admin/kubesphere
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
84f66199edfaa6712b81d6124e43f8d1664b966e
kubesphere/vendor/github.com/projectcalico/libcalico-go/lib/apis/v3/felixconfig.go
zryfish ea88c8803d use istio client-go library instead of knative (#1661) 
use istio client-go library instead of knative
bump kubernetes dependency version
change code coverage to codecov
2019-12-13 11:26:18 +08:00

306 lines
20 KiB
Go
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
// Copyright (c) 2017-2019 Tigera, Inc. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package v3
import (
"github.com/projectcalico/libcalico-go/lib/numorstring"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
type IptablesBackend string
const (
KindFelixConfiguration = "FelixConfiguration"
KindFelixConfigurationList = "FelixConfigurationList"
IptablesBackendLegacy = "Legacy"
IptablesBackendNFTables = "NFT"
)
// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// Felix Configuration contains the configuration for Felix.
type FelixConfiguration struct {
metav1.TypeMeta `json:",inline"`
// Standard object's metadata.
metav1.ObjectMeta `json:"metadata,omitempty"`
// Specification of the FelixConfiguration.
Spec FelixConfigurationSpec `json:"spec,omitempty"`
}
// FelixConfigurationSpec contains the values of the Felix configuration.
type FelixConfigurationSpec struct {
UseInternalDataplaneDriver *bool `json:"useInternalDataplaneDriver,omitempty"`
DataplaneDriver string `json:"dataplaneDriver,omitempty"`
IPv6Support *bool `json:"ipv6Support,omitempty" confignamev1:"Ipv6Support"`
IgnoreLooseRPF *bool `json:"ignoreLooseRPF,omitempty"`
// RouterefreshInterval is the period at which Felix re-checks the routes
// in the dataplane to ensure that no other process has accidentally broken Calicos rules.
// Set to 0 to disable route refresh. [Default: 90s]
RouteRefreshInterval *metav1.Duration `json:"routeRefreshInterval,omitempty" configv1timescale:"seconds"`
// IptablesRefreshInterval is the period at which Felix re-checks the IP sets
// in the dataplane to ensure that no other process has accidentally broken Calicos rules.
// Set to 0 to disable IP sets refresh. Note: the default for this value is lower than the
// other refresh intervals as a workaround for a Linux kernel bug that was fixed in kernel
// version 4.11. If you are using v4.11 or greater you may want to set this to, a higher value
// to reduce Felix CPU usage. [Default: 10s]
IptablesRefreshInterval *metav1.Duration `json:"iptablesRefreshInterval,omitempty" configv1timescale:"seconds"`
// IptablesPostWriteCheckInterval is the period after Felix has done a write
// to the dataplane that it schedules an extra read back in order to check the write was not
// clobbered by another process. This should only occur if another application on the system
// doesnt respect the iptables lock. [Default: 1s]
IptablesPostWriteCheckInterval *metav1.Duration `json:"iptablesPostWriteCheckInterval,omitempty" configv1timescale:"seconds" confignamev1:"IptablesPostWriteCheckIntervalSecs"`
// IptablesLockFilePath is the location of the iptables lock file. You may need to change this
// if the lock file is not in its standard location (for example if you have mapped it into Felixs
// container at a different path). [Default: /run/xtables.lock]
IptablesLockFilePath string `json:"iptablesLockFilePath,omitempty"`
// IptablesLockTimeout is the time that Felix will wait for the iptables lock,
// or 0, to disable. To use this feature, Felix must share the iptables lock file with all other
// processes that also take the lock. When running Felix inside a container, this requires the
// /run directory of the host to be mounted into the calico/node or calico/felix container.
