Skip to content

Commit

Permalink
Merge pull request #77 from DockToFuture/update/calico-to-v3.18.1
Browse files Browse the repository at this point in the history
Update calico to v3.18.1
  • Loading branch information
DockToFuture authored Apr 7, 2021
2 parents c9505c3 + d3d2f82 commit ed38e68
Show file tree
Hide file tree
Showing 9 changed files with 61 additions and 32 deletions.
10 changes: 5 additions & 5 deletions charts/images.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ images:
- name: calico-node
sourceRepository: github.com/projectcalico/calico
repository: docker.io/calico/node
tag: v3.17.2
tag: v3.18.1
targetVersion: ">= 1.16"
- name: calico-node
sourceRepository: github.com/projectcalico/calico
Expand All @@ -12,7 +12,7 @@ images:
- name: calico-cni
sourceRepository: github.com/projectcalico/cni-plugin
repository: docker.io/calico/cni
tag: v3.17.2
tag: v3.18.1
targetVersion: ">= 1.16"
- name: calico-cni
sourceRepository: github.com/projectcalico/cni-plugin
Expand All @@ -22,7 +22,7 @@ images:
- name: calico-typha
sourceRepository: github.com/projectcalico/typha
repository: docker.io/calico/typha
tag: v3.17.2
tag: v3.18.1
targetVersion: ">= 1.16"
- name: calico-typha
sourceRepository: github.com/projectcalico/typha
Expand All @@ -32,7 +32,7 @@ images:
- name: calico-kube-controllers
sourceRepository: github.com/projectcalico/kube-controllers
repository: docker.io/calico/kube-controllers
tag: v3.17.2
tag: v3.18.1
targetVersion: ">= 1.16"
- name: calico-kube-controllers
sourceRepository: github.com/projectcalico/kube-controllers
Expand All @@ -42,7 +42,7 @@ images:
- name: calico-podtodaemon-flex
sourceRepository: github.com/projectcalico/pod2daemon
repository: docker.io/calico/pod2daemon-flexvol
tag: v3.17.2
tag: v3.18.1
targetVersion: ">= 1.16"
- name: calico-podtodaemon-flex
sourceRepository: github.com/projectcalico/pod2daemon
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -137,6 +137,18 @@ spec:
type: string
type: object
type: array
serviceLoadBalancerIPs:
description: ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes
Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress
IPs will only be advertised if they are within one of these blocks.
items:
description: ServiceLoadBalancerIPBlock represents a single allowed
LoadBalancer IP CIDR block.
properties:
cidr:
type: string
type: object
type: array
type: object
type: object
served: true
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ metadata:
name: bgppeers.crd.projectcalico.org
labels:
gardener.cloud/role: system-component
name: bgppeers.crd.projectcalico.org
spec:
group: crd.projectcalico.org
names:
Expand Down Expand Up @@ -108,6 +109,12 @@ spec:
remote AS number comes from the remote node's NodeBGPSpec.ASNumber,
or the global default if that is not set.
type: string
sourceAddress:
description: Specifies whether and how to configure a source address
for the peerings generated by this BGPPeer resource. Default value
"UseNodeIP" means to configure the node IP as the source address. "None"
means not to configure a source address.
type: string
type: object
type: object
served: true
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -153,11 +153,11 @@ spec:
traffic that goes from a workload endpoint to the host itself (after
the traffic hits the endpoint egress policy). By default Calico
blocks traffic from workload endpoints to the host itself with an
iptables DROP action. If you want to allow some or all traffic
iptables "DROP" action. If you want to allow some or all traffic
from endpoint to host, set this parameter to RETURN or ACCEPT. Use
RETURN if you have your own rules in the iptables INPUT chain;
Calico will insert its rules at the top of that chain, then RETURN
packets to the INPUT chain once it has completed processing workload
RETURN if you have your own rules in the iptables "INPUT" chain;
Calico will insert its rules at the top of that chain, then "RETURN"
packets to the "INPUT" chain once it has completed processing workload
endpoint egress policy. Use ACCEPT to unconditionally accept packets
from workloads after processing workload endpoint egress policy.
[Default: Drop]'
Expand Down Expand Up @@ -191,7 +191,7 @@ spec:
accidentally cutting off a host with incorrect configuration. Each
port should be specified as tcp:<port-number> or udp:<port-number>.
For back-compatibility, if the protocol is not specified, it defaults
to tcp. To disable all inbound host ports, use the value none.
to "tcp". To disable all inbound host ports, use the value none.
