Commit @618d888f3db2edb1e06a5be57b84c83c8496fde0

황원재 2022-10-20

CCCR

@618d888f3db2edb1e06a5be57b84c83c8496fde0

618d888

221020/docker-install.sh (added)

+++ 221020/docker-install.sh

...	...	@@ -0,0 +1,40 @@
	1	+#! /bin/bash
	2	+# sudo로 실행 필요
	3	+# docker 설치
	4	+
	5	+apt-get update
	6	+apt-get install -y ca-certificates curl gnupg lsb-release
	7	+mkdir -p /etc/apt/keyrings
	8	+curl -fsSL https://download.docker.com/linux/ubuntu/gpg \| sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
	9	+echo \
	10	+ "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
	11	+ $(lsb_release -cs) stable" \| sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
	12	+apt-get update
	13	+apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
	14	+
	15	+# Cgroup를 systemd로 설정
	16	+cat > /etc/docker/daemon.json <<EOF
	17	+{
	18	+ "exec-opts": ["native.cgroupdriver=systemd"],
	19	+ "log-driver": "json-file",
	20	+ "log-opts": {
	21	+ "max-size": "100m"
	22	+ },
	23	+ "storage-driver": "overlay2"
	24	+}
	25	+EOF
	26	+
	27	+mkdir -p /etc/systemd/system/docker.service.d
	28	+systemctl daemon-reload
	29	+systemctl restart docker
	30	+sudo systemctl enable docker
	31	+
	32	+# 일반유저 Docker 사용
	33	+usermod -aG docker vraptor
	34	+
	35	+apt-get install -y bash-completion
	36	+
	37	+curl https://raw.githubusercontent.com/docker/docker-ce/master/components/cli/contrib/completion/bash/docker -o /etc/bash_completion.d/docker.sh
	38	+
	39	+apt-get install -y docker-compose
	40	+

618d888

221020/edgex/docker-compose.yml (added)

+++ 221020/edgex/docker-compose.yml

...	...	@@ -0,0 +1,403 @@
	1	+# /*******************************************************************************
	2	+# * Copyright 2020 Redis Labs Inc.
	3	+# * Copyright 2020 Intel Corporation.
	4	+# *
	5	+# * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
	6	+# * in compliance with the License. You may obtain a copy of the License at
	7	+# *
	8	+# * http://www.apache.org/licenses/LICENSE-2.0
	9	+# *
	10	+# * Unless required by applicable law or agreed to in writing, software distributed under the License
	11	+# * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
	12	+# * or implied. See the License for the specific language governing permissions and limitations under
	13	+# * the License.
	14	+# *
	15	+# * @author: Jim White, Dell
	16	+# * @author: Andre Srinivasan, Redis Labs
	17	+# * @author: Leonard Goodell, Intel
	18	+# * EdgeX Foundry, Geneva, version 1.2.0
	19	+# * added: May 14, 2020
	20	+# *******************************************************************************/
	21	+
	22	+# NOTE: this Docker Compose file does not contain the security services - namely the API Gateway
	23	+# and Secret Store
	24	+
	25	+version: '3.4'
	26	+
	27	+# all common shared environment variables defined here:
	28	+x-common-env-variables: &common-variables
	29	+ EDGEX_SECURITY_SECRET_STORE: "false"
	30	+ Registry_Host: edgex-core-consul
	31	+ Clients_CoreData_Host: edgex-core-data
	32	+ Clients_Data_Host: edgex-core-data # For device Services
	33	+ Clients_Notifications_Host: edgex-support-notifications
	34	+ Clients_Metadata_Host: edgex-core-metadata
	35	+ Clients_Command_Host: edgex-core-command
	36	+ Clients_Scheduler_Host: edgex-support-scheduler
	37	+ Clients_RulesEngine_Host: edgex-kuiper
	38	+ Databases_Primary_Host: edgex-redis
	39	+
	40	+ # Required in case old configuration from previous release used.
	41	+ # Change to "true" if re-enabling logging service for remote logging
	42	+ Logging_EnableRemote: "false"
	43	+ # Clients_Logging_Host: edgex-support-logging # un-comment if re-enabling logging service for remote logging
	44	+
	45	+volumes:
	46	+ db-data:
	47	+ log-data:
	48	+ consul-config:
	49	+ consul-data:
	50	+
	51	+services:
	52	+ consul:
	53	+ image: edgexfoundry/docker-edgex-consul-arm64:1.2.0
	54	+ ports:
	55	+ - "0.0.0.0:8400:8400"
	56	+ - "0.0.0.0:8500:8500"
	57	+ container_name: edgex-core-consul
	58	+ hostname: edgex-core-consul
	59	+ networks:
	60	+ - edgex-network
	61	+ volumes:
	62	+ - consul-config:/consul/config:z
	63	+ - consul-data:/consul/data:z
	64	+ environment:
	65	+ - EDGEX_DB=redis
	66	+ - EDGEX_SECURE=false
	67	+
	68	+ redis:
	69	+ image: redis:5.0.8-alpine
	70	+ ports:
	71	+ - "0.0.0.0:6379:6379"
	72	+ container_name: edgex-redis
	73	+ hostname: edgex-redis
	74	+ networks:
	75	+ - edgex-network
	76	+ environment:
	77	+ <<: *common-variables
	78	+ volumes:
	79	+ - db-data:/data:z
	80	+
	81	+# The logging service has been deprecated in Geneva release and will be removed in the Hanoi release.
	82	+# All services are configure to send logging to STDOUT, i.e. not remote which requires this logging service
	83	+# If you still must use remote logging, un-comment the block below, all the related depends that have been commented out
	84	+# and the related global override that are commented out at the top.
	85	+#
	86	+# logging:
	87	+# image: edgexfoundry/docker-support-logging-go:1.2.1
	88	+# ports:
	89	+# - "0.0.0.0:48061:48061"
	90	+# container_name: edgex-support-logging
	91	+# hostname: edgex-support-logging
	92	+# networks:
	93	+# - edgex-network
	94	+# environment:
	95	+# <<: *common-variables
	96	+# Service_Host: edgex-support-logging
	97	+# Writable_Persistence: file
	98	+# Databases_Primary_Type: file
	99	+# Logging_EnableRemote: "false"
	100	+# depends_on:
	101	+# - consul
	102	+
	103	+ system:
	104	+ image: edgexfoundry/docker-sys-mgmt-agent-go-arm64:1.2.1
	105	+ ports:
	106	+ - "0.0.0.0:48090:48090"
	107	+ container_name: edgex-sys-mgmt-agent
	108	+ hostname: edgex-sys-mgmt-agent
	109	+ networks:
	110	+ - edgex-network
	111	+ environment:
	112	+ <<: *common-variables
	113	+ Service_Host: edgex-sys-mgmt-agent
	114	+ ExecutorPath: /sys-mgmt-executor
	115	+ MetricsMechanism: executor
	116	+ volumes:
	117	+ - /var/run/docker.sock:/var/run/docker.sock:z
	118	+ depends_on:
	119	+ - consul
	120	+# - logging # uncomment if re-enabled remote logging
	121	+ - scheduler
	122	+ - notifications
	123	+ - metadata
	124	+ - data
	125	+ - command
	126	+ ui:
	127	+ container_name: edgex-ui-go
	128	+ hostname: edgex-ui-go
	129	+ image:
	130	+ #nexus3.edgexfoundry.org:10004/docker-edgex-ui-go-arm64:master
	131	+ edgexfoundry/docker-edgex-ui-go-arm64:1.2.1
	132	+ networks:
	133	+ - edgex-network
	134	+ ports:
	135	+ - "0.0.0.0:4000:4000/tcp"
	136	+ read_only: true
	137	+ notifications:
	138	+ image: edgexfoundry/docker-support-notifications-go-arm64:1.2.1
	139	+ ports:
	140	+ - "0.0.0.0:48060:48060"
	141	+ container_name: edgex-support-notifications
	142	+ hostname: edgex-support-notifications
	143	+ networks:
	144	+ - edgex-network
	145	+ environment:
	146	+ <<: *common-variables
	147	+ Service_Host: edgex-support-notifications
	148	+ depends_on:
	149	+ - consul
	150	+# - logging # uncomment if re-enabled remote logging
	151	+ - redis
	152	+
	153	+ metadata:
	154	+ image: edgexfoundry/docker-core-metadata-go-arm64:1.2.1
	155	+ ports:
	156	+ - "0.0.0.0:48081:48081"
	157	+ container_name: edgex-core-metadata
	158	+ hostname: edgex-core-metadata
	159	+ networks:
	160	+ - edgex-network
	161	+ environment:
	162	+ <<: *common-variables
	163	+ Service_Host: edgex-core-metadata
	164	+ Service_Timeout: "20000"
	165	+ Notifications_Sender: edgex-core-metadata
	166	+ depends_on:
	167	+ - consul
	168	+# - logging # uncomment if re-enabled remote logging
	169	+ - redis
	170	+ - notifications
	171	+
	172	+ data:
	173	+ image: edgexfoundry/docker-core-data-go-arm64:1.2.1
	174	+ ports:
	175	+ - "0.0.0.0:48080:48080"
	176	+ - "0.0.0.0:5563:5563"
	177	+ container_name: edgex-core-data
	178	+ hostname: edgex-core-data
	179	+ networks:
	180	+ - edgex-network
	181	+ environment:
	182	+ <<: *common-variables
	183	+ Service_Host: edgex-core-data
	184	+ depends_on:
	185	+ - consul
	186	+# - logging # uncomment if re-enabled remote logging
	187	+ - redis
	188	+ - metadata
	189	+
	190	+ command:
	191	+ image: edgexfoundry/docker-core-command-go-arm64:1.2.1
	192	+ ports:
	193	+ - "0.0.0.0:48082:48082"
	194	+ container_name: edgex-core-command
	195	+ hostname: edgex-core-command
	196	+ networks:
	197	+ - edgex-network
	198	+ environment:
	199	+ <<: *common-variables
	200	+ Service_Host: edgex-core-command
	201	+ depends_on:
	202	+ - consul
	203	+# - logging # uncomment if re-enabled remote logging
	204	+ - redis
	205	+ - metadata
	206	+
	207	+ scheduler:
	208	+ image: edgexfoundry/docker-support-scheduler-go-arm64:1.2.1
	209	+ ports:
	210	+ - "0.0.0.0:48085:48085"
	211	+ container_name: edgex-support-scheduler
	212	+ hostname: edgex-support-scheduler
	213	+ networks:
	214	+ - edgex-network
	215	+ environment:
	216	+ <<: *common-variables
	217	+ Service_Host: edgex-support-scheduler
	218	+ IntervalActions_ScrubPushed_Host: edgex-core-data
	219	+ IntervalActions_ScrubAged_Host: edgex-core-data
	220	+ depends_on:
	221	+ - consul
	222	+# - logging # uncomment if re-enabled remote logging
	223	+ - redis
	224	+
	225	+ app-service-rules:
	226	+ image: edgexfoundry/docker-app-service-configurable-arm64:1.2.0
	227	+ ports:
	228	+ - "0.0.0.0:48100:48100"
	229	+ container_name: edgex-app-service-configurable-rules
	230	+ hostname: edgex-app-service-configurable-rules
	231	+ networks:
	232	+ - edgex-network
	233	+ environment:
	234	+ <<: *common-variables
	235	+ edgex_profile: rules-engine
	236	+ Service_Host: edgex-app-service-configurable-rules
	237	+ Service_Port: 48100
	238	+ MessageBus_SubscribeHost_Host: edgex-core-data
	239	+ Binding_PublishTopic: events
	240	+ depends_on:
	241	+ - consul
	242	+# - logging # uncomment if re-enabled remote logging
	243	+ - data
	244	+
	245	+
	246	+ app-service-mqtt:
	247	+ image: edgexfoundry/docker-app-service-configurable-arm64:1.1.0
	248	+ ports:
	249	+ - "0.0.0.0:48101:48101"
	250	+ container_name: edgex-app-service-configurable-mqtt
	251	+ hostname: edgex-app-service-configurable-mqtt
	252	+ networks:
	253	+ edgex-network:
	254	+ aliases:
	255	+ - edgex-app-service-configurable-mqtt
	256	+ environment:
	257	+ <<: *common-variables
	258	+ edgex_profile: mqtt-export
	259	+ Service_Host: edgex-app-service-configurable-mqtt
	260	+ Service_Port: 48101
	261	+ MessageBus_SubscribeHost_Host: edgex-core-data
	262	+ Binding_PublishTopic: events
	263	+ # Added for MQTT export using app service
	264	+ WRITABLE_PIPELINE_FUNCTIONS_MQTTSEND_ADDRESSABLE_ADDRESS:
	265	+ WRITABLE_PIPELINE_FUNCTIONS_MQTTSEND_ADDRESSABLE_PORT:
	266	+ WRITABLE_PIPELINE_FUNCTIONS_MQTTSEND_ADDRESSABLE_PROTOCOL: tcp
	267	+ WRITABLE_PIPELINE_FUNCTIONS_MQTTSEND_ADDRESSABLE_TOPIC: "temphum"
	268	+ WRITABLE_PIPELINE_FUNCTIONS_MQTTSEND_PARAMETERS_AUTORECONNECT: "true"
	269	+ WRITABLE_PIPELINE_FUNCTIONS_MQTTSEND_PARAMETERS_RETAIN: "true"
	270	+ WRITABLE_PIPELINE_FUNCTIONS_MQTTSEND_PARAMETERS_PERSISTONERROR: "false"
	271	+ # WRITABLE_PIPELINE_FUNCTIONS_MQTTSEND_ADDRESSABLE_PUBLISHER:
	272	+ # WRITABLE_PIPELINE_FUNCTIONS_MQTTSEND_ADDRESSABLE_USER:
	273	+ # WRITABLE_PIPELINE_FUNCTIONS_MQTTSEND_ADDRESSABLE_PASSWORD:
	274	+ # WRITABLE_PIPELINE_FUNCTIONS_MQTTSEND_PARAMETERS_QOS: ["your quality or service"]
	275	+ # WRITABLE_PIPELINE_FUNCTIONS_MQTTSEND_PARAMETERS_KEY: [your Key]
	276	+ # WRITABLE_PIPELINE_FUNCTIONS_MQTTSEND_PARAMETERS_CERT: [your Certificate]
	277	+
	278	+ depends_on:
	279	+ - consul
	280	+ # - logging # uncomment if re-enabled remote logging
	281	+ - data
	282	+
	283	+
	284	+
	285	+ rulesengine:
	286	+ image: emqx/kuiper:0.4.2-alpine
	287	+ ports:
	288	+ - "0.0.0.0:48075:48075"
	289	+ - "0.0.0.0:20498:20498"
	290	+ container_name: edgex-kuiper
	291	+ hostname: edgex-kuiper
	292	+ networks:
	293	+ - edgex-network
	294	+ environment:
	295	+ # KUIPER_DEBUG: "true"
	296	+ KUIPER_CONSOLE_LOG: "true"
	297	+ KUIPER_REST_PORT: 48075
	298	+ EDGEX_SERVER: edgex-app-service-configurable-rules
	299	+ EDGEX_SERVICE_SERVER: http://edgex-core-data:48080
	300	+ EDGEX_TOPIC: events
	301	+ EDGEX_PROTOCOL: tcp
	302	+ EDGEX_PORT: 5566
	303	+ depends_on:
	304	+ - app-service-rules
	305	+
	306	+ # Support RulesEngine has been deprecated in the Geneva (1.2.0) release
	307	+ # If still required, simply uncomment the block below and comment out the block above.
	308	+ #
	309	+ # rulesengine:
	310	+ # image: edgexfoundry/docker-support-rulesengine:1.2.1
	311	+ # ports:
	312	+ # - "0.0.0.0:48075:48075"
	313	+ # container_name: edgex-support-rulesengine
	314	+ # hostname: edgex-support-rulesengine
	315	+ # networks:
	316	+ # - edgex-network
	317	+ # depends_on:
	318	+ # - app-service-rules
	319	+
	320	+#################################################################
	321	+# Device Services
	322	+#################################################################
	323	+
	324	+ device-rest:
	325	+ image: edgexfoundry/docker-device-rest-go-arm64:1.1.1
	326	+ ports:
	327	+ - "0.0.0.0:49986:49986"
	328	+ container_name: edgex-device-rest
	329	+ hostname: edgex-device-rest
	330	+ networks:
	331	+ - edgex-network
	332	+ environment:
	333	+ <<: *common-variables
	334	+ Service_Host: edgex-device-rest
	335	+ depends_on:
	336	+ - data
	337	+ - command
	338	+ # - logging # uncomment if re-enabled remote logging
	339	+
	340	+# device-random:
	341	+# image: edgexfoundry/docker-device-random-go:1.2.1
	342	+# ports:
	343	+# - "0.0.0.0:49988:49988"
	344	+# container_name: edgex-device-random
	345	+# hostname: edgex-device-random
	346	+# networks:
	347	+# - edgex-network
	348	+# environment:
	349	+# <<: *common-variables
	350	+# Service_Host: edgex-device-random
	351	+# depends_on:
	352	+# - data
	353	+# - command
	354	+#
	355	+ device-mqtt:
	356	+ image: edgexfoundry/docker-device-mqtt-go-arm64:1.2.1
	357	+ ports:
	358	+ - "0.0.0.0:49982:49982"
	359	+ container_name: edgex-device-mqtt
	360	+ hostname: edgex-device-mqtt
	361	+ networks:
	362	+ - edgex-network
	363	+ environment:
	364	+ <<: *common-variables
	365	+ Service_Host: edgex-device-mqtt
	366	+ depends_on:
	367	+ - data
	368	+ - command
	369	+#
	370	+# device-modbus:
	371	+# image: edgexfoundry/docker-device-modbus-go:1.2.1
	372	+# ports:
	373	+# - "0.0.0.0:49991:49991"
	374	+# container_name: edgex-device-modbus
	375	+# hostname: edgex-device-modbus
	376	+# networks:
	377	+# - edgex-network
	378	+# environment:
	379	+# <<: *common-variables
	380	+# Service_Host: edgex-device-modbus
	381	+# depends_on:
	382	+# - data
	383	+# - command
	384	+#
	385	+# device-snmp:
	386	+# image: edgexfoundry/docker-device-snmp-go:1.2.1
	387	+# ports:
	388	+# - "0.0.0.0:49993:49993"
	389	+# container_name: edgex-device-snmp
	390	+# hostname: edgex-device-snmp
	391	+# networks:
	392	+# - edgex-network
	393	+# environment:
	394	+# <<: *common-variables
	395	+# Service_Host: edgex-device-snmp
	396	+# depends_on:
	397	+# - data
	398	+# - command
	399	+
	400	+networks:
	401	+ edgex-network:
	402	+ driver: "bridge"
	403	+

618d888

221020/edgex/edgex-1.2.postman_collection.json (added)

+++ 221020/edgex/edgex-1.2.postman_collection.json

...	...	@@ -0,0 +1,279 @@
	1	+{
	2	+ "info": {
	3	+ "_postman_id": "c3af25a0-a460-46c8-89ae-ec742a9c09ca",
	4	+ "name": "edgex-1.2",
	5	+ "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json",
	6	+ "_exporter_id": "15354547"
	7	+ },
	8	+ "item": [
	9	+ {
	10	+ "name": "valuedescriptor-humidity",
	11	+ "request": {
	12	+ "method": "POST",
	13	+ "header": [],
	14	+ "body": {
	15	+ "mode": "raw",
	16	+ "raw": "{\n\t\"name\": \"humidity\",\n\t\"description\": \"Ambient humidity in percent\",\n\t\"min\": \"0\",\n\t\"max\": \"100\",\n\t\"type\": \"Int64\",\n\t\"uomLabel\": \"humidity\",\n\t\"defaultValue\": \"0\",\n\t\"formatting\": \"%s\",\n\t\"labels\": [\n\t\t\"environment\",\n\t\t\"humidity\"\n\t]\n}",
	17	+ "options": {
	18	+ "raw": {
	19	+ "language": "json"
	20	+ }
	21	+ }
	22	+ },
	23	+ "url": {
	24	+ "raw": "http://<edgex_ip>:48080/api/v1/valuedescriptor",
	25	+ "protocol": "http",
	26	+ "host": [
	27	+ "<edgex_ip>"
	28	+ ],
	29	+ "port": "48080",
	30	+ "path": [
	31	+ "api",
	32	+ "v1",
	33	+ "valuedescriptor"
	34	+ ]
	35	+ }
	36	+ },
	37	+ "response": []
	38	+ },
	39	+ {
	40	+ "name": "valuedescriptor-temperature",
	41	+ "request": {
	42	+ "method": "POST",
	43	+ "header": [],
	44	+ "body": {
	45	+ "mode": "raw",
	46	+ "raw": "{\n\t\"name\": \"temperature\",\n\t\"description\": \"Ambient temperature in Celsius\",\n\t\"min\": \"-50\",\n\t\"max\": \"100\",\n\t\"type\": \"Int64\",\n\t\"uomLabel\": \"temperature\",\n\t\"defaultValue\": \"0\",\n\t\"formatting\": \"%s\",\n\t\"labels\": [\n\t\t\"environment\",\n\t\t\"temperature\"\n\t]\n}",
	47	+ "options": {
	48	+ "raw": {
	49	+ "language": "json"
	50	+ }
	51	+ }
	52	+ },
	53	+ "url": {
	54	+ "raw": "http://<edgex_ip>:48080/api/v1/valuedescriptor",
	55	+ "protocol": "http",
	56	+ "host": [
	57	+ "<edgex_ip>"
	58	+ ],
	59	+ "port": "48080",
	60	+ "path": [
	61	+ "api",
	62	+ "v1",
	63	+ "valuedescriptor"
	64	+ ]
	65	+ }
	66	+ },
	67	+ "response": []
	68	+ },
	69	+ {
	70	+ "name": "read valuedescriptor",
	71	+ "request": {
	72	+ "method": "GET",
	73	+ "header": [],
	74	+ "url": {
	75	+ "raw": "http://<edgex_ip>:48080/api/v1/valuedescriptor",
	76	+ "protocol": "http",
	77	+ "host": [
	78	+ "<edgex_ip>"
	79	+ ],
	80	+ "port": "48080",
	81	+ "path": [
	82	+ "api",
	83	+ "v1",
	84	+ "valuedescriptor"
	85	+ ]
	86	+ }
	87	+ },
	88	+ "response": []
	89	+ },
	90	+ {
	91	+ "name": "enroll deviceprofile",
	92	+ "request": {
	93	+ "method": "POST",
	94	+ "header": [],
	95	+ "body": {
	96	+ "mode": "formdata",
	97	+ "formdata": [
	98	+ {
	99	+ "key": "file",
	100	+ "type": "file",
	101	+ "src": "sensorClusterDeviceProfile.yaml"
	102	+ }
	103	+ ]
	104	+ },
	105	+ "url": {
	106	+ "raw": "http://<edgex_ip>:48081/api/v1/deviceprofile/uploadfile",
	107	+ "protocol": "http",
	108	+ "host": [
	109	+ "<edgex_ip>"
	110	+ ],
	111	+ "port": "48081",
	112	+ "path": [
	113	+ "api",
	114	+ "v1",
	115	+ "deviceprofile",
	116	+ "uploadfile"
	117	+ ]
	118	+ }
	119	+ },
	120	+ "response": []
	121	+ },
	122	+ {
	123	+ "name": "enroll device",
	124	+ "request": {
	125	+ "method": "POST",
	126	+ "header": [],
	127	+ "body": {
	128	+ "mode": "raw",
	129	+ "raw": "{\n\t\"name\": \"Temp_and_Humidity_sensor_cluster_01\",\n\t\"description\": \"Raspberry Pi sensor cluster\",\n\t\"adminState\": \"unlocked\",\n\t\"operatingState\": \"enabled\",\n\t\"protocols\": {\n\t\t\"example\": {\n\t\t\t\"host\": \"dummy\",\n\t\t\t\"port\": \"1234\",\n\t\t\t\"unitID\": \"1\"\n\t\t}\n\t},\n\t\"labels\": [\n\t\t\"Humidity sensor\",\n\t\t\"Temperature sensor\",\n\t\t\"DHT11\"\n\t],\n\t\"location\": \"Seoul\",\n\t\"service\": {\n\t\t\"name\": \"edgex-device-rest\"\n\t},\n\t\"profile\": {\n\t\t\"name\": \"SensorCluster\"\n\t}\n}",
	130	+ "options": {
	131	+ "raw": {
	132	+ "language": "json"
	133	+ }
	134	+ }
	135	+ },
	136	+ "url": {
	137	+ "raw": "http://<edgex_ip>:48081/api/v1/device",
	138	+ "protocol": "http",
	139	+ "host": [
	140	+ "<edgex_ip>"
	141	+ ],
	142	+ "port": "48081",
	143	+ "path": [
	144	+ "api",
	145	+ "v1",
	146	+ "device"
	147	+ ]
	148	+ }
	149	+ },
	150	+ "response": []
	151	+ },
	152	+ {
	153	+ "name": "temperature test",
	154	+ "request": {
	155	+ "method": "POST",
	156	+ "header": [],
	157	+ "body": {
	158	+ "mode": "raw",
	159	+ "raw": "35"
	160	+ },
	161	+ "url": {
	162	+ "raw": "http://<edgex_ip>:49986/api/v1/resource/Temp_and_Humidity_sensor_cluster_01/temperature",
	163	+ "protocol": "http",
	164	+ "host": [
	165	+ "<edgex_ip>"
	166	+ ],
	167	+ "port": "49986",
	168	+ "path": [
	169	+ "api",
	170	+ "v1",
	171	+ "resource",
	172	+ "Temp_and_Humidity_sensor_cluster_01",
	173	+ "temperature"
	174	+ ]
	175	+ }
	176	+ },
	177	+ "response": []
	178	+ },
	179	+ {
	180	+ "name": "reading sensordata",
	181	+ "request": {
	182	+ "method": "GET",
	183	+ "header": [],
	184	+ "url": {
	185	+ "raw": "http://<edgex_ip>:48080/api/v1/reading",
	186	+ "protocol": "http",
	187	+ "host": [
	188	+ "<edgex_ip>"
	189	+ ],
	190	+ "port": "48080",
	191	+ "path": [
	192	+ "api",
	193	+ "v1",
	194	+ "reading"
	195	+ ]
	196	+ }
	197	+ },
	198	+ "response": []
	199	+ },
	200	+ {
	201	+ "name": "reading event count",
	202	+ "request": {
	203	+ "method": "GET",
	204	+ "header": [],
	205	+ "url": {
	206	+ "raw": "http://<edgex_ip>:48080/api/v1/event/count",
	207	+ "protocol": "http",
	208	+ "host": [
	209	+ "<edgex_ip>"
	210	+ ],
	211	+ "port": "48080",
	212	+ "path": [
	213	+ "api",
	214	+ "v1",
	215	+ "event",
	216	+ "count"
	217	+ ]
	218	+ }
	219	+ },
	220	+ "response": []
	221	+ },
	222	+ {
	223	+ "name": "create streams",
	224	+ "request": {
	225	+ "method": "POST",
	226	+ "header": [],
	227	+ "body": {
	228	+ "mode": "raw",
	229	+ "raw": "{\n\t\"sql\": \"create stream edgex_tutorial() WITH (FORMAT=\\\"JSON\\\", TYPE=\\\"edgex\\\")\"\n}",
	230	+ "options": {
	231	+ "raw": {
	232	+ "language": "json"
	233	+ }
	234	+ }
	235	+ },
	236	+ "url": {
	237	+ "raw": "http://<edgex_ip>:48075/streams",
	238	+ "protocol": "http",
	239	+ "host": [
	240	+ "<edgex_ip>"
	241	+ ],
	242	+ "port": "48075",
	243	+ "path": [
	244	+ "streams"
	245	+ ]
	246	+ }
	247	+ },
	248	+ "response": []
	249	+ },
	250	+ {
	251	+ "name": "create rules",
	252	+ "request": {
	253	+ "method": "POST",
	254	+ "header": [],
	255	+ "body": {
	256	+ "mode": "raw",
	257	+ "raw": "{\n\t\"id\": \"edgex_tutorial\",\n\t\"sql\": \"SELECT * FROM edgex_tutorial\",\n\t\"actions\": [\n\t\t{\n\t\t\"mqtt\": {\n\t\t\t\"server\": \"tcp://192.168.3.101:10101\",\n\t\t\t\"topic\": \"temphum\",\n\t\t\t\"username\": \"cccr\",\n\t\t\t\"password\": \"cccrtest\",\n\t\t\t\"clientId\": \"vraptor\"\n\t\t}\n\t},\n\t{\n\t\t\"log\":{}\n\t}\n\t]\n}",
	258	+ "options": {
	259	+ "raw": {
	260	+ "language": "json"
	261	+ }
	262	+ }
	263	+ },
	264	+ "url": {
	265	+ "raw": "http://<edgex_ip>:48075/rules",
	266	+ "protocol": "http",
	267	+ "host": [
	268	+ "<edgex_ip>"
	269	+ ],
	270	+ "port": "48075",
	271	+ "path": [
	272	+ "rules"
	273	+ ]
	274	+ }
	275	+ },
	276	+ "response": []
	277	+ }
	278	+ ]
	279	+}(파일 끝에 줄바꿈 문자 없음)

