,rep,name=items"`
}
// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type Profile struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
Spec ProfileSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
}
// ProfileSpec contains the specification for a security Profile resource.
type ProfileSpec struct {
// The ordered set of ingress rules. Each rule contains a set of packet match criteria and
// a corresponding action to apply.
Ingress []Rule `json:"ingress,omitempty" validate:"omitempty,dive"`
// The ordered set of egress rules. Each rule contains a set of packet match criteria and
// a corresponding action to apply.
Egress []Rule `json:"egress,omitempty" validate:"omitempty,dive"`
// An option set of labels to apply to each endpoint (in addition to their own labels)
// referencing this profile. If labels configured on the endpoint have keys matching those
// labels inherited from the profile, the endpoint label values take precedence.
LabelsToApply map[string]string `json:"labelsToApply,omitempty" validate:"omitempty,labels"`
}
// NewProfile creates a new (zeroed) Profile struct with the TypeMetadata initialised to the current
// version.
func NewProfile() *Profile {
return &Profile{
TypeMeta: metav1.TypeMeta{
Kind: KindProfile,
APIVersion: GroupVersionCurrent,
},
}
}

79
vendor/github.com/projectcalico/api/pkg/apis/projectcalico/v3/register.go generated vendored Normal file
View File

@@ -0,0 +1,79 @@
// Copyright (c) 2019-2022 Tigera, Inc. All rights reserved.
package v3
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
)
// GroupName is the group name use in this package
const GroupName = "projectcalico.org"
// SchemeGroupVersion is group version used to register these objects
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v3"}
var SchemeGroupVersionInternal = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
var (
SchemeBuilder runtime.SchemeBuilder
localSchemeBuilder = &SchemeBuilder
AddToScheme = localSchemeBuilder.AddToScheme
AllKnownTypes = []runtime.Object{
&NetworkPolicy{},
&NetworkPolicyList{},
&GlobalNetworkPolicy{},
&GlobalNetworkPolicyList{},
&GlobalNetworkSet{},
&GlobalNetworkSetList{},
&HostEndpoint{},
&HostEndpointList{},
&IPPool{},
&IPPoolList{},
&IPReservation{},
&IPReservationList{},
&BGPConfiguration{},
&BGPConfigurationList{},
&BGPFilter{},
&BGPFilterList{},
&BGPPeer{},
&BGPPeerList{},
&Profile{},
&ProfileList{},
&FelixConfiguration{},
&FelixConfigurationList{},
&KubeControllersConfiguration{},
&KubeControllersConfigurationList{},
&ClusterInformation{},
&ClusterInformationList{},
&NetworkSet{},
&NetworkSetList{},
&CalicoNodeStatus{},
&CalicoNodeStatusList{},
&IPAMConfiguration{},
&IPAMConfigurationList{},
&BlockAffinity{},
&BlockAffinityList{},
&BGPFilter{},
&BGPFilterList{},
}
)
func init() {
// We only register manually written functions here. The registration of the
// generated functions takes place in the generated files. The separation
// makes the code compile even when the generated files are missing.
localSchemeBuilder.Register(addKnownTypes, addConversionFuncs)
}
// Adds the list of known types to api.Scheme.
func addKnownTypes(scheme *runtime.Scheme) error {
scheme.AddKnownTypes(SchemeGroupVersion, AllKnownTypes...)
metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
return nil
}
// Resource takes an unqualified resource and returns a Group qualified GroupResource
func Resource(resource string) schema.GroupResource {
return SchemeGroupVersion.WithResource(resource).GroupResource()
}

2844
vendor/github.com/projectcalico/api/pkg/apis/projectcalico/v3/zz_generated.deepcopy.go generated vendored Normal file
View File

File diff suppressed because it is too large Load Diff

19
vendor/github.com/projectcalico/api/pkg/apis/projectcalico/v3/zz_generated.defaults.go generated vendored Normal file
View File

@@ -0,0 +1,19 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
// Copyright (c) 2023 Tigera, Inc. All rights reserved.
// Code generated by defaulter-gen. DO NOT EDIT.
package v3
import (
runtime "k8s.io/apimachinery/pkg/runtime"
)
// RegisterDefaults adds defaulters functions to the given scheme.
// Public to allow building arbitrary schemes.
// All generated defaulters are covering - they call all nested defaulters.
func RegisterDefaults(scheme *runtime.Scheme) error {
return nil
}