The default value allows ssh access and DHCP. [Default: tcp:22,
udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]'
items:
Expand All @@ -214,7 +214,7 @@ spec:
to avoid accidentally cutting off a host with incorrect configuration.
Each port should be specified as tcp:<port-number> or udp:<port-number>.
For back-compatibility, if the protocol is not specified, it defaults
to tcp. To disable all outbound host ports, use the value none.
to "tcp". To disable all outbound host ports, use the value none.
The default value opens etcd''s standard ports to ensure that Felix
does not get cut off from etcd as well as allowing DHCP and DNS.
[Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,7 @@ spec:
action. Both selector-based security Policy and security Profiles
reference rules - separated out as a list of rules for both ingress
and egress packet matching. \n Each positive match criteria has
a negated version, prefixed with Not. All the match criteria
a negated version, prefixed with \"Not\". All the match criteria
within a rule must be satisfied for a packet to match. A single
rule can contain the positive and negative version of a match
and both must be satisfied for the rule to match."
Expand Down Expand Up @@ -151,9 +151,9 @@ spec:
One negates the set of matched endpoints, the other negates
the whole match: \n \tSelector = \"!has(my_label)\" matches
packets that are from other Calico-controlled \tendpoints
that do not have the label my_label. \n \tNotSelector
that do not have the label \"my_label\". \n \tNotSelector
= \"has(my_label)\" matches packets that are not from
Calico-controlled \tendpoints that do have the label my_label.
Calico-controlled \tendpoints that do have the label \"my_label\".
\n The effect is that the latter will accept packets from
non-Calico sources whereas the former is limited to packets
from Calico-controlled endpoints."
Expand Down Expand Up @@ -356,9 +356,9 @@ spec:
One negates the set of matched endpoints, the other negates
the whole match: \n \tSelector = \"!has(my_label)\" matches
packets that are from other Calico-controlled \tendpoints
that do not have the label my_label. \n \tNotSelector
that do not have the label \"my_label\". \n \tNotSelector
= \"has(my_label)\" matches packets that are not from
Calico-controlled \tendpoints that do have the label my_label.
Calico-controlled \tendpoints that do have the label \"my_label\".
\n The effect is that the latter will accept packets from
non-Calico sources whereas the former is limited to packets
from Calico-controlled endpoints."
Expand Down Expand Up @@ -399,7 +399,7 @@ spec:
action. Both selector-based security Policy and security Profiles
reference rules - separated out as a list of rules for both ingress
and egress packet matching. \n Each positive match criteria has
a negated version, prefixed with Not. All the match criteria
a negated version, prefixed with \"Not\". All the match criteria
within a rule must be satisfied for a packet to match. A single
rule can contain the positive and negative version of a match
and both must be satisfied for the rule to match."
Expand Down Expand Up @@ -482,9 +482,9 @@ spec:
One negates the set of matched endpoints, the other negates
the whole match: \n \tSelector = \"!has(my_label)\" matches
packets that are from other Calico-controlled \tendpoints
that do not have the label my_label. \n \tNotSelector
that do not have the label \"my_label\". \n \tNotSelector
= \"has(my_label)\" matches packets that are not from
Calico-controlled \tendpoints that do have the label my_label.
Calico-controlled \tendpoints that do have the label \"my_label\".
\n The effect is that the latter will accept packets from
non-Calico sources whereas the former is limited to packets
from Calico-controlled endpoints."
Expand Down Expand Up @@ -687,9 +687,9 @@ spec:
One negates the set of matched endpoints, the other negates
the whole match: \n \tSelector = \"!has(my_label)\" matches
packets that are from other Calico-controlled \tendpoints
that do not have the label my_label. \n \tNotSelector
that do not have the label \"my_label\". \n \tNotSelector
= \"has(my_label)\" matches packets that are not from
Calico-controlled \tendpoints that do have the label my_label.
Calico-controlled \tendpoints that do have the label \"my_label\".
\n The effect is that the latter will accept packets from
non-Calico sources whereas the former is limited to packets
from Calico-controlled endpoints."
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -76,7 +76,7 @@ spec:
is empty - through the specific interface that has one of the IPs
in ExpectedIPs. Therefore, when InterfaceName is empty, at least
one expected IP must be specified. Only external interfaces (such
as eth0) are supported here; it isn't possible for a HostEndpoint
as \"eth0\") are supported here; it isn't possible for a HostEndpoint
to protect traffic through a specific local workload interface.