618d888

221020/edgex/sensorClusterDeviceProfile.yaml (added)

+++ 221020/edgex/sensorClusterDeviceProfile.yaml

...	...	@@ -0,0 +1,21 @@
	1	+name: "SensorCluster"
	2	+manufacturer: "Raspberry Pi Foundation"
	3	+model: "Raspberry Pi 4B"
	4	+labels:
	5	+ - "rpi"
	6	+description: "Sensor cluster providing metrics for temperature and humidity"
	7	+
	8	+deviceResources:
	9	+ -
	10	+ name: temperature
	11	+ description: "Sensor cluster temperature values"
	12	+ properties:
	13	+ value:
	14	+ { type: "Int64", readWrite: "RW", minimum: "-50", maximum: "100", size: "4", LSB: "true", defaultValue: "9"}
	15	+ -
	16	+ name: humidity
	17	+ description: "Sensor cluster humidity values"
	18	+ properties:
	19	+ value:
	20	+ { type: "Int64", readWrite: "RW", minimum: "0", maximum: "100", size: "4", LSB: "true", defaultValue: "9"}
	21	+

618d888

221020/k8s-install-setup.sh (added)

+++ 221020/k8s-install-setup.sh

...	...	@@ -0,0 +1,33 @@
	1	+#! /bin/bash
	2	+# sudo로 실행 필요
	3	+
	4	+# K8s 설치
	5	+# 네트워크 설정
	6	+echo -e "br_netfilter" >> /etc/modules-load.d/k8s.conf
	7	+echo -e "net.bridge.bridge-nf-call-ip6tables = 1\nnet.bridge.bridge-nf-call-iptables = 1" >> /etc/sysctl.d/k8s.conf
	8	+sysctl --system
	9	+
	10	+# K8s 설치
	11	+apt-get update
	12	+apt-get install -y apt-transport-https ca-certificates curl
	13	+rm -f /usr/share/keyrings/kubernetes-archive-keyring.gpg
	14	+curl -fsSLo /usr/share/keyrings/kubernetes-archive-keyring.gpg https://packages.cloud.google.com/apt/doc/apt-key.gpg
	15	+echo "deb [signed-by=/usr/share/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" \| sudo tee /etc/apt/sources.list.d/kubernetes.list
	16	+apt-get update
	17	+apt-get install -y kubelet kubeadm kubectl
	18	+apt-mark hold kubelet kubeadm kubectl
	19	+rm /etc/containerd/config.toml
	20	+systemctl restart containerd.service
	21	+echo 'source <(kubectl completion bash)' >> /root/.bashrc
	22	+kubectl completion bash >/etc/bash_completion.d/kubectl
	23	+
	24	+MASTER_IP=`hostname -I \| awk '{print $1}'`
	25	+kubeadm init --apiserver-advertise-address="${MASTER_IP}" --pod-network-cidr "10.244.0.0/16" --control-plane-endpoint="${MASTER_IP}"
	26	+export ROOT=/root
	27	+export HOME=/home/vraptor
	28	+mkdir -p $ROOT/.kube
	29	+mkdir -p $HOME/.kube
	30	+cp /etc/kubernetes/admin.conf $ROOT/.kube/config
	31	+cp /etc/kubernetes/admin.conf $HOME/.kube/config
	32	+chown root:root $ROOT/.kube/config
	33	+chown -R vraptor:vraptor $HOME/.kube

018d885

init-k8s.sh (deleted)

--- init-k8s.sh

...	...	@@ -1,103 +0,0 @@
	1	-#! /bin/bash
	2	-
	3	-# LoadBalancer 타입의 서비스와 연결할 외부 IP 대역
	4	-read -p "이름을 입력하세요 : " num
	5	-
	6	-# 이름을 입력
	7	-case ${num} in
	8	- 김대원) range='192.168.11.11-192.168.11.15' ;;
	9	- 문성업) range='192.168.11.15-192.168.11.20' ;;
	10	- 박청우) range='192.168.11.21-192.168.11.25' ;;
	11	- 유조훈) range='192.168.11.25-192.168.11.30' ;;
	12	- 장현정) range='192.168.11.31-192.168.11.35' ;;
	13	- 최승원) range='192.168.11.35-192.168.11.40' ;;
	14	- 조성수) range='192.168.11.41-192.168.11.45' ;;
	15	- admin) range='192.168.11.46-192.168.11.50' ;;
	16	-esac
	17	-
	18	-# LoadBalancer 타입의 서비스와 연결할 외부 IP 대역
	19	-#read -p "수강번호 : " num
	20	-
	21	-# 수강 번호를 입력
	22	-#case ${num} in
	23	-# 1) range='192.168.11.11-192.168.11.12' ;;
	24	-# 2) range='192.168.11.13-192.168.11.14' ;;
	25	-# 3) range='192.168.11.15-192.168.11.16' ;;
	26	-# 4) range='192.168.11.17-192.168.11.18' ;;
	27	-# 5) range='192.168.11.19-192.168.11.20' ;;
	28	-# 6) range='192.168.11.21-192.168.11.22' ;;
	29	-# 7) range='192.168.11.23-192.168.11.24' ;;
	30	-# 8) range='192.168.11.25-192.168.11.26' ;;
	31	-# 9) range='192.168.11.27-192.168.11.28' ;;
	32	-# 10) range='192.168.11.29-192.168.11.30' ;;
	33	-# 11) range='192.168.11.31-192.168.11.32' ;;
	34	-# 12) range='192.168.11.33-192.168.11.34' ;;
	35	-# 13) range='192.168.11.35-192.168.11.36' ;;
	36	-# 14) range='192.168.11.37-192.168.11.38' ;;
	37	-# 15) range='192.168.11.39-192.168.11.40' ;;
	38	-# 16) range='192.168.11.41-192.168.11.42' ;;
	39	-# 17) range='192.168.11.43-192.168.11.44' ;;
	40	-# 18) range='192.168.11.45-192.168.11.46' ;;
	41	-# 19) range='192.168.11.47-192.168.11.48' ;;
	42	-# 20) range='192.168.11.49-192.168.11.50' ;;
	43	-# 21) range='192.168.11.51-192.168.11.52' ;;
	44	-# 22) range='192.168.11.53-192.168.11.54' ;;
	45	-# 23) range='192.168.11.55-192.168.11.56' ;;
	46	-# 24) range='192.168.11.57-192.168.11.58' ;;
	47	-# 25) range='192.168.11.59-192.168.11.60' ;;
	48	-# admin) range='192.168.11.61-192.168.11.62' ;;
	49	-#esac
	50	-
	51	-# 파드를 생성하기 위해 swap off
	52	-swapoff -a
	53	-
	54	-# 노드의 IP 확인
	55	-ip= hostname -I \| awk '{print $1}'
	56	-
	57	-# k8s 초기화
	58	-kubeadm reset --force
	59	-rm -rf /root/.kube
	60	-rm -rf /home/vraptor/.kube
	61	-
	62	-# k8s 클러스터 생성
	63	-kubeadm init --apiserver-advertise-address=$ip --pod-network-cidr=10.244.0.0/16
	64	-# k8s 클러스터를 사용하기 위해 config 파일 복사
	65	-mkdir -p /root/.kube
	66	-mkdir -p /home/vraptor/.kube
	67	-cp /etc/kubernetes/admin.conf /root/.kube/config
	68	-cp /etc/kubernetes/admin.conf /home/vraptor/.kube/config
	69	-chown -R vraptor:vraptor /home/vraptor/.kube
	70	-
	71	-# Master노드에서 파드를 올리기 위한 taint제거
	72	-kubectl taint nodes --all node-role.kubernetes.io/master-
	73	-
	74	-# CNI(Container Network Interface) 플러그인 설치 - Calico
	75	-kubectl apply -f yaml/calico.yaml
	76	-
	77	-# LoadBalancer 타입의 서비스에 연결할 외부 IP할당을 편리하게 하는 MetalLb 플러그인 설치
	78	-kubectl get configmap kube-proxy -n kube-system -o yaml \| sed -e "s/strictARP: false/strictARP: true/" \| kubectl diff -f - -n kube-system
	79	-kubectl apply -f yaml/namespace.yaml
	80	-kubectl apply -f yaml/metallb.yaml
	81	-kubectl create secret generic -n metallb-system memberlist --from-literal=secretkey="$(openssl rand -base64 128)"
	82	-
	83	-cat <<EOF > metallb-config.yaml
	84	-apiVersion: v1
	85	-kind: ConfigMap
	86	-metadata:
	87	- namespace: metallb-system
	88	- name: config
	89	-data:
	90	- config: \|
	91	- address-pools:
	92	- - name: default
	93	- protocol: layer2
	94	- addresses:
	95	- - ${range}
	96	-EOF
	97	-
	98	-kubectl apply -f metallb-config.yaml
	99	-
	100	-# 로컬에서 사용하는 Storageclass > PVC(Persistence Volume Claim), PV(Persistence Volume)에 사용됨
	101	-kubectl apply -f yaml/local-path-storage.yaml
	102	-kubectl annotate storageclass local-path storageclass.kubernetes.io/is-default-class=true
	103	-

018d885

install-docker-k8s.sh (deleted)

--- install-docker-k8s.sh

...	...	@@ -1,70 +0,0 @@
	1	-#! /bin/bash
	2	-# sudo로 실행 필요
	3	-# docker 설치
	4	-apt-get update
	5	-apt-get -y install \
	6	- apt-transport-https \
	7	- ca-certificates \
	8	- curl \
	9	- gnupg-agent \
	10	- software-properties-common
	11	-curl -fsSL https://download.docker.com/linux/ubuntu/gpg \| apt-key add -
	12	-add-apt-repository "deb [arch=arm64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
	13	-apt-get -y update
	14	-apt-get -y install docker-ce docker-ce-cli containerd.io
	15	-
	16	-# Cgroup를 systemd로 설정
	17	-cat > /etc/docker/daemon.json <<EOF
	18	-{
	19	- "exec-opts": ["native.cgroupdriver=systemd"],
	20	- "log-driver": "json-file",
	21	- "log-opts": {
	22	- "max-size": "100m"
	23	- },
	24	- "storage-driver": "overlay2",
	25	- "insecure-registries" : [ "192.168.11.253:5000","192.168.11.254:5000" ]
	26	-}
	27	-EOF
	28	-
	29	-mkdir -p /etc/systemd/system/docker.service.d
	30	-systemctl daemon-reload
	31	-systemctl restart docker
	32	-sudo systemctl enable docker
	33	-
	34	-# 일반유저 Docker 사용
	35	-usermod -aG docker vraptor
	36	-
	37	-apt install bash-completion
	38	-
	39	-curl https://raw.githubusercontent.com/docker/docker-ce/master/components/cli/contrib/completion/bash/docker -o /etc/bash_completion.d/docker.sh
	40	-
	41	-# K8s 설치
	42	-# 네트워크 설정
	43	-cat <<EOF \| tee /etc/modules-load.d/k8s.conf
	44	-br_netfilter
	45	-EOF
	46	-
	47	-cat <<EOF \| tee /etc/sysctl.d/k8s.conf
	48	-net.bridge.bridge-nf-call-ip6tables = 1
	49	-net.bridge.bridge-nf-call-iptables = 1
	50	-EOF
	51	-
	52	-sysctl --system
	53	-
	54	-apt-get update && apt-get install -y apt-transport-https curl
	55	-
	56	-curl -fsSLo /usr/share/keyrings/kubernetes-archive-keyring.gpg https://packages.cloud.google.com/apt/doc/apt-key.gpg
	57	-
	58	-echo "deb [signed-by=/usr/share/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" \| sudo tee /etc/apt/sources.list.d/kubernetes.list
	59	-
	60	-apt-get update
	61	-
	62	-apt-get install -y kubelet kubeadm kubectl
	63	-
	64	-apt-mark hold kubelet kubeadm kubectl
	65	-
	66	-source /usr/share/bash-completion/bash_completion
	67	-
	68	-echo 'source <(kubectl completion bash)' >> /home/vraptor/.bashrc
	69	-
	70	-kubectl completion bash >/etc/bash_completion.d/kubectl

018d885

kustomization.yaml (deleted)

--- kustomization.yaml

...	...	@@ -1,3 +0,0 @@
	1	-resources:
	2	- - mysql-deployment.yaml
	3	- - wordpress-deployment.yaml

018d885

mysql-deployment.yaml (deleted)

--- mysql-deployment.yaml

...	...	@@ -1,51 +0,0 @@
	1	-# mariadb을 위한 서비스 생성
	2	-apiVersion: v1
	3	-kind: Service
	4	-metadata:
	5	- name: wordpress-mysql
	6	- labels:
	7	- app: wordpress
	8	-spec:
	9	- ports:
	10	- - port: 3306
	11	- selector:
	12	- app: wordpress
	13	- tier: mysql
	14	- clusterIP: None
	15	----
	16	-# mariadb 디플로이먼트 생성
	17	-apiVersion: apps/v1
	18	-# 리소스 종류 : 디플로이먼트
	19	-kind: Deployment
	20	-metadata:
	21	- # 디플로이먼트 이름 설정
	22	- name: wordpress-mysql
	23	- # 레이블 설정
	24	- labels:
	25	- app: wordpress
	26	-spec:
	27	- selector:
	28	- matchLabels:
	29	- app: wordpress
	30	- tier: mysql
	31	- strategy:
	32	- type: Recreate
	33	- template:
	34	- metadata:
	35	- labels:
	36	- app: wordpress
	37	- tier: mysql
	38	- spec:
	39	- containers:
	40	- # 컨테이너 이미지
	41	- - image: 192.168.11.254:5000/mariadb:10.5
	42	- name: mysql
	43	- # mariadb 환경변수 설정
	44	- env:
	45	- # mariaDB 루트 패스워드 입력
	46	- - name: MYSQL_ROOT_PASSWORD
	47	- value: password
	48	- ports:
	49	- # 컨테이너가 사용할 포트 열기
	50	- - containerPort: 3306
	51	- name: mysql

018d885

nodejs.yaml (deleted)

--- nodejs.yaml

...	...	@@ -1,52 +0,0 @@
	1	-# 디플로이먼트 생성
	2	-apiVersion: apps/v1
	3	-kind: Deployment
	4	-metadata:
	5	- # 디플로이먼트의 이름
	6	- name: nodejs-deployment
	7	- # 레이블 설정
	8	- labels:
	9	- app: nodejs
	10	-spec:
	11	- replicas: 5
	12	- selector:
	13	- matchLabels:
	14	- app: nodejs
	15	- template:
	16	- metadata:
	17	- labels:
	18	- app: nodejs
	19	- spec:
	20	- containers:
	21	- # 컨테너 이미지 설정
	22	- - name: nodejs
	23	- image: 192.168.11.254:5000/nodejs:test
	24	- ports:
	25	- # 컨테이너가 사용할 포트
	26	- - containerPort: 8080
	27	- # 파드가 사용할 리소스 제한 설정
	28	- resources:
	29	- limits:
	30	- memory: "500M"
	31	- cpu: "3"
	32	- requests:
	33	- memory: "500M"
	34	- cpu: "3"
	35	----
	36	-# nodejs 서비스 생성
	37	-apiVersion: v1
	38	-kind: Service
	39	-metadata:
	40	- name: nodejs
	41	-spec:
	42	- ports:
	43	- - name: nodejs
	44	- # 외부로 노출할 포트
	45	- port: 80
	46	- protocol: TCP
	47	- # 파드의 컨테이너 포트
	48	- targetPort: 8080
	49	- selector:
	50	- app: nodejs
	51	- # 서비스 타입 : 로드밸런서
	52	- type: LoadBalancer

018d885

wordpress-deployment.yaml (deleted)

--- wordpress-deployment.yaml

...	...	@@ -1,54 +0,0 @@
	1	-# 워드프레스 서비스 생성
	2	-apiVersion: v1
	3	-kind: Service
	4	-metadata:
	5	- name: wordpress
	6	- labels:
	7	- app: wordpress
	8	-spec:
	9	- ports:
	10	- # 외부로 노출할 포트
	11	- - port: 80
	12	- # 연결할 레이블 선택
	13	- selector:
	14	- app: wordpress
	15	- tier: frontend
	16	- # 서비스 타입
	17	- type: LoadBalancer
	18	----
	19	-# 워드프레스 디플로이먼트 생성
	20	-apiVersion: apps/v1
	21	-kind: Deployment
	22	-metadata:
	23	- name: wordpress
	24	- labels:
	25	- app: wordpress
	26	-spec:
	27	- selector:
	28	- matchLabels:
	29	- app: wordpress
	30	- tier: frontend
	31	- strategy:
	32	- type: Recreate
	33	- template:
	34	- metadata:
	35	- labels:
	36	- app: wordpress
	37	- tier: frontend
	38	- spec:
	39	- containers:
	40	- # 사용할 이미지 설정
	41	- - image: 192.168.11.254:5000/wordpress:4.8-apache
	42	- name: wordpress
	43	- # 워드프레스 파드의 환경변수 설정
	44	- env:
	45	- # 워드프레스가 생성할 mariadb파드의 database의 이름 설정
	46	- - name: WORDPRESS_DB_HOST
	47	- value: wordpress-mysql
	48	- # 워드프레스가 생성할 mariadb파드의 database의 패스워드 설정
	49	- - name: WORDPRESS_DB_PASSWORD
	50	- value: password
	51	- # 컨테이너가 사용할 포트 설정
	52	- ports:
	53	- - containerPort: 80
	54	- name: wordpress

018d885

yaml/calico.yaml (deleted)