// [Default: 0s disabled]
IptablesLockTimeout *metav1.Duration `json:"iptablesLockTimeout,omitempty" configv1timescale:"seconds" confignamev1:"IptablesLockTimeoutSecs"`
// IptablesLockProbeInterval is the time that Felix will wait between
// attempts to acquire the iptables lock if it is not available. Lower values make Felix more
// responsive when the lock is contended, but use more CPU. [Default: 50ms]
IptablesLockProbeInterval *metav1.Duration `json:"iptablesLockProbeInterval,omitempty" configv1timescale:"milliseconds" confignamev1:"IptablesLockProbeIntervalMillis"`
// IpsetsRefreshInterval is the period at which Felix re-checks all iptables
// state to ensure that no other process has accidentally broken Calicos rules. Set to 0 to
// disable iptables refresh. [Default: 90s]
IpsetsRefreshInterval *metav1.Duration `json:"ipsetsRefreshInterval,omitempty" configv1timescale:"seconds"`
MaxIpsetSize *int `json:"maxIpsetSize,omitempty"`
// IptablesBackend specifies which backend of iptables will be used. The default is legacy.
IptablesBackend *IptablesBackend `json:"iptablesBackend,omitempty" validate:"omitempty,iptablesBackend"`
// XDPRefreshInterval is the period at which Felix re-checks all XDP state to ensure that no
// other process has accidentally broken Calico's BPF maps or attached programs. Set to 0 to
// disable XDP refresh. [Default: 90s]
XDPRefreshInterval *metav1.Duration `json"xdpRefreshInterval,omitempty" configv1timescale:"seconds"`
NetlinkTimeout *metav1.Duration `json:"netlinkTimeout,omitempty" configv1timescale:"seconds" confignamev1:"NetlinkTimeoutSecs"`
// MetadataAddr is the IP address or domain name of the server that can answer VM queries for
// cloud-init metadata. In OpenStack, this corresponds to the machine running nova-api (or in
// Ubuntu, nova-api-metadata). A value of none (case insensitive) means that Felix should not
// set up any NAT rule for the metadata path. [Default: 127.0.0.1]
MetadataAddr string `json:"metadataAddr,omitempty"`
// MetadataPort is the port of the metadata server. This, combined with global.MetadataAddr (if
// not None), is used to set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort.
// In most cases this should not need to be changed [Default: 8775].
MetadataPort *int `json:"metadataPort,omitempty"`
// OpenstackRegion is the name of the region that a particular Felix belongs to. In a multi-region
// Calico/OpenStack deployment, this must be configured somehow for each Felix (here in the datamodel,
// or in felix.cfg or the environment on each compute node), and must match the [calico]
// openstack_region value configured in neutron.conf on each node. [Default: Empty]
OpenstackRegion string `json:"openstackRegion,omitempty"`
// InterfacePrefix is the interface name prefix that identifies workload endpoints and so distinguishes
// them from host endpoint interfaces. Note: in environments other than bare metal, the orchestrators
// configure this appropriately. For example our Kubernetes and Docker integrations set the cali value,
// and our OpenStack integration sets the tap value. [Default: cali]
InterfacePrefix string `json:"interfacePrefix,omitempty"`
// InterfaceExclude is a comma-separated list of interfaces that Felix should exclude when monitoring for host
// endpoints. The default value ensures that Felix ignores Kubernetes' IPVS dummy interface, which is used
// internally by kube-proxy. If you want to exclude multiple interface names using a single value, the list
// supports regular expressions. For regular expressions you must wrap the value with '/'. For example
// having values '/^kube/,veth1' will exclude all interfaces that begin with 'kube' and also the interface
// 'veth1'. [Default: kube-ipvs0]
InterfaceExclude string `json:"interfaceExclude,omitempty"`
// ChainInsertMode controls whether Felix hooks the kernels top-level iptables chains by inserting a rule
// at the top of the chain or by appending a rule at the bottom. insert is the safe default since it prevents
// Calicos rules from being bypassed. If you switch to append mode, be sure that the other rules in the chains
// signal acceptance by falling through to the Calico rules, otherwise the Calico policy will be bypassed.