\n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints;
initially just pre-DNAT policy. Please check Calico documentation
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -110,6 +110,10 @@ spec:
description: 'LogSeverityScreen is the log severity above which logs
are sent to the stdout. [Default: Info]'
type: string
prometheusMetricsPort:
description: 'PrometheusMetricsPort is the TCP port that the Prometheus
metrics server should bind to. Set to 0 to disable. [Default: 9094]'
type: integer
required:
- controllers
type: object
Expand Down Expand Up @@ -210,6 +214,11 @@ spec:
description: 'LogSeverityScreen is the log severity above which
logs are sent to the stdout. [Default: Info]'
type: string
prometheusMetricsPort:
description: 'PrometheusMetricsPort is the TCP port that the Prometheus
metrics server should bind to. Set to 0 to disable. [Default:
9094]'
type: integer
required:
- controllers
type: object
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,7 @@ spec:
action. Both selector-based security Policy and security Profiles
reference rules - separated out as a list of rules for both ingress
and egress packet matching. \n Each positive match criteria has
a negated version, prefixed with Not. All the match criteria
a negated version, prefixed with \"Not\". All the match criteria
within a rule must be satisfied for a packet to match. A single
rule can contain the positive and negative version of a match
and both must be satisfied for the rule to match."
Expand Down Expand Up @@ -141,9 +141,9 @@ spec:
One negates the set of matched endpoints, the other negates
the whole match: \n \tSelector = \"!has(my_label)\" matches
packets that are from other Calico-controlled \tendpoints
that do not have the label my_label. \n \tNotSelector
that do not have the label \"my_label\". \n \tNotSelector
= \"has(my_label)\" matches packets that are not from
Calico-controlled \tendpoints that do have the label my_label.
Calico-controlled \tendpoints that do have the label \"my_label\".
\n The effect is that the latter will accept packets from
non-Calico sources whereas the former is limited to packets
from Calico-controlled endpoints."
Expand Down Expand Up @@ -346,9 +346,9 @@ spec:
One negates the set of matched endpoints, the other negates
the whole match: \n \tSelector = \"!has(my_label)\" matches
packets that are from other Calico-controlled \tendpoints
that do not have the label my_label. \n \tNotSelector
that do not have the label \"my_label\". \n \tNotSelector
= \"has(my_label)\" matches packets that are not from
Calico-controlled \tendpoints that do have the label my_label.
Calico-controlled \tendpoints that do have the label \"my_label\".
\n The effect is that the latter will accept packets from
non-Calico sources whereas the former is limited to packets
from Calico-controlled endpoints."
Expand Down Expand Up @@ -389,7 +389,7 @@ spec:
action. Both selector-based security Policy and security Profiles
reference rules - separated out as a list of rules for both ingress
and egress packet matching. \n Each positive match criteria has
a negated version, prefixed with Not. All the match criteria
a negated version, prefixed with \"Not\". All the match criteria
within a rule must be satisfied for a packet to match. A single
rule can contain the positive and negative version of a match
and both must be satisfied for the rule to match."
Expand Down Expand Up @@ -472,9 +472,9 @@ spec:
One negates the set of matched endpoints, the other negates
the whole match: \n \tSelector = \"!has(my_label)\" matches
packets that are from other Calico-controlled \tendpoints
that do not have the label my_label. \n \tNotSelector
that do not have the label \"my_label\". \n \tNotSelector
= \"has(my_label)\" matches packets that are not from
Calico-controlled \tendpoints that do have the label my_label.
Calico-controlled \tendpoints that do have the label \"my_label\".
\n The effect is that the latter will accept packets from
non-Calico sources whereas the former is limited to packets
from Calico-controlled endpoints."
Expand Down Expand Up @@ -677,9 +677,9 @@ spec:
One negates the set of matched endpoints, the other negates
the whole match: \n \tSelector = \"!has(my_label)\" matches
packets that are from other Calico-controlled \tendpoints
that do not have the label my_label. \n \tNotSelector
that do not have the label \"my_label\". \n \tNotSelector
= \"has(my_label)\" matches packets that are not from
Calico-controlled \tendpoints that do have the label my_label.
Calico-controlled \tendpoints that do have the label \"my_label\".
\n The effect is that the latter will accept packets from
non-Calico sources whereas the former is limited to packets
from Calico-controlled endpoints."
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,7 @@ rules:
- create
- update
- delete
- watch
{{- if semverCompare ">= 1.16" .Capabilities.KubeVersion.GitVersion }}
# kube-controllers manages hostendpoints.
- apiGroups: ["crd.projectcalico.org"]
Expand Down

0 comments on commit ed38e68

Please sign in to comment.