From a82fa5872150df35ee195fb2c069fb4982ea7a7d Mon Sep 17 00:00:00 2001 From: Ciprian Hacman Date: Fri, 11 Dec 2020 14:36:53 +0200 Subject: [PATCH] Order by name fields in CalicoNetworkingSpec --- k8s/crds/kops.k8s.io_clusters.yaml | 14 +++--- pkg/apis/kops/networking.go | 44 ++++++++++--------- pkg/apis/kops/v1alpha2/networking.go | 44 ++++++++++--------- .../kops/v1alpha2/zz_generated.conversion.go | 20 ++++----- pkg/apis/kops/validation/validation.go | 26 +++++------ pkg/apis/kops/validation/validation_test.go | 8 ++-- pkg/model/iam/iam_builder.go | 4 +- upup/models/bindata.go | 2 +- .../k8s-1.16.yaml.template | 2 +- 9 files changed, 86 insertions(+), 78 deletions(-) diff --git a/k8s/crds/kops.k8s.io_clusters.yaml b/k8s/crds/kops.k8s.io_clusters.yaml index ed486aa93319c..c8bfafb5c241f 100644 --- a/k8s/crds/kops.k8s.io_clusters.yaml +++ b/k8s/crds/kops.k8s.io_clusters.yaml @@ -2858,12 +2858,12 @@ spec: networking properties: awsSrcDstCheck: - description: 'AwsSrcDstCheck enables/disables source/destination - checks (AWS only) Options: "DoNothing" (default) , "Enable" - or "Disable"' + description: 'AWSSrcDstCheck enables/disables ENI source/destination + checks (AWS only) Options: DoNothing (default), Enable, + or Disable' type: string bpfEnabled: - description: BpfEnabled enables the eBPF dataplane mode. + description: BPFEnabled enables the eBPF dataplane mode. type: boolean bpfExternalServiceMode: description: 'BPFExternalServiceMode controls how traffic @@ -2907,7 +2907,11 @@ spec: when set to true type: boolean ipipMode: - description: IPIPMode is mode for CALICO_IPV4POOL_IPIP + description: IPIPMode is the encapsulation mode to use for + the default Calico IPv4 pool created at start up, determining + when to use IP-in-IP encapsulation, conveyed to the "calico-node" + daemon container via the CALICO_IPV4POOL_IPIP environment + variable type: string iptablesBackend: description: 'IptablesBackend controls which variant of iptables 
diff --git a/pkg/apis/kops/networking.go b/pkg/apis/kops/networking.go index e1470a84a6f32..57968033a463d 100644 --- a/pkg/apis/kops/networking.go +++ b/pkg/apis/kops/networking.go @@ -103,7 +103,10 @@ type FlannelNetworkingSpec struct { // CalicoNetworkingSpec declares that we want Calico networking type CalicoNetworkingSpec struct { - // BpfEnabled enables the eBPF dataplane mode. + // AWSSrcDstCheck enables/disables ENI source/destination checks (AWS only) + // Options: DoNothing (default), Enable, or Disable + AWSSrcDstCheck string `json:"awsSrcDstCheck,omitempty"` + // BPFEnabled enables the eBPF dataplane mode. BPFEnabled bool `json:"bpfEnabled,omitempty"` // BPFExternalServiceMode controls how traffic from outside the cluster to NodePorts and ClusterIPs is handled. // In Tunnel mode, packet is tunneled from the ingress host to the host with the backing pod and back again. 
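Review bot: The new `AWSSrcDstCheck` doc comment lists the three options but omits two effects visible elsewhere in this patch. The Calico manifest template renders `Disable` whenever the cloud provider is AWS and `CrossSubnet` is true, regardless of this field. `BuildAWSPolicy` in `pkg/model/iam/iam_builder.go` calls `addCalicoSrcDstCheckPermissions` for both node roles on any non-empty value, which includes an explicit `DoNothing`. I would add two comment lines such as `// Ignored on AWS when CrossSubnet is true (the template then always renders Disable).` and `// Any non-empty value, including DoNothing, adds the Calico src/dst-check IAM permissions to the node roles.` The same comment is added in `pkg/apis/kops/v1alpha2/networking.go` and needs the same wording; the struct body continues outside this hunk.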
@@ -126,9 +129,25 @@ type CalicoNetworkingSpec struct {
 CPURequest *resource.Quantity `json:"cpuRequest,omitempty"`
 // CrossSubnet enables Calico's cross-subnet mode when set to true
 CrossSubnet bool `json:"crossSubnet,omitempty"`
- // AwsSrcDstCheck enables/disables source/destination checks (AWS only)
- // Options: "DoNothing" (default) , "Enable" or "Disable"
- AwsSrcDstCheck string `json:"awsSrcDstCheck,omitempty"`
+ // IPIPMode is the encapsulation mode to use for the default Calico IPv4 pool created at start
+ // up, determining when to use IP-in-IP encapsulation, conveyed to the "calico-node" daemon
+ // container via the CALICO_IPV4POOL_IPIP environment variable
+ IPIPMode string `json:"ipipMode,omitempty"`
+ // IPv4AutoDetectionMethod configures how Calico chooses the IP address used to route
+ // between nodes. This should be set when the host has multiple interfaces
+ // and it is important to select the interface used.
+ // Options: "first-found" (default), "can-reach=DESTINATION",
+ // "interface=INTERFACE-REGEX", or "skip-interface=INTERFACE-REGEX"
+ IPv4AutoDetectionMethod string `json:"ipv4AutoDetectionMethod,omitempty"`
+ // IPv6AutoDetectionMethod configures how Calico chooses the IP address used to route
+ // between nodes. This should be set when the host has multiple interfaces
+ // and it is important to select the interface used.
+ // Options: "first-found" (default), "can-reach=DESTINATION",
+ // "interface=INTERFACE-REGEX", or "skip-interface=INTERFACE-REGEX"
+ IPv6AutoDetectionMethod string `json:"ipv6AutoDetectionMethod,omitempty"`
+ // IptablesBackend controls which variant of iptables binary Felix uses
+ // Default: Auto (other options: Legacy, NFT)
+ IptablesBackend string `json:"iptablesBackend,omitempty"`
 // LogSeverityScreen lets us set the desired log level. (Default: info)
 LogSeverityScreen string `json:"logSeverityScreen,omitempty"`
 // MTU to be set in the cni-network-config for calico.
@@ -145,23 +164,6 @@ type CalicoNetworkingSpec struct {
 PrometheusProcessMetricsEnabled bool `json:"prometheusProcessMetricsEnabled,omitempty"`
 // MajorVersion is deprecated as of kOps 1.20 and has no effect
 MajorVersion string `json:"majorVersion,omitempty"`
- // IPv4AutoDetectionMethod configures how Calico chooses the IP address used to route
- // between nodes. This should be set when the host has multiple interfaces
- // and it is important to select the interface used.
- // Options: "first-found" (default), "can-reach=DESTINATION",
- // "interface=INTERFACE-REGEX", or "skip-interface=INTERFACE-REGEX"
- IPv4AutoDetectionMethod string `json:"ipv4AutoDetectionMethod,omitempty"`
- // IPv6AutoDetectionMethod configures how Calico chooses the IP address used to route
- // between nodes. This should be set when the host has multiple interfaces
- // and it is important to select the interface used.
- // Options: "first-found" (default), "can-reach=DESTINATION",
- // "interface=INTERFACE-REGEX", or "skip-interface=INTERFACE-REGEX"
- IPv6AutoDetectionMethod string `json:"ipv6AutoDetectionMethod,omitempty"`
- // IptablesBackend controls which variant of iptables binary Felix uses
- // Default: Auto (other options: Legacy, NFT)
- IptablesBackend string `json:"iptablesBackend,omitempty"`
- // IPIPMode is mode for CALICO_IPV4POOL_IPIP
- IPIPMode string `json:"ipipMode,omitempty"`
 // TyphaPrometheusMetricsEnabled enables Prometheus metrics collection from Typha
 // (default: false)
 TyphaPrometheusMetricsEnabled bool `json:"typhaPrometheusMetricsEnabled,omitempty"`
diff --git a/pkg/apis/kops/v1alpha2/networking.go b/pkg/apis/kops/v1alpha2/networking.go
index 834b688997509..81ce723bd969e 100644
--- a/pkg/apis/kops/v1alpha2/networking.go
+++ b/pkg/apis/kops/v1alpha2/networking.go
@@ -103,7 +103,10 @@ type FlannelNetworkingSpec struct { // CalicoNetworkingSpec declares that we want Calico networking type CalicoNetworkingSpec struct { - // BpfEnabled enables the eBPF dataplane mode. + // AWSSrcDstCheck enables/disables ENI source/destination checks (AWS only) + // Options: DoNothing (default), Enable, or Disable + AWSSrcDstCheck string `json:"awsSrcDstCheck,omitempty"` + // BPFEnabled enables the eBPF dataplane mode. BPFEnabled bool `json:"bpfEnabled,omitempty"` // BPFExternalServiceMode controls how traffic from outside the cluster to NodePorts and ClusterIPs is handled. // In Tunnel mode, packet is tunneled from the ingress host to the host with the backing pod and back again. 
@@ -126,9 +129,25 @@ type CalicoNetworkingSpec struct {
 CPURequest *resource.Quantity `json:"cpuRequest,omitempty"`
 // CrossSubnet enables Calico's cross-subnet mode when set to true
 CrossSubnet bool `json:"crossSubnet,omitempty"`
- // AwsSrcDstCheck enables/disables source/destination checks (AWS only)
- // Options: "DoNothing" (default) , "Enable" or "Disable"
- AwsSrcDstCheck string `json:"awsSrcDstCheck,omitempty"`
+ // IPIPMode is the encapsulation mode to use for the default Calico IPv4 pool created at start
+ // up, determining when to use IP-in-IP encapsulation, conveyed to the "calico-node" daemon
+ // container via the CALICO_IPV4POOL_IPIP environment variable
+ IPIPMode string `json:"ipipMode,omitempty"`
+ // IPv4AutoDetectionMethod configures how Calico chooses the IP address used to route
+ // between nodes. This should be set when the host has multiple interfaces
+ // and it is important to select the interface used.
+ // Options: "first-found" (default), "can-reach=DESTINATION",
+ // "interface=INTERFACE-REGEX", or "skip-interface=INTERFACE-REGEX"
+ IPv4AutoDetectionMethod string `json:"ipv4AutoDetectionMethod,omitempty"`
+ // IPv6AutoDetectionMethod configures how Calico chooses the IP address used to route
+ // between nodes. This should be set when the host has multiple interfaces
+ // and it is important to select the interface used.
+ // Options: "first-found" (default), "can-reach=DESTINATION",
+ // "interface=INTERFACE-REGEX", or "skip-interface=INTERFACE-REGEX"
+ IPv6AutoDetectionMethod string `json:"ipv6AutoDetectionMethod,omitempty"`
+ // IptablesBackend controls which variant of iptables binary Felix uses
+ // Default: Auto (other options: Legacy, NFT)
+ IptablesBackend string `json:"iptablesBackend,omitempty"`
 // LogSeverityScreen lets us set the desired log level. (Default: info)
 LogSeverityScreen string `json:"logSeverityScreen,omitempty"`
 // MTU to be set in the cni-network-config for calico.
@@ -145,23 +164,6 @@ type CalicoNetworkingSpec struct {
 PrometheusProcessMetricsEnabled bool `json:"prometheusProcessMetricsEnabled,omitempty"`
 // MajorVersion is deprecated as of kOps 1.20 and has no effect
 MajorVersion string `json:"majorVersion,omitempty"`
- // IptablesBackend controls which variant of iptables binary Felix uses
- // Default: Auto (other options: Legacy, NFT)
- IptablesBackend string `json:"iptablesBackend,omitempty"`
- // IPIPMode is mode for CALICO_IPV4POOL_IPIP
- IPIPMode string `json:"ipipMode,omitempty"`
- // IPv4AutoDetectionMethod configures how Calico chooses the IP address used to route
- // between nodes. This should be set when the host has multiple interfaces
- // and it is important to select the interface used.
- // Options: "first-found" (default), "can-reach=DESTINATION",
- // "interface=INTERFACE-REGEX", or "skip-interface=INTERFACE-REGEX"
- IPv4AutoDetectionMethod string `json:"ipv4AutoDetectionMethod,omitempty"`
- // IPv6AutoDetectionMethod configures how Calico chooses the IP address used to route
- // between nodes. This should be set when the host has multiple interfaces
- // and it is important to select the interface used.
- // Options: "first-found" (default), "can-reach=DESTINATION",
- // "interface=INTERFACE-REGEX", or "skip-interface=INTERFACE-REGEX"
- IPv6AutoDetectionMethod string `json:"ipv6AutoDetectionMethod,omitempty"`
 // TyphaPrometheusMetricsEnabled enables Prometheus metrics collection from Typha
 // (default: false)
 TyphaPrometheusMetricsEnabled bool `json:"typhaPrometheusMetricsEnabled,omitempty"`
diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
index 199e9ce790b97..5537cccbf354c 100644
--- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
@@ -1345,6 +1345,7 @@ func Convert_kops_CNINetworkingSpec_To_v1alpha2_CNINetworkingSpec(in *kops.CNINe } func autoConvert_v1alpha2_CalicoNetworkingSpec_To_kops_CalicoNetworkingSpec(in *CalicoNetworkingSpec, out *kops.CalicoNetworkingSpec, s conversion.Scope) error { + out.AWSSrcDstCheck = in.AWSSrcDstCheck out.BPFEnabled = in.BPFEnabled out.BPFExternalServiceMode = in.BPFExternalServiceMode out.BPFKubeProxyIptablesCleanupEnabled = in.BPFKubeProxyIptablesCleanupEnabled @@ -1352,7 +1353,10 @@ func autoConvert_v1alpha2_CalicoNetworkingSpec_To_kops_CalicoNetworkingSpec(in * out.ChainInsertMode = in.ChainInsertMode out.CPURequest = in.CPURequest out.CrossSubnet = in.CrossSubnet - out.AwsSrcDstCheck = in.AwsSrcDstCheck + out.IPIPMode = in.IPIPMode + out.IPv4AutoDetectionMethod = in.IPv4AutoDetectionMethod + out.IPv6AutoDetectionMethod = in.IPv6AutoDetectionMethod + out.IptablesBackend = in.IptablesBackend out.LogSeverityScreen = in.LogSeverityScreen out.MTU = in.MTU out.PrometheusMetricsEnabled = in.PrometheusMetricsEnabled @@ -1360,10 +1364,6 @@ func autoConvert_v1alpha2_CalicoNetworkingSpec_To_kops_CalicoNetworkingSpec(in * out.PrometheusGoMetricsEnabled = in.PrometheusGoMetricsEnabled out.PrometheusProcessMetricsEnabled = in.PrometheusProcessMetricsEnabled out.MajorVersion = in.MajorVersion - out.IptablesBackend = in.IptablesBackend - out.IPIPMode = in.IPIPMode - out.IPv4AutoDetectionMethod = in.IPv4AutoDetectionMethod - out.IPv6AutoDetectionMethod = in.IPv6AutoDetectionMethod out.TyphaPrometheusMetricsEnabled = in.TyphaPrometheusMetricsEnabled out.TyphaPrometheusMetricsPort = in.TyphaPrometheusMetricsPort out.TyphaReplicas = in.TyphaReplicas 
@@ -1377,6 +1377,7 @@ func Convert_v1alpha2_CalicoNetworkingSpec_To_kops_CalicoNetworkingSpec(in *Cali } func autoConvert_kops_CalicoNetworkingSpec_To_v1alpha2_CalicoNetworkingSpec(in *kops.CalicoNetworkingSpec, out *CalicoNetworkingSpec, s conversion.Scope) error { + out.AWSSrcDstCheck = in.AWSSrcDstCheck out.BPFEnabled = in.BPFEnabled out.BPFExternalServiceMode = in.BPFExternalServiceMode out.BPFKubeProxyIptablesCleanupEnabled = in.BPFKubeProxyIptablesCleanupEnabled @@ -1384,7 +1385,10 @@ func autoConvert_kops_CalicoNetworkingSpec_To_v1alpha2_CalicoNetworkingSpec(in * out.ChainInsertMode = in.ChainInsertMode out.CPURequest = in.CPURequest out.CrossSubnet = in.CrossSubnet - out.AwsSrcDstCheck = in.AwsSrcDstCheck + out.IPIPMode = in.IPIPMode + out.IPv4AutoDetectionMethod = in.IPv4AutoDetectionMethod + out.IPv6AutoDetectionMethod = in.IPv6AutoDetectionMethod + out.IptablesBackend = in.IptablesBackend out.LogSeverityScreen = in.LogSeverityScreen out.MTU = in.MTU out.PrometheusMetricsEnabled = in.PrometheusMetricsEnabled @@ -1392,10 +1396,6 @@ func autoConvert_kops_CalicoNetworkingSpec_To_v1alpha2_CalicoNetworkingSpec(in * out.PrometheusGoMetricsEnabled = in.PrometheusGoMetricsEnabled out.PrometheusProcessMetricsEnabled = in.PrometheusProcessMetricsEnabled out.MajorVersion = in.MajorVersion - out.IPv4AutoDetectionMethod = in.IPv4AutoDetectionMethod - out.IPv6AutoDetectionMethod = in.IPv6AutoDetectionMethod - out.IptablesBackend = in.IptablesBackend - out.IPIPMode = in.IPIPMode out.TyphaPrometheusMetricsEnabled = in.TyphaPrometheusMetricsEnabled out.TyphaPrometheusMetricsPort = in.TyphaPrometheusMetricsPort out.TyphaReplicas = in.TyphaReplicas diff --git a/pkg/apis/kops/validation/validation.go b/pkg/apis/kops/validation/validation.go index 1b8c54eaaad2d..134d8bd97a94e 100644 --- a/pkg/apis/kops/validation/validation.go +++ b/pkg/apis/kops/validation/validation.go 
@@ -969,15 +969,9 @@ func validateEtcdMemberSpec(spec kops.EtcdMemberSpec, fieldPath *field.Path) fie func validateNetworkingCalico(v *kops.CalicoNetworkingSpec, e kops.EtcdClusterSpec, fldPath *field.Path) field.ErrorList { allErrs := field.ErrorList{} - if v.TyphaReplicas < 0 { - allErrs = append(allErrs, - field.Invalid(fldPath.Child("typhaReplicas"), v.TyphaReplicas, - fmt.Sprintf("Unable to set number of Typha replicas to less than 0, you've specified %d", v.TyphaReplicas))) - } - - if v.AwsSrcDstCheck != "" { + if v.AWSSrcDstCheck != "" { valid := []string{"Enable", "Disable", "DoNothing"} - allErrs = append(allErrs, IsValidValue(fldPath.Child("awsSrcDstCheck"), &v.AwsSrcDstCheck, valid)...) + allErrs = append(allErrs, IsValidValue(fldPath.Child("awsSrcDstCheck"), &v.AWSSrcDstCheck, valid)...) } if v.BPFExternalServiceMode != "" { @@ -995,11 +989,6 @@ func validateNetworkingCalico(v *kops.CalicoNetworkingSpec, e kops.EtcdClusterSp allErrs = append(allErrs, IsValidValue(fldPath.Child("chainInsertMode"), &v.ChainInsertMode, valid)...) } - if v.IptablesBackend != "" { - valid := []string{"Auto", "Legacy", "NFT"} - allErrs = append(allErrs, IsValidValue(fldPath.Child("iptablesBackend"), &v.IptablesBackend, valid)...) - } - if v.IPv4AutoDetectionMethod != "" { allErrs = append(allErrs, validateCalicoAutoDetectionMethod(fldPath.Child("ipv4AutoDetectionMethod"), v.IPv4AutoDetectionMethod, ipv4.Version)...) } 
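Review bot: `IPIPMode` appears to have no check in `validateNetworkingCalico`. With the checks now ordered by field name, an `ipipMode` check would sit between `chainInsertMode` and `ipv4AutoDetectionMethod` in the second hunk, and none is there. The updated field comment says the value is conveyed to the calico-node container through `CALICO_IPV4POOL_IPIP`, so a mistyped value would presumably reach the rendered manifest unchecked instead of being rejected at validation time. Consider an `if v.IPIPMode != ""` guard around `allErrs = append(allErrs, IsValidValue(fldPath.Child("ipipMode"), &v.IPIPMode, valid)...)`, with `valid` listing the modes the bundled Calico version accepts (Calico documents `Always`, `CrossSubnet` and `Never`; confirm against the manifest template). Part of the function body lies between the hunks and is not visible here, so this should be checked against the full file.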
@@ -1008,6 +997,17 @@ func validateNetworkingCalico(v *kops.CalicoNetworkingSpec, e kops.EtcdClusterSp allErrs = append(allErrs, validateCalicoAutoDetectionMethod(fldPath.Child("ipv6AutoDetectionMethod"), v.IPv6AutoDetectionMethod, ipv6.Version)...) } + if v.IptablesBackend != "" { + valid := []string{"Auto", "Legacy", "NFT"} + allErrs = append(allErrs, IsValidValue(fldPath.Child("iptablesBackend"), &v.IptablesBackend, valid)...) + } + + if v.TyphaReplicas < 0 { + allErrs = append(allErrs, + field.Invalid(fldPath.Child("typhaReplicas"), v.TyphaReplicas, + fmt.Sprintf("Unable to set number of Typha replicas to less than 0, you've specified %d", v.TyphaReplicas))) + } + return allErrs } diff --git a/pkg/apis/kops/validation/validation_test.go b/pkg/apis/kops/validation/validation_test.go index 47a625619ba13..9bdfc21bd6282 100644 --- a/pkg/apis/kops/validation/validation_test.go +++ b/pkg/apis/kops/validation/validation_test.go @@ -506,7 +506,7 @@ func Test_Validate_Calico(t *testing.T) { { Input: caliInput{ Calico: &kops.CalicoNetworkingSpec{ - AwsSrcDstCheck: "off", + AWSSrcDstCheck: "off", }, Etcd: kops.EtcdClusterSpec{}, }, @@ -515,7 +515,7 @@ func Test_Validate_Calico(t *testing.T) { { Input: caliInput{ Calico: &kops.CalicoNetworkingSpec{ - AwsSrcDstCheck: "Enable", + AWSSrcDstCheck: "Enable", }, Etcd: kops.EtcdClusterSpec{}, }, @@ -523,7 +523,7 @@ func Test_Validate_Calico(t *testing.T) { { Input: caliInput{ Calico: &kops.CalicoNetworkingSpec{ - AwsSrcDstCheck: "Disable", + AWSSrcDstCheck: "Disable", }, Etcd: kops.EtcdClusterSpec{}, }, @@ -531,7 +531,7 @@ func Test_Validate_Calico(t *testing.T) { { Input: caliInput{ Calico: &kops.CalicoNetworkingSpec{ - AwsSrcDstCheck: "DoNothing", + AWSSrcDstCheck: "DoNothing", }, Etcd: kops.EtcdClusterSpec{}, }, diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go index 3093cc64ef587..e2808fab7b93a 100644 --- a/pkg/model/iam/iam_builder.go +++ b/pkg/model/iam/iam_builder.go 
@@ -280,7 +280,7 @@ func (r *NodeRoleMaster) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) { addCiliumEniPermissions(p, resource, b.Cluster.Spec.IAM.Legacy) } - if b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.Calico != nil && (b.Cluster.Spec.Networking.Calico.CrossSubnet || b.Cluster.Spec.Networking.Calico.AwsSrcDstCheck != "") { + if b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.Calico != nil && (b.Cluster.Spec.Networking.Calico.CrossSubnet || b.Cluster.Spec.Networking.Calico.AWSSrcDstCheck != "") { addCalicoSrcDstCheckPermissions(p) } @@ -319,7 +319,7 @@ func (r *NodeRoleNode) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) { addLyftVPCPermissions(p, resource, b.Cluster.Spec.IAM.Legacy, b.Cluster.GetName()) } - if b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.Calico != nil && (b.Cluster.Spec.Networking.Calico.CrossSubnet || b.Cluster.Spec.Networking.Calico.AwsSrcDstCheck != "") { + if b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.Calico != nil && (b.Cluster.Spec.Networking.Calico.CrossSubnet || b.Cluster.Spec.Networking.Calico.AWSSrcDstCheck != "") { addCalicoSrcDstCheckPermissions(p) } diff --git a/upup/models/bindata.go b/upup/models/bindata.go index b214ca227c46c..5866025cbe136 100644 --- a/upup/models/bindata.go +++ b/upup/models/bindata.go @@ -37240,7 +37240,7 @@ spec: # kops additions # Enable source/destination checks for AWS - name: FELIX_AWSSRCDSTCHECK - value: "{{- if and (eq .CloudProvider "aws") (.Networking.Calico.CrossSubnet) -}}Disable{{- else -}} {{- or .Networking.Calico.AwsSrcDstCheck "DoNothing" -}} {{- end -}}" + value: "{{- if and (eq .CloudProvider "aws") (.Networking.Calico.CrossSubnet) -}}Disable{{- else -}} {{- or .Networking.Calico.AWSSrcDstCheck "DoNothing" -}} {{- end -}}" # Enable eBPF dataplane mode - name: FELIX_BPFENABLED value: "{{ .Networking.Calico.BPFEnabled }}" 
diff --git a/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template b/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template index 02225fa498a04..c279ab1a3b118 100644 --- a/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template +++ b/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template @@ -3910,7 +3910,7 @@ spec: # kops additions # Enable source/destination checks for AWS - name: FELIX_AWSSRCDSTCHECK - value: "{{- if and (eq .CloudProvider "aws") (.Networking.Calico.CrossSubnet) -}}Disable{{- else -}} {{- or .Networking.Calico.AwsSrcDstCheck "DoNothing" -}} {{- end -}}" + value: "{{- if and (eq .CloudProvider "aws") (.Networking.Calico.CrossSubnet) -}}Disable{{- else -}} {{- or .Networking.Calico.AWSSrcDstCheck "DoNothing" -}} {{- end -}}" # Enable eBPF dataplane mode - name: FELIX_BPFENABLED value: "{{ .Networking.Calico.BPFEnabled }}"