Updated Canal manifest to v3.5.0 for k8s v1.12+ #6469
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: KashifSaadat

The full list of commands accepted by this bot can be found here. The pull request process is described here

Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
(BEFORE) Cluster NetworkingSpec:

```
networking:
  canal:
    chainInsertMode: append
```

```
# iptables -nL FORWARD
Chain FORWARD (policy ACCEPT)
target prot opt source destination
KUBE-FORWARD all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes forwarding rules */
ACCEPT all -- 10.10.0.0/16 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 10.10.0.0/16
cali-FORWARD all -- 0.0.0.0/0 0.0.0.0/0 /* cali:wUHhoiAYhphO9Mso */
```

(AFTER) Cluster NetworkingSpec:

```
networking:
  canal:
    chainInsertMode: append
    disableFlannelForwardRules: true
```

```
# iptables -nL FORWARD
Chain FORWARD (policy ACCEPT)
target prot opt source destination
KUBE-FORWARD all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes forwarding rules */
cali-FORWARD all -- 0.0.0.0/0 0.0.0.0/0 /* cali:wUHhoiAYhphO9Mso */
```
/retest

/test pull-kops-e2e-kubernetes-aws
Notable Changes:

`disableFlannelForwardRules` in the Canal networking spec to configure Flannel to not add the default `ACCEPT` rules to the iptables forward chain (fixes "Canal on K8s v1.8 with chain append mode no longer respects networkpolicies" #4037)

Calico release notes:

I have kept the roles / bindings resource names in line with previous updates (they are different in the upstream examples provided on the projectcalico website), because during a rolling-upgrade it causes issues where the `roleRef` cannot be changed without recreating the resource.
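
A check for the condition shown in the before/after FORWARD listings in this PR, as an added example (not code from kops or from this PR): it flags terminating `ACCEPT` rules that are evaluated ahead of the `cali-FORWARD` jump, which is where forwarded traffic skips Calico's policy chains. The function and type names are hypothetical; the two listings are copied from the comment above.

```python
from typing import List, NamedTuple

# FORWARD chain listings copied from the before/after comment in this PR.
BEFORE = """\
Chain FORWARD (policy ACCEPT)
target prot opt source destination
KUBE-FORWARD all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes forwarding rules */
ACCEPT all -- 10.10.0.0/16 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 10.10.0.0/16
cali-FORWARD all -- 0.0.0.0/0 0.0.0.0/0 /* cali:wUHhoiAYhphO9Mso */
"""
AFTER = """\
Chain FORWARD (policy ACCEPT)
target prot opt source destination
KUBE-FORWARD all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes forwarding rules */
cali-FORWARD all -- 0.0.0.0/0 0.0.0.0/0 /* cali:wUHhoiAYhphO9Mso */
"""


class Rule(NamedTuple):  # hypothetical helper type
    target: str
    prot: str
    source: str
    destination: str


def parse_forward(listing: str) -> List[Rule]:
    """Parse `iptables -nL FORWARD` text, skipping the chain and column headers."""
    rules = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] in ("Chain", "target"):
            continue
        # Columns: target prot opt source destination [match details...]
        rules.append(Rule(fields[0], fields[1], fields[3], fields[4]))
    return rules


def accepts_before_calico(listing: str) -> List[Rule]:
    """Return ACCEPT rules that sit above the jump to cali-FORWARD.

    ACCEPT is terminating, so packets matching these rules never reach
    Calico's policy chains. Raises ValueError if the jump is absent.
    """
    rules = parse_forward(listing)
    targets = [r.target for r in rules]
    if "cali-FORWARD" not in targets:
        raise ValueError("no cali-FORWARD jump in FORWARD chain")
    return [r for r in rules[:targets.index("cali-FORWARD")] if r.target == "ACCEPT"]
```

On a node, the same functions can be fed the live output of `iptables -nL FORWARD`; an empty result corresponds to the AFTER listing.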