--- yaml/calico.yaml

...	...	@@ -1,4097 +0,0 @@
	1	----
	2	-# Source: calico/templates/calico-config.yaml
	3	-# This ConfigMap is used to configure a self-hosted Calico installation.
	4	-kind: ConfigMap
	5	-apiVersion: v1
	6	-metadata:
	7	- name: calico-config
	8	- namespace: kube-system
	9	-data:
	10	- # Typha is disabled.
	11	- typha_service_name: "none"
	12	- # Configure the backend to use.
	13	- calico_backend: "bird"
	14	-
	15	- # Configure the MTU to use for workload interfaces and tunnels.
	16	- # By default, MTU is auto-detected, and explicitly setting this field should not be required.
	17	- # You can override auto-detection by providing a non-zero value.
	18	- veth_mtu: "0"
	19	-
	20	- # The CNI network configuration to install on each node. The special
	21	- # values in this config will be automatically populated.
	22	- cni_network_config: \|-
	23	- {
	24	- "name": "k8s-pod-network",
	25	- "cniVersion": "0.3.1",
	26	- "plugins": [
	27	- {
	28	- "type": "calico",
	29	- "log_level": "info",
	30	- "log_file_path": "/var/log/calico/cni/cni.log",
	31	- "datastore_type": "kubernetes",
	32	- "nodename": "__KUBERNETES_NODE_NAME__",
	33	- "mtu": __CNI_MTU__,
	34	- "ipam": {
	35	- "type": "calico-ipam"
	36	- },
	37	- "policy": {
	38	- "type": "k8s"
	39	- },
	40	- "kubernetes": {
	41	- "kubeconfig": "__KUBECONFIG_FILEPATH__"
	42	- }
	43	- },
	44	- {
	45	- "type": "portmap",
	46	- "snat": true,
	47	- "capabilities": {"portMappings": true}
	48	- },
	49	- {
	50	- "type": "bandwidth",
	51	- "capabilities": {"bandwidth": true}
	52	- }
	53	- ]
	54	- }
	55	-
	56	----
	57	-# Source: calico/templates/kdd-crds.yaml
	58	-
	59	-apiVersion: apiextensions.k8s.io/v1
	60	-kind: CustomResourceDefinition
	61	-metadata:
	62	- name: bgpconfigurations.crd.projectcalico.org
	63	-spec:
	64	- group: crd.projectcalico.org
	65	- names:
	66	- kind: BGPConfiguration
	67	- listKind: BGPConfigurationList
	68	- plural: bgpconfigurations
	69	- singular: bgpconfiguration
	70	- scope: Cluster
	71	- versions:
	72	- - name: v1
	73	- schema:
	74	- openAPIV3Schema:
	75	- description: BGPConfiguration contains the configuration for any BGP routing.
	76	- properties:
	77	- apiVersion:
	78	- description: 'APIVersion defines the versioned schema of this representation
	79	- of an object. Servers should convert recognized schemas to the latest
	80	- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
	81	- type: string
	82	- kind:
	83	- description: 'Kind is a string value representing the REST resource this
	84	- object represents. Servers may infer this from the endpoint the client
	85	- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
	86	- type: string
	87	- metadata:
	88	- type: object
	89	- spec:
	90	- description: BGPConfigurationSpec contains the values of the BGP configuration.
	91	- properties:
	92	- asNumber:
	93	- description: 'ASNumber is the default AS number used by a node. [Default:
	94	- 64512]'
	95	- format: int32
	96	- type: integer
	97	- communities:
	98	- description: Communities is a list of BGP community values and their
	99	- arbitrary names for tagging routes.
	100	- items:
	101	- description: Community contains standard or large community value
	102	- and its name.
	103	- properties:
	104	- name:
	105	- description: Name given to community value.
	106	- type: string
	107	- value:
	108	- description: Value must be of format `aa:nn` or `aa:nn:mm`.
	109	- For standard community use `aa:nn` format, where `aa` and
	110	- `nn` are 16 bit number. For large community use `aa:nn:mm`
	111	- format, where `aa`, `nn` and `mm` are 32 bit number. Where,
	112	- `aa` is an AS Number, `nn` and `mm` are per-AS identifier.
	113	- pattern: ^(\d+):(\d+)$\|^(\d+):(\d+):(\d+)$
	114	- type: string
	115	- type: object
	116	- type: array
	117	- listenPort:
	118	- description: ListenPort is the port where BGP protocol should listen.
	119	- Defaults to 179
	120	- maximum: 65535
	121	- minimum: 1
	122	- type: integer
	123	- logSeverityScreen:
	124	- description: 'LogSeverityScreen is the log severity above which logs
	125	- are sent to the stdout. [Default: INFO]'
	126	- type: string
	127	- nodeToNodeMeshEnabled:
	128	- description: 'NodeToNodeMeshEnabled sets whether full node to node
	129	- BGP mesh is enabled. [Default: true]'
	130	- type: boolean
	131	- prefixAdvertisements:
	132	- description: PrefixAdvertisements contains per-prefix advertisement
	133	- configuration.
	134	- items:
	135	- description: PrefixAdvertisement configures advertisement properties
	136	- for the specified CIDR.
	137	- properties:
	138	- cidr:
	139	- description: CIDR for which properties should be advertised.
	140	- type: string
	141	- communities:
	142	- description: Communities can be list of either community names
	143	- already defined in `Specs.Communities` or community value
	144	- of format `aa:nn` or `aa:nn:mm`. For standard community use
	145	- `aa:nn` format, where `aa` and `nn` are 16 bit number. For
	146	- large community use `aa:nn:mm` format, where `aa`, `nn` and
	147	- `mm` are 32 bit number. Where,`aa` is an AS Number, `nn` and
	148	- `mm` are per-AS identifier.
	149	- items:
	150	- type: string
	151	- type: array
	152	- type: object
	153	- type: array
	154	- serviceClusterIPs:
	155	- description: ServiceClusterIPs are the CIDR blocks from which service
	156	- cluster IPs are allocated. If specified, Calico will advertise these
	157	- blocks, as well as any cluster IPs within them.
	158	- items:
	159	- description: ServiceClusterIPBlock represents a single allowed ClusterIP
	160	- CIDR block.
	161	- properties:
	162	- cidr:
	163	- type: string
	164	- type: object
	165	- type: array
	166	- serviceExternalIPs:
	167	- description: ServiceExternalIPs are the CIDR blocks for Kubernetes
	168	- Service External IPs. Kubernetes Service ExternalIPs will only be
	169	- advertised if they are within one of these blocks.
	170	- items:
	171	- description: ServiceExternalIPBlock represents a single allowed
	172	- External IP CIDR block.
	173	- properties:
	174	- cidr:
	175	- type: string
	176	- type: object
	177	- type: array
	178	- serviceLoadBalancerIPs:
	179	- description: ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes
	180	- Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress
	181	- IPs will only be advertised if they are within one of these blocks.
	182	- items:
	183	- description: ServiceLoadBalancerIPBlock represents a single allowed
	184	- LoadBalancer IP CIDR block.
	185	- properties:
	186	- cidr:
	187	- type: string
	188	- type: object
	189	- type: array
	190	- type: object
	191	- type: object
	192	- served: true
	193	- storage: true
	194	-status:
	195	- acceptedNames:
	196	- kind: ""
	197	- plural: ""
	198	- conditions: []
	199	- storedVersions: []
	200	-
	201	----
	202	-apiVersion: apiextensions.k8s.io/v1
	203	-kind: CustomResourceDefinition
	204	-metadata:
	205	- name: bgppeers.crd.projectcalico.org
	206	-spec:
	207	- group: crd.projectcalico.org
	208	- names:
	209	- kind: BGPPeer
	210	- listKind: BGPPeerList
	211	- plural: bgppeers
	212	- singular: bgppeer
	213	- scope: Cluster
	214	- versions:
	215	- - name: v1
	216	- schema:
	217	- openAPIV3Schema:
	218	- properties:
	219	- apiVersion:
	220	- description: 'APIVersion defines the versioned schema of this representation
	221	- of an object. Servers should convert recognized schemas to the latest
	222	- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
	223	- type: string
	224	- kind:
	225	- description: 'Kind is a string value representing the REST resource this
	226	- object represents. Servers may infer this from the endpoint the client
	227	- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
	228	- type: string
	229	- metadata:
	230	- type: object
	231	- spec:
	232	- description: BGPPeerSpec contains the specification for a BGPPeer resource.
	233	- properties:
	234	- asNumber:
	235	- description: The AS Number of the peer.
	236	- format: int32
	237	- type: integer
	238	- keepOriginalNextHop:
	239	- description: Option to keep the original nexthop field when routes
	240	- are sent to a BGP Peer. Setting "true" configures the selected BGP
	241	- Peers node to use the "next hop keep;" instead of "next hop self;"(default)
	242	- in the specific branch of the Node on "bird.cfg".
	243	- type: boolean
	244	- maxRestartTime:
	245	- description: Time to allow for software restart. When specified, this
	246	- is configured as the graceful restart timeout. When not specified,
	247	- the BIRD default of 120s is used.
	248	- type: string
	249	- node:
	250	- description: The node name identifying the Calico node instance that
	251	- is targeted by this peer. If this is not set, and no nodeSelector
	252	- is specified, then this BGP peer selects all nodes in the cluster.
	253	- type: string
	254	- nodeSelector:
	255	- description: Selector for the nodes that should have this peering. When
	256	- this is set, the Node field must be empty.
	257	- type: string
	258	- password:
	259	- description: Optional BGP password for the peerings generated by this
	260	- BGPPeer resource.
	261	- properties:
	262	- secretKeyRef:
	263	- description: Selects a key of a secret in the node pod's namespace.
	264	- properties:
	265	- key:
	266	- description: The key of the secret to select from. Must be
	267	- a valid secret key.
	268	- type: string
	269	- name:
	270	- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
	271	- TODO: Add other useful fields. apiVersion, kind, uid?'
	272	- type: string
	273	- optional:
	274	- description: Specify whether the Secret or its key must be
	275	- defined
	276	- type: boolean
	277	- required:
	278	- - key
	279	- type: object
	280	- type: object
	281	- peerIP:
	282	- description: The IP address of the peer followed by an optional port
	283	- number to peer with. If port number is given, format should be `[<IPv6>]:port`
	284	- or `<IPv4>:<port>` for IPv4. If optional port number is not set,
	285	- and this peer IP and ASNumber belongs to a calico/node with ListenPort
	286	- set in BGPConfiguration, then we use that port to peer.
	287	- type: string
	288	- peerSelector:
	289	- description: Selector for the remote nodes to peer with. When this
	290	- is set, the PeerIP and ASNumber fields must be empty. For each
	291	- peering between the local node and selected remote nodes, we configure
	292	- an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified,
	293	- and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The
	294	- remote AS number comes from the remote node's NodeBGPSpec.ASNumber,
	295	- or the global default if that is not set.
	296	- type: string
	297	- sourceAddress:
	298	- description: Specifies whether and how to configure a source address
	299	- for the peerings generated by this BGPPeer resource. Default value
	300	- "UseNodeIP" means to configure the node IP as the source address. "None"
	301	- means not to configure a source address.
	302	- type: string
	303	- type: object
	304	- type: object
	305	- served: true
	306	- storage: true
	307	-status:
	308	- acceptedNames:
	309	- kind: ""
	310	- plural: ""
	311	- conditions: []
	312	- storedVersions: []
	313	-
	314	----
	315	-apiVersion: apiextensions.k8s.io/v1
	316	-kind: CustomResourceDefinition
	317	-metadata:
	318	- name: blockaffinities.crd.projectcalico.org
	319	-spec:
	320	- group: crd.projectcalico.org
	321	- names:
	322	- kind: BlockAffinity
	323	- listKind: BlockAffinityList
	324	- plural: blockaffinities
	325	- singular: blockaffinity
	326	- scope: Cluster
	327	- versions:
	328	- - name: v1
	329	- schema:
	330	- openAPIV3Schema:
	331	- properties:
	332	- apiVersion:
	333	- description: 'APIVersion defines the versioned schema of this representation
	334	- of an object. Servers should convert recognized schemas to the latest
	335	- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
	336	- type: string
	337	- kind:
	338	- description: 'Kind is a string value representing the REST resource this
	339	- object represents. Servers may infer this from the endpoint the client
	340	- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
	341	- type: string
	342	- metadata:
	343	- type: object
	344	- spec:
	345	- description: BlockAffinitySpec contains the specification for a BlockAffinity
	346	- resource.
	347	- properties:
	348	- cidr:
	349	- type: string
	350	- deleted:
	351	- description: Deleted indicates that this block affinity is being deleted.
	352	- This field is a string for compatibility with older releases that
	353	- mistakenly treat this field as a string.
	354	- type: string
	355	- node:
	356	- type: string
	357	- state:
	358	- type: string
	359	- required:
	360	- - cidr
	361	- - deleted
	362	- - node
	363	- - state
	364	- type: object
	365	- type: object
	366	- served: true
	367	- storage: true
	368	-status:
	369	- acceptedNames:
	370	- kind: ""
	371	- plural: ""
	372	- conditions: []
	373	- storedVersions: []
	374	-
	375	----
	376	-apiVersion: apiextensions.k8s.io/v1
	377	-kind: CustomResourceDefinition
	378	-metadata:
	379	- name: clusterinformations.crd.projectcalico.org
	380	-spec:
	381	- group: crd.projectcalico.org
	382	- names:
	383	- kind: ClusterInformation
	384	- listKind: ClusterInformationList
	385	- plural: clusterinformations
	386	- singular: clusterinformation
	387	- scope: Cluster
	388	- versions:
	389	- - name: v1
	390	- schema:
	391	- openAPIV3Schema:
	392	- description: ClusterInformation contains the cluster specific information.
	393	- properties:
	394	- apiVersion:
	395	- description: 'APIVersion defines the versioned schema of this representation
	396	- of an object. Servers should convert recognized schemas to the latest
	397	- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
	398	- type: string
	399	- kind:
	400	- description: 'Kind is a string value representing the REST resource this
	401	- object represents. Servers may infer this from the endpoint the client
	402	- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
	403	- type: string
	404	- metadata:
	405	- type: object
	406	- spec:
	407	- description: ClusterInformationSpec contains the values of describing
	408	- the cluster.
	409	- properties:
	410	- calicoVersion:
	411	- description: CalicoVersion is the version of Calico that the cluster
	412	- is running
	413	- type: string
	414	- clusterGUID:
	415	- description: ClusterGUID is the GUID of the cluster
	416	- type: string
	417	- clusterType:
	418	- description: ClusterType describes the type of the cluster
	419	- type: string
	420	- datastoreReady:
	421	- description: DatastoreReady is used during significant datastore migrations
	422	- to signal to components such as Felix that it should wait before
	423	- accessing the datastore.
	424	- type: boolean
	425	- variant:
	426	- description: Variant declares which variant of Calico should be active.
	427	- type: string
	428	- type: object
	429	- type: object
	430	- served: true
	431	- storage: true
	432	-status:
	433	- acceptedNames:
	434	- kind: ""
	435	- plural: ""
	436	- conditions: []
	437	- storedVersions: []
	438	-
	439	----
	440	-apiVersion: apiextensions.k8s.io/v1
	441	-kind: CustomResourceDefinition
	442	-metadata:
	443	- name: felixconfigurations.crd.projectcalico.org
	444	-spec:
	445	- group: crd.projectcalico.org
	446	- names:
	447	- kind: FelixConfiguration
	448	- listKind: FelixConfigurationList
	449	- plural: felixconfigurations
	450	- singular: felixconfiguration
	451	- scope: Cluster
	452	- versions:
	453	- - name: v1
	454	- schema:
	455	- openAPIV3Schema:
	456	- description: Felix Configuration contains the configuration for Felix.
	457	- properties:
	458	- apiVersion:
	459	- description: 'APIVersion defines the versioned schema of this representation
	460	- of an object. Servers should convert recognized schemas to the latest
	461	- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
	462	- type: string
	463	- kind:
	464	- description: 'Kind is a string value representing the REST resource this
	465	- object represents. Servers may infer this from the endpoint the client
	466	- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
	467	- type: string
	468	- metadata:
	469	- type: object
	470	- spec:
	471	- description: FelixConfigurationSpec contains the values of the Felix configuration.
	472	- properties:
	473	- allowIPIPPacketsFromWorkloads:
	474	- description: 'AllowIPIPPacketsFromWorkloads controls whether Felix
	475	- will add a rule to drop IPIP encapsulated traffic from workloads
	476	- [Default: false]'
	477	- type: boolean
	478	- allowVXLANPacketsFromWorkloads:
	479	- description: 'AllowVXLANPacketsFromWorkloads controls whether Felix
	480	- will add a rule to drop VXLAN encapsulated traffic from workloads
	481	- [Default: false]'
	482	- type: boolean
	483	- awsSrcDstCheck:
	484	- description: 'Set source-destination-check on AWS EC2 instances. Accepted
	485	- value must be one of "DoNothing", "Enabled" or "Disabled". [Default:
	486	- DoNothing]'
	487	- enum:
	488	- - DoNothing
	489	- - Enable
	490	- - Disable
	491	- type: string
	492	- bpfConnectTimeLoadBalancingEnabled:
	493	- description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode,
	494	- controls whether Felix installs the connection-time load balancer. The
	495	- connect-time load balancer is required for the host to be able to
	496	- reach Kubernetes services and it improves the performance of pod-to-service
	497	- connections. The only reason to disable it is for debugging purposes. [Default:
	498	- true]'
	499	- type: boolean
	500	- bpfDataIfacePattern:
	501	- description: BPFDataIfacePattern is a regular expression that controls
	502	- which interfaces Felix should attach BPF programs to in order to
	503	- catch traffic to/from the network. This needs to match the interfaces
	504	- that Calico workload traffic flows over as well as any interfaces
	505	- that handle incoming traffic to nodeports and services from outside
	506	- the cluster. It should not match the workload interfaces (usually
	507	- named cali...).
	508	- type: string
	509	- bpfDisableUnprivileged:
	510	- description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled
	511	- sysctl to disable unprivileged use of BPF. This ensures that unprivileged
	512	- users cannot access Calico''s BPF maps and cannot insert their own
	513	- BPF programs to interfere with Calico''s. [Default: true]'
	514	- type: boolean
	515	- bpfEnabled:
	516	- description: 'BPFEnabled, if enabled Felix will use the BPF dataplane.
	517	- [Default: false]'
	518	- type: boolean
	519	- bpfExternalServiceMode:
	520	- description: 'BPFExternalServiceMode in BPF mode, controls how connections
	521	- from outside the cluster to services (node ports and cluster IPs)
	522	- are forwarded to remote workloads. If set to "Tunnel" then both
	523	- request and response traffic is tunneled to the remote node. If
	524	- set to "DSR", the request traffic is tunneled but the response traffic
	525	- is sent directly from the remote node. In "DSR" mode, the remote
	526	- node appears to use the IP of the ingress node; this requires a
	527	- permissive L2 network. [Default: Tunnel]'
	528	- type: string
	529	- bpfExtToServiceConnmark:
	530	- description: 'BPFExtToServiceConnmark in BPF mode, controls a
	531	- 32bit mark that is set on connections from an external client to
	532	- a local service. This mark allows us to control how packets of
	533	- that connection are routed within the host and how is routing
	534	- intepreted by RPF check. [Default: 0]'
	535	- type: integer
	536	-
	537	- bpfKubeProxyEndpointSlicesEnabled:
	538	- description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls
	539	- whether Felix's embedded kube-proxy accepts EndpointSlices or not.
	540	- type: boolean
	541	- bpfKubeProxyIptablesCleanupEnabled:
	542	- description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF
	543	- mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s
	544	- iptables chains. Should only be enabled if kube-proxy is not running. [Default:
	545	- true]'
	546	- type: boolean
	547	- bpfKubeProxyMinSyncPeriod:
	548	- description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the
	549	- minimum time between updates to the dataplane for Felix''s embedded
	550	- kube-proxy. Lower values give reduced set-up latency. Higher values
	551	- reduce Felix CPU usage by batching up more work. [Default: 1s]'
	552	- type: string
	553	- bpfLogLevel:
	554	- description: 'BPFLogLevel controls the log level of the BPF programs
	555	- when in BPF dataplane mode. One of "Off", "Info", or "Debug". The
	556	- logs are emitted to the BPF trace pipe, accessible with the command
	557	- `tc exec bpf debug`. [Default: Off].'
	558	- type: string
	559	- chainInsertMode:
	560	- description: 'ChainInsertMode controls whether Felix hooks the kernel''s
	561	- top-level iptables chains by inserting a rule at the top of the
	562	- chain or by appending a rule at the bottom. insert is the safe default
	563	- since it prevents Calico''s rules from being bypassed. If you switch
	564	- to append mode, be sure that the other rules in the chains signal
	565	- acceptance by falling through to the Calico rules, otherwise the
	566	- Calico policy will be bypassed. [Default: insert]'
	567	- type: string
	568	- dataplaneDriver:
	569	- type: string
	570	- debugDisableLogDropping:
	571	- type: boolean
	572	- debugMemoryProfilePath:
	573	- type: string
	574	- debugSimulateCalcGraphHangAfter:
	575	- type: string
	576	- debugSimulateDataplaneHangAfter:
	577	- type: string
	578	- defaultEndpointToHostAction:
	579	- description: 'DefaultEndpointToHostAction controls what happens to
	580	- traffic that goes from a workload endpoint to the host itself (after
	581	- the traffic hits the endpoint egress policy). By default Calico
	582	- blocks traffic from workload endpoints to the host itself with an
	583	- iptables "DROP" action. If you want to allow some or all traffic
	584	- from endpoint to host, set this parameter to RETURN or ACCEPT. Use
	585	- RETURN if you have your own rules in the iptables "INPUT" chain;
	586	- Calico will insert its rules at the top of that chain, then "RETURN"
	587	- packets to the "INPUT" chain once it has completed processing workload
	588	- endpoint egress policy. Use ACCEPT to unconditionally accept packets
	589	- from workloads after processing workload endpoint egress policy.
	590	- [Default: Drop]'
	591	- type: string
	592	- deviceRouteProtocol:
	593	- description: This defines the route protocol added to programmed device
	594	- routes, by default this will be RTPROT_BOOT when left blank.
	595	- type: integer
	596	- deviceRouteSourceAddress:
	597	- description: This is the source address to use on programmed device
	598	- routes. By default the source address is left blank, leaving the
	599	- kernel to choose the source address used.
	600	- type: string
	601	- disableConntrackInvalidCheck:
	602	- type: boolean
	603	- endpointReportingDelay:
	604	- type: string
	605	- endpointReportingEnabled:
	606	- type: boolean
	607	- externalNodesList:
	608	- description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes
	609	- which may source tunnel traffic and have the tunneled traffic be
	610	- accepted at calico nodes.
	611	- items:
	612	- type: string
	613	- type: array
	614	- failsafeInboundHostPorts:
	615	- description: 'FailsafeInboundHostPorts is a list of UDP/TCP ports
	616	- and CIDRs that Felix will allow incoming traffic to host endpoints
	617	- on irrespective of the security policy. This is useful to avoid
	618	- accidentally cutting off a host with incorrect configuration. For
	619	- back-compatibility, if the protocol is not specified, it defaults
	620	- to "tcp". If a CIDR is not specified, it will allow traffic from
	621	- all addresses. To disable all inbound host ports, use the value
	622	- none. The default value allows ssh access and DHCP. [Default: tcp:22,
	623	- udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]'
	624	- items:
	625	- description: ProtoPort is combination of protocol, port, and CIDR.
	626	- Protocol and port must be specified.
	627	- properties:
	628	- net:
	629	- type: string
	630	- port:
	631	- type: integer
	632	- protocol:
	633	- type: string
	634	- required:
	635	- - port
	636	- - protocol
	637	- type: object
	638	- type: array
	639	- failsafeOutboundHostPorts:
	640	- description: 'FailsafeOutboundHostPorts is a list of UDP/TCP ports
	641	- and CIDRs that Felix will allow outgoing traffic from host endpoints
	642	- to irrespective of the security policy. This is useful to avoid
	643	- accidentally cutting off a host with incorrect configuration. For
	644	- back-compatibility, if the protocol is not specified, it defaults
	645	- to "tcp". If a CIDR is not specified, it will allow traffic from
	646	- all addresses. To disable all outbound host ports, use the value
	647	- none. The default value opens etcd''s standard ports to ensure that
	648	- Felix does not get cut off from etcd as well as allowing DHCP and
	649	- DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666,
	650	- tcp:6667, udp:53, udp:67]'
	651	- items:
	652	- description: ProtoPort is combination of protocol, port, and CIDR.
	653	- Protocol and port must be specified.
	654	- properties:
	655	- net:
	656	- type: string
	657	- port:
	658	- type: integer
	659	- protocol:
	660	- type: string
	661	- required:
	662	- - port
	663	- - protocol
	664	- type: object
	665	- type: array
	666	- featureDetectOverride:
	667	- description: FeatureDetectOverride is used to override the feature
	668	- detection. Values are specified in a comma separated list with no
	669	- spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=".
	670	- "true" or "false" will force the feature, empty or omitted values
	671	- are auto-detected.
	672	- type: string
	673	- genericXDPEnabled:
	674	- description: 'GenericXDPEnabled enables Generic XDP so network cards
	675	- that don''t support XDP offload or driver modes can use XDP. This
	676	- is not recommended since it doesn''t provide better performance
	677	- than iptables. [Default: false]'
	678	- type: boolean
	679	- healthEnabled:
	680	- type: boolean
	681	- healthHost:
	682	- type: string
	683	- healthPort:
	684	- type: integer
	685	- interfaceExclude:
	686	- description: 'InterfaceExclude is a comma-separated list of interfaces
	687	- that Felix should exclude when monitoring for host endpoints. The
	688	- default value ensures that Felix ignores Kubernetes'' IPVS dummy
	689	- interface, which is used internally by kube-proxy. If you want to
	690	- exclude multiple interface names using a single value, the list
	691	- supports regular expressions. For regular expressions you must wrap
	692	- the value with ''/''. For example having values ''/^kube/,veth1''
	693	- will exclude all interfaces that begin with ''kube'' and also the
	694	- interface ''veth1''. [Default: kube-ipvs0]'
	695	- type: string
	696	- interfacePrefix:
	697	- description: 'InterfacePrefix is the interface name prefix that identifies
	698	- workload endpoints and so distinguishes them from host endpoint
	699	- interfaces. Note: in environments other than bare metal, the orchestrators
	700	- configure this appropriately. For example our Kubernetes and Docker
	701	- integrations set the ''cali'' value, and our OpenStack integration
	702	- sets the ''tap'' value. [Default: cali]'
	703	- type: string
	704	- interfaceRefreshInterval:
	705	- description: InterfaceRefreshInterval is the period at which Felix
	706	- rescans local interfaces to verify their state. The rescan can be
	707	- disabled by setting the interval to 0.
	708	- type: string
	709	- ipipEnabled:
	710	- type: boolean
	711	- ipipMTU:
	712	- description: 'IPIPMTU is the MTU to set on the tunnel device. See
	713	- Configuring MTU [Default: 1440]'
	714	- type: integer
	715	- ipsetsRefreshInterval:
	716	- description: 'IpsetsRefreshInterval is the period at which Felix re-checks
	717	- all iptables state to ensure that no other process has accidentally
	718	- broken Calico''s rules. Set to 0 to disable iptables refresh. [Default:
	719	- 90s]'
	720	- type: string
	721	- iptablesBackend:
	722	- description: IptablesBackend specifies which backend of iptables will
	723	- be used. The default is legacy.
	724	- type: string
	725	- iptablesFilterAllowAction:
	726	- type: string
	727	- iptablesLockFilePath:
	728	- description: 'IptablesLockFilePath is the location of the iptables
	729	- lock file. You may need to change this if the lock file is not in
	730	- its standard location (for example if you have mapped it into Felix''s
	731	- container at a different path). [Default: /run/xtables.lock]'
	732	- type: string
	733	- iptablesLockProbeInterval:
	734	- description: 'IptablesLockProbeInterval is the time that Felix will
	735	- wait between attempts to acquire the iptables lock if it is not
	736	- available. Lower values make Felix more responsive when the lock
	737	- is contended, but use more CPU. [Default: 50ms]'
	738	- type: string
	739	- iptablesLockTimeout:
	740	- description: 'IptablesLockTimeout is the time that Felix will wait
	741	- for the iptables lock, or 0, to disable. To use this feature, Felix
	742	- must share the iptables lock file with all other processes that
	743	- also take the lock. When running Felix inside a container, this
	744	- requires the /run directory of the host to be mounted into the calico/node
	745	- or calico/felix container. [Default: 0s disabled]'
	746	- type: string
	747	- iptablesMangleAllowAction:
	748	- type: string
	749	- iptablesMarkMask:
	750	- description: 'IptablesMarkMask is the mask that Felix selects its
	751	- IPTables Mark bits from. Should be a 32 bit hexadecimal number with
	752	- at least 8 bits set, none of which clash with any other mark bits
	753	- in use on the system. [Default: 0xff000000]'
	754	- format: int32
	755	- type: integer
	756	- iptablesNATOutgoingInterfaceFilter:
	757	- type: string
	758	- iptablesPostWriteCheckInterval:
	759	- description: 'IptablesPostWriteCheckInterval is the period after Felix
	760	- has done a write to the dataplane that it schedules an extra read
	761	- back in order to check the write was not clobbered by another process.
	762	- This should only occur if another application on the system doesn''t
	763	- respect the iptables lock. [Default: 1s]'
	764	- type: string
	765	- iptablesRefreshInterval:
	766	- description: 'IptablesRefreshInterval is the period at which Felix
	767	- re-checks the IP sets in the dataplane to ensure that no other process
	768	- has accidentally broken Calico''s rules. Set to 0 to disable IP
	769	- sets refresh. Note: the default for this value is lower than the
	770	- other refresh intervals as a workaround for a Linux kernel bug that
	771	- was fixed in kernel version 4.11. If you are using v4.11 or greater
	772	- you may want to set this to, a higher value to reduce Felix CPU
	773	- usage. [Default: 10s]'
	774	- type: string
	775	- ipv6Support:
	776	- type: boolean
	777	- kubeNodePortRanges:
	778	- description: 'KubeNodePortRanges holds list of port ranges used for
	779	- service node ports. Only used if felix detects kube-proxy running
	780	- in ipvs mode. Felix uses these ranges to separate host and workload
	781	- traffic. [Default: 30000:32767].'
	782	- items:
	783	- anyOf:
	784	- - type: integer
	785	- - type: string
	786	- pattern: ^.*
	787	- x-kubernetes-int-or-string: true
	788	- type: array
	789	- logFilePath:
	790	- description: 'LogFilePath is the full path to the Felix log. Set to
	791	- none to disable file logging. [Default: /var/log/calico/felix.log]'
	792	- type: string
	793	- logPrefix:
	794	- description: 'LogPrefix is the log prefix that Felix uses when rendering
	795	- LOG rules. [Default: calico-packet]'
	796	- type: string
	797	- logSeverityFile:
	798	- description: 'LogSeverityFile is the log severity above which logs
	799	- are sent to the log file. [Default: Info]'