// [Default: insert]
ChainInsertMode string `json:"chainInsertMode,omitempty"`
// DefaultEndpointToHostAction controls what happens to traffic that goes from a workload endpoint to the host
// itself (after the traffic hits the endpoint egress policy). By default Calico blocks traffic from workload
// endpoints to the host itself with an iptables “DROP” action. If you want to allow some or all traffic from
// endpoint to host, set this parameter to RETURN or ACCEPT. Use RETURN if you have your own rules in the iptables
// “INPUT” chain; Calico will insert its rules at the top of that chain, then “RETURN” packets to the “INPUT” chain
// once it has completed processing workload endpoint egress policy. Use ACCEPT to unconditionally accept packets
// from workloads after processing workload endpoint egress policy. [Default: Drop]
DefaultEndpointToHostAction string `json:"defaultEndpointToHostAction,omitempty" validate:"omitempty,dropAcceptReturn"`
IptablesFilterAllowAction string `json:"iptablesFilterAllowAction,omitempty" validate:"omitempty,acceptReturn"`
IptablesMangleAllowAction string `json:"iptablesMangleAllowAction,omitempty" validate:"omitempty,acceptReturn"`
// LogPrefix is the log prefix that Felix uses when rendering LOG rules. [Default: calico-packet]
LogPrefix string `json:"logPrefix,omitempty"`
// LogFilePath is the full path to the Felix log. Set to none to disable file logging. [Default: /var/log/calico/felix.log]
LogFilePath string `json:"logFilePath,omitempty"`
// LogSeverityFile is the log severity above which logs are sent to the log file. [Default: Info]
LogSeverityFile string `json:"logSeverityFile,omitempty" validate:"omitempty,logLevel"`
// LogSeverityScreen is the log severity above which logs are sent to the stdout. [Default: Info]
LogSeverityScreen string `json:"logSeverityScreen,omitempty" validate:"omitempty,logLevel"`
// LogSeveritySys is the log severity above which logs are sent to the syslog. Set to None for no logging to syslog.
// [Default: Info]
LogSeveritySys string `json:"logSeveritySys,omitempty" validate:"omitempty,logLevel"`
IPIPEnabled *bool `json:"ipipEnabled,omitempty" confignamev1:"IpInIpEnabled"`
// IPIPMTU is the MTU to set on the tunnel device. See Configuring MTU [Default: 1440]
IPIPMTU *int `json:"ipipMTU,omitempty" confignamev1:"IpInIpMtu"`
VXLANEnabled *bool `json:"vxlanEnabled,omitempty"`
// VXLANMTU is the MTU to set on the tunnel device. See Configuring MTU [Default: 1440]
VXLANMTU *int `json:"vxlanMTU,omitempty"`
VXLANPort *int `json:"vxlanPort,omitempty"`
VXLANVNI *int `json:"vxlanVNI,omitempty"`
// ReportingInterval is the interval at which Felix reports its status into the datastore or 0 to disable.
// Must be non-zero in OpenStack deployments. [Default: 30s]
ReportingInterval *metav1.Duration `json:"reportingInterval,omitempty" configv1timescale:"seconds" confignamev1:"ReportingIntervalSecs"`
// ReportingTTL is the time-to-live setting for process-wide status reports. [Default: 90s]
ReportingTTL *metav1.Duration `json:"reportingTTL,omitempty" configv1timescale:"seconds" confignamev1:"ReportingTTLSecs"`
EndpointReportingEnabled *bool `json:"endpointReportingEnabled,omitempty"`
EndpointReportingDelay *metav1.Duration `json:"endpointReportingDelay,omitempty" configv1timescale:"seconds" confignamev1:"EndpointReportingDelaySecs"`
// IptablesMarkMask is the mask that Felix selects its IPTables Mark bits from. Should be a 32 bit hexadecimal
// number with at least 8 bits set, none of which clash with any other mark bits in use on the system.
