/
antrea-controller.conf
134 lines (109 loc) · 7.44 KB
/
antrea-controller.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
# FeatureGates is a map of feature names to bools that enable or disable experimental features.
featureGates:
# AllAlpha is a global toggle for alpha features. Per-feature key values override the default set by AllAlpha.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "AllAlpha" "default" false) }}
# AllBeta is a global toggle for beta features. Per-feature key values override the default set by AllBeta.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "AllBeta" "default" false) }}
# Enable traceflow which provides packet tracing feature to diagnose network issue.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "Traceflow" "default" true) }}
# Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
# to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
# feature that supports priorities, ExternalEntities, FQDN rules and more.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "AntreaPolicy" "default" true) }}
# Enable collecting and exposing NetworkPolicy statistics.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "NetworkPolicyStats" "default" true) }}
# Enable multicast traffic.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "Multicast" "default" true) }}
# Enable controlling SNAT IPs of Pod egress traffic.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "Egress" "default" true) }}
# Run Kubernetes NodeIPAMController with Antrea.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "NodeIPAM" "default" true) }}
# Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the
# bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for
# IPAM when configuring secondary network interfaces with Multus.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "AntreaIPAM" "default" false) }}
# Enable managing external IPs of Services of LoadBalancer type.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "ServiceExternalIP" "default" false) }}
# Enable certificate-based authentication for IPSec tunnel.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "IPsecCertAuth" "default" false) }}
# Enable managing ExternalNode for unmanaged VM/BM.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "ExternalNode" "default" false) }}
# Enable collecting support bundle files with SupportBundleCollection CRD.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "SupportBundleCollection" "default" false) }}
# Enable Antrea Multi-cluster features.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "Multicluster" "default" false) }}
# Enable users to protect their applications by specifying how they are allowed to communicate with others, taking
# into account application context.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "L7NetworkPolicy" "default" false) }}
# Enable the use of Network Policy APIs (https://network-policy-api.sigs.k8s.io/api-overview) which helps administrators
# set security postures for their clusters.
{{- include "featureGate" (dict "featureGates" .Values.featureGates "name" "AdminNetworkPolicy" "default" false) }}
# The port for the antrea-controller APIServer to serve on.
# Note that if it's set to another value, the `containerPort` of the `api` port of the
# `antrea-controller` container must be set to the same value.
apiPort: {{ .Values.controller.apiPort }}
# Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
enablePrometheusMetrics: {{ .Values.controller.enablePrometheusMetrics }}
# Indicates whether to use auto-generated self-signed TLS certificate.
# If false, a Secret named "antrea-controller-tls" must be provided with the following keys:
# ca.crt: <CA certificate>
# tls.crt: <TLS certificate>
# tls.key: <TLS private key>
selfSignedCert: {{ .Values.controller.selfSignedCert }}
# Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
# https://golang.org/pkg/crypto/tls/#pkg-constants
# Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
# prefer TLS1.3 Cipher Suites whenever possible.
tlsCipherSuites: {{ .Values.tlsCipherSuites | quote }}
# TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
tlsMinVersion: {{ .Values.tlsMinVersion | quote }}
# File path of the certificate bundle for all the signers that is recognized for incoming client
# certificates.
clientCAFile: {{ .Values.clientCAFile | quote }}
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
# It is typically used when kube-proxy is not deployed (replaced by AntreaProxy) and kube-controller-manager
# does not run NodeIPAMController (replaced by Antrea NodeIPAM).
# Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
kubeAPIServerOverride: {{ .Values.kubeAPIServerOverride | quote }}
nodeIPAM:
{{- with .Values.nodeIPAM }}
# Enable the integrated Node IPAM controller within the Antrea controller.
enableNodeIPAM: {{ .enable }}
# CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges.
# The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family.
# Value ignored when enableNodeIPAM is false.
clusterCIDRs:
{{- with .clusterCIDRs }}
{{- toYaml . | nindent 4 }}
{{- end }}
# CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs.
# Value ignored when enableNodeIPAM is false.
serviceCIDR: {{ .serviceCIDR | quote }}
serviceCIDRv6: {{ .serviceCIDRv6 | quote }}
# Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false
# or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30.
nodeCIDRMaskSizeIPv4: {{ .nodeCIDRMaskSizeIPv4 }}
# Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false
# or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126.
nodeCIDRMaskSizeIPv6: {{ .nodeCIDRMaskSizeIPv6 }}
{{- end }}
ipsecCSRSigner:
{{- with .Values.ipsec }}
# Determines the auto-approve policy of Antrea CSR signer for IPsec certificates management.
# If enabled, Antrea will auto-approve the CertificateSingingRequest (CSR) if its subject and x509 extensions
# are permitted, and the requestor can be validated. If K8s `BoundServiceAccountTokenVolume` feature is enabled,
# the Pod identity will also be validated to provide maximum security.
# If set to false, Antrea will not auto-approve CertificateSingingRequests and they need to be approved
# manually by `kubectl certificate approve`.
autoApprove: {{ .csrSigner.autoApprove }}
# Indicates whether to use auto-generated self-signed CA certificate.
# If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys:
# tls.crt: <CA certificate>
# tls.key: <CA private key>
selfSignedCA: {{ .csrSigner.selfSignedCA }}
{{- end }}
multicluster:
{{- with .Values.multicluster }}
# Enable Multi-cluster NetworkPolicy.
enableStretchedNetworkPolicy: {{ .enableStretchedNetworkPolicy }}
{{- end }}