	800	- type: string
	801	- logSeverityScreen:
	802	- description: 'LogSeverityScreen is the log severity above which logs
	803	- are sent to the stdout. [Default: Info]'
	804	- type: string
	805	- logSeveritySys:
	806	- description: 'LogSeveritySys is the log severity above which logs
	807	- are sent to the syslog. Set to None for no logging to syslog. [Default:
	808	- Info]'
	809	- type: string
	810	- maxIpsetSize:
	811	- type: integer
	812	- metadataAddr:
	813	- description: 'MetadataAddr is the IP address or domain name of the
	814	- server that can answer VM queries for cloud-init metadata. In OpenStack,
	815	- this corresponds to the machine running nova-api (or in Ubuntu,
	816	- nova-api-metadata). A value of none (case insensitive) means that
	817	- Felix should not set up any NAT rule for the metadata path. [Default:
	818	- 127.0.0.1]'
	819	- type: string
	820	- metadataPort:
	821	- description: 'MetadataPort is the port of the metadata server. This,
	822	- combined with global.MetadataAddr (if not ''None''), is used to
	823	- set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort.
	824	- In most cases this should not need to be changed [Default: 8775].'
	825	- type: integer
	826	- mtuIfacePattern:
	827	- description: MTUIfacePattern is a regular expression that controls
	828	- which interfaces Felix should scan in order to calculate the host's
	829	- MTU. This should not match workload interfaces (usually named cali...).
	830	- type: string
	831	- natOutgoingAddress:
	832	- description: NATOutgoingAddress specifies an address to use when performing
	833	- source NAT for traffic in a natOutgoing pool that is leaving the
	834	- network. By default the address used is an address on the interface
	835	- the traffic is leaving on (ie it uses the iptables MASQUERADE target)
	836	- type: string
	837	- natPortRange:
	838	- anyOf:
	839	- - type: integer
	840	- - type: string
	841	- description: NATPortRange specifies the range of ports that is used
	842	- for port mapping when doing outgoing NAT. When unset the default
	843	- behavior of the network stack is used.
	844	- pattern: ^.*
	845	- x-kubernetes-int-or-string: true
	846	- netlinkTimeout:
	847	- type: string
	848	- openstackRegion:
	849	- description: 'OpenstackRegion is the name of the region that a particular
	850	- Felix belongs to. In a multi-region Calico/OpenStack deployment,
	851	- this must be configured somehow for each Felix (here in the datamodel,
	852	- or in felix.cfg or the environment on each compute node), and must
	853	- match the [calico] openstack_region value configured in neutron.conf
	854	- on each node. [Default: Empty]'
	855	- type: string
	856	- policySyncPathPrefix:
	857	- description: 'PolicySyncPathPrefix is used to by Felix to communicate
	858	- policy changes to external services, like Application layer policy.
	859	- [Default: Empty]'
	860	- type: string
	861	- prometheusGoMetricsEnabled:
	862	- description: 'PrometheusGoMetricsEnabled disables Go runtime metrics
	863	- collection, which the Prometheus client does by default, when set
	864	- to false. This reduces the number of metrics reported, reducing
	865	- Prometheus load. [Default: true]'
	866	- type: boolean
	867	- prometheusMetricsEnabled:
	868	- description: 'PrometheusMetricsEnabled enables the Prometheus metrics
	869	- server in Felix if set to true. [Default: false]'
	870	- type: boolean
	871	- prometheusMetricsHost:
	872	- description: 'PrometheusMetricsHost is the host that the Prometheus
	873	- metrics server should bind to. [Default: empty]'
	874	- type: string
	875	- prometheusMetricsPort:
	876	- description: 'PrometheusMetricsPort is the TCP port that the Prometheus
	877	- metrics server should bind to. [Default: 9091]'
	878	- type: integer
	879	- prometheusProcessMetricsEnabled:
	880	- description: 'PrometheusProcessMetricsEnabled disables process metrics
	881	- collection, which the Prometheus client does by default, when set
	882	- to false. This reduces the number of metrics reported, reducing
	883	- Prometheus load. [Default: true]'
	884	- type: boolean
	885	- removeExternalRoutes:
	886	- description: Whether or not to remove device routes that have not
	887	- been programmed by Felix. Disabling this will allow external applications
	888	- to also add device routes. This is enabled by default which means
	889	- we will remove externally added routes.
	890	- type: boolean
	891	- reportingInterval:
	892	- description: 'ReportingInterval is the interval at which Felix reports
	893	- its status into the datastore or 0 to disable. Must be non-zero
	894	- in OpenStack deployments. [Default: 30s]'
	895	- type: string
	896	- reportingTTL:
	897	- description: 'ReportingTTL is the time-to-live setting for process-wide
	898	- status reports. [Default: 90s]'
	899	- type: string
	900	- routeRefreshInterval:
	901	- description: 'RouteRefreshInterval is the period at which Felix re-checks
	902	- the routes in the dataplane to ensure that no other process has
	903	- accidentally broken Calico''s rules. Set to 0 to disable route refresh.
	904	- [Default: 90s]'
	905	- type: string
	906	- routeSource:
	907	- description: 'RouteSource configures where Felix gets its routing
	908	- information. - WorkloadIPs: use workload endpoints to construct
	909	- routes. - CalicoIPAM: the default - use IPAM data to construct routes.'
	910	- type: string
	911	- routeTableRange:
	912	- description: Calico programs additional Linux route tables for various
	913	- purposes. RouteTableRange specifies the indices of the route tables
	914	- that Calico should use.
	915	- properties:
	916	- max:
	917	- type: integer
	918	- min:
	919	- type: integer
	920	- required:
	921	- - max
	922	- - min
	923	- type: object
	924	- serviceLoopPrevention:
	925	- description: 'When service IP advertisement is enabled, prevent routing
	926	- loops to service IPs that are not in use, by dropping or rejecting
	927	- packets that do not get DNAT''d by kube-proxy. Unless set to "Disabled",
	928	- in which case such routing loops continue to be allowed. [Default:
	929	- Drop]'
	930	- type: string
	931	- sidecarAccelerationEnabled:
	932	- description: 'SidecarAccelerationEnabled enables experimental sidecar
	933	- acceleration [Default: false]'
	934	- type: boolean
	935	- usageReportingEnabled:
	936	- description: 'UsageReportingEnabled reports anonymous Calico version
	937	- number and cluster size to projectcalico.org. Logs warnings returned
	938	- by the usage server. For example, if a significant security vulnerability
	939	- has been discovered in the version of Calico being used. [Default:
	940	- true]'
	941	- type: boolean
	942	- usageReportingInitialDelay:
	943	- description: 'UsageReportingInitialDelay controls the minimum delay
	944	- before Felix makes a report. [Default: 300s]'
	945	- type: string
	946	- usageReportingInterval:
	947	- description: 'UsageReportingInterval controls the interval at which
	948	- Felix makes reports. [Default: 86400s]'
	949	- type: string
	950	- useInternalDataplaneDriver:
	951	- type: boolean
	952	- vxlanEnabled:
	953	- type: boolean
	954	- vxlanMTU:
	955	- description: 'VXLANMTU is the MTU to set on the tunnel device. See
	956	- Configuring MTU [Default: 1440]'
	957	- type: integer
	958	- vxlanPort:
	959	- type: integer
	960	- vxlanVNI:
	961	- type: integer
	962	- wireguardEnabled:
	963	- description: 'WireguardEnabled controls whether Wireguard is enabled.
	964	- [Default: false]'
	965	- type: boolean
	966	- wireguardInterfaceName:
	967	- description: 'WireguardInterfaceName specifies the name to use for
	968	- the Wireguard interface. [Default: wg.calico]'
	969	- type: string
	970	- wireguardListeningPort:
	971	- description: 'WireguardListeningPort controls the listening port used
	972	- by Wireguard. [Default: 51820]'
	973	- type: integer
	974	- wireguardMTU:
	975	- description: 'WireguardMTU controls the MTU on the Wireguard interface.
	976	- See Configuring MTU [Default: 1420]'
	977	- type: integer
	978	- wireguardRoutingRulePriority:
	979	- description: 'WireguardRoutingRulePriority controls the priority value
	980	- to use for the Wireguard routing rule. [Default: 99]'
	981	- type: integer
	982	- xdpEnabled:
	983	- description: 'XDPEnabled enables XDP acceleration for suitable untracked
	984	- incoming deny rules. [Default: true]'
	985	- type: boolean
	986	- xdpRefreshInterval:
	987	- description: 'XDPRefreshInterval is the period at which Felix re-checks
	988	- all XDP state to ensure that no other process has accidentally broken
	989	- Calico''s BPF maps or attached programs. Set to 0 to disable XDP
	990	- refresh. [Default: 90s]'
	991	- type: string
	992	- type: object
	993	- type: object
	994	- served: true
	995	- storage: true
	996	-status:
	997	- acceptedNames:
	998	- kind: ""
	999	- plural: ""
	1000	- conditions: []
	1001	- storedVersions: []
	1002	-
	1003	----
	1004	-apiVersion: apiextensions.k8s.io/v1
	1005	-kind: CustomResourceDefinition
	1006	-metadata:
	1007	- name: globalnetworkpolicies.crd.projectcalico.org
	1008	-spec:
	1009	- group: crd.projectcalico.org
	1010	- names:
	1011	- kind: GlobalNetworkPolicy
	1012	- listKind: GlobalNetworkPolicyList
	1013	- plural: globalnetworkpolicies
	1014	- singular: globalnetworkpolicy
	1015	- scope: Cluster
	1016	- versions:
	1017	- - name: v1
	1018	- schema:
	1019	- openAPIV3Schema:
	1020	- properties:
	1021	- apiVersion:
	1022	- description: 'APIVersion defines the versioned schema of this representation
	1023	- of an object. Servers should convert recognized schemas to the latest
	1024	- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
	1025	- type: string
	1026	- kind:
	1027	- description: 'Kind is a string value representing the REST resource this
	1028	- object represents. Servers may infer this from the endpoint the client
	1029	- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
	1030	- type: string
	1031	- metadata:
	1032	- type: object
	1033	- spec:
	1034	- properties:
	1035	- applyOnForward:
	1036	- description: ApplyOnForward indicates to apply the rules in this policy
	1037	- on forward traffic.
	1038	- type: boolean
	1039	- doNotTrack:
	1040	- description: DoNotTrack indicates whether packets matched by the rules
	1041	- in this policy should go through the data plane's connection tracking,
	1042	- such as Linux conntrack. If True, the rules in this policy are
	1043	- applied before any data plane connection tracking, and packets allowed
	1044	- by this policy are marked as not to be tracked.
	1045	- type: boolean
	1046	- egress:
	1047	- description: The ordered set of egress rules. Each rule contains
	1048	- a set of packet match criteria and a corresponding action to apply.
	1049	- items:
	1050	- description: "A Rule encapsulates a set of match criteria and an
	1051	- action. Both selector-based security Policy and security Profiles
	1052	- reference rules - separated out as a list of rules for both ingress
	1053	- and egress packet matching. \n Each positive match criteria has
	1054	- a negated version, prefixed with \"Not\". All the match criteria
	1055	- within a rule must be satisfied for a packet to match. A single
	1056	- rule can contain the positive and negative version of a match
	1057	- and both must be satisfied for the rule to match."
	1058	- properties:
	1059	- action:
	1060	- type: string
	1061	- destination:
	1062	- description: Destination contains the match criteria that apply
	1063	- to destination entity.
	1064	- properties:
	1065	- namespaceSelector:
	1066	- description: "NamespaceSelector is an optional field that
	1067	- contains a selector expression. Only traffic that originates
	1068	- from (or terminates at) endpoints within the selected
	1069	- namespaces will be matched. When both NamespaceSelector
	1070	- and another selector are defined on the same rule, then
	1071	- only workload endpoints that are matched by both selectors
	1072	- will be selected by the rule. \n For NetworkPolicy, an
	1073	- empty NamespaceSelector implies that the Selector is limited
	1074	- to selecting only workload endpoints in the same namespace
	1075	- as the NetworkPolicy. \n For NetworkPolicy, `global()`
	1076	- NamespaceSelector implies that the Selector is limited
	1077	- to selecting only GlobalNetworkSet or HostEndpoint. \n
	1078	- For GlobalNetworkPolicy, an empty NamespaceSelector implies
	1079	- the Selector applies to workload endpoints across all
	1080	- namespaces."
	1081	- type: string
	1082	- nets:
	1083	- description: Nets is an optional field that restricts the
	1084	- rule to only apply to traffic that originates from (or
	1085	- terminates at) IP addresses in any of the given subnets.
	1086	- items:
	1087	- type: string
	1088	- type: array
	1089	- notNets:
	1090	- description: NotNets is the negated version of the Nets
	1091	- field.
	1092	- items:
	1093	- type: string
	1094	- type: array
	1095	- notPorts:
	1096	- description: NotPorts is the negated version of the Ports
	1097	- field. Since only some protocols have ports, if any ports
	1098	- are specified it requires the Protocol match in the Rule
	1099	- to be set to "TCP" or "UDP".
	1100	- items:
	1101	- anyOf:
	1102	- - type: integer
	1103	- - type: string
	1104	- pattern: ^.*
	1105	- x-kubernetes-int-or-string: true
	1106	- type: array
	1107	- notSelector:
	1108	- description: NotSelector is the negated version of the Selector
	1109	- field. See Selector field for subtleties with negated
	1110	- selectors.
	1111	- type: string
	1112	- ports:
	1113	- description: "Ports is an optional field that restricts
	1114	- the rule to only apply to traffic that has a source (destination)
	1115	- port that matches one of these ranges/values. This value
	1116	- is a list of integers or strings that represent ranges
	1117	- of ports. \n Since only some protocols have ports, if
	1118	- any ports are specified it requires the Protocol match
	1119	- in the Rule to be set to \"TCP\" or \"UDP\"."
	1120	- items:
	1121	- anyOf:
	1122	- - type: integer
	1123	- - type: string
	1124	- pattern: ^.*
	1125	- x-kubernetes-int-or-string: true
	1126	- type: array
	1127	- selector:
	1128	- description: "Selector is an optional field that contains
	1129	- a selector expression (see Policy for sample syntax).
	1130	- \ Only traffic that originates from (terminates at) endpoints
	1131	- matching the selector will be matched. \n Note that: in
	1132	- addition to the negated version of the Selector (see NotSelector
	1133	- below), the selector expression syntax itself supports
	1134	- negation. The two types of negation are subtly different.
	1135	- One negates the set of matched endpoints, the other negates
	1136	- the whole match: \n \tSelector = \"!has(my_label)\" matches
	1137	- packets that are from other Calico-controlled \tendpoints
	1138	- that do not have the label \"my_label\". \n \tNotSelector
	1139	- = \"has(my_label)\" matches packets that are not from
	1140	- Calico-controlled \tendpoints that do have the label \"my_label\".
	1141	- \n The effect is that the latter will accept packets from
	1142	- non-Calico sources whereas the former is limited to packets
	1143	- from Calico-controlled endpoints."
	1144	- type: string
	1145	- serviceAccounts:
	1146	- description: ServiceAccounts is an optional field that restricts
	1147	- the rule to only apply to traffic that originates from
	1148	- (or terminates at) a pod running as a matching service
	1149	- account.
	1150	- properties:
	1151	- names:
	1152	- description: Names is an optional field that restricts
	1153	- the rule to only apply to traffic that originates
	1154	- from (or terminates at) a pod running as a service
	1155	- account whose name is in the list.
	1156	- items:
	1157	- type: string
	1158	- type: array
	1159	- selector:
	1160	- description: Selector is an optional field that restricts
	1161	- the rule to only apply to traffic that originates
	1162	- from (or terminates at) a pod running as a service
	1163	- account that matches the given label selector. If
	1164	- both Names and Selector are specified then they are
	1165	- AND'ed.
	1166	- type: string
	1167	- type: object
	1168	- services:
	1169	- description: "Services is an optional field that contains
	1170	- options for matching Kubernetes Services. If specified,
	1171	- only traffic that originates from or terminates at endpoints
	1172	- within the selected service(s) will be matched, and only
	1173	- to/from each endpoint's port. \n Services cannot be specified
	1174	- on the same rule as Selector, NotSelector, NamespaceSelector,
	1175	- Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n
	1176	- Only valid on egress rules."
	1177	- properties:
	1178	- name:
	1179	- description: Name specifies the name of a Kubernetes
	1180	- Service to match.
	1181	- type: string
	1182	- namespace:
	1183	- description: Namespace specifies the namespace of the
	1184	- given Service. If left empty, the rule will match
	1185	- within this policy's namespace.
	1186	- type: string
	1187	- type: object
	1188	- type: object
	1189	- http:
	1190	- description: HTTP contains match criteria that apply to HTTP
	1191	- requests.
	1192	- properties:
	1193	- methods:
	1194	- description: Methods is an optional field that restricts
	1195	- the rule to apply only to HTTP requests that use one of
	1196	- the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
	1197	- methods are OR'd together.
	1198	- items:
	1199	- type: string
	1200	- type: array
	1201	- paths:
	1202	- description: 'Paths is an optional field that restricts
	1203	- the rule to apply to HTTP requests that use one of the
	1204	- listed HTTP Paths. Multiple paths are OR''d together.
	1205	- e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
	1206	- ONLY specify either a `exact` or a `prefix` match. The
	1207	- validator will check for it.'
	1208	- items:
	1209	- description: 'HTTPPath specifies an HTTP path to match.
	1210	- It may be either of the form: exact: <path>: which matches
	1211	- the path exactly or prefix: <path-prefix>: which matches
	1212	- the path prefix'
	1213	- properties:
	1214	- exact:
	1215	- type: string
	1216	- prefix:
	1217	- type: string
	1218	- type: object
	1219	- type: array
	1220	- type: object
	1221	- icmp:
	1222	- description: ICMP is an optional field that restricts the rule
	1223	- to apply to a specific type and code of ICMP traffic. This
	1224	- should only be specified if the Protocol field is set to "ICMP"
	1225	- or "ICMPv6".
	1226	- properties:
	1227	- code:
	1228	- description: Match on a specific ICMP code. If specified,
	1229	- the Type value must also be specified. This is a technical
	1230	- limitation imposed by the kernel's iptables firewall,
	1231	- which Calico uses to enforce the rule.
	1232	- type: integer
	1233	- type:
	1234	- description: Match on a specific ICMP type. For example
	1235	- a value of 8 refers to ICMP Echo Request (i.e. pings).
	1236	- type: integer
	1237	- type: object
	1238	- ipVersion:
	1239	- description: IPVersion is an optional field that restricts the
	1240	- rule to only match a specific IP version.
	1241	- type: integer
	1242	- metadata:
	1243	- description: Metadata contains additional information for this
	1244	- rule
	1245	- properties:
	1246	- annotations:
	1247	- additionalProperties:
	1248	- type: string
	1249	- description: Annotations is a set of key value pairs that
	1250	- give extra information about the rule
	1251	- type: object
	1252	- type: object
	1253	- notICMP:
	1254	- description: NotICMP is the negated version of the ICMP field.
	1255	- properties:
	1256	- code:
	1257	- description: Match on a specific ICMP code. If specified,
	1258	- the Type value must also be specified. This is a technical
	1259	- limitation imposed by the kernel's iptables firewall,
	1260	- which Calico uses to enforce the rule.
	1261	- type: integer
	1262	- type:
	1263	- description: Match on a specific ICMP type. For example
	1264	- a value of 8 refers to ICMP Echo Request (i.e. pings).
	1265	- type: integer
	1266	- type: object
	1267	- notProtocol:
	1268	- anyOf:
	1269	- - type: integer
	1270	- - type: string
	1271	- description: NotProtocol is the negated version of the Protocol
	1272	- field.
	1273	- pattern: ^.*
	1274	- x-kubernetes-int-or-string: true
	1275	- protocol:
	1276	- anyOf:
	1277	- - type: integer
	1278	- - type: string
	1279	- description: "Protocol is an optional field that restricts the
	1280	- rule to only apply to traffic of a specific IP protocol. Required
	1281	- if any of the EntityRules contain Ports (because ports only
	1282	- apply to certain protocols). \n Must be one of these string
	1283	- values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
	1284	- \"UDPLite\" or an integer in the range 1-255."
	1285	- pattern: ^.*
	1286	- x-kubernetes-int-or-string: true
	1287	- source:
	1288	- description: Source contains the match criteria that apply to
	1289	- source entity.
	1290	- properties:
	1291	- namespaceSelector:
	1292	- description: "NamespaceSelector is an optional field that
	1293	- contains a selector expression. Only traffic that originates
	1294	- from (or terminates at) endpoints within the selected
	1295	- namespaces will be matched. When both NamespaceSelector
	1296	- and another selector are defined on the same rule, then
	1297	- only workload endpoints that are matched by both selectors
	1298	- will be selected by the rule. \n For NetworkPolicy, an
	1299	- empty NamespaceSelector implies that the Selector is limited
	1300	- to selecting only workload endpoints in the same namespace
	1301	- as the NetworkPolicy. \n For NetworkPolicy, `global()`
	1302	- NamespaceSelector implies that the Selector is limited
	1303	- to selecting only GlobalNetworkSet or HostEndpoint. \n
	1304	- For GlobalNetworkPolicy, an empty NamespaceSelector implies
	1305	- the Selector applies to workload endpoints across all
	1306	- namespaces."
	1307	- type: string
	1308	- nets:
	1309	- description: Nets is an optional field that restricts the
	1310	- rule to only apply to traffic that originates from (or
	1311	- terminates at) IP addresses in any of the given subnets.
	1312	- items:
	1313	- type: string
	1314	- type: array
	1315	- notNets:
	1316	- description: NotNets is the negated version of the Nets
	1317	- field.
	1318	- items:
	1319	- type: string
	1320	- type: array
	1321	- notPorts:
	1322	- description: NotPorts is the negated version of the Ports
	1323	- field. Since only some protocols have ports, if any ports
	1324	- are specified it requires the Protocol match in the Rule
	1325	- to be set to "TCP" or "UDP".
	1326	- items:
	1327	- anyOf:
	1328	- - type: integer
	1329	- - type: string
	1330	- pattern: ^.*
	1331	- x-kubernetes-int-or-string: true
	1332	- type: array
	1333	- notSelector:
	1334	- description: NotSelector is the negated version of the Selector
	1335	- field. See Selector field for subtleties with negated
	1336	- selectors.
	1337	- type: string
	1338	- ports:
	1339	- description: "Ports is an optional field that restricts
	1340	- the rule to only apply to traffic that has a source (destination)
	1341	- port that matches one of these ranges/values. This value
	1342	- is a list of integers or strings that represent ranges
	1343	- of ports. \n Since only some protocols have ports, if
	1344	- any ports are specified it requires the Protocol match
	1345	- in the Rule to be set to \"TCP\" or \"UDP\"."
	1346	- items:
	1347	- anyOf:
	1348	- - type: integer
	1349	- - type: string
	1350	- pattern: ^.*
	1351	- x-kubernetes-int-or-string: true
	1352	- type: array
	1353	- selector:
	1354	- description: "Selector is an optional field that contains
	1355	- a selector expression (see Policy for sample syntax).
	1356	- \ Only traffic that originates from (terminates at) endpoints
	1357	- matching the selector will be matched. \n Note that: in
	1358	- addition to the negated version of the Selector (see NotSelector
	1359	- below), the selector expression syntax itself supports
	1360	- negation. The two types of negation are subtly different.
	1361	- One negates the set of matched endpoints, the other negates
	1362	- the whole match: \n \tSelector = \"!has(my_label)\" matches
	1363	- packets that are from other Calico-controlled \tendpoints
	1364	- that do not have the label \"my_label\". \n \tNotSelector
	1365	- = \"has(my_label)\" matches packets that are not from
	1366	- Calico-controlled \tendpoints that do have the label \"my_label\".
	1367	- \n The effect is that the latter will accept packets from
	1368	- non-Calico sources whereas the former is limited to packets
	1369	- from Calico-controlled endpoints."
	1370	- type: string
	1371	- serviceAccounts:
	1372	- description: ServiceAccounts is an optional field that restricts
	1373	- the rule to only apply to traffic that originates from
	1374	- (or terminates at) a pod running as a matching service
	1375	- account.
	1376	- properties:
	1377	- names:
	1378	- description: Names is an optional field that restricts
	1379	- the rule to only apply to traffic that originates
	1380	- from (or terminates at) a pod running as a service
	1381	- account whose name is in the list.
	1382	- items:
	1383	- type: string
	1384	- type: array
	1385	- selector:
	1386	- description: Selector is an optional field that restricts
	1387	- the rule to only apply to traffic that originates
	1388	- from (or terminates at) a pod running as a service
	1389	- account that matches the given label selector. If
	1390	- both Names and Selector are specified then they are
	1391	- AND'ed.
	1392	- type: string
	1393	- type: object
	1394	- services:
	1395	- description: "Services is an optional field that contains
	1396	- options for matching Kubernetes Services. If specified,
	1397	- only traffic that originates from or terminates at endpoints
	1398	- within the selected service(s) will be matched, and only
	1399	- to/from each endpoint's port. \n Services cannot be specified
	1400	- on the same rule as Selector, NotSelector, NamespaceSelector,
	1401	- Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n
	1402	- Only valid on egress rules."
	1403	- properties:
	1404	- name:
	1405	- description: Name specifies the name of a Kubernetes
	1406	- Service to match.
	1407	- type: string
	1408	- namespace:
	1409	- description: Namespace specifies the namespace of the
	1410	- given Service. If left empty, the rule will match
	1411	- within this policy's namespace.
	1412	- type: string
	1413	- type: object
	1414	- type: object
	1415	- required:
	1416	- - action
	1417	- type: object
	1418	- type: array
	1419	- ingress:
	1420	- description: The ordered set of ingress rules. Each rule contains
	1421	- a set of packet match criteria and a corresponding action to apply.
	1422	- items:
	1423	- description: "A Rule encapsulates a set of match criteria and an
	1424	- action. Both selector-based security Policy and security Profiles
	1425	- reference rules - separated out as a list of rules for both ingress
	1426	- and egress packet matching. \n Each positive match criteria has
	1427	- a negated version, prefixed with \"Not\". All the match criteria
	1428	- within a rule must be satisfied for a packet to match. A single
	1429	- rule can contain the positive and negative version of a match
	1430	- and both must be satisfied for the rule to match."
	1431	- properties:
	1432	- action:
	1433	- type: string
	1434	- destination:
	1435	- description: Destination contains the match criteria that apply
	1436	- to destination entity.
	1437	- properties:
	1438	- namespaceSelector:
	1439	- description: "NamespaceSelector is an optional field that
	1440	- contains a selector expression. Only traffic that originates
	1441	- from (or terminates at) endpoints within the selected
	1442	- namespaces will be matched. When both NamespaceSelector
	1443	- and another selector are defined on the same rule, then
	1444	- only workload endpoints that are matched by both selectors
	1445	- will be selected by the rule. \n For NetworkPolicy, an
	1446	- empty NamespaceSelector implies that the Selector is limited
	1447	- to selecting only workload endpoints in the same namespace
	1448	- as the NetworkPolicy. \n For NetworkPolicy, `global()`
	1449	- NamespaceSelector implies that the Selector is limited
	1450	- to selecting only GlobalNetworkSet or HostEndpoint. \n
	1451	- For GlobalNetworkPolicy, an empty NamespaceSelector implies
	1452	- the Selector applies to workload endpoints across all
	1453	- namespaces."
	1454	- type: string
	1455	- nets:
	1456	- description: Nets is an optional field that restricts the
	1457	- rule to only apply to traffic that originates from (or
	1458	- terminates at) IP addresses in any of the given subnets.
	1459	- items:
	1460	- type: string
	1461	- type: array
	1462	- notNets:
	1463	- description: NotNets is the negated version of the Nets
	1464	- field.
	1465	- items:
	1466	- type: string
	1467	- type: array
	1468	- notPorts:
	1469	- description: NotPorts is the negated version of the Ports
	1470	- field. Since only some protocols have ports, if any ports
	1471	- are specified it requires the Protocol match in the Rule
	1472	- to be set to "TCP" or "UDP".
	1473	- items:
	1474	- anyOf:
	1475	- - type: integer
	1476	- - type: string
	1477	- pattern: ^.*
	1478	- x-kubernetes-int-or-string: true
	1479	- type: array
	1480	- notSelector:
	1481	- description: NotSelector is the negated version of the Selector
	1482	- field. See Selector field for subtleties with negated
	1483	- selectors.
	1484	- type: string
	1485	- ports:
	1486	- description: "Ports is an optional field that restricts
	1487	- the rule to only apply to traffic that has a source (destination)
	1488	- port that matches one of these ranges/values. This value
	1489	- is a list of integers or strings that represent ranges
	1490	- of ports. \n Since only some protocols have ports, if
	1491	- any ports are specified it requires the Protocol match
	1492	- in the Rule to be set to \"TCP\" or \"UDP\"."
	1493	- items:
	1494	- anyOf:
	1495	- - type: integer
	1496	- - type: string
	1497	- pattern: ^.*
	1498	- x-kubernetes-int-or-string: true
	1499	- type: array
	1500	- selector:
	1501	- description: "Selector is an optional field that contains
	1502	- a selector expression (see Policy for sample syntax).
	1503	- \ Only traffic that originates from (terminates at) endpoints
	1504	- matching the selector will be matched. \n Note that: in
	1505	- addition to the negated version of the Selector (see NotSelector
	1506	- below), the selector expression syntax itself supports
	1507	- negation. The two types of negation are subtly different.
	1508	- One negates the set of matched endpoints, the other negates
	1509	- the whole match: \n \tSelector = \"!has(my_label)\" matches
	1510	- packets that are from other Calico-controlled \tendpoints
	1511	- that do not have the label \"my_label\". \n \tNotSelector
	1512	- = \"has(my_label)\" matches packets that are not from
	1513	- Calico-controlled \tendpoints that do have the label \"my_label\".
	1514	- \n The effect is that the latter will accept packets from
	1515	- non-Calico sources whereas the former is limited to packets
	1516	- from Calico-controlled endpoints."
	1517	- type: string
	1518	- serviceAccounts:
	1519	- description: ServiceAccounts is an optional field that restricts
	1520	- the rule to only apply to traffic that originates from
	1521	- (or terminates at) a pod running as a matching service
	1522	- account.
	1523	- properties:
	1524	- names:
	1525	- description: Names is an optional field that restricts
	1526	- the rule to only apply to traffic that originates
	1527	- from (or terminates at) a pod running as a service
	1528	- account whose name is in the list.
	1529	- items:
	1530	- type: string
	1531	- type: array
	1532	- selector:
	1533	- description: Selector is an optional field that restricts