// [Default: 0xff000000]
IptablesMarkMask *uint32 `json:"iptablesMarkMask,omitempty"`
DisableConntrackInvalidCheck *bool `json:"disableConntrackInvalidCheck,omitempty"`
HealthEnabled *bool `json:"healthEnabled,omitempty"`
HealthHost *string `json:"healthHost,omitempty"`
HealthPort *int `json:"healthPort,omitempty"`
// PrometheusMetricsEnabled enables the Prometheus metrics server in Felix if set to true. [Default: false]
PrometheusMetricsEnabled *bool `json:"prometheusMetricsEnabled,omitempty"`
// PrometheusMetricsHost is the host that the Prometheus metrics server should bind to. [Default: empty]
PrometheusMetricsHost string `json:"prometheusMetricsHost,omitempty" validate:"omitempty,prometheusHost"`
// PrometheusMetricsPort is the TCP port that the Prometheus metrics server should bind to. [Default: 9091]
PrometheusMetricsPort *int `json:"prometheusMetricsPort,omitempty"`
// PrometheusGoMetricsEnabled disables Go runtime metrics collection, which the Prometheus client does by default, when
// set to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true]
PrometheusGoMetricsEnabled *bool `json:"prometheusGoMetricsEnabled,omitempty"`
// PrometheusProcessMetricsEnabled disables process metrics collection, which the Prometheus client does by default, when
// set to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true]
PrometheusProcessMetricsEnabled *bool `json:"prometheusProcessMetricsEnabled,omitempty"`
// FailsafeInboundHostPorts is a comma-delimited list of UDP/TCP ports that Felix will allow incoming traffic to host endpoints
// on irrespective of the security policy. This is useful to avoid accidently cutting off a host with incorrect configuration. Each
// port should be specified as tcp:<port-number> or udp:<port-number>. For back-compatibility, if the protocol is not specified, it
// defaults to “tcp”. To disable all inbound host ports, use the value none. The default value allows ssh access and DHCP.
// [Default: tcp:22, udp:68]
FailsafeInboundHostPorts *[]ProtoPort `json:"failsafeInboundHostPorts,omitempty"`
// FailsafeOutboundHostPorts is a comma-delimited list of UDP/TCP ports that Felix will allow outgoing traffic from host endpoints to
// irrespective of the security policy. This is useful to avoid accidently cutting off a host with incorrect configuration. Each port
// should be specified as tcp:<port-number> or udp:<port-number>. For back-compatibility, if the protocol is not specified, it defaults
// to “tcp”. To disable all outbound host ports, use the value none. The default value opens etcds standard ports to ensure that Felix
// does not get cut off from etcd as well as allowing DHCP and DNS. [Default: tcp:2379, tcp:2380, tcp:4001, tcp:7001, udp:53, udp:67]
FailsafeOutboundHostPorts *[]ProtoPort `json:"failsafeOutboundHostPorts,omitempty"`
// KubeNodePortRanges holds list of port ranges used for service node ports. Only used if felix detects kube-proxy running in ipvs mode.
// Felix uses these ranges to separate host and workload traffic. [Default: 30000:32767].
KubeNodePortRanges *[]numorstring.Port `json:"kubeNodePortRanges,omitempty" validate:"omitempty,dive"`
// PolicySyncPathPrefix is used to by Felix to communicate policy changes to external services,
// like Application layer policy. [Default: Empty]
PolicySyncPathPrefix string `json:"policySyncPathPrefix,omitempty"`
// UsageReportingEnabled reports anonymous Calico version number and cluster size to projectcalico.org. Logs warnings returned by the usage
// server. For example, if a significant security vulnerability has been discovered in the version of Calico being used. [Default: true]
UsageReportingEnabled *bool `json:"usageReportingEnabled,omitempty"`
// UsageReportingInitialDelay controls the minimum delay before Felix makes a report. [Default: 300s]
UsageReportingInitialDelay *metav1.Duration `json:"usageReportingInitialDelay,omitempty" configv1timescale:"seconds" confignamev1:"UsageReportingInitialDelaySecs"`
// UsageReportingInterval controls the interval at which Felix makes reports. [Default: 86400s]
UsageReportingInterval *metav1.Duration `json:"usageReportingInterval,omitempty" configv1timescale:"seconds" confignamev1:"UsageReportingIntervalSecs"`
// NATPortRange specifies the range of ports that is used for port mapping when doing outgoing NAT. When unset the default behavior of the
// network stack is used.
