adds felixconfig and cni-configuration entries for policy setup timeouts
aaaaaaaalex committed Mar 13, 2024
1 parent a853d5e commit 8d3dd4c
Showing 3 changed files with 31 additions and 0 deletions.
29 changes: 29 additions & 0 deletions calico/reference/configure-cni-plugins.mdx
Expand Up @@ -248,6 +248,35 @@ you must also run calico/kube-controllers with the policy, profile, and workload

When using `type: k8s`, the {{prodname}} CNI plugin requires read-only Kubernetes API access to the `Pods` resource in all namespaces.

### Enabling Policy Setup Timeout

If you wish for the CNI to delay a new pod from starting until the pod's policy has been programmed to the dataplane,
then you may set a policy-setup timeout, e.g.

```json
{
"name": "any_name",
"cniVersion": "0.1.0",
"type": "calico",
"ipam": {
"type": "calico-ipam"
"policy_setup_timeout_seconds": 10
}
}
```

:::note

A `policy_setup_timeout_seconds` of 0 disables any policy-setup waiting.

:::

:::note

If the pod's policy is not programmed after the number of seconds specified, the CNI will allow the pod to start its containers anyway.

:::

## IPAM

### Using host-local IPAM
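Review bot: the JSON sample in this hunk is not valid JSON: the line `"type": "calico-ipam"` needs a trailing comma before `"policy_setup_timeout_seconds": 10`, and the new key is nested inside the `ipam` object even though the surrounding prose describes it as a setting of the CNI plugin itself, so please confirm where the key is meant to live and fix the comma. The two `:::note` blocks would also read better merged, and the second should state plainly that expiry is fail-open: once the timeout passes, the pod's containers start without their policy programmed, so the value trades pod startup latency against a window in which the pod runs unpolicied, and `0` disables the wait entirely.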
1 change: 1 addition & 0 deletions calico/reference/felix/configuration.mdx
Expand Up @@ -52,6 +52,7 @@ The full list of parameters which can be set is as follows.
| `DisableConntrackInvalidCheck` | `FELIX_DISABLECONNTRACKINVALIDCHECK` | Disable the dropping of packets that aren't either a valid handshake or part of an established connection. [Default: `false`] | boolean |
| `EndpointReportingDelaySecs` | `FELIX_ENDPOINTREPORTINGDELAYSECS` | Set the endpoint reporting delay between status check intervals, in seconds. Only used if endpoint reporting is enabled. [Default: `1`] | int |
| `EndpointReportingEnabled` | `FELIX_ENDPOINTREPORTINGENABLED` | Enable the endpoint status reporter. [Default: `false`] | boolean |
| `EndpointStatusPathPrefix` | `FELIX_ENDPOINTSTATUSPATHPREFIX` | Path to use for writing and maintaining endpoint status files. If left empty, disables writing endpoint status to files. [Default: ""] | string |
| `ExternalNodesCIDRList` | `FELIX_EXTERNALNODESCIDRLIST` | Comma-delimited list of IPv4 or CIDR of external-non-calico-nodes from which IPIP traffic is accepted by calico-nodes. [Default: ""] | string |
| `FailsafeInboundHostPorts` | `FELIX_FAILSAFEINBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value `none`. The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: `tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string |
| `FailsafeOutboundHostPorts` | `FELIX_FAILSAFEOUTBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value `none`. The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. [Default: `udp:53, udp:67, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string |
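Review bot: the row added here documents `EndpointStatusPathPrefix` / `FELIX_ENDPOINTSTATUSPATHPREFIX`, which is unrelated to the policy setup timeout named in the commit message; either the commit message should mention it or the row belongs in a separate change. The row itself is consistent with the table (the `[Default: ""]` style matches the `ExternalNodesCIDRList` row directly below it).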
1 change: 1 addition & 0 deletions calico/reference/resources/felixconfig.mdx
Expand Up @@ -44,6 +44,7 @@ spec:
| deviceRouteSourceAddress | IPv4 address to set as the source hint for routes programmed by Felix. When not set the source address for local traffic from host to workload will be determined by the kernel. | IPv4 | string | `""` |
| deviceRouteSourceAddressIPv6 | IPv6 address to set as the source hint for routes programmed by Felix. When not set the source address for local traffic from host to workload will be determined by the kernel. | IPv6 | string | `""` |
| deviceRouteProtocol | This defines the route protocol added to programmed device routes. | Protocol | int | RTPROT_BOOT |
| endpointStatusPathPrefix | Path to use for writing and maintaining endpoint status files. If left empty, disables writing endpoint status to files. | Any existing path in the calico-node container | string | `""`| | string |
| externalNodesCIDRList | A comma-delimited list of CIDRs of external non-calico nodes, which can source tunnel traffic for acceptance by calico-nodes. | IPv4 | string | `""` |
| failsafeInboundHostPorts | UDP/TCP/SCTP protocol/cidr/port groupings that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. The default value allows SSH access, etcd, BGP, DHCP and the Kubernetes API. | | List of [ProtoPort](#protoport) | <p><code>- protocol: tcp<br/>&nbsp;&nbsp;port: 22<br/>- protocol: udp<br/>&nbsp;&nbsp;port: 68<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 179<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 2379<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 2380<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 5473<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 6443<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 6666<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 6667</code></p> |
| failsafeOutboundHostPorts | UDP/TCP/SCTP protocol/port groupings that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. | | List of [ProtoPort](#protoport) | <p><code>- protocol: udp<br/>&nbsp;&nbsp;port: 53<br/>- protocol: udp<br/>&nbsp;&nbsp;port: 67<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 179<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 2379<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 2380<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 5473<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 6443<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 6666<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 6667</code></p> |
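Review bot: the `endpointStatusPathPrefix` row in this hunk has one column too many: it ends `| string | `""`| | string |`, leaving an empty cell and a stray trailing `string` after the default value, which will break the rendered table; it should end `| string | `""` |` like the `deviceRouteProtocol` and `externalNodesCIDRList` rows around it. As with the Felix configuration table, this addition is unrelated to the commit's stated subject of policy setup timeouts.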

0 comments on commit 8d3dd4c