	1534	- the rule to only apply to traffic that originates
	1535	- from (or terminates at) a pod running as a service
	1536	- account that matches the given label selector. If
	1537	- both Names and Selector are specified then they are
	1538	- AND'ed.
	1539	- type: string
	1540	- type: object
	1541	- services:
	1542	- description: "Services is an optional field that contains
	1543	- options for matching Kubernetes Services. If specified,
	1544	- only traffic that originates from or terminates at endpoints
	1545	- within the selected service(s) will be matched, and only
	1546	- to/from each endpoint's port. \n Services cannot be specified
	1547	- on the same rule as Selector, NotSelector, NamespaceSelector,
	1548	- Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n
	1549	- Only valid on egress rules."
	1550	- properties:
	1551	- name:
	1552	- description: Name specifies the name of a Kubernetes
	1553	- Service to match.
	1554	- type: string
	1555	- namespace:
	1556	- description: Namespace specifies the namespace of the
	1557	- given Service. If left empty, the rule will match
	1558	- within this policy's namespace.
	1559	- type: string
	1560	- type: object
	1561	- type: object
	1562	- http:
	1563	- description: HTTP contains match criteria that apply to HTTP
	1564	- requests.
	1565	- properties:
	1566	- methods:
	1567	- description: Methods is an optional field that restricts
	1568	- the rule to apply only to HTTP requests that use one of
	1569	- the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
	1570	- methods are OR'd together.
	1571	- items:
	1572	- type: string
	1573	- type: array
	1574	- paths:
	1575	- description: 'Paths is an optional field that restricts
	1576	- the rule to apply to HTTP requests that use one of the
	1577	- listed HTTP Paths. Multiple paths are OR''d together.
	1578	- e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
	1579	- ONLY specify either a `exact` or a `prefix` match. The
	1580	- validator will check for it.'
	1581	- items:
	1582	- description: 'HTTPPath specifies an HTTP path to match.
	1583	- It may be either of the form: exact: <path>: which matches
	1584	- the path exactly or prefix: <path-prefix>: which matches
	1585	- the path prefix'
	1586	- properties:
	1587	- exact:
	1588	- type: string
	1589	- prefix:
	1590	- type: string
	1591	- type: object
	1592	- type: array
	1593	- type: object
	1594	- icmp:
	1595	- description: ICMP is an optional field that restricts the rule
	1596	- to apply to a specific type and code of ICMP traffic. This
	1597	- should only be specified if the Protocol field is set to "ICMP"
	1598	- or "ICMPv6".
	1599	- properties:
	1600	- code:
	1601	- description: Match on a specific ICMP code. If specified,
	1602	- the Type value must also be specified. This is a technical
	1603	- limitation imposed by the kernel's iptables firewall,
	1604	- which Calico uses to enforce the rule.
	1605	- type: integer
	1606	- type:
	1607	- description: Match on a specific ICMP type. For example
	1608	- a value of 8 refers to ICMP Echo Request (i.e. pings).
	1609	- type: integer
	1610	- type: object
	1611	- ipVersion:
	1612	- description: IPVersion is an optional field that restricts the
	1613	- rule to only match a specific IP version.
	1614	- type: integer
	1615	- metadata:
	1616	- description: Metadata contains additional information for this
	1617	- rule
	1618	- properties:
	1619	- annotations:
	1620	- additionalProperties:
	1621	- type: string
	1622	- description: Annotations is a set of key value pairs that
	1623	- give extra information about the rule
	1624	- type: object
	1625	- type: object
	1626	- notICMP:
	1627	- description: NotICMP is the negated version of the ICMP field.
	1628	- properties:
	1629	- code:
	1630	- description: Match on a specific ICMP code. If specified,
	1631	- the Type value must also be specified. This is a technical
	1632	- limitation imposed by the kernel's iptables firewall,
	1633	- which Calico uses to enforce the rule.
	1634	- type: integer
	1635	- type:
	1636	- description: Match on a specific ICMP type. For example
	1637	- a value of 8 refers to ICMP Echo Request (i.e. pings).
	1638	- type: integer
	1639	- type: object
	1640	- notProtocol:
	1641	- anyOf:
	1642	- - type: integer
	1643	- - type: string
	1644	- description: NotProtocol is the negated version of the Protocol
	1645	- field.
	1646	- pattern: ^.*
	1647	- x-kubernetes-int-or-string: true
	1648	- protocol:
	1649	- anyOf:
	1650	- - type: integer
	1651	- - type: string
	1652	- description: "Protocol is an optional field that restricts the
	1653	- rule to only apply to traffic of a specific IP protocol. Required
	1654	- if any of the EntityRules contain Ports (because ports only
	1655	- apply to certain protocols). \n Must be one of these string
	1656	- values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
	1657	- \"UDPLite\" or an integer in the range 1-255."
	1658	- pattern: ^.*
	1659	- x-kubernetes-int-or-string: true
	1660	- source:
	1661	- description: Source contains the match criteria that apply to
	1662	- source entity.
	1663	- properties:
	1664	- namespaceSelector:
	1665	- description: "NamespaceSelector is an optional field that
	1666	- contains a selector expression. Only traffic that originates
	1667	- from (or terminates at) endpoints within the selected
	1668	- namespaces will be matched. When both NamespaceSelector
	1669	- and another selector are defined on the same rule, then
	1670	- only workload endpoints that are matched by both selectors
	1671	- will be selected by the rule. \n For NetworkPolicy, an
	1672	- empty NamespaceSelector implies that the Selector is limited
	1673	- to selecting only workload endpoints in the same namespace
	1674	- as the NetworkPolicy. \n For NetworkPolicy, `global()`
	1675	- NamespaceSelector implies that the Selector is limited
	1676	- to selecting only GlobalNetworkSet or HostEndpoint. \n
	1677	- For GlobalNetworkPolicy, an empty NamespaceSelector implies
	1678	- the Selector applies to workload endpoints across all
	1679	- namespaces."
	1680	- type: string
	1681	- nets:
	1682	- description: Nets is an optional field that restricts the
	1683	- rule to only apply to traffic that originates from (or
	1684	- terminates at) IP addresses in any of the given subnets.
	1685	- items:
	1686	- type: string
	1687	- type: array
	1688	- notNets:
	1689	- description: NotNets is the negated version of the Nets
	1690	- field.
	1691	- items:
	1692	- type: string
	1693	- type: array
	1694	- notPorts:
	1695	- description: NotPorts is the negated version of the Ports
	1696	- field. Since only some protocols have ports, if any ports
	1697	- are specified it requires the Protocol match in the Rule
	1698	- to be set to "TCP" or "UDP".
	1699	- items:
	1700	- anyOf:
	1701	- - type: integer
	1702	- - type: string
	1703	- pattern: ^.*
	1704	- x-kubernetes-int-or-string: true
	1705	- type: array
	1706	- notSelector:
	1707	- description: NotSelector is the negated version of the Selector
	1708	- field. See Selector field for subtleties with negated
	1709	- selectors.
	1710	- type: string
	1711	- ports:
	1712	- description: "Ports is an optional field that restricts
	1713	- the rule to only apply to traffic that has a source (destination)
	1714	- port that matches one of these ranges/values. This value
	1715	- is a list of integers or strings that represent ranges
	1716	- of ports. \n Since only some protocols have ports, if
	1717	- any ports are specified it requires the Protocol match
	1718	- in the Rule to be set to \"TCP\" or \"UDP\"."
	1719	- items:
	1720	- anyOf:
	1721	- - type: integer
	1722	- - type: string
	1723	- pattern: ^.*
	1724	- x-kubernetes-int-or-string: true
	1725	- type: array
	1726	- selector:
	1727	- description: "Selector is an optional field that contains
	1728	- a selector expression (see Policy for sample syntax).
	1729	- \ Only traffic that originates from (terminates at) endpoints
	1730	- matching the selector will be matched. \n Note that: in
	1731	- addition to the negated version of the Selector (see NotSelector
	1732	- below), the selector expression syntax itself supports
	1733	- negation. The two types of negation are subtly different.
	1734	- One negates the set of matched endpoints, the other negates
	1735	- the whole match: \n \tSelector = \"!has(my_label)\" matches
	1736	- packets that are from other Calico-controlled \tendpoints
	1737	- that do not have the label \"my_label\". \n \tNotSelector
	1738	- = \"has(my_label)\" matches packets that are not from
	1739	- Calico-controlled \tendpoints that do have the label \"my_label\".
	1740	- \n The effect is that the latter will accept packets from
	1741	- non-Calico sources whereas the former is limited to packets
	1742	- from Calico-controlled endpoints."
	1743	- type: string
	1744	- serviceAccounts:
	1745	- description: ServiceAccounts is an optional field that restricts
	1746	- the rule to only apply to traffic that originates from
	1747	- (or terminates at) a pod running as a matching service
	1748	- account.
	1749	- properties:
	1750	- names:
	1751	- description: Names is an optional field that restricts
	1752	- the rule to only apply to traffic that originates
	1753	- from (or terminates at) a pod running as a service
	1754	- account whose name is in the list.
	1755	- items:
	1756	- type: string
	1757	- type: array
	1758	- selector:
	1759	- description: Selector is an optional field that restricts
	1760	- the rule to only apply to traffic that originates
	1761	- from (or terminates at) a pod running as a service
	1762	- account that matches the given label selector. If
	1763	- both Names and Selector are specified then they are
	1764	- AND'ed.
	1765	- type: string
	1766	- type: object
	1767	- services:
	1768	- description: "Services is an optional field that contains
	1769	- options for matching Kubernetes Services. If specified,
	1770	- only traffic that originates from or terminates at endpoints
	1771	- within the selected service(s) will be matched, and only
	1772	- to/from each endpoint's port. \n Services cannot be specified
	1773	- on the same rule as Selector, NotSelector, NamespaceSelector,
	1774	- Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n
	1775	- Only valid on egress rules."
	1776	- properties:
	1777	- name:
	1778	- description: Name specifies the name of a Kubernetes
	1779	- Service to match.
	1780	- type: string
	1781	- namespace:
	1782	- description: Namespace specifies the namespace of the
	1783	- given Service. If left empty, the rule will match
	1784	- within this policy's namespace.
	1785	- type: string
	1786	- type: object
	1787	- type: object
	1788	- required:
	1789	- - action
	1790	- type: object
	1791	- type: array
	1792	- namespaceSelector:
	1793	- description: NamespaceSelector is an optional field for an expression
	1794	- used to select a pod based on namespaces.
	1795	- type: string
	1796	- order:
	1797	- description: Order is an optional field that specifies the order in
	1798	- which the policy is applied. Policies with higher "order" are applied
	1799	- after those with lower order. If the order is omitted, it may be
	1800	- considered to be "infinite" - i.e. the policy will be applied last. Policies
	1801	- with identical order will be applied in alphanumerical order based
	1802	- on the Policy "Name".
	1803	- type: number
	1804	- preDNAT:
	1805	- description: PreDNAT indicates to apply the rules in this policy before
	1806	- any DNAT.
	1807	- type: boolean
	1808	- selector:
	1809	- description: "The selector is an expression used to pick pick out
	1810	- the endpoints that the policy should be applied to. \n Selector
	1811	- expressions follow this syntax: \n \tlabel == \"string_literal\"
	1812	- \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
	1813	- \ -> not equal; also matches if label is not present \tlabel in
	1814	- { \"a\", \"b\", \"c\", ... } -> true if the value of label X is
	1815	- one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
	1816	- ... } -> true if the value of label X is not one of \"a\", \"b\",
	1817	- \"c\" \thas(label_name) -> True if that label is present \t! expr
	1818	- -> negation of expr \texpr && expr -> Short-circuit and \texpr
	1819	- \|\| expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
	1820	- or the empty selector -> matches all endpoints. \n Label names are
	1821	- allowed to contain alphanumerics, -, _ and /. String literals are
	1822	- more permissive but they do not support escape characters. \n Examples
	1823	- (with made-up labels): \n \ttype == \"webserver\" && deployment
	1824	- == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=
	1825	- \"dev\" \t! has(label_name)"
	1826	- type: string
	1827	- serviceAccountSelector:
	1828	- description: ServiceAccountSelector is an optional field for an expression
	1829	- used to select a pod based on service accounts.
	1830	- type: string
	1831	- types:
	1832	- description: "Types indicates whether this policy applies to ingress,
	1833	- or to egress, or to both. When not explicitly specified (and so
	1834	- the value on creation is empty or nil), Calico defaults Types according
	1835	- to what Ingress and Egress rules are present in the policy. The
	1836	- default is: \n - [ PolicyTypeIngress ], if there are no Egress rules
	1837	- (including the case where there are also no Ingress rules) \n
	1838	- - [ PolicyTypeEgress ], if there are Egress rules but no Ingress
	1839	- rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are
	1840	- both Ingress and Egress rules. \n When the policy is read back again,
	1841	- Types will always be one of these values, never empty or nil."
	1842	- items:
	1843	- description: PolicyType enumerates the possible values of the PolicySpec
	1844	- Types field.
	1845	- type: string
	1846	- type: array
	1847	- type: object
	1848	- type: object
	1849	- served: true
	1850	- storage: true
	1851	-status:
	1852	- acceptedNames:
	1853	- kind: ""
	1854	- plural: ""
	1855	- conditions: []
	1856	- storedVersions: []
	1857	-
	1858	----
	1859	-apiVersion: apiextensions.k8s.io/v1
	1860	-kind: CustomResourceDefinition
	1861	-metadata:
	1862	- name: globalnetworksets.crd.projectcalico.org
	1863	-spec:
	1864	- group: crd.projectcalico.org
	1865	- names:
	1866	- kind: GlobalNetworkSet
	1867	- listKind: GlobalNetworkSetList
	1868	- plural: globalnetworksets
	1869	- singular: globalnetworkset
	1870	- scope: Cluster
	1871	- versions:
	1872	- - name: v1
	1873	- schema:
	1874	- openAPIV3Schema:
	1875	- description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs
	1876	- that share labels to allow rules to refer to them via selectors. The labels
	1877	- of GlobalNetworkSet are not namespaced.
	1878	- properties:
	1879	- apiVersion:
	1880	- description: 'APIVersion defines the versioned schema of this representation
	1881	- of an object. Servers should convert recognized schemas to the latest
	1882	- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
	1883	- type: string
	1884	- kind:
	1885	- description: 'Kind is a string value representing the REST resource this
	1886	- object represents. Servers may infer this from the endpoint the client
	1887	- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
	1888	- type: string
	1889	- metadata:
	1890	- type: object
	1891	- spec:
	1892	- description: GlobalNetworkSetSpec contains the specification for a NetworkSet
	1893	- resource.
	1894	- properties:
	1895	- nets:
	1896	- description: The list of IP networks that belong to this set.
	1897	- items:
	1898	- type: string
	1899	- type: array
	1900	- type: object
	1901	- type: object
	1902	- served: true
	1903	- storage: true
	1904	-status:
	1905	- acceptedNames:
	1906	- kind: ""
	1907	- plural: ""
	1908	- conditions: []
	1909	- storedVersions: []
	1910	-
	1911	----
	1912	-apiVersion: apiextensions.k8s.io/v1
	1913	-kind: CustomResourceDefinition
	1914	-metadata:
	1915	- name: hostendpoints.crd.projectcalico.org
	1916	-spec:
	1917	- group: crd.projectcalico.org
	1918	- names:
	1919	- kind: HostEndpoint
	1920	- listKind: HostEndpointList
	1921	- plural: hostendpoints
	1922	- singular: hostendpoint
	1923	- scope: Cluster
	1924	- versions:
	1925	- - name: v1
	1926	- schema:
	1927	- openAPIV3Schema:
	1928	- properties:
	1929	- apiVersion:
	1930	- description: 'APIVersion defines the versioned schema of this representation
	1931	- of an object. Servers should convert recognized schemas to the latest
	1932	- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
	1933	- type: string
	1934	- kind:
	1935	- description: 'Kind is a string value representing the REST resource this
	1936	- object represents. Servers may infer this from the endpoint the client
	1937	- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
	1938	- type: string
	1939	- metadata:
	1940	- type: object
	1941	- spec:
	1942	- description: HostEndpointSpec contains the specification for a HostEndpoint
	1943	- resource.
	1944	- properties:
	1945	- expectedIPs:
	1946	- description: "The expected IP addresses (IPv4 and IPv6) of the endpoint.
	1947	- If \"InterfaceName\" is not present, Calico will look for an interface
	1948	- matching any of the IPs in the list and apply policy to that. Note:
	1949	- \tWhen using the selector match criteria in an ingress or egress
	1950	- security Policy \tor Profile, Calico converts the selector into
	1951	- a set of IP addresses. For host \tendpoints, the ExpectedIPs field
	1952	- is used for that purpose. (If only the interface \tname is specified,
	1953	- Calico does not learn the IPs of the interface for use in match
	1954	- \tcriteria.)"
	1955	- items:
	1956	- type: string
	1957	- type: array
	1958	- interfaceName:
	1959	- description: "Either \"*\", or the name of a specific Linux interface
	1960	- to apply policy to; or empty. \"*\" indicates that this HostEndpoint
	1961	- governs all traffic to, from or through the default network namespace
	1962	- of the host named by the \"Node\" field; entering and leaving that
	1963	- namespace via any interface, including those from/to non-host-networked
	1964	- local workloads. \n If InterfaceName is not \"*\", this HostEndpoint
	1965	- only governs traffic that enters or leaves the host through the
	1966	- specific interface named by InterfaceName, or - when InterfaceName
	1967	- is empty - through the specific interface that has one of the IPs
	1968	- in ExpectedIPs. Therefore, when InterfaceName is empty, at least
	1969	- one expected IP must be specified. Only external interfaces (such
	1970	- as \"eth0\") are supported here; it isn't possible for a HostEndpoint
	1971	- to protect traffic through a specific local workload interface.
	1972	- \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints;
	1973	- initially just pre-DNAT policy. Please check Calico documentation
	1974	- for the latest position."
	1975	- type: string
	1976	- node:
	1977	- description: The node name identifying the Calico node instance.
	1978	- type: string
	1979	- ports:
	1980	- description: Ports contains the endpoint's named ports, which may
	1981	- be referenced in security policy rules.
	1982	- items:
	1983	- properties:
	1984	- name:
	1985	- type: string
	1986	- port:
	1987	- type: integer
	1988	- protocol:
	1989	- anyOf:
	1990	- - type: integer
	1991	- - type: string
	1992	- pattern: ^.*
	1993	- x-kubernetes-int-or-string: true
	1994	- required:
	1995	- - name
	1996	- - port
	1997	- - protocol
	1998	- type: object
	1999	- type: array
	2000	- profiles:
	2001	- description: A list of identifiers of security Profile objects that
	2002	- apply to this endpoint. Each profile is applied in the order that
	2003	- they appear in this list. Profile rules are applied after the selector-based
	2004	- security policy.
	2005	- items:
	2006	- type: string
	2007	- type: array
	2008	- type: object
	2009	- type: object
	2010	- served: true
	2011	- storage: true
	2012	-status:
	2013	- acceptedNames:
	2014	- kind: ""
	2015	- plural: ""
	2016	- conditions: []
	2017	- storedVersions: []
	2018	-
	2019	----
	2020	-apiVersion: apiextensions.k8s.io/v1
	2021	-kind: CustomResourceDefinition
	2022	-metadata:
	2023	- name: ipamblocks.crd.projectcalico.org
	2024	-spec:
	2025	- group: crd.projectcalico.org
	2026	- names:
	2027	- kind: IPAMBlock
	2028	- listKind: IPAMBlockList
	2029	- plural: ipamblocks
	2030	- singular: ipamblock
	2031	- scope: Cluster
	2032	- versions:
	2033	- - name: v1
	2034	- schema:
	2035	- openAPIV3Schema:
	2036	- properties:
	2037	- apiVersion:
	2038	- description: 'APIVersion defines the versioned schema of this representation
	2039	- of an object. Servers should convert recognized schemas to the latest
	2040	- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
	2041	- type: string
	2042	- kind:
	2043	- description: 'Kind is a string value representing the REST resource this
	2044	- object represents. Servers may infer this from the endpoint the client
	2045	- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
	2046	- type: string
	2047	- metadata:
	2048	- type: object
	2049	- spec:
	2050	- description: IPAMBlockSpec contains the specification for an IPAMBlock
	2051	- resource.
	2052	- properties:
	2053	- affinity:
	2054	- type: string
	2055	- allocations:
	2056	- items:
	2057	- type: integer
	2058	- # TODO: This nullable is manually added in. We should update controller-gen
	2059	- # to handle []*int properly itself.
	2060	- nullable: true
	2061	- type: array
	2062	- attributes:
	2063	- items:
	2064	- properties:
	2065	- handle_id:
	2066	- type: string
	2067	- secondary:
	2068	- additionalProperties:
	2069	- type: string
	2070	- type: object
	2071	- type: object
	2072	- type: array
	2073	- cidr:
	2074	- type: string
	2075	- deleted:
	2076	- type: boolean
	2077	- strictAffinity:
	2078	- type: boolean
	2079	- unallocated:
	2080	- items:
	2081	- type: integer
	2082	- type: array
	2083	- required:
	2084	- - allocations
	2085	- - attributes
	2086	- - cidr
	2087	- - strictAffinity
	2088	- - unallocated
	2089	- type: object
	2090	- type: object
	2091	- served: true
	2092	- storage: true
	2093	-status:
	2094	- acceptedNames:
	2095	- kind: ""
	2096	- plural: ""
	2097	- conditions: []
	2098	- storedVersions: []
	2099	-
	2100	----
	2101	-apiVersion: apiextensions.k8s.io/v1
	2102	-kind: CustomResourceDefinition
	2103	-metadata:
	2104	- name: ipamconfigs.crd.projectcalico.org
	2105	-spec:
	2106	- group: crd.projectcalico.org
	2107	- names:
	2108	- kind: IPAMConfig
	2109	- listKind: IPAMConfigList
	2110	- plural: ipamconfigs
	2111	- singular: ipamconfig
	2112	- scope: Cluster
	2113	- versions:
	2114	- - name: v1
	2115	- schema:
	2116	- openAPIV3Schema:
	2117	- properties:
	2118	- apiVersion:
	2119	- description: 'APIVersion defines the versioned schema of this representation
	2120	- of an object. Servers should convert recognized schemas to the latest
	2121	- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
	2122	- type: string
	2123	- kind:
	2124	- description: 'Kind is a string value representing the REST resource this
	2125	- object represents. Servers may infer this from the endpoint the client
	2126	- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
	2127	- type: string
	2128	- metadata:
	2129	- type: object
	2130	- spec:
	2131	- description: IPAMConfigSpec contains the specification for an IPAMConfig
	2132	- resource.
	2133	- properties:
	2134	- autoAllocateBlocks:
	2135	- type: boolean
	2136	- maxBlocksPerHost:
	2137	- description: MaxBlocksPerHost, if non-zero, is the max number of blocks
	2138	- that can be affine to each host.
	2139	- type: integer
	2140	- strictAffinity:
	2141	- type: boolean
	2142	- required:
	2143	- - autoAllocateBlocks
	2144	- - strictAffinity
	2145	- type: object
	2146	- type: object
	2147	- served: true
	2148	- storage: true
	2149	-status:
	2150	- acceptedNames:
	2151	- kind: ""
	2152	- plural: ""
	2153	- conditions: []
	2154	- storedVersions: []
	2155	-
	2156	----
	2157	-apiVersion: apiextensions.k8s.io/v1
	2158	-kind: CustomResourceDefinition
	2159	-metadata:
	2160	- name: ipamhandles.crd.projectcalico.org
	2161	-spec:
	2162	- group: crd.projectcalico.org
	2163	- names:
	2164	- kind: IPAMHandle
	2165	- listKind: IPAMHandleList
	2166	- plural: ipamhandles
	2167	- singular: ipamhandle
	2168	- scope: Cluster
	2169	- versions:
	2170	- - name: v1
	2171	- schema:
	2172	- openAPIV3Schema:
	2173	- properties:
	2174	- apiVersion:
	2175	- description: 'APIVersion defines the versioned schema of this representation
	2176	- of an object. Servers should convert recognized schemas to the latest
	2177	- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
	2178	- type: string
	2179	- kind:
	2180	- description: 'Kind is a string value representing the REST resource this
	2181	- object represents. Servers may infer this from the endpoint the client
	2182	- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
	2183	- type: string
	2184	- metadata:
	2185	- type: object
	2186	- spec:
	2187	- description: IPAMHandleSpec contains the specification for an IPAMHandle
	2188	- resource.
	2189	- properties:
	2190	- block:
	2191	- additionalProperties:
	2192	- type: integer
	2193	- type: object
	2194	- deleted:
	2195	- type: boolean
	2196	- handleID:
	2197	- type: string
	2198	- required:
	2199	- - block
	2200	- - handleID
	2201	- type: object
	2202	- type: object
	2203	- served: true
	2204	- storage: true
	2205	-status:
	2206	- acceptedNames:
	2207	- kind: ""
	2208	- plural: ""
	2209	- conditions: []
	2210	- storedVersions: []
	2211	-
	2212	----
	2213	-apiVersion: apiextensions.k8s.io/v1
	2214	-kind: CustomResourceDefinition
	2215	-metadata:
	2216	- name: ippools.crd.projectcalico.org
	2217	-spec:
	2218	- group: crd.projectcalico.org
	2219	- names:
	2220	- kind: IPPool
	2221	- listKind: IPPoolList
	2222	- plural: ippools
	2223	- singular: ippool
	2224	- scope: Cluster
	2225	- versions:
	2226	- - name: v1
	2227	- schema:
	2228	- openAPIV3Schema:
	2229	- properties:
	2230	- apiVersion:
	2231	- description: 'APIVersion defines the versioned schema of this representation
	2232	- of an object. Servers should convert recognized schemas to the latest
	2233	- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
	2234	- type: string
	2235	- kind:
	2236	- description: 'Kind is a string value representing the REST resource this
	2237	- object represents. Servers may infer this from the endpoint the client
	2238	- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
	2239	- type: string
	2240	- metadata:
	2241	- type: object
	2242	- spec:
	2243	- description: IPPoolSpec contains the specification for an IPPool resource.
	2244	- properties:
	2245	- blockSize:
	2246	- description: The block size to use for IP address assignments from
	2247	- this pool. Defaults to 26 for IPv4 and 112 for IPv6.
	2248	- type: integer
	2249	- cidr:
	2250	- description: The pool CIDR.
	2251	- type: string
	2252	- disabled:
	2253	- description: When disabled is true, Calico IPAM will not assign addresses
	2254	- from this pool.
	2255	- type: boolean
	2256	- ipip:
	2257	- description: 'Deprecated: this field is only used for APIv1 backwards
	2258	- compatibility. Setting this field is not allowed, this field is
	2259	- for internal use only.'
	2260	- properties:
	2261	- enabled:
	2262	- description: When enabled is true, ipip tunneling will be used
	2263	- to deliver packets to destinations within this pool.
	2264	- type: boolean
	2265	- mode:
	2266	- description: The IPIP mode. This can be one of "always" or "cross-subnet". A
	2267	- mode of "always" will also use IPIP tunneling for routing to
	2268	- destination IP addresses within this pool. A mode of "cross-subnet"
	2269	- will only use IPIP tunneling when the destination node is on
	2270	- a different subnet to the originating node. The default value
	2271	- (if not specified) is "always".
	2272	- type: string
	2273	- type: object
	2274	- ipipMode:
	2275	- description: Contains configuration for IPIP tunneling for this pool.
	2276	- If not specified, then this is defaulted to "Never" (i.e. IPIP tunneling
	2277	- is disabled).
	2278	- type: string
	2279	- nat-outgoing:
	2280	- description: 'Deprecated: this field is only used for APIv1 backwards
	2281	- compatibility. Setting this field is not allowed, this field is
	2282	- for internal use only.'
	2283	- type: boolean
	2284	- natOutgoing:
	2285	- description: When nat-outgoing is true, packets sent from Calico networked
	2286	- containers in this pool to destinations outside of this pool will
	2287	- be masqueraded.
	2288	- type: boolean
	2289	- nodeSelector:
	2290	- description: Allows IPPool to allocate for a specific node by label
	2291	- selector.
	2292	- type: string
	2293	- vxlanMode:
	2294	- description: Contains configuration for VXLAN tunneling for this pool.
	2295	- If not specified, then this is defaulted to "Never" (i.e. VXLAN
	2296	- tunneling is disabled).
	2297	- type: string
	2298	- required:
	2299	- - cidr
	2300	- type: object
	2301	- type: object
	2302	- served: true
	2303	- storage: true
	2304	-status:
	2305	- acceptedNames:
	2306	- kind: ""
	2307	- plural: ""
	2308	- conditions: []
	2309	- storedVersions: []
	2310	-
	2311	----
	2312	-apiVersion: apiextensions.k8s.io/v1
	2313	-kind: CustomResourceDefinition
	2314	-metadata:
	2315	- name: kubecontrollersconfigurations.crd.projectcalico.org
	2316	-spec:
	2317	- group: crd.projectcalico.org
	2318	- names:
	2319	- kind: KubeControllersConfiguration
	2320	- listKind: KubeControllersConfigurationList
	2321	- plural: kubecontrollersconfigurations
	2322	- singular: kubecontrollersconfiguration
	2323	- scope: Cluster
	2324	- versions:
	2325	- - name: v1
	2326	- schema:
	2327	- openAPIV3Schema:
	2328	- properties:
	2329	- apiVersion:
	2330	- description: 'APIVersion defines the versioned schema of this representation
	2331	- of an object. Servers should convert recognized schemas to the latest
	2332	- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
	2333	- type: string
	2334	- kind:
	2335	- description: 'Kind is a string value representing the REST resource this
	2336	- object represents. Servers may infer this from the endpoint the client
	2337	- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
	2338	- type: string
	2339	- metadata:
	2340	- type: object
	2341	- spec:
	2342	- description: KubeControllersConfigurationSpec contains the values of the
	2343	- Kubernetes controllers configuration.
	2344	- properties:
	2345	- controllers:
	2346	- description: Controllers enables and configures individual Kubernetes
	2347	- controllers
	2348	- properties:
	2349	- namespace:
	2350	- description: Namespace enables and configures the namespace controller.
	2351	- Enabled by default, set to nil to disable.
	2352	- properties:
	2353	- reconcilerPeriod:
	2354	- description: 'ReconcilerPeriod is the period to perform reconciliation
	2355	- with the Calico datastore. [Default: 5m]'
	2356	- type: string
	2357	- type: object
	2358	- node:
	2359	- description: Node enables and configures the node controller.
	2360	- Enabled by default, set to nil to disable.
	2361	- properties:
	2362	- hostEndpoint:
	2363	- description: HostEndpoint controls syncing nodes to host endpoints.
	2364	- Disabled by default, set to nil to disable.
	2365	- properties:
	2366	- autoCreate:
	2367	- description: 'AutoCreate enables automatic creation of
	2368	- host endpoints for every node. [Default: Disabled]'
	2369	- type: string
	2370	- type: object
	2371	- leakGracePeriod:
	2372	- description: 'LeakGracePeriod is the period used by the controller
	2373	- to determine if an IP address has been leaked. Set to 0
	2374	- to disable IP garbage collection. [Default: 15m]'
	2375	- type: string
	2376	- reconcilerPeriod:
	2377	- description: 'ReconcilerPeriod is the period to perform reconciliation
	2378	- with the Calico datastore. [Default: 5m]'
	2379	- type: string
	2380	- syncLabels:
	2381	- description: 'SyncLabels controls whether to copy Kubernetes