NATPortRange *numorstring.Port `json:"natPortRange,omitempty"`
// NATOutgoingAddress specifies an address to use when performing source NAT for traffic in a natOutgoing pool that
// is leaving the network. By default the address used is an address on the interface the traffic is leaving on
// (ie it uses the iptables MASQUERADE target)
NATOutgoingAddress string `json:"natOutgoingAddress,omitempty"`
// This is the source address to use on programmed device routes. By default the source address is left blank,
// leaving the kernel to choose the source address used.
DeviceRouteSourceAddress string `json:"deviceRouteSourceAddress,omitempty"`
// This defines the route protocol added to programmed device routes, by default this will be RTPROT_BOOT
// when left blank.
DeviceRouteProtocol *int `json:"deviceRouteProtocol,omitempty"`
// Whether or not to remove device routes that have not been programmed by Felix. Disabling this will allow external
// applications to also add device routes. This is enabled by default which means we will remove externally added routes.
RemoveExternalRoutes *bool `json:"removeExternalRoutes,omitempty"`
// ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes which may source tunnel traffic and have
// the tunneled traffic be accepted at calico nodes.
ExternalNodesCIDRList *[]string `json:"externalNodesList,omitempty"`
DebugMemoryProfilePath string `json:"debugMemoryProfilePath,omitempty"`
DebugDisableLogDropping *bool `json:"debugDisableLogDropping,omitempty"`
DebugSimulateCalcGraphHangAfter *metav1.Duration `json:"debugSimulateCalcGraphHangAfter,omitempty" configv1timescale:"seconds"`
DebugSimulateDataplaneHangAfter *metav1.Duration `json:"debugSimulateDataplaneHangAfter,omitempty" configv1timescale:"seconds"`
IptablesNATOutgoingInterfaceFilter string `json:"iptablesNATOutgoingInterfaceFilter,omitempty" validate:"omitempty,ifaceFilter"`
// SidecarAccelerationEnabled enables experimental sidecar acceleration [Default: false]
SidecarAccelerationEnabled *bool `json:"sidecarAccelerationEnabled,omitempty"`
// XDPEnabled enables XDP acceleration for suitable untracked incoming deny rules. [Default: true]
XDPEnabled *bool `json:"xdpEnabled,omitempty" confignamev1:"XDPEnabled"`
// GenericXDPEnabled enables Generic XDP so network cards that don't support XDP offload or driver
// modes can use XDP. This is not recommended since it doesn't provide better performance than
// iptables. [Default: false]
GenericXDPEnabled *bool `json:"genericXDPEnabled,omitempty" confignamev1:"GenericXDPEnabled"`
}
// ProtoPort is combination of protocol and port, both must be specified.
type ProtoPort struct {
Protocol string `json:"protocol"`
Port uint16 `json:"port"`
}
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// FelixConfigurationList contains a list of FelixConfiguration resources.
type FelixConfigurationList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata"`
Items []FelixConfiguration `json:"items"`
}
// New FelixConfiguration creates a new (zeroed) FelixConfiguration struct with the TypeMetadata
// initialized to the current version.
func NewFelixConfiguration() *FelixConfiguration {
return &FelixConfiguration{
TypeMeta: metav1.TypeMeta{
Kind: KindFelixConfiguration,
APIVersion: GroupVersionCurrent,
},
}
}
// NewFelixConfigurationList creates a new 9zeroed) FelixConfigurationList struct with the TypeMetadata
// initialized to the current version.
func NewFelixConfigurationList() *FelixConfigurationList {
return &FelixConfigurationList{
TypeMeta: metav1.TypeMeta{
Kind: KindFelixConfigurationList,
APIVersion: GroupVersionCurrent,
},
}
}
Reference in New Issue View Git Blame Copy Permalink