adds felixconfig and cni-configuration entries for policy setup timeouts
aaaaaaaalex committed Mar 15, 2024
1 parent a853d5e commit eca5361
Showing 3 changed files with 48 additions and 0 deletions.
46 changes: 46 additions & 0 deletions calico/reference/configure-cni-plugins.mdx
Expand Up @@ -248,6 +248,52 @@ you must also run calico/kube-controllers with the policy, profile, and workload

When using `type: k8s`, the {{prodname}} CNI plugin requires read-only Kubernetes API access to the `Pods` resource in all namespaces.


### Enabling policy setup timeout

The `policy_setup_timeout_seconds` option makes the {{prodname}} CNI plugin wait to start a new pod until one of the following conditions occurs:

- The pod's policy has finished being programmed.
- A specified amount of time has elapsed.

By setting this option, you can avoid errors that can occur when a pod tries to start before the pod's policy is programmed.

Example CNI config:


```json
{
"name": "any_name",
"cniVersion": "0.1.0",
"type": "calico",
"ipam": {
"type": "calico-ipam",
"policy_setup_timeout_seconds": 10
}
}
```

The {{prodname}} CNI plugin uses {{prodname}}'s `endpoint-status` directory to determine when the dataplane has been programmed for a pod.

By default, the {{prodname}} CNI plugin will look for the directory at: `/var/run/calico/endpoint-status`.
To enable and adjust where {{prodname}} writes `endpoint-status`, the `endpointStatusPathPrefix` option must be configured for [Felix](./felix/configuration.mdx).

To adjust where the {{prodname}} CNI plugin looks for {{prodname}}'s `endpoint-status` directory, you must set the `endpoint_status_dir` option.

Example CNI config:


```json
{
"name": "any_name",
"cniVersion": "0.1.0",
"type": "calico",
"ipam": {
"type": "calico-ipam",
"policy_setup_timeout_seconds": 10,
"endpoint_status_dir": "/path/to/endpoint-status"
}
}
```


## IPAM

### Using host-local IPAM
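Review bot: The section never says what happens when `policy_setup_timeout_seconds` elapses before the pod's policy is programmed. The two bullets imply the pod is started anyway, which makes the timeout fail-open from a policy standpoint, and that should be stated explicitly next to the option (together with how a value of `0` is treated) so operators choosing a value understand the trade-off. Two smaller points in the same hunk: the prose describes `policy_setup_timeout_seconds` and `endpoint_status_dir` as options of the CNI plugin, yet both JSON examples nest them inside the `ipam` block, so either the examples should move them to the top level next to `"type": "calico"` or the text should say they are read from the IPAM section; and the relationship between Felix's `endpointStatusPathPrefix` and the plugin's `endpoint_status_dir` (the latter is the prefix plus `/endpoint-status`, matching the stated default `/var/run/calico/endpoint-status`) is only implied, so one sentence making that explicit would prevent a misconfiguration where the two disagree and the plugin waits for the full timeout on every pod.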
1 change: 1 addition & 0 deletions calico/reference/felix/configuration.mdx
Expand Up @@ -52,6 +52,7 @@ The full list of parameters which can be set is as follows.
| `DisableConntrackInvalidCheck` | `FELIX_DISABLECONNTRACKINVALIDCHECK` | Disable the dropping of packets that aren't either a valid handshake or part of an established connection. [Default: `false`] | boolean |
| `EndpointReportingDelaySecs` | `FELIX_ENDPOINTREPORTINGDELAYSECS` | Set the endpoint reporting delay between status check intervals, in seconds. Only used if endpoint reporting is enabled. [Default: `1`] | int |
| `EndpointReportingEnabled` | `FELIX_ENDPOINTREPORTINGENABLED` | Enable the endpoint status reporter. [Default: `false`] | boolean |
| `EndpointStatusPathPrefix` | `FELIX_ENDPOINTSTATUSPATHPREFIX` | Path to the directory where Felix should create the `endpoint-status` directory. Choosing a mounted volume such as `/var/run/calico` is recommended as the directory can then be monitored by host processes such as the Calico CNI. Leaving this field empty disables endpoint-status files. [Default: ""] | string |
| `ExternalNodesCIDRList` | `FELIX_EXTERNALNODESCIDRLIST` | Comma-delimited list of IPv4 or CIDR of external-non-calico-nodes from which IPIP traffic is accepted by calico-nodes. [Default: ""] | string |
| `FailsafeInboundHostPorts` | `FELIX_FAILSAFEINBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value `none`. The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: `tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string |
| `FailsafeOutboundHostPorts` | `FELIX_FAILSAFEOUTBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value `none`. The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. [Default: `udp:53, udp:67, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string |
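Review bot: The new `EndpointStatusPathPrefix` row should say what Felix writes under the `endpoint-status` directory (the description only mentions "endpoint-status files") and that the prefix must line up with the CNI plugin's `endpoint_status_dir` option, whose documented default `/var/run/calico/endpoint-status` is this prefix plus `/endpoint-status`; the Calico CNI is the only consumer named here, and as written the reader has to find the CNI reference page to learn why `/var/run/calico` is the recommended value. A cross-link to that section would be enough.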
1 change: 1 addition & 0 deletions calico/reference/resources/felixconfig.mdx
Expand Up @@ -44,6 +44,7 @@ spec:
| deviceRouteSourceAddress | IPv4 address to set as the source hint for routes programmed by Felix. When not set the source address for local traffic from host to workload will be determined by the kernel. | IPv4 | string | `""` |
| deviceRouteSourceAddressIPv6 | IPv6 address to set as the source hint for routes programmed by Felix. When not set the source address for local traffic from host to workload will be determined by the kernel. | IPv6 | string | `""` |
| deviceRouteProtocol | This defines the route protocol added to programmed device routes. | Protocol | int | RTPROT_BOOT |
| endpointStatusPathPrefix | Path to the directory where Felix should create the `endpoint-status` directory. Choosing a mounted volume such as `/var/run/calico` is recommended as the directory can then be monitored by host processes such as the Calico CNI. Leaving this field empty disables endpoint-status files. | Any existing path in the calico-node container | string | `""`| | string |
| externalNodesCIDRList | A comma-delimited list of CIDRs of external non-calico nodes, which can source tunnel traffic for acceptance by calico-nodes. | IPv4 | string | `""` |
| failsafeInboundHostPorts | UDP/TCP/SCTP protocol/cidr/port groupings that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. The default value allows SSH access, etcd, BGP, DHCP and the Kubernetes API. | | List of [ProtoPort](#protoport) | <p><code>- protocol: tcp<br/>&nbsp;&nbsp;port: 22<br/>- protocol: udp<br/>&nbsp;&nbsp;port: 68<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 179<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 2379<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 2380<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 5473<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 6443<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 6666<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 6667</code></p> |
| failsafeOutboundHostPorts | UDP/TCP/SCTP protocol/port groupings that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. | | List of [ProtoPort](#protoport) | <p><code>- protocol: udp<br/>&nbsp;&nbsp;port: 53<br/>- protocol: udp<br/>&nbsp;&nbsp;port: 67<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 179<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 2379<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 2380<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 5473<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 6443<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 6666<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 6667</code></p> |
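Review bot: The `endpointStatusPathPrefix` row in the felixconfig table is malformed: it ends with `` | string | `""`| | string | ``, which adds two cells (an empty one and a second `string`) beyond the five columns the surrounding rows use (field, description, accepted values, schema, default), so the row will render broken. It should end after the default, i.e. `` | Any existing path in the calico-node container | string | `""` | ``. Also, the accepted-values cell says "any existing path in the calico-node container", but the description recommends a mounted volume precisely so that host processes such as the Calico CNI can read the directory, so it is worth saying the path must also be visible on the host, in line with the `/var/run/calico` recommendation.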

0 comments on commit eca5361