	2382	- node labels to Calico nodes. [Default: Enabled]'
	2383	- type: string
	2384	- type: object
	2385	- policy:
	2386	- description: Policy enables and configures the policy controller.
	2387	- Enabled by default, set to nil to disable.
	2388	- properties:
	2389	- reconcilerPeriod:
	2390	- description: 'ReconcilerPeriod is the period to perform reconciliation
	2391	- with the Calico datastore. [Default: 5m]'
	2392	- type: string
	2393	- type: object
	2394	- serviceAccount:
	2395	- description: ServiceAccount enables and configures the service
	2396	- account controller. Enabled by default, set to nil to disable.
	2397	- properties:
	2398	- reconcilerPeriod:
	2399	- description: 'ReconcilerPeriod is the period to perform reconciliation
	2400	- with the Calico datastore. [Default: 5m]'
	2401	- type: string
	2402	- type: object
	2403	- workloadEndpoint:
	2404	- description: WorkloadEndpoint enables and configures the workload
	2405	- endpoint controller. Enabled by default, set to nil to disable.
	2406	- properties:
	2407	- reconcilerPeriod:
	2408	- description: 'ReconcilerPeriod is the period to perform reconciliation
	2409	- with the Calico datastore. [Default: 5m]'
	2410	- type: string
	2411	- type: object
	2412	- type: object
	2413	- etcdV3CompactionPeriod:
	2414	- description: 'EtcdV3CompactionPeriod is the period between etcdv3
	2415	- compaction requests. Set to 0 to disable. [Default: 10m]'
	2416	- type: string
	2417	- healthChecks:
	2418	- description: 'HealthChecks enables or disables support for health
	2419	- checks [Default: Enabled]'
	2420	- type: string
	2421	- logSeverityScreen:
	2422	- description: 'LogSeverityScreen is the log severity above which logs
	2423	- are sent to the stdout. [Default: Info]'
	2424	- type: string
	2425	- prometheusMetricsPort:
	2426	- description: 'PrometheusMetricsPort is the TCP port that the Prometheus
	2427	- metrics server should bind to. Set to 0 to disable. [Default: 9094]'
	2428	- type: integer
	2429	- required:
	2430	- - controllers
	2431	- type: object
	2432	- status:
	2433	- description: KubeControllersConfigurationStatus represents the status
	2434	- of the configuration. It's useful for admins to be able to see the actual
	2435	- config that was applied, which can be modified by environment variables
	2436	- on the kube-controllers process.
	2437	- properties:
	2438	- environmentVars:
	2439	- additionalProperties:
	2440	- type: string
	2441	- description: EnvironmentVars contains the environment variables on
	2442	- the kube-controllers that influenced the RunningConfig.
	2443	- type: object
	2444	- runningConfig:
	2445	- description: RunningConfig contains the effective config that is running
	2446	- in the kube-controllers pod, after merging the API resource with
	2447	- any environment variables.
	2448	- properties:
	2449	- controllers:
	2450	- description: Controllers enables and configures individual Kubernetes
	2451	- controllers
	2452	- properties:
	2453	- namespace:
	2454	- description: Namespace enables and configures the namespace
	2455	- controller. Enabled by default, set to nil to disable.
	2456	- properties:
	2457	- reconcilerPeriod:
	2458	- description: 'ReconcilerPeriod is the period to perform
	2459	- reconciliation with the Calico datastore. [Default:
	2460	- 5m]'
	2461	- type: string
	2462	- type: object
	2463	- node:
	2464	- description: Node enables and configures the node controller.
	2465	- Enabled by default, set to nil to disable.
	2466	- properties:
	2467	- hostEndpoint:
	2468	- description: HostEndpoint controls syncing nodes to host
	2469	- endpoints. Disabled by default, set to nil to disable.
	2470	- properties:
	2471	- autoCreate:
	2472	- description: 'AutoCreate enables automatic creation
	2473	- of host endpoints for every node. [Default: Disabled]'
	2474	- type: string
	2475	- type: object
	2476	- leakGracePeriod:
	2477	- description: 'LeakGracePeriod is the period used by the
	2478	- controller to determine if an IP address has been leaked.
	2479	- Set to 0 to disable IP garbage collection. [Default:
	2480	- 15m]'
	2481	- type: string
	2482	- reconcilerPeriod:
	2483	- description: 'ReconcilerPeriod is the period to perform
	2484	- reconciliation with the Calico datastore. [Default:
	2485	- 5m]'
	2486	- type: string
	2487	- syncLabels:
	2488	- description: 'SyncLabels controls whether to copy Kubernetes
	2489	- node labels to Calico nodes. [Default: Enabled]'
	2490	- type: string
	2491	- type: object
	2492	- policy:
	2493	- description: Policy enables and configures the policy controller.
	2494	- Enabled by default, set to nil to disable.
	2495	- properties:
	2496	- reconcilerPeriod:
	2497	- description: 'ReconcilerPeriod is the period to perform
	2498	- reconciliation with the Calico datastore. [Default:
	2499	- 5m]'
	2500	- type: string
	2501	- type: object
	2502	- serviceAccount:
	2503	- description: ServiceAccount enables and configures the service
	2504	- account controller. Enabled by default, set to nil to disable.
	2505	- properties:
	2506	- reconcilerPeriod:
	2507	- description: 'ReconcilerPeriod is the period to perform
	2508	- reconciliation with the Calico datastore. [Default:
	2509	- 5m]'
	2510	- type: string
	2511	- type: object
	2512	- workloadEndpoint:
	2513	- description: WorkloadEndpoint enables and configures the workload
	2514	- endpoint controller. Enabled by default, set to nil to disable.
	2515	- properties:
	2516	- reconcilerPeriod:
	2517	- description: 'ReconcilerPeriod is the period to perform
	2518	- reconciliation with the Calico datastore. [Default:
	2519	- 5m]'
	2520	- type: string
	2521	- type: object
	2522	- type: object
	2523	- etcdV3CompactionPeriod:
	2524	- description: 'EtcdV3CompactionPeriod is the period between etcdv3
	2525	- compaction requests. Set to 0 to disable. [Default: 10m]'
	2526	- type: string
	2527	- healthChecks:
	2528	- description: 'HealthChecks enables or disables support for health
	2529	- checks [Default: Enabled]'
	2530	- type: string
	2531	- logSeverityScreen:
	2532	- description: 'LogSeverityScreen is the log severity above which
	2533	- logs are sent to the stdout. [Default: Info]'
	2534	- type: string
	2535	- prometheusMetricsPort:
	2536	- description: 'PrometheusMetricsPort is the TCP port that the Prometheus
	2537	- metrics server should bind to. Set to 0 to disable. [Default:
	2538	- 9094]'
	2539	- type: integer
	2540	- required:
	2541	- - controllers
	2542	- type: object
	2543	- type: object
	2544	- type: object
	2545	- served: true
	2546	- storage: true
	2547	-status:
	2548	- acceptedNames:
	2549	- kind: ""
	2550	- plural: ""
	2551	- conditions: []
	2552	- storedVersions: []
	2553	-
	2554	----
	2555	-apiVersion: apiextensions.k8s.io/v1
	2556	-kind: CustomResourceDefinition
	2557	-metadata:
	2558	- name: networkpolicies.crd.projectcalico.org
	2559	-spec:
	2560	- group: crd.projectcalico.org
	2561	- names:
	2562	- kind: NetworkPolicy
	2563	- listKind: NetworkPolicyList
	2564	- plural: networkpolicies
	2565	- singular: networkpolicy
	2566	- scope: Namespaced
	2567	- versions:
	2568	- - name: v1
	2569	- schema:
	2570	- openAPIV3Schema:
	2571	- properties:
	2572	- apiVersion:
	2573	- description: 'APIVersion defines the versioned schema of this representation
	2574	- of an object. Servers should convert recognized schemas to the latest
	2575	- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
	2576	- type: string
	2577	- kind:
	2578	- description: 'Kind is a string value representing the REST resource this
	2579	- object represents. Servers may infer this from the endpoint the client
	2580	- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
	2581	- type: string
	2582	- metadata:
	2583	- type: object
	2584	- spec:
	2585	- properties:
	2586	- egress:
	2587	- description: The ordered set of egress rules. Each rule contains
	2588	- a set of packet match criteria and a corresponding action to apply.
	2589	- items:
	2590	- description: "A Rule encapsulates a set of match criteria and an
	2591	- action. Both selector-based security Policy and security Profiles
	2592	- reference rules - separated out as a list of rules for both ingress
	2593	- and egress packet matching. \n Each positive match criteria has
	2594	- a negated version, prefixed with \"Not\". All the match criteria
	2595	- within a rule must be satisfied for a packet to match. A single
	2596	- rule can contain the positive and negative version of a match
	2597	- and both must be satisfied for the rule to match."
	2598	- properties:
	2599	- action:
	2600	- type: string
	2601	- destination:
	2602	- description: Destination contains the match criteria that apply
	2603	- to destination entity.
	2604	- properties:
	2605	- namespaceSelector:
	2606	- description: "NamespaceSelector is an optional field that
	2607	- contains a selector expression. Only traffic that originates
	2608	- from (or terminates at) endpoints within the selected
	2609	- namespaces will be matched. When both NamespaceSelector
	2610	- and another selector are defined on the same rule, then
	2611	- only workload endpoints that are matched by both selectors
	2612	- will be selected by the rule. \n For NetworkPolicy, an
	2613	- empty NamespaceSelector implies that the Selector is limited
	2614	- to selecting only workload endpoints in the same namespace
	2615	- as the NetworkPolicy. \n For NetworkPolicy, `global()`
	2616	- NamespaceSelector implies that the Selector is limited
	2617	- to selecting only GlobalNetworkSet or HostEndpoint. \n
	2618	- For GlobalNetworkPolicy, an empty NamespaceSelector implies
	2619	- the Selector applies to workload endpoints across all
	2620	- namespaces."
	2621	- type: string
	2622	- nets:
	2623	- description: Nets is an optional field that restricts the
	2624	- rule to only apply to traffic that originates from (or
	2625	- terminates at) IP addresses in any of the given subnets.
	2626	- items:
	2627	- type: string
	2628	- type: array
	2629	- notNets:
	2630	- description: NotNets is the negated version of the Nets
	2631	- field.
	2632	- items:
	2633	- type: string
	2634	- type: array
	2635	- notPorts:
	2636	- description: NotPorts is the negated version of the Ports
	2637	- field. Since only some protocols have ports, if any ports
	2638	- are specified it requires the Protocol match in the Rule
	2639	- to be set to "TCP" or "UDP".
	2640	- items:
	2641	- anyOf:
	2642	- - type: integer
	2643	- - type: string
	2644	- pattern: ^.*
	2645	- x-kubernetes-int-or-string: true
	2646	- type: array
	2647	- notSelector:
	2648	- description: NotSelector is the negated version of the Selector
	2649	- field. See Selector field for subtleties with negated
	2650	- selectors.
	2651	- type: string
	2652	- ports:
	2653	- description: "Ports is an optional field that restricts
	2654	- the rule to only apply to traffic that has a source (destination)
	2655	- port that matches one of these ranges/values. This value
	2656	- is a list of integers or strings that represent ranges
	2657	- of ports. \n Since only some protocols have ports, if
	2658	- any ports are specified it requires the Protocol match
	2659	- in the Rule to be set to \"TCP\" or \"UDP\"."
	2660	- items:
	2661	- anyOf:
	2662	- - type: integer
	2663	- - type: string
	2664	- pattern: ^.*
	2665	- x-kubernetes-int-or-string: true
	2666	- type: array
	2667	- selector:
	2668	- description: "Selector is an optional field that contains
	2669	- a selector expression (see Policy for sample syntax).
	2670	- \ Only traffic that originates from (terminates at) endpoints
	2671	- matching the selector will be matched. \n Note that: in
	2672	- addition to the negated version of the Selector (see NotSelector
	2673	- below), the selector expression syntax itself supports
	2674	- negation. The two types of negation are subtly different.
	2675	- One negates the set of matched endpoints, the other negates
	2676	- the whole match: \n \tSelector = \"!has(my_label)\" matches
	2677	- packets that are from other Calico-controlled \tendpoints
	2678	- that do not have the label \"my_label\". \n \tNotSelector
	2679	- = \"has(my_label)\" matches packets that are not from
	2680	- Calico-controlled \tendpoints that do have the label \"my_label\".
	2681	- \n The effect is that the latter will accept packets from
	2682	- non-Calico sources whereas the former is limited to packets
	2683	- from Calico-controlled endpoints."
	2684	- type: string
	2685	- serviceAccounts:
	2686	- description: ServiceAccounts is an optional field that restricts
	2687	- the rule to only apply to traffic that originates from
	2688	- (or terminates at) a pod running as a matching service
	2689	- account.
	2690	- properties:
	2691	- names:
	2692	- description: Names is an optional field that restricts
	2693	- the rule to only apply to traffic that originates
	2694	- from (or terminates at) a pod running as a service
	2695	- account whose name is in the list.
	2696	- items:
	2697	- type: string
	2698	- type: array
	2699	- selector:
	2700	- description: Selector is an optional field that restricts
	2701	- the rule to only apply to traffic that originates
	2702	- from (or terminates at) a pod running as a service
	2703	- account that matches the given label selector. If
	2704	- both Names and Selector are specified then they are
	2705	- AND'ed.
	2706	- type: string
	2707	- type: object
	2708	- services:
	2709	- description: "Services is an optional field that contains
	2710	- options for matching Kubernetes Services. If specified,
	2711	- only traffic that originates from or terminates at endpoints
	2712	- within the selected service(s) will be matched, and only
	2713	- to/from each endpoint's port. \n Services cannot be specified
	2714	- on the same rule as Selector, NotSelector, NamespaceSelector,
	2715	- Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n
	2716	- Only valid on egress rules."
	2717	- properties:
	2718	- name:
	2719	- description: Name specifies the name of a Kubernetes
	2720	- Service to match.
	2721	- type: string
	2722	- namespace:
	2723	- description: Namespace specifies the namespace of the
	2724	- given Service. If left empty, the rule will match
	2725	- within this policy's namespace.
	2726	- type: string
	2727	- type: object
	2728	- type: object
	2729	- http:
	2730	- description: HTTP contains match criteria that apply to HTTP
	2731	- requests.
	2732	- properties:
	2733	- methods:
	2734	- description: Methods is an optional field that restricts
	2735	- the rule to apply only to HTTP requests that use one of
	2736	- the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
	2737	- methods are OR'd together.
	2738	- items:
	2739	- type: string
	2740	- type: array
	2741	- paths:
	2742	- description: 'Paths is an optional field that restricts
	2743	- the rule to apply to HTTP requests that use one of the
	2744	- listed HTTP Paths. Multiple paths are OR''d together.
	2745	- e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
	2746	- ONLY specify either a `exact` or a `prefix` match. The
	2747	- validator will check for it.'
	2748	- items:
	2749	- description: 'HTTPPath specifies an HTTP path to match.
	2750	- It may be either of the form: exact: <path>: which matches
	2751	- the path exactly or prefix: <path-prefix>: which matches
	2752	- the path prefix'
	2753	- properties:
	2754	- exact:
	2755	- type: string
	2756	- prefix:
	2757	- type: string
	2758	- type: object
	2759	- type: array
	2760	- type: object
	2761	- icmp:
	2762	- description: ICMP is an optional field that restricts the rule
	2763	- to apply to a specific type and code of ICMP traffic. This
	2764	- should only be specified if the Protocol field is set to "ICMP"
	2765	- or "ICMPv6".
	2766	- properties:
	2767	- code:
	2768	- description: Match on a specific ICMP code. If specified,
	2769	- the Type value must also be specified. This is a technical
	2770	- limitation imposed by the kernel's iptables firewall,
	2771	- which Calico uses to enforce the rule.
	2772	- type: integer
	2773	- type:
	2774	- description: Match on a specific ICMP type. For example
	2775	- a value of 8 refers to ICMP Echo Request (i.e. pings).
	2776	- type: integer
	2777	- type: object
	2778	- ipVersion:
	2779	- description: IPVersion is an optional field that restricts the
	2780	- rule to only match a specific IP version.
	2781	- type: integer
	2782	- metadata:
	2783	- description: Metadata contains additional information for this
	2784	- rule
	2785	- properties:
	2786	- annotations:
	2787	- additionalProperties:
	2788	- type: string
	2789	- description: Annotations is a set of key value pairs that
	2790	- give extra information about the rule
	2791	- type: object
	2792	- type: object
	2793	- notICMP:
	2794	- description: NotICMP is the negated version of the ICMP field.
	2795	- properties:
	2796	- code:
	2797	- description: Match on a specific ICMP code. If specified,
	2798	- the Type value must also be specified. This is a technical
	2799	- limitation imposed by the kernel's iptables firewall,
	2800	- which Calico uses to enforce the rule.
	2801	- type: integer
	2802	- type:
	2803	- description: Match on a specific ICMP type. For example
	2804	- a value of 8 refers to ICMP Echo Request (i.e. pings).
	2805	- type: integer
	2806	- type: object
	2807	- notProtocol:
	2808	- anyOf:
	2809	- - type: integer
	2810	- - type: string
	2811	- description: NotProtocol is the negated version of the Protocol
	2812	- field.
	2813	- pattern: ^.*
	2814	- x-kubernetes-int-or-string: true
	2815	- protocol:
	2816	- anyOf:
	2817	- - type: integer
	2818	- - type: string
	2819	- description: "Protocol is an optional field that restricts the
	2820	- rule to only apply to traffic of a specific IP protocol. Required
	2821	- if any of the EntityRules contain Ports (because ports only
	2822	- apply to certain protocols). \n Must be one of these string
	2823	- values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
	2824	- \"UDPLite\" or an integer in the range 1-255."
	2825	- pattern: ^.*
	2826	- x-kubernetes-int-or-string: true
	2827	- source:
	2828	- description: Source contains the match criteria that apply to
	2829	- source entity.
	2830	- properties:
	2831	- namespaceSelector:
	2832	- description: "NamespaceSelector is an optional field that
	2833	- contains a selector expression. Only traffic that originates
	2834	- from (or terminates at) endpoints within the selected
	2835	- namespaces will be matched. When both NamespaceSelector
	2836	- and another selector are defined on the same rule, then
	2837	- only workload endpoints that are matched by both selectors
	2838	- will be selected by the rule. \n For NetworkPolicy, an
	2839	- empty NamespaceSelector implies that the Selector is limited
	2840	- to selecting only workload endpoints in the same namespace
	2841	- as the NetworkPolicy. \n For NetworkPolicy, `global()`
	2842	- NamespaceSelector implies that the Selector is limited
	2843	- to selecting only GlobalNetworkSet or HostEndpoint. \n
	2844	- For GlobalNetworkPolicy, an empty NamespaceSelector implies
	2845	- the Selector applies to workload endpoints across all
	2846	- namespaces."
	2847	- type: string
	2848	- nets:
	2849	- description: Nets is an optional field that restricts the
	2850	- rule to only apply to traffic that originates from (or
	2851	- terminates at) IP addresses in any of the given subnets.
	2852	- items:
	2853	- type: string
	2854	- type: array
	2855	- notNets:
	2856	- description: NotNets is the negated version of the Nets
	2857	- field.
	2858	- items:
	2859	- type: string
	2860	- type: array
	2861	- notPorts:
	2862	- description: NotPorts is the negated version of the Ports
	2863	- field. Since only some protocols have ports, if any ports
	2864	- are specified it requires the Protocol match in the Rule
	2865	- to be set to "TCP" or "UDP".
	2866	- items:
	2867	- anyOf:
	2868	- - type: integer
	2869	- - type: string
	2870	- pattern: ^.*
	2871	- x-kubernetes-int-or-string: true
	2872	- type: array
	2873	- notSelector:
	2874	- description: NotSelector is the negated version of the Selector
	2875	- field. See Selector field for subtleties with negated
	2876	- selectors.
	2877	- type: string
	2878	- ports:
	2879	- description: "Ports is an optional field that restricts
	2880	- the rule to only apply to traffic that has a source (destination)
	2881	- port that matches one of these ranges/values. This value
	2882	- is a list of integers or strings that represent ranges
	2883	- of ports. \n Since only some protocols have ports, if
	2884	- any ports are specified it requires the Protocol match
	2885	- in the Rule to be set to \"TCP\" or \"UDP\"."
	2886	- items:
	2887	- anyOf:
	2888	- - type: integer
	2889	- - type: string
	2890	- pattern: ^.*
	2891	- x-kubernetes-int-or-string: true
	2892	- type: array
	2893	- selector:
	2894	- description: "Selector is an optional field that contains
	2895	- a selector expression (see Policy for sample syntax).
	2896	- \ Only traffic that originates from (terminates at) endpoints
	2897	- matching the selector will be matched. \n Note that: in
	2898	- addition to the negated version of the Selector (see NotSelector
	2899	- below), the selector expression syntax itself supports
	2900	- negation. The two types of negation are subtly different.
	2901	- One negates the set of matched endpoints, the other negates
	2902	- the whole match: \n \tSelector = \"!has(my_label)\" matches
	2903	- packets that are from other Calico-controlled \tendpoints
	2904	- that do not have the label \"my_label\". \n \tNotSelector
	2905	- = \"has(my_label)\" matches packets that are not from
	2906	- Calico-controlled \tendpoints that do have the label \"my_label\".
	2907	- \n The effect is that the latter will accept packets from
	2908	- non-Calico sources whereas the former is limited to packets
	2909	- from Calico-controlled endpoints."
	2910	- type: string
	2911	- serviceAccounts:
	2912	- description: ServiceAccounts is an optional field that restricts
	2913	- the rule to only apply to traffic that originates from
	2914	- (or terminates at) a pod running as a matching service
	2915	- account.
	2916	- properties:
	2917	- names:
	2918	- description: Names is an optional field that restricts
	2919	- the rule to only apply to traffic that originates
	2920	- from (or terminates at) a pod running as a service
	2921	- account whose name is in the list.
	2922	- items:
	2923	- type: string
	2924	- type: array
	2925	- selector:
	2926	- description: Selector is an optional field that restricts
	2927	- the rule to only apply to traffic that originates
	2928	- from (or terminates at) a pod running as a service
	2929	- account that matches the given label selector. If
	2930	- both Names and Selector are specified then they are
	2931	- AND'ed.
	2932	- type: string
	2933	- type: object
	2934	- services:
	2935	- description: "Services is an optional field that contains
	2936	- options for matching Kubernetes Services. If specified,
	2937	- only traffic that originates from or terminates at endpoints
	2938	- within the selected service(s) will be matched, and only
	2939	- to/from each endpoint's port. \n Services cannot be specified
	2940	- on the same rule as Selector, NotSelector, NamespaceSelector,
	2941	- Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n
	2942	- Only valid on egress rules."
	2943	- properties:
	2944	- name:
	2945	- description: Name specifies the name of a Kubernetes
	2946	- Service to match.
	2947	- type: string
	2948	- namespace:
	2949	- description: Namespace specifies the namespace of the
	2950	- given Service. If left empty, the rule will match
	2951	- within this policy's namespace.
	2952	- type: string
	2953	- type: object
	2954	- type: object
	2955	- required:
	2956	- - action
	2957	- type: object
	2958	- type: array
	2959	- ingress:
	2960	- description: The ordered set of ingress rules. Each rule contains
	2961	- a set of packet match criteria and a corresponding action to apply.
	2962	- items:
	2963	- description: "A Rule encapsulates a set of match criteria and an
	2964	- action. Both selector-based security Policy and security Profiles
	2965	- reference rules - separated out as a list of rules for both ingress
	2966	- and egress packet matching. \n Each positive match criteria has
	2967	- a negated version, prefixed with \"Not\". All the match criteria
	2968	- within a rule must be satisfied for a packet to match. A single
	2969	- rule can contain the positive and negative version of a match
	2970	- and both must be satisfied for the rule to match."
	2971	- properties:
	2972	- action:
	2973	- type: string
	2974	- destination:
	2975	- description: Destination contains the match criteria that apply
	2976	- to destination entity.
	2977	- properties:
	2978	- namespaceSelector:
	2979	- description: "NamespaceSelector is an optional field that
	2980	- contains a selector expression. Only traffic that originates
	2981	- from (or terminates at) endpoints within the selected
	2982	- namespaces will be matched. When both NamespaceSelector
	2983	- and another selector are defined on the same rule, then
	2984	- only workload endpoints that are matched by both selectors
	2985	- will be selected by the rule. \n For NetworkPolicy, an
	2986	- empty NamespaceSelector implies that the Selector is limited
	2987	- to selecting only workload endpoints in the same namespace
	2988	- as the NetworkPolicy. \n For NetworkPolicy, `global()`
	2989	- NamespaceSelector implies that the Selector is limited
	2990	- to selecting only GlobalNetworkSet or HostEndpoint. \n
	2991	- For GlobalNetworkPolicy, an empty NamespaceSelector implies
	2992	- the Selector applies to workload endpoints across all
	2993	- namespaces."
	2994	- type: string
	2995	- nets:
	2996	- description: Nets is an optional field that restricts the
	2997	- rule to only apply to traffic that originates from (or
	2998	- terminates at) IP addresses in any of the given subnets.
	2999	- items:
	3000	- type: string
	3001	- type: array
	3002	- notNets:
	3003	- description: NotNets is the negated version of the Nets
	3004	- field.
	3005	- items:
	3006	- type: string
	3007	- type: array
	3008	- notPorts:
	3009	- description: NotPorts is the negated version of the Ports
	3010	- field. Since only some protocols have ports, if any ports
	3011	- are specified it requires the Protocol match in the Rule
	3012	- to be set to "TCP" or "UDP".
	3013	- items:
	3014	- anyOf:
	3015	- - type: integer
	3016	- - type: string
	3017	- pattern: ^.*
	3018	- x-kubernetes-int-or-string: true
	3019	- type: array
	3020	- notSelector:
	3021	- description: NotSelector is the negated version of the Selector
	3022	- field. See Selector field for subtleties with negated
	3023	- selectors.
	3024	- type: string
	3025	- ports:
	3026	- description: "Ports is an optional field that restricts
	3027	- the rule to only apply to traffic that has a source (destination)
	3028	- port that matches one of these ranges/values. This value
	3029	- is a list of integers or strings that represent ranges
	3030	- of ports. \n Since only some protocols have ports, if
	3031	- any ports are specified it requires the Protocol match
	3032	- in the Rule to be set to \"TCP\" or \"UDP\"."
	3033	- items:
	3034	- anyOf:
	3035	- - type: integer
	3036	- - type: string
	3037	- pattern: ^.*
	3038	- x-kubernetes-int-or-string: true
	3039	- type: array
	3040	- selector:
	3041	- description: "Selector is an optional field that contains
	3042	- a selector expression (see Policy for sample syntax).
	3043	- \ Only traffic that originates from (terminates at) endpoints
	3044	- matching the selector will be matched. \n Note that: in
	3045	- addition to the negated version of the Selector (see NotSelector
	3046	- below), the selector expression syntax itself supports
	3047	- negation. The two types of negation are subtly different.
	3048	- One negates the set of matched endpoints, the other negates
	3049	- the whole match: \n \tSelector = \"!has(my_label)\" matches
	3050	- packets that are from other Calico-controlled \tendpoints
	3051	- that do not have the label \"my_label\". \n \tNotSelector
	3052	- = \"has(my_label)\" matches packets that are not from
	3053	- Calico-controlled \tendpoints that do have the label \"my_label\".
	3054	- \n The effect is that the latter will accept packets from
	3055	- non-Calico sources whereas the former is limited to packets
	3056	- from Calico-controlled endpoints."
	3057	- type: string
	3058	- serviceAccounts:
	3059	- description: ServiceAccounts is an optional field that restricts
	3060	- the rule to only apply to traffic that originates from
	3061	- (or terminates at) a pod running as a matching service
	3062	- account.
	3063	- properties:
	3064	- names:
	3065	- description: Names is an optional field that restricts
	3066	- the rule to only apply to traffic that originates
	3067	- from (or terminates at) a pod running as a service
	3068	- account whose name is in the list.
	3069	- items:
	3070	- type: string
	3071	- type: array
	3072	- selector:
	3073	- description: Selector is an optional field that restricts
	3074	- the rule to only apply to traffic that originates
	3075	- from (or terminates at) a pod running as a service
	3076	- account that matches the given label selector. If
	3077	- both Names and Selector are specified then they are
	3078	- AND'ed.
	3079	- type: string
	3080	- type: object
	3081	- services:
	3082	- description: "Services is an optional field that contains
	3083	- options for matching Kubernetes Services. If specified,
	3084	- only traffic that originates from or terminates at endpoints
	3085	- within the selected service(s) will be matched, and only
	3086	- to/from each endpoint's port. \n Services cannot be specified
	3087	- on the same rule as Selector, NotSelector, NamespaceSelector,
	3088	- Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n
	3089	- Only valid on egress rules."
	3090	- properties:
	3091	- name:
	3092	- description: Name specifies the name of a Kubernetes
	3093	- Service to match.
	3094	- type: string
	3095	- namespace:
	3096	- description: Namespace specifies the namespace of the
	3097	- given Service. If left empty, the rule will match
	3098	- within this policy's namespace.
	3099	- type: string
	3100	- type: object
	3101	- type: object
	3102	- http:
	3103	- description: HTTP contains match criteria that apply to HTTP
	3104	- requests.
	3105	- properties:
	3106	- methods:
	3107	- description: Methods is an optional field that restricts
	3108	- the rule to apply only to HTTP requests that use one of
	3109	- the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
	3110	- methods are OR'd together.
	3111	- items:
	3112	- type: string
	3113	- type: array
	3114	- paths:
	3115	- description: 'Paths is an optional field that restricts
	3116	- the rule to apply to HTTP requests that use one of the
	3117	- listed HTTP Paths. Multiple paths are OR''d together.
	3118	- e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
	3119	- ONLY specify either a `exact` or a `prefix` match. The
	3120	- validator will check for it.'
	3121	- items:
	3122	- description: 'HTTPPath specifies an HTTP path to match.
	3123	- It may be either of the form: exact: <path>: which matches
	3124	- the path exactly or prefix: <path-prefix>: which matches
	3125	- the path prefix'
	3126	- properties:
	3127	- exact:
	3128	- type: string
	3129	- prefix:
	3130	- type: string
	3131	- type: object
	3132	- type: array
	3133	- type: object
	3134	- icmp:
	3135	- description: ICMP is an optional field that restricts the rule
	3136	- to apply to a specific type and code of ICMP traffic. This
	3137	- should only be specified if the Protocol field is set to "ICMP"
	3138	- or "ICMPv6".
	3139	- properties:
	3140	- code:
	3141	- description: Match on a specific ICMP code. If specified,
	3142	- the Type value must also be specified. This is a technical
	3143	- limitation imposed by the kernel's iptables firewall,
	3144	- which Calico uses to enforce the rule.
	3145	- type: integer
	3146	- type:
	3147	- description: Match on a specific ICMP type. For example
	3148	- a value of 8 refers to ICMP Echo Request (i.e. pings).
	3149	- type: integer
	3150	- type: object
	3151	- ipVersion:
	3152	- description: IPVersion is an optional field that restricts the
	3153	- rule to only match a specific IP version.
	3154	- type: integer
	3155	- metadata:
	3156	- description: Metadata contains additional information for this
	3157	- rule
	3158	- properties:
	3159	- annotations:
	3160	- additionalProperties:
	3161	- type: string
	3162	- description: Annotations is a set of key value pairs that
	3163	- give extra information about the rule
	3164	- type: object
	3165	- type: object
	3166	- notICMP:
	3167	- description: NotICMP is the negated version of the ICMP field.
	3168	- properties:
	3169	- code:
	3170	- description: Match on a specific ICMP code. If specified,
	3171	- the Type value must also be specified. This is a technical
	3172	- limitation imposed by the kernel's iptables firewall,
	3173	- which Calico uses to enforce the rule.
	3174	- type: integer
	3175	- type:
	3176	- description: Match on a specific ICMP type. For example
	3177	- a value of 8 refers to ICMP Echo Request (i.e. pings).
	3178	- type: integer
	3179	- type: object
	3180	- notProtocol:
	3181	- anyOf:
	3182	- - type: integer
	3183	- - type: string
	3184	- description: NotProtocol is the negated version of the Protocol
	3185	- field.
	3186	- pattern: ^.*
	3187	- x-kubernetes-int-or-string: true
	3188	- protocol:
	3189	- anyOf:
	3190	- - type: integer
	3191	- - type: string
	3192	- description: "Protocol is an optional field that restricts the
	3193	- rule to only apply to traffic of a specific IP protocol. Required
	3194	- if any of the EntityRules contain Ports (because ports only
	3195	- apply to certain protocols). \n Must be one of these string
	3196	- values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
	3197	- \"UDPLite\" or an integer in the range 1-255."
	3198	- pattern: ^.*
	3199	- x-kubernetes-int-or-string: true
	3200	- source:
	3201	- description: Source contains the match criteria that apply to
	3202	- source entity.
	3203	- properties:
	3204	- namespaceSelector:
	3205	- description: "NamespaceSelector is an optional field that
	3206	- contains a selector expression. Only traffic that originates
	3207	- from (or terminates at) endpoints within the selected
	3208	- namespaces will be matched. When both NamespaceSelector
	3209	- and another selector are defined on the same rule, then
	3210	- only workload endpoints that are matched by both selectors
	3211	- will be selected by the rule. \n For NetworkPolicy, an
	3212	- empty NamespaceSelector implies that the Selector is limited
	3213	- to selecting only workload endpoints in the same namespace
	3214	- as the NetworkPolicy. \n For NetworkPolicy, `global()`
	3215	- NamespaceSelector implies that the Selector is limited
	3216	- to selecting only GlobalNetworkSet or HostEndpoint. \n
	3217	- For GlobalNetworkPolicy, an empty NamespaceSelector implies
	3218	- the Selector applies to workload endpoints across all
	3219	- namespaces."
	3220	- type: string
	3221	- nets:
	3222	- description: Nets is an optional field that restricts the
	3223	- rule to only apply to traffic that originates from (or
	3224	- terminates at) IP addresses in any of the given subnets.
	3225	- items:
	3226	- type: string
	3227	- type: array
	3228	- notNets:
	3229	- description: NotNets is the negated version of the Nets
	3230	- field.
	3231	- items:
	3232	- type: string
	3233	- type: array
	3234	- notPorts:
	3235	- description: NotPorts is the negated version of the Ports
	3236	- field. Since only some protocols have ports, if any ports
	3237	- are specified it requires the Protocol match in the Rule
	3238	- to be set to "TCP" or "UDP".
	3239	- items:
	3240	- anyOf:
	3241	- - type: integer
	3242	- - type: string
	3243	- pattern: ^.*
	3244	- x-kubernetes-int-or-string: true
	3245	- type: array
	3246	- notSelector:
	3247	- description: NotSelector is the negated version of the Selector
	3248	- field. See Selector field for subtleties with negated
	3249	- selectors.
	3250	- type: string
	3251	- ports:
	3252	- description: "Ports is an optional field that restricts
	3253	- the rule to only apply to traffic that has a source (destination)
	3254	- port that matches one of these ranges/values. This value
	3255	- is a list of integers or strings that represent ranges
	3256	- of ports. \n Since only some protocols have ports, if
	3257	- any ports are specified it requires the Protocol match
	3258	- in the Rule to be set to \"TCP\" or \"UDP\"."
	3259	- items:
	3260	- anyOf:
	3261	- - type: integer
	3262	- - type: string
	3263	- pattern: ^.*
	3264	- x-kubernetes-int-or-string: true
	3265	- type: array
	3266	- selector:
	3267	- description: "Selector is an optional field that contains
	3268	- a selector expression (see Policy for sample syntax).
	3269	- \ Only traffic that originates from (terminates at) endpoints
	3270	- matching the selector will be matched. \n Note that: in
	3271	- addition to the negated version of the Selector (see NotSelector
	3272	- below), the selector expression syntax itself supports
	3273	- negation. The two types of negation are subtly different.
	3274	- One negates the set of matched endpoints, the other negates
	3275	- the whole match: \n \tSelector = \"!has(my_label)\" matches
	3276	- packets that are from other Calico-controlled \tendpoints
	3277	- that do not have the label \"my_label\". \n \tNotSelector
	3278	- = \"has(my_label)\" matches packets that are not from
	3279	- Calico-controlled \tendpoints that do have the label \"my_label\".
	3280	- \n The effect is that the latter will accept packets from
	3281	- non-Calico sources whereas the former is limited to packets
	3282	- from Calico-controlled endpoints."
	3283	- type: string
	3284	- serviceAccounts:
	3285	- description: ServiceAccounts is an optional field that restricts
	3286	- the rule to only apply to traffic that originates from
	3287	- (or terminates at) a pod running as a matching service
	3288	- account.
	3289	- properties:
	3290	- names:
	3291	- description: Names is an optional field that restricts
	3292	- the rule to only apply to traffic that originates
	3293	- from (or terminates at) a pod running as a service
	3294	- account whose name is in the list.
	3295	- items:
	3296	- type: string
	3297	- type: array
	3298	- selector:
	3299	- description: Selector is an optional field that restricts
	3300	- the rule to only apply to traffic that originates
	3301	- from (or terminates at) a pod running as a service
	3302	- account that matches the given label selector. If
	3303	- both Names and Selector are specified then they are
	3304	- AND'ed.
	3305	- type: string
	3306	- type: object
	3307	- services:
	3308	- description: "Services is an optional field that contains
	3309	- options for matching Kubernetes Services. If specified,
	3310	- only traffic that originates from or terminates at endpoints
	3311	- within the selected service(s) will be matched, and only
	3312	- to/from each endpoint's port. \n Services cannot be specified
	3313	- on the same rule as Selector, NotSelector, NamespaceSelector,
	3314	- Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n
	3315	- Only valid on egress rules."
	3316	- properties:
	3317	- name:
	3318	- description: Name specifies the name of a Kubernetes
	3319	- Service to match.
	3320	- type: string
	3321	- namespace:
	3322	- description: Namespace specifies the namespace of the
	3323	- given Service. If left empty, the rule will match
	3324	- within this policy's namespace.
	3325	- type: string
	3326	- type: object
	3327	- type: object
	3328	- required:
	3329	- - action
	3330	- type: object
	3331	- type: array
	3332	- order:
	3333	- description: Order is an optional field that specifies the order in
	3334	- which the policy is applied. Policies with higher "order" are applied
	3335	- after those with lower order. If the order is omitted, it may be
	3336	- considered to be "infinite" - i.e. the policy will be applied last. Policies
	3337	- with identical order will be applied in alphanumerical order based
	3338	- on the Policy "Name".
	3339	- type: number
	3340	- selector:
	3341	- description: "The selector is an expression used to pick pick out
	3342	- the endpoints that the policy should be applied to. \n Selector
	3343	- expressions follow this syntax: \n \tlabel == \"string_literal\"
	3344	- \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
	3345	- \ -> not equal; also matches if label is not present \tlabel in
	3346	- { \"a\", \"b\", \"c\", ... } -> true if the value of label X is
	3347	- one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
	3348	- ... } -> true if the value of label X is not one of \"a\", \"b\",
	3349	- \"c\" \thas(label_name) -> True if that label is present \t! expr
	3350	- -> negation of expr \texpr && expr -> Short-circuit and \texpr
	3351	- \|\| expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
	3352	- or the empty selector -> matches all endpoints. \n Label names are
	3353	- allowed to contain alphanumerics, -, _ and /. String literals are
	3354	- more permissive but they do not support escape characters. \n Examples
	3355	- (with made-up labels): \n \ttype == \"webserver\" && deployment
	3356	- == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=
	3357	- \"dev\" \t! has(label_name)"
	3358	- type: string
	3359	- serviceAccountSelector:
	3360	- description: ServiceAccountSelector is an optional field for an expression
	3361	- used to select a pod based on service accounts.
	3362	- type: string
	3363	- types:
	3364	- description: "Types indicates whether this policy applies to ingress,
	3365	- or to egress, or to both. When not explicitly specified (and so
	3366	- the value on creation is empty or nil), Calico defaults Types according
	3367	- to what Ingress and Egress are present in the policy. The default
	3368	- is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including
	3369	- the case where there are also no Ingress rules) \n - [ PolicyTypeEgress
	3370	- ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress,
	3371	- PolicyTypeEgress ], if there are both Ingress and Egress rules.
	3372	- \n When the policy is read back again, Types will always be one
	3373	- of these values, never empty or nil."
	3374	- items:
	3375	- description: PolicyType enumerates the possible values of the PolicySpec
	3376	- Types field.
	3377	- type: string
	3378	- type: array
	3379	- type: object
	3380	- type: object
	3381	- served: true
	3382	- storage: true
	3383	-status:
	3384	- acceptedNames:
	3385	- kind: ""
	3386	- plural: ""
	3387	- conditions: []
	3388	- storedVersions: []
	3389	-
	3390	----
	3391	-apiVersion: apiextensions.k8s.io/v1
	3392	-kind: CustomResourceDefinition
	3393	-metadata:
	3394	- name: networksets.crd.projectcalico.org
	3395	-spec:
	3396	- group: crd.projectcalico.org
	3397	- names:
	3398	- kind: NetworkSet
	3399	- listKind: NetworkSetList
	3400	- plural: networksets
	3401	- singular: networkset
	3402	- scope: Namespaced
	3403	- versions:
	3404	- - name: v1
	3405	- schema:
	3406	- openAPIV3Schema:
	3407	- description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet.
	3408	- properties:
	3409	- apiVersion:
	3410	- description: 'APIVersion defines the versioned schema of this representation
	3411	- of an object. Servers should convert recognized schemas to the latest
	3412	- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
	3413	- type: string
	3414	- kind:
	3415	- description: 'Kind is a string value representing the REST resource this
	3416	- object represents. Servers may infer this from the endpoint the client
	3417	- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
	3418	- type: string
	3419	- metadata:
	3420	- type: object
	3421	- spec:
	3422	- description: NetworkSetSpec contains the specification for a NetworkSet
	3423	- resource.
	3424	- properties:
	3425	- nets:
	3426	- description: The list of IP networks that belong to this set.
	3427	- items:
	3428	- type: string
	3429	- type: array
	3430	- type: object
	3431	- type: object
	3432	- served: true
	3433	- storage: true
	3434	-status:
	3435	- acceptedNames:
	3436	- kind: ""
	3437	- plural: ""
	3438	- conditions: []
	3439	- storedVersions: []
	3440	-
	3441	----
	3442	----
	3443	-# Source: calico/templates/calico-kube-controllers-rbac.yaml
	3444	-
	3445	-# Include a clusterrole for the kube-controllers component,
	3446	-# and bind it to the calico-kube-controllers serviceaccount.
	3447	-kind: ClusterRole
	3448	-apiVersion: rbac.authorization.k8s.io/v1
	3449	-metadata:
	3450	- name: calico-kube-controllers
	3451	-rules:
	3452	- # Nodes are watched to monitor for deletions.
	3453	- - apiGroups: [""]
	3454	- resources:
	3455	- - nodes
	3456	- verbs:
	3457	- - watch
	3458	- - list
	3459	- - get
	3460	- # Pods are watched to check for existence as part of IPAM controller.
	3461	- - apiGroups: [""]
	3462	- resources:
	3463	- - pods
	3464	- verbs:
	3465	- - get
	3466	- - list
	3467	- - watch
	3468	- # IPAM resources are manipulated when nodes are deleted.
	3469	- - apiGroups: ["crd.projectcalico.org"]
	3470	- resources:
	3471	- - ippools
	3472	- verbs:
	3473	- - list
	3474	- - apiGroups: ["crd.projectcalico.org"]
	3475	- resources:
	3476	- - blockaffinities
	3477	- - ipamblocks
	3478	- - ipamhandles
	3479	- verbs:
	3480	- - get
	3481	- - list
	3482	- - create
	3483	- - update
	3484	- - delete
	3485	- - watch
	3486	- # kube-controllers manages hostendpoints.
	3487	- - apiGroups: ["crd.projectcalico.org"]
	3488	- resources:
	3489	- - hostendpoints
	3490	- verbs:
	3491	- - get
	3492	- - list
	3493	- - create
	3494	- - update
	3495	- - delete
	3496	- # Needs access to update clusterinformations.
	3497	- - apiGroups: ["crd.projectcalico.org"]
	3498	- resources:
	3499	- - clusterinformations
	3500	- verbs:
	3501	- - get
	3502	- - create
	3503	- - update
	3504	- # KubeControllersConfiguration is where it gets its config
	3505	- - apiGroups: ["crd.projectcalico.org"]
	3506	- resources:
	3507	- - kubecontrollersconfigurations
	3508	- verbs:
	3509	- # read its own config
	3510	- - get
	3511	- # create a default if none exists
	3512	- - create
	3513	- # update status
	3514	- - update
	3515	- # watch for changes
	3516	- - watch
	3517	----
	3518	-kind: ClusterRoleBinding
	3519	-apiVersion: rbac.authorization.k8s.io/v1
	3520	-metadata:
	3521	- name: calico-kube-controllers
	3522	-roleRef:
	3523	- apiGroup: rbac.authorization.k8s.io
	3524	- kind: ClusterRole
	3525	- name: calico-kube-controllers
	3526	-subjects:
	3527	-- kind: ServiceAccount
	3528	- name: calico-kube-controllers
	3529	- namespace: kube-system
	3530	----
	3531	-
	3532	----
	3533	-# Source: calico/templates/calico-node-rbac.yaml
	3534	-# Include a clusterrole for the calico-node DaemonSet,
	3535	-# and bind it to the calico-node serviceaccount.
	3536	-kind: ClusterRole
	3537	-apiVersion: rbac.authorization.k8s.io/v1
	3538	-metadata:
	3539	- name: calico-node
	3540	-rules:
	3541	- # The CNI plugin needs to get pods, nodes, and namespaces.
	3542	- - apiGroups: [""]
	3543	- resources:
	3544	- - pods
	3545	- - nodes
	3546	- - namespaces
	3547	- verbs:
	3548	- - get
	3549	- # EndpointSlices are used for Service-based network policy rule
	3550	- # enforcement.
	3551	- - apiGroups: ["discovery.k8s.io"]
	3552	- resources:
	3553	- - endpointslices
	3554	- verbs:
	3555	- - watch
	3556	- - list
	3557	- - apiGroups: [""]
	3558	- resources:
	3559	- - endpoints
	3560	- - services
	3561	- verbs:
	3562	- # Used to discover service IPs for advertisement.
	3563	- - watch
	3564	- - list
	3565	- # Used to discover Typhas.
	3566	- - get
	3567	- # Pod CIDR auto-detection on kubeadm needs access to config maps.
	3568	- - apiGroups: [""]
	3569	- resources:
	3570	- - configmaps
	3571	- verbs:
	3572	- - get
	3573	- - apiGroups: [""]
	3574	- resources:
	3575	- - nodes/status
	3576	- verbs:
	3577	- # Needed for clearing NodeNetworkUnavailable flag.
	3578	- - patch
	3579	- # Calico stores some configuration information in node annotations.
	3580	- - update
	3581	- # Watch for changes to Kubernetes NetworkPolicies.
	3582	- - apiGroups: ["networking.k8s.io"]
	3583	- resources:
	3584	- - networkpolicies
	3585	- verbs:
	3586	- - watch
	3587	- - list
	3588	- # Used by Calico for policy information.
	3589	- - apiGroups: [""]
	3590	- resources:
	3591	- - pods
	3592	- - namespaces
	3593	- - serviceaccounts
	3594	- verbs:
	3595	- - list
	3596	- - watch
	3597	- # The CNI plugin patches pods/status.
	3598	- - apiGroups: [""]
	3599	- resources:
	3600	- - pods/status
	3601	- verbs:
	3602	- - patch
	3603	- # Calico monitors various CRDs for config.
	3604	- - apiGroups: ["crd.projectcalico.org"]
	3605	- resources:
	3606	- - globalfelixconfigs
	3607	- - felixconfigurations
	3608	- - bgppeers
	3609	- - globalbgpconfigs
	3610	- - bgpconfigurations
	3611	- - ippools
	3612	- - ipamblocks
	3613	- - globalnetworkpolicies
	3614	- - globalnetworksets
	3615	- - networkpolicies
	3616	- - networksets
	3617	- - clusterinformations
	3618	- - hostendpoints
	3619	- - blockaffinities
	3620	- verbs:
	3621	- - get
	3622	- - list
	3623	- - watch
	3624	- # Calico must create and update some CRDs on startup.
	3625	- - apiGroups: ["crd.projectcalico.org"]
	3626	- resources:
	3627	- - ippools
	3628	- - felixconfigurations
	3629	- - clusterinformations
	3630	- verbs:
	3631	- - create
	3632	- - update
	3633	- # Calico stores some configuration information on the node.
	3634	- - apiGroups: [""]
	3635	- resources:
	3636	- - nodes
	3637	- verbs:
	3638	- - get
	3639	- - list
	3640	- - watch
	3641	- # These permissions are only required for upgrade from v2.6, and can
	3642	- # be removed after upgrade or on fresh installations.
	3643	- - apiGroups: ["crd.projectcalico.org"]
	3644	- resources:
	3645	- - bgpconfigurations
	3646	- - bgppeers
	3647	- verbs:
	3648	- - create
	3649	- - update
	3650	- # These permissions are required for Calico CNI to perform IPAM allocations.
	3651	- - apiGroups: ["crd.projectcalico.org"]
	3652	- resources:
	3653	- - blockaffinities
	3654	- - ipamblocks
	3655	- - ipamhandles
	3656	- verbs:
	3657	- - get
	3658	- - list
	3659	- - create
	3660	- - update
	3661	- - delete
	3662	- - apiGroups: ["crd.projectcalico.org"]
	3663	- resources:
	3664	- - ipamconfigs
	3665	- verbs:
	3666	- - get
	3667	- # Block affinities must also be watchable by confd for route aggregation.
	3668	- - apiGroups: ["crd.projectcalico.org"]
	3669	- resources:
	3670	- - blockaffinities
	3671	- verbs:
	3672	- - watch
	3673	- # The Calico IPAM migration needs to get daemonsets. These permissions can be
	3674	- # removed if not upgrading from an installation using host-local IPAM.
	3675	- - apiGroups: ["apps"]
	3676	- resources:
	3677	- - daemonsets
	3678	- verbs:
	3679	- - get
	3680	-
	3681	----
	3682	-apiVersion: rbac.authorization.k8s.io/v1
	3683	-kind: ClusterRoleBinding
	3684	-metadata:
	3685	- name: calico-node
	3686	-roleRef:
	3687	- apiGroup: rbac.authorization.k8s.io
	3688	- kind: ClusterRole
	3689	- name: calico-node
	3690	-subjects:
	3691	-- kind: ServiceAccount
	3692	- name: calico-node
	3693	- namespace: kube-system
	3694	-
	3695	----
	3696	-# Source: calico/templates/calico-node.yaml
	3697	-# This manifest installs the calico-node container, as well
	3698	-# as the CNI plugins and network config on
	3699	-# each master and worker node in a Kubernetes cluster.
	3700	-kind: DaemonSet
	3701	-apiVersion: apps/v1
	3702	-metadata:
	3703	- name: calico-node
	3704	- namespace: kube-system
	3705	- labels:
	3706	- k8s-app: calico-node
	3707	-spec:
	3708	- selector:
	3709	- matchLabels:
	3710	- k8s-app: calico-node
	3711	- updateStrategy:
	3712	- type: RollingUpdate
	3713	- rollingUpdate:
	3714	- maxUnavailable: 1
	3715	- template:
	3716	- metadata:
	3717	- labels:
	3718	- k8s-app: calico-node
	3719	- spec:
	3720	- nodeSelector:
	3721	- kubernetes.io/os: linux
	3722	- hostNetwork: true
	3723	- tolerations:
	3724	- # Make sure calico-node gets scheduled on all nodes.
	3725	- - effect: NoSchedule
	3726	- operator: Exists
	3727	- # Mark the pod as a critical add-on for rescheduling.
	3728	- - key: CriticalAddonsOnly
	3729	- operator: Exists
	3730	- - effect: NoExecute
	3731	- operator: Exists
	3732	- serviceAccountName: calico-node
	3733	- # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
	3734	- # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
	3735	- terminationGracePeriodSeconds: 0
	3736	- priorityClassName: system-node-critical
	3737	- initContainers:
	3738	- # This container performs upgrade from host-local IPAM to calico-ipam.
	3739	- # It can be deleted if this is a fresh installation, or if you have already
	3740	- # upgraded to use calico-ipam.
	3741	- - name: upgrade-ipam
	3742	- image: 192.168.11.254:5000/calico/cni:v3.20.2
	3743	- command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
	3744	- envFrom:
	3745	- - configMapRef:
	3746	- # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
	3747	- name: kubernetes-services-endpoint
	3748	- optional: true
	3749	- env:
	3750	- - name: KUBERNETES_NODE_NAME
	3751	- valueFrom:
	3752	- fieldRef:
	3753	- fieldPath: spec.nodeName
	3754	- - name: CALICO_NETWORKING_BACKEND
	3755	- valueFrom:
	3756	- configMapKeyRef:
	3757	- name: calico-config
	3758	- key: calico_backend
	3759	- volumeMounts:
	3760	- - mountPath: /var/lib/cni/networks
	3761	- name: host-local-net-dir
	3762	- - mountPath: /host/opt/cni/bin
	3763	- name: cni-bin-dir
	3764	- securityContext:
	3765	- privileged: true
	3766	- # This container installs the CNI binaries
	3767	- # and CNI network config file on each node.
	3768	- - name: install-cni
	3769	- image: 192.168.11.254:5000/calico/cni:v3.20.2
	3770	- command: ["/opt/cni/bin/install"]
	3771	- envFrom:
	3772	- - configMapRef:
	3773	- # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
	3774	- name: kubernetes-services-endpoint
	3775	- optional: true
	3776	- env:
	3777	- # Name of the CNI config file to create.
	3778	- - name: CNI_CONF_NAME
	3779	- value: "10-calico.conflist"
	3780	- # The CNI network config to install on each node.
	3781	- - name: CNI_NETWORK_CONFIG
	3782	- valueFrom:
	3783	- configMapKeyRef:
	3784	- name: calico-config
	3785	- key: cni_network_config
	3786	- # Set the hostname based on the k8s node name.
	3787	- - name: KUBERNETES_NODE_NAME
	3788	- valueFrom:
	3789	- fieldRef:
	3790	- fieldPath: spec.nodeName
	3791	- # CNI MTU Config variable
	3792	- - name: CNI_MTU
	3793	- valueFrom:
	3794	- configMapKeyRef:
	3795	- name: calico-config
	3796	- key: veth_mtu
	3797	- # Prevents the container from sleeping forever.
	3798	- - name: SLEEP
	3799	- value: "false"
	3800	- volumeMounts:
	3801	- - mountPath: /host/opt/cni/bin
	3802	- name: cni-bin-dir
	3803	- - mountPath: /host/etc/cni/net.d
	3804	- name: cni-net-dir
	3805	- securityContext:
	3806	- privileged: true
	3807	- # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes
	3808	- # to communicate with Felix over the Policy Sync API.
	3809	- - name: flexvol-driver
	3810	- image: 192.168.11.254:5000/calico/pod2daemon-flexvol:v3.20.2
	3811	- volumeMounts:
	3812	- - name: flexvol-driver-host
	3813	- mountPath: /host/driver
	3814	- securityContext:
	3815	- privileged: true
	3816	- containers:
	3817	- # Runs calico-node container on each Kubernetes node. This
	3818	- # container programs network policy and routes on each
	3819	- # host.
	3820	- - name: calico-node
	3821	- image: 192.168.11.254:5000/calico/node:v3.20.2
	3822	- envFrom:
	3823	- - configMapRef:
	3824	- # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
	3825	- name: kubernetes-services-endpoint
	3826	- optional: true
	3827	- env:
	3828	- # Use Kubernetes API as the backing datastore.
	3829	- - name: DATASTORE_TYPE
	3830	- value: "kubernetes"
	3831	- # Wait for the datastore.
	3832	- - name: WAIT_FOR_DATASTORE
	3833	- value: "true"
	3834	- # Set based on the k8s node name.
	3835	- - name: NODENAME
	3836	- valueFrom:
	3837	- fieldRef:
	3838	- fieldPath: spec.nodeName
	3839	- # Choose the backend to use.
	3840	- - name: CALICO_NETWORKING_BACKEND
	3841	- valueFrom:
	3842	- configMapKeyRef:
	3843	- name: calico-config
	3844	- key: calico_backend
	3845	- # Cluster type to identify the deployment type
	3846	- - name: CLUSTER_TYPE
	3847	- value: "k8s,bgp"
	3848	- # Auto-detect the BGP IP address.
	3849	- - name: IP
	3850	- value: "autodetect"
	3851	- # Enable IPIP
	3852	- - name: CALICO_IPV4POOL_IPIP
	3853	- value: "Always"
	3854	- # Enable or Disable VXLAN on the default IP pool.
	3855	- - name: CALICO_IPV4POOL_VXLAN
	3856	- value: "Never"
	3857	- # Set MTU for tunnel device used if ipip is enabled
	3858	- - name: FELIX_IPINIPMTU
	3859	- valueFrom:
	3860	- configMapKeyRef:
	3861	- name: calico-config
	3862	- key: veth_mtu
	3863	- # Set MTU for the VXLAN tunnel device.
	3864	- - name: FELIX_VXLANMTU
	3865	- valueFrom:
	3866	- configMapKeyRef:
	3867	- name: calico-config
	3868	- key: veth_mtu
	3869	- # Set MTU for the Wireguard tunnel device.
	3870	- - name: FELIX_WIREGUARDMTU
	3871	- valueFrom:
	3872	- configMapKeyRef:
	3873	- name: calico-config
	3874	- key: veth_mtu
	3875	- # The default IPv4 pool to create on startup if none exists. Pod IPs will be
	3876	- # chosen from this range. Changing this value after installation will have
	3877	- # no effect. This should fall within `--cluster-cidr`.
	3878	- # - name: CALICO_IPV4POOL_CIDR
	3879	- # value: "192.168.0.0/16"
	3880	- # Disable file logging so `kubectl logs` works.
	3881	- - name: CALICO_DISABLE_FILE_LOGGING
	3882	- value: "true"
	3883	- # Set Felix endpoint to host default action to ACCEPT.
	3884	- - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
	3885	- value: "ACCEPT"
	3886	- # Disable IPv6 on Kubernetes.
	3887	- - name: FELIX_IPV6SUPPORT
	3888	- value: "false"
	3889	- - name: FELIX_HEALTHENABLED
	3890	- value: "true"
	3891	- securityContext:
	3892	- privileged: true
	3893	- resources:
	3894	- requests:
	3895	- cpu: 250m
	3896	- lifecycle:
	3897	- preStop:
	3898	- exec:
	3899	- command:
	3900	- - /bin/calico-node
	3901	- - -shutdown
	3902	- livenessProbe:
	3903	- exec:
	3904	- command:
	3905	- - /bin/calico-node
	3906	- - -felix-live
	3907	- - -bird-live
	3908	- periodSeconds: 10
	3909	- initialDelaySeconds: 10
	3910	- failureThreshold: 6
	3911	- timeoutSeconds: 10
	3912	- readinessProbe:
	3913	- exec:
	3914	- command:
	3915	- - /bin/calico-node
	3916	- - -felix-ready
	3917	- - -bird-ready
	3918	- periodSeconds: 10
	3919	- timeoutSeconds: 10
	3920	- volumeMounts:
	3921	- # For maintaining CNI plugin API credentials.
	3922	- - mountPath: /host/etc/cni/net.d
	3923	- name: cni-net-dir
	3924	- readOnly: false
	3925	- - mountPath: /lib/modules
	3926	- name: lib-modules
	3927	- readOnly: true
	3928	- - mountPath: /run/xtables.lock
	3929	- name: xtables-lock
	3930	- readOnly: false
	3931	- - mountPath: /var/run/calico
	3932	- name: var-run-calico
	3933	- readOnly: false
	3934	- - mountPath: /var/lib/calico
	3935	- name: var-lib-calico
	3936	- readOnly: false
	3937	- - name: policysync
	3938	- mountPath: /var/run/nodeagent
	3939	- # For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the
	3940	- # parent directory.
	3941	- - name: sysfs
	3942	- mountPath: /sys/fs/
	3943	- # Bidirectional means that, if we mount the BPF filesystem at /sys/fs/bpf it will propagate to the host.
	3944	- # If the host is known to mount that filesystem already then Bidirectional can be omitted.
	3945	- mountPropagation: Bidirectional
	3946	- - name: cni-log-dir
	3947	- mountPath: /var/log/calico/cni
	3948	- readOnly: true
	3949	- volumes:
	3950	- # Used by calico-node.
	3951	- - name: lib-modules
	3952	- hostPath:
	3953	- path: /lib/modules
	3954	- - name: var-run-calico
	3955	- hostPath:
	3956	- path: /var/run/calico
	3957	- - name: var-lib-calico
	3958	- hostPath:
	3959	- path: /var/lib/calico
	3960	- - name: xtables-lock
	3961	- hostPath:
	3962	- path: /run/xtables.lock
	3963	- type: FileOrCreate
	3964	- - name: sysfs
	3965	- hostPath:
	3966	- path: /sys/fs/
	3967	- type: DirectoryOrCreate
	3968	- # Used to install CNI.
	3969	- - name: cni-bin-dir
	3970	- hostPath:
	3971	- path: /opt/cni/bin
	3972	- - name: cni-net-dir
	3973	- hostPath:
	3974	- path: /etc/cni/net.d
	3975	- # Used to access CNI logs.
	3976	- - name: cni-log-dir
	3977	- hostPath:
	3978	- path: /var/log/calico/cni
	3979	- # Mount in the directory for host-local IPAM allocations. This is
	3980	- # used when upgrading from host-local to calico-ipam, and can be removed
	3981	- # if not using the upgrade-ipam init container.
	3982	- - name: host-local-net-dir
	3983	- hostPath:
	3984	- path: /var/lib/cni/networks
	3985	- # Used to create per-pod Unix Domain Sockets
	3986	- - name: policysync
	3987	- hostPath:
	3988	- type: DirectoryOrCreate
	3989	- path: /var/run/nodeagent
	3990	- # Used to install Flex Volume Driver
	3991	- - name: flexvol-driver-host
	3992	- hostPath:
	3993	- type: DirectoryOrCreate
	3994	- path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds
	3995	----
	3996	-
	3997	-apiVersion: v1
	3998	-kind: ServiceAccount
	3999	-metadata:
	4000	- name: calico-node
	4001	- namespace: kube-system
	4002	-
	4003	----
	4004	-# Source: calico/templates/calico-kube-controllers.yaml
	4005	-# See https://github.com/projectcalico/kube-controllers
	4006	-apiVersion: apps/v1
	4007	-kind: Deployment
	4008	-metadata:
	4009	- name: calico-kube-controllers
	4010	- namespace: kube-system
	4011	- labels:
	4012	- k8s-app: calico-kube-controllers
	4013	-spec:
	4014	- # The controllers can only have a single active instance.
	4015	- replicas: 1
	4016	- selector:
	4017	- matchLabels:
	4018	- k8s-app: calico-kube-controllers
	4019	- strategy:
	4020	- type: Recreate
	4021	- template:
	4022	- metadata:
	4023	- name: calico-kube-controllers
	4024	- namespace: kube-system
	4025	- labels:
	4026	- k8s-app: calico-kube-controllers
	4027	- spec:
	4028	- nodeSelector:
	4029	- kubernetes.io/os: linux
	4030	- tolerations:
	4031	- # Mark the pod as a critical add-on for rescheduling.
	4032	- - key: CriticalAddonsOnly
	4033	- operator: Exists
	4034	- - key: node-role.kubernetes.io/master
	4035	- effect: NoSchedule
	4036	- serviceAccountName: calico-kube-controllers
	4037	- priorityClassName: system-cluster-critical
	4038	- containers:
	4039	- - name: calico-kube-controllers
	4040	- image: 192.168.11.254:5000/calico/kube-controllers:v3.20.2
	4041	- env:
	4042	- # Choose which controllers to run.
	4043	- - name: ENABLED_CONTROLLERS
	4044	- value: node
	4045	- - name: DATASTORE_TYPE
	4046	- value: kubernetes
	4047	- livenessProbe:
	4048	- exec:
	4049	- command:
	4050	- - /usr/bin/check-status
	4051	- - -l
	4052	- periodSeconds: 10
	4053	- initialDelaySeconds: 10
	4054	- failureThreshold: 6
	4055	- timeoutSeconds: 10
	4056	- readinessProbe:
	4057	- exec:
	4058	- command:
	4059	- - /usr/bin/check-status
	4060	- - -r
	4061	- periodSeconds: 10
	4062	-
	4063	----
	4064	-
	4065	-apiVersion: v1
	4066	-kind: ServiceAccount
	4067	-metadata:
	4068	- name: calico-kube-controllers
	4069	- namespace: kube-system
	4070	-
	4071	----
	4072	-
	4073	-# This manifest creates a Pod Disruption Budget for Controller to allow K8s Cluster Autoscaler to evict
	4074	-
	4075	-apiVersion: policy/v1beta1
	4076	-kind: PodDisruptionBudget
	4077	-metadata:
	4078	- name: calico-kube-controllers
	4079	- namespace: kube-system
	4080	- labels:
	4081	- k8s-app: calico-kube-controllers
	4082	-spec:
	4083	- maxUnavailable: 1
	4084	- selector:
	4085	- matchLabels:
	4086	- k8s-app: calico-kube-controllers
	4087	-
	4088	----
	4089	-# Source: calico/templates/calico-etcd-secrets.yaml
	4090	-
	4091	----
	4092	-# Source: calico/templates/calico-typha.yaml
	4093	-
	4094	----
	4095	-# Source: calico/templates/configure-canal.yaml
	4096	-
	4097	-

018d885

yaml/local-path-storage.yaml (deleted)

--- yaml/local-path-storage.yaml

...	...	@@ -1,158 +0,0 @@
	1	-apiVersion: v1
	2	-kind: Namespace
	3	-metadata:
	4	- name: local-path-storage
	5	-
	6	----
	7	-apiVersion: v1
	8	-kind: ServiceAccount
	9	-metadata:
	10	- name: local-path-provisioner-service-account
	11	- namespace: local-path-storage
	12	-
	13	----
	14	-apiVersion: rbac.authorization.k8s.io/v1
	15	-kind: ClusterRole
	16	-metadata:
	17	- name: local-path-provisioner-role
	18	-rules:
	19	- - apiGroups: [ "" ]
	20	- resources: [ "nodes", "persistentvolumeclaims", "configmaps" ]
	21	- verbs: [ "get", "list", "watch" ]
	22	- - apiGroups: [ "" ]
	23	- resources: [ "endpoints", "persistentvolumes", "pods" ]
	24	- verbs: [ "*" ]
	25	- - apiGroups: [ "" ]
	26	- resources: [ "events" ]
	27	- verbs: [ "create", "patch" ]
	28	- - apiGroups: [ "storage.k8s.io" ]
	29	- resources: [ "storageclasses" ]
	30	- verbs: [ "get", "list", "watch" ]
	31	-
	32	----
	33	-apiVersion: rbac.authorization.k8s.io/v1
	34	-kind: ClusterRoleBinding
	35	-metadata:
	36	- name: local-path-provisioner-bind
	37	-roleRef:
	38	- apiGroup: rbac.authorization.k8s.io
	39	- kind: ClusterRole
	40	- name: local-path-provisioner-role
	41	-subjects:
	42	- - kind: ServiceAccount
	43	- name: local-path-provisioner-service-account
	44	- namespace: local-path-storage
	45	-
	46	----
	47	-apiVersion: apps/v1
	48	-kind: Deployment
	49	-metadata:
	50	- name: local-path-provisioner
	51	- namespace: local-path-storage
	52	-spec:
	53	- replicas: 1
	54	- selector:
	55	- matchLabels:
	56	- app: local-path-provisioner
	57	- template:
	58	- metadata:
	59	- labels:
	60	- app: local-path-provisioner
	61	- spec:
	62	- serviceAccountName: local-path-provisioner-service-account
	63	- containers:
	64	- - name: local-path-provisioner
	65	- image: 192.168.11.254:5000/rancher/local-path-provisioner:v0.0.20
	66	- imagePullPolicy: IfNotPresent
	67	- command:
	68	- - local-path-provisioner
	69	- - --debug
	70	- - start
	71	- - --config
	72	- - /etc/config/config.json
	73	- volumeMounts:
	74	- - name: config-volume
	75	- mountPath: /etc/config/
	76	- env:
	77	- - name: POD_NAMESPACE
	78	- valueFrom:
	79	- fieldRef:
	80	- fieldPath: metadata.namespace
	81	- volumes:
	82	- - name: config-volume
	83	- configMap:
	84	- name: local-path-config
	85	-
	86	----
	87	-apiVersion: storage.k8s.io/v1
	88	-kind: StorageClass
	89	-metadata:
	90	- name: local-path
	91	-provisioner: rancher.io/local-path
	92	-volumeBindingMode: WaitForFirstConsumer
	93	-reclaimPolicy: Delete
	94	-
	95	----
	96	-kind: ConfigMap
	97	-apiVersion: v1
	98	-metadata:
	99	- name: local-path-config
	100	- namespace: local-path-storage
	101	-data:
	102	- config.json: \|-
	103	- {
	104	- "nodePathMap":[
	105	- {
	106	- "node":"DEFAULT_PATH_FOR_NON_LISTED_NODES",
	107	- "paths":["/opt/local-path-provisioner"]
	108	- }
	109	- ]
	110	- }
	111	- setup: \|-
	112	- #!/bin/sh
	113	- while getopts "m:s:p:" opt
	114	- do
	115	- case $opt in
	116	- p)
	117	- absolutePath=$OPTARG
	118	- ;;
	119	- s)
	120	- sizeInBytes=$OPTARG
	121	- ;;
	122	- m)
	123	- volMode=$OPTARG
	124	- ;;
	125	- esac
	126	- done
	127	-
	128	- mkdir -m 0777 -p ${absolutePath}
	129	- teardown: \|-
	130	- #!/bin/sh
	131	- while getopts "m:s:p:" opt
	132	- do
	133	- case $opt in
	134	- p)
	135	- absolutePath=$OPTARG
	136	- ;;
	137	- s)
	138	- sizeInBytes=$OPTARG
	139	- ;;
	140	- m)
	141	- volMode=$OPTARG
	142	- ;;
	143	- esac
	144	- done
	145	-
	146	- rm -rf ${absolutePath}
	147	- helperPod.yaml: \|-
	148	- apiVersion: v1
	149	- kind: Pod
	150	- metadata:
	151	- name: helper-pod
	152	- spec:
	153	- containers:
	154	- - name: helper-pod
	155	- image: 192.168.11.254:5000/busybox
	156	- imagePullPolicy: IfNotPresent
	157	-
	158	-

018d885

yaml/metallb.yaml (deleted)

--- yaml/metallb.yaml

...	...	@@ -1,394 +0,0 @@
	1	-apiVersion: policy/v1beta1
	2	-kind: PodSecurityPolicy
	3	-metadata:
	4	- labels:
	5	- app: metallb
	6	- name: controller
	7	- namespace: metallb-system
	8	-spec:
	9	- allowPrivilegeEscalation: false
	10	- allowedCapabilities: []
	11	- allowedHostPaths: []
	12	- defaultAddCapabilities: []
	13	- defaultAllowPrivilegeEscalation: false
	14	- fsGroup:
	15	- ranges:
	16	- - max: 65535
	17	- min: 1
	18	- rule: MustRunAs
	19	- hostIPC: false
	20	- hostNetwork: false
	21	- hostPID: false
	22	- privileged: false
	23	- readOnlyRootFilesystem: true
	24	- requiredDropCapabilities:
	25	- - ALL
	26	- runAsUser:
	27	- ranges:
	28	- - max: 65535
	29	- min: 1
	30	- rule: MustRunAs
	31	- seLinux:
	32	- rule: RunAsAny
	33	- supplementalGroups:
	34	- ranges:
	35	- - max: 65535
	36	- min: 1
	37	- rule: MustRunAs
	38	- volumes:
	39	- - configMap
	40	- - secret
	41	- - emptyDir
	42	----
	43	-apiVersion: policy/v1beta1
	44	-kind: PodSecurityPolicy
	45	-metadata:
	46	- labels:
	47	- app: metallb
	48	- name: speaker
	49	- namespace: metallb-system
	50	-spec:
	51	- allowPrivilegeEscalation: false
	52	- allowedCapabilities:
	53	- - NET_ADMIN
	54	- - NET_RAW
	55	- - SYS_ADMIN
	56	- allowedHostPaths: []
	57	- defaultAddCapabilities: []
	58	- defaultAllowPrivilegeEscalation: false
	59	- fsGroup:
	60	- rule: RunAsAny
	61	- hostIPC: false
	62	- hostNetwork: true
	63	- hostPID: false
	64	- hostPorts:
	65	- - max: 7472
	66	- min: 7472
	67	- privileged: true
	68	- readOnlyRootFilesystem: true
	69	- requiredDropCapabilities:
	70	- - ALL
	71	- runAsUser:
	72	- rule: RunAsAny
	73	- seLinux:
	74	- rule: RunAsAny
	75	- supplementalGroups:
	76	- rule: RunAsAny
	77	- volumes:
	78	- - configMap
	79	- - secret
	80	- - emptyDir
	81	----
	82	-apiVersion: v1
	83	-kind: ServiceAccount
	84	-metadata:
	85	- labels:
	86	- app: metallb
	87	- name: controller
	88	- namespace: metallb-system
	89	----
	90	-apiVersion: v1
	91	-kind: ServiceAccount
	92	-metadata:
	93	- labels:
	94	- app: metallb
	95	- name: speaker
	96	- namespace: metallb-system
	97	----
	98	-apiVersion: rbac.authorization.k8s.io/v1
	99	-kind: ClusterRole
	100	-metadata:
	101	- labels:
	102	- app: metallb
	103	- name: metallb-system:controller
	104	-rules:
	105	-- apiGroups:
	106	- - ''
	107	- resources:
	108	- - services
	109	- verbs:
	110	- - get
	111	- - list
	112	- - watch
	113	- - update
	114	-- apiGroups:
	115	- - ''
	116	- resources:
	117	- - services/status
	118	- verbs:
	119	- - update
	120	-- apiGroups:
	121	- - ''
	122	- resources:
	123	- - events
	124	- verbs:
	125	- - create
	126	- - patch
	127	-- apiGroups:
	128	- - policy
	129	- resourceNames:
	130	- - controller
	131	- resources:
	132	- - podsecuritypolicies
	133	- verbs:
	134	- - use
	135	----
	136	-apiVersion: rbac.authorization.k8s.io/v1
	137	-kind: ClusterRole
	138	-metadata:
	139	- labels:
	140	- app: metallb
	141	- name: metallb-system:speaker
	142	-rules:
	143	-- apiGroups:
	144	- - ''
	145	- resources:
	146	- - services
	147	- - endpoints
	148	- - nodes
	149	- verbs:
	150	- - get
	151	- - list
	152	- - watch
	153	-- apiGroups:
	154	- - ''
	155	- resources:
	156	- - events
	157	- verbs:
	158	- - create
	159	- - patch
	160	-- apiGroups:
	161	- - policy
	162	- resourceNames:
	163	- - speaker
	164	- resources:
	165	- - podsecuritypolicies
	166	- verbs:
	167	- - use
	168	----
	169	-apiVersion: rbac.authorization.k8s.io/v1
	170	-kind: Role
	171	-metadata:
	172	- labels:
	173	- app: metallb
	174	- name: config-watcher
	175	- namespace: metallb-system
	176	-rules:
	177	-- apiGroups:
	178	- - ''
	179	- resources:
	180	- - configmaps
	181	- verbs:
	182	- - get
	183	- - list
	184	- - watch
	185	----
	186	-apiVersion: rbac.authorization.k8s.io/v1
	187	-kind: Role
	188	-metadata:
	189	- labels:
	190	- app: metallb
	191	- name: pod-lister
	192	- namespace: metallb-system
	193	-rules:
	194	-- apiGroups:
	195	- - ''
	196	- resources:
	197	- - pods
	198	- verbs:
	199	- - list
	200	----
	201	-apiVersion: rbac.authorization.k8s.io/v1
	202	-kind: ClusterRoleBinding
	203	-metadata:
	204	- labels:
	205	- app: metallb
	206	- name: metallb-system:controller
	207	-roleRef:
	208	- apiGroup: rbac.authorization.k8s.io
	209	- kind: ClusterRole
	210	- name: metallb-system:controller
	211	-subjects:
	212	-- kind: ServiceAccount
	213	- name: controller
	214	- namespace: metallb-system
	215	----
	216	-apiVersion: rbac.authorization.k8s.io/v1
	217	-kind: ClusterRoleBinding
	218	-metadata:
	219	- labels:
	220	- app: metallb
	221	- name: metallb-system:speaker
	222	-roleRef:
	223	- apiGroup: rbac.authorization.k8s.io
	224	- kind: ClusterRole
	225	- name: metallb-system:speaker
	226	-subjects:
	227	-- kind: ServiceAccount
	228	- name: speaker
	229	- namespace: metallb-system
	230	----
	231	-apiVersion: rbac.authorization.k8s.io/v1
	232	-kind: RoleBinding
	233	-metadata:
	234	- labels:
	235	- app: metallb
	236	- name: config-watcher
	237	- namespace: metallb-system
	238	-roleRef:
	239	- apiGroup: rbac.authorization.k8s.io
	240	- kind: Role
	241	- name: config-watcher
	242	-subjects:
	243	-- kind: ServiceAccount
	244	- name: controller
	245	-- kind: ServiceAccount
	246	- name: speaker
	247	----
	248	-apiVersion: rbac.authorization.k8s.io/v1
	249	-kind: RoleBinding
	250	-metadata:
	251	- labels:
	252	- app: metallb
	253	- name: pod-lister
	254	- namespace: metallb-system
	255	-roleRef:
	256	- apiGroup: rbac.authorization.k8s.io
	257	- kind: Role
	258	- name: pod-lister
	259	-subjects:
	260	-- kind: ServiceAccount
	261	- name: speaker
	262	----
	263	-apiVersion: apps/v1
	264	-kind: DaemonSet
	265	-metadata:
	266	- labels:
	267	- app: metallb
	268	- component: speaker
	269	- name: speaker
	270	- namespace: metallb-system
	271	-spec:
	272	- selector:
	273	- matchLabels:
	274	- app: metallb
	275	- component: speaker
	276	- template:
	277	- metadata:
	278	- annotations:
	279	- prometheus.io/port: '7472'
	280	- prometheus.io/scrape: 'true'
	281	- labels:
	282	- app: metallb
	283	- component: speaker
	284	- spec:
	285	- containers:
	286	- - args:
	287	- - --port=7472
	288	- - --config=config
	289	- env:
	290	- - name: METALLB_NODE_NAME
	291	- valueFrom:
	292	- fieldRef:
	293	- fieldPath: spec.nodeName
	294	- - name: METALLB_HOST
	295	- valueFrom:
	296	- fieldRef:
	297	- fieldPath: status.hostIP
	298	- - name: METALLB_ML_BIND_ADDR
	299	- valueFrom:
	300	- fieldRef:
	301	- fieldPath: status.podIP
	302	- # needed when another software is also using memberlist / port 7946
	303	- #- name: METALLB_ML_BIND_PORT
	304	- # value: "7946"
	305	- - name: METALLB_ML_LABELS
	306	- value: "app=metallb,component=speaker"
	307	- - name: METALLB_ML_NAMESPACE
	308	- valueFrom:
	309	- fieldRef:
	310	- fieldPath: metadata.namespace
	311	- - name: METALLB_ML_SECRET_KEY
	312	- valueFrom:
	313	- secretKeyRef:
	314	- name: memberlist
	315	- key: secretkey
	316	- image: 192.168.11.254:5000/metallb/speaker:v0.9.4
	317	- imagePullPolicy: Always
	318	- name: speaker
	319	- ports:
	320	- - containerPort: 7472
	321	- name: monitoring
	322	- resources:
	323	- limits:
	324	- cpu: 100m
	325	- memory: 100Mi
	326	- securityContext:
	327	- allowPrivilegeEscalation: false
	328	- capabilities:
	329	- add:
	330	- - NET_ADMIN
	331	- - NET_RAW
	332	- - SYS_ADMIN
	333	- drop:
	334	- - ALL
	335	- readOnlyRootFilesystem: true
	336	- hostNetwork: true
	337	- nodeSelector:
	338	- beta.kubernetes.io/os: linux
	339	- serviceAccountName: speaker
	340	- terminationGracePeriodSeconds: 2
	341	- tolerations:
	342	- - effect: NoSchedule
	343	- key: node-role.kubernetes.io/master
	344	----
	345	-apiVersion: apps/v1
	346	-kind: Deployment
	347	-metadata:
	348	- labels:
	349	- app: metallb
	350	- component: controller
	351	- name: controller
	352	- namespace: metallb-system
	353	-spec:
	354	- revisionHistoryLimit: 3
	355	- selector:
	356	- matchLabels:
	357	- app: metallb
	358	- component: controller
	359	- template:
	360	- metadata:
	361	- annotations:
	362	- prometheus.io/port: '7472'
	363	- prometheus.io/scrape: 'true'
	364	- labels:
	365	- app: metallb
	366	- component: controller
	367	- spec:
	368	- containers:
	369	- - args:
	370	- - --port=7472
	371	- - --config=config
	372	- image: 192.168.11.254:5000/metallb/controller:v0.9.4
	373	- imagePullPolicy: Always
	374	- name: controller
	375	- ports:
	376	- - containerPort: 7472
	377	- name: monitoring
	378	- resources:
	379	- limits:
	380	- cpu: 100m
	381	- memory: 100Mi
	382	- securityContext:
	383	- allowPrivilegeEscalation: false
	384	- capabilities:
	385	- drop:
	386	- - all
	387	- readOnlyRootFilesystem: true
	388	- nodeSelector:
	389	- beta.kubernetes.io/os: linux
	390	- securityContext:
	391	- runAsNonRoot: true
	392	- runAsUser: 65534
	393	- serviceAccountName: controller
	394	- terminationGracePeriodSeconds: 0

018d885

yaml/namespace.yaml (deleted)

--- yaml/namespace.yaml

...	...	@@ -1,6 +0,0 @@
	1	-apiVersion: v1
	2	-kind: Namespace
	3	-metadata:
	4	- name: metallb-system
	5	- labels:
	6	- app: metallb

018d885

시나리오.txt (deleted)

--- 시나리오.txt

...	...	@@ -1,119 +0,0 @@
	1	-1. 도커-쿠버네티스 설치
	2	-- 설치 스크립트 및 yaml파일을 다운받습니다.
	3	-git clone http://112.217.198.156:9000/%EC%97%91%EC%84%B8%EC%8A%A4%EB%9E%A9/CCCR_Lecture
	4	-
	5	-- CCCR_Lecture 디렉토리로 이동합니다.
	6	-cd CCCR_Lecture/
	7	-
	8	-- 도커 쿠버네티스 설치 스크립트를 실행시킵니다. (sudo 권한으로 실행)
	9	-sudo ./install-docker-k8s.sh
	10	-
	11	-- 설치가 완료 되면 명령어 자동완성 활성화 및 일반사용자의 도커 사용을 위해 로그아웃 한 후 로그인을 합니다.\
	12	-exit
	13	-
	14	-------
	15	-
	16	-2. 쿠버네티스 클러스터 구성
	17	-- CCCR_Lecture 디렉토리로 이동합니다.
	18	-cd CCCR_Lecture/
	19	-
	20	-- 원노드 클러스터를 구성하는 스크립트를 실행시킵니다.
	21	-sudo ./init-k8s.sh
	22	-
	23	-- 수강번호를 입력합니다.
	24	-수강번호 : admin
	25	-
	26	-- 스크립트 실행이 끝나면 정상적으로 쿠버네티스 클러스터가 구성이 되었는지 확인합니다.
	27	-kubectl get node
	28	-
	29	-kubectl get all --all-namespaces
	30	-
	31	-NAMESPACE NAME READY STATUS RESTARTS AGE
	32	-kube-system pod/calico-kube-controllers-58497c65d5-6cfcg 1/1 Running 0 24m
	33	-kube-system pod/calico-node-mmg6b 1/1 Running 0 24m
	34	-kube-system pod/coredns-78fcd69978-5jczq 1/1 Running 0 24m
	35	-kube-system pod/coredns-78fcd69978-mbm9z 1/1 Running 0 24m
	36	-kube-system pod/etcd-vraptor 1/1 Running 4 24m
	37	-kube-system pod/kube-apiserver-vraptor 1/1 Running 4 24m
	38	-kube-system pod/kube-controller-manager-vraptor 1/1 Running 4 24m
	39	-kube-system pod/kube-proxy-7lsph 1/1 Running 0 24m
	40	-kube-system pod/kube-scheduler-vraptor 1/1 Running 3 24m
	41	-local-path-storage pod/local-path-provisioner-556d4466c8-qwnvd 1/1 Running 0 24m
	42	-metallb-system pod/controller-8687cdc65-f4r26 1/1 Running 0 24m
	43	-metallb-system pod/speaker-wpwg7 1/1 Running 0 24m
	44	-
	45	-NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
	46	-default service/kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 24m
	47	-kube-system service/kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP,9153/TCP 24m
	48	-
	49	-NAMESPACE NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
	50	-kube-system daemonset.apps/calico-node 1 1 1 1 1 kubernetes.io/os=linux 24m
	51	-kube-system daemonset.apps/kube-proxy 1 1 1 1 1 kubernetes.io/os=linux 24m
	52	-metallb-system daemonset.apps/speaker 1 1 1 1 1 beta.kubernetes.io/os=linux 24m
	53	-
	54	-NAMESPACE NAME READY UP-TO-DATE AVAILABLE AGE
	55	-kube-system deployment.apps/calico-kube-controllers 1/1 1 1 24m
	56	-kube-system deployment.apps/coredns 2/2 2 2 24m
	57	-local-path-storage deployment.apps/local-path-provisioner 1/1 1 1 24m
	58	-metallb-system deployment.apps/controller 1/1 1 1 24m
	59	-
	60	-NAMESPACE NAME DESIRED CURRENT READY AGE
	61	-kube-system replicaset.apps/calico-kube-controllers-58497c65d5 1 1 1 24m
	62	-kube-system replicaset.apps/coredns-78fcd69978 2 2 2 24m
	63	-local-path-storage replicaset.apps/local-path-provisioner-556d4466c8 1 1 1 24m
	64	-metallb-system replicaset.apps/controller-8687cdc65 1 1 1 24m
	65	-
	66	-
	67	-
	68	-만약 제대로 구성이 되지 않았다면 다시 한번 스크립트를 실행시킵니다.
	69	-sudo ./init-k8s.sh
	70	-
	71	----
	72	-
	73	-3. nodejs 올려보기
	74	-
	75	-- nodejs.yaml 파일을 통해 디플로이먼트 및 서비스를 생성합니다.
	76	-kubectl create -f nodejs.yaml
	77	-
	78	-- 파드 및 서비스가 정상적으로 생성되었는지 확인합니다.
	79	-kubectl get all -o wide
	80	-
	81	-- 파드의 정보를 자세히 볼 수 있습니다.
	82	-kubectl get pod -o wide
	83	-
	84	-- 외부 접속 IP를 확인합니다.
	85	-kubectl get svc -o wide
	86	-
	87	-- 로드밸런서 타입의 서비스와 연결된 pod의 ip를 확인합니다.
	88	-kubectl get endpoints
	89	-
	90	-- curl 또는 web으로 접속하여 확인합니다.
	91	-watch -n 1 curl 192.168.11.61
	92	-
	93	-http://210.117.126.4:61080 으로 접속
	94	-
	95	----
	96	-
	97	-4. wordpress 구축하기
	98	-
	99	-- kustomization.yaml 을 통해 리소스를 생성합니다.
	100	-kubectl apply -k ./
	101	-
	102	-- 리소스가 생성 되었는지 확인합니다.
	103	-kubectl get all -o wide
	104	-
	105	-- 파드의 정보를 자세히 볼 수 있습니다.
	106	-kubectl get pod -o wide
	107	-
	108	-- 외부 접속 IP를 확인합니다.
	109	-kubectl get svc -o wide
	110	-
	111	-- 로드밸런서 타입의 서비스와 연결된 pod의 ip를 확인합니다.
	112	-kubectl get endpoints
	113	-
	114	-- web으로 접속하여 확인합니다.
	115	-http://210.117.126.4:62080 으로 접속
	116	-
	117	-- 생성된 리소스를 삭제하려면 다음의 명령어를 실행합니다.
	118	-kubectl delete -f nodejs.yaml
	119	-kubectl delete -f -k ./

Add a comment

Open 0
Closed 0

List

Delete comment