[1/2] Failsafe documentation improvement #1420

Merged
merged 1 commit into from
Apr 15, 2024
Expand Up @@ -56,8 +56,8 @@ The full list of parameters which can be set is as follows.
| `EndpointReportingDelaySecs` | `FELIX_ENDPOINTREPORTINGDELAYSECS` | Set the endpoint reporting delay between status check intervals, in seconds. Only used if endpoint reporting is enabled. [Default: `1`] | int |
| `EndpointReportingEnabled` | `FELIX_ENDPOINTREPORTINGENABLED` | Enable the endpoint status reporter. [Default: `false`] | boolean |
| `ExternalNodesCIDRList` | `FELIX_EXTERNALNODESCIDRLIST` | Comma-delimited list of IPv4 or CIDR of external-non-calico-nodes from which IPIP traffic is accepted by calico-nodes. [Default: ""] | string |
| `FailsafeInboundHostPorts` | `FELIX_FAILSAFEINBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value `none`. The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: `tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string |
| `FailsafeOutboundHostPorts` | `FELIX_FAILSAFEOUTBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value `none`. The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. [Default: `udp:53, udp:67, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string |
| `FailsafeInboundHostPorts` | `FELIX_FAILSAFEINBOUNDHOSTPORTS` | List of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to `"tcp"`. If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value `[]`. The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: `[{"port":22,"protocol":"tcp"},{"port":68,"protocol":"udp"},{"port":179,"protocol":"tcp"},{"port":2379,"protocol":"tcp"}, {"port":2380,"protocol":"tcp"}, {"port":5473,"protocol":"tcp"}, {"port":6443,"protocol":"tcp"}, {"port":6666,"protocol":"tcp"}, {"port":6667,"protocol":"tcp"}]`] | list |
| `FailsafeOutboundHostPorts` | `FELIX_FAILSAFEOUTBOUNDHOSTPORTS` | List of PortProto struct objects including UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to `"tcp"`. If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value `[]`. The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. [Default: `[{"port":53,"protocol":"udp"},{"port":67,"protocol":"udp"}, {"port":179,"protocol":"tcp"}, {"port":2379,"protocol":"tcp"}, {"port":2380,"protocol":"tcp"}, {"port":5473,"protocol":"tcp"}, {"port":6443,"protocol":"tcp"}, {"port": 6666,"protocol":"tcp"}, {"port":6667,"protocol":"tcp"}]`] | list | |
| `FelixHostname` | `FELIX_FELIXHOSTNAME` | The hostname Felix reports to the plugin. Should be used if the hostname Felix autodetects is incorrect or does not match what the plugin will expect. [Default: `socket.gethostname()`] | string |
| `HealthEnabled` | `FELIX_HEALTHENABLED` | When enabled, exposes felix health information via an http endpoint. | boolean |
| `HealthHost` | `FELIX_HEALTHHOST` | The address on which Felix will respond to health requests. [Default: `localhost`] | string |
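Review bot: The new `FailsafeOutboundHostPorts` row ends with `| list | |`, one cell more than every other row in the table, so it will render a stray empty column; drop the trailing empty cell so it matches the `FailsafeInboundHostPorts` row. Two further points on both rewritten rows: the description says the list carries CIDRs, but neither the text nor the default shows the key that holds them (the felixconfig reference changed in this same PR calls it `net`), so the row should name that key and state that omitting it, like an empty value, means all addresses; and the row documents the config-file parameter together with `FELIX_FAILSAFEINBOUNDHOSTPORTS` / `FELIX_FAILSAFEOUTBOUNDHOSTPORTS`, yet the removed lines gave the comma-delimited `tcp:22, udp:68, ...` syntax while the added lines give only the structured list, so please confirm the environment variables accept the list form; if they do not, keep both syntaxes and say which applies where. Minor: normalise the spacing inside the default JSON (`{"port": 6666,...}` and the mixed `}, {` / `},{` separators).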
2 changes: 1 addition & 1 deletion calico-cloud/reference/host-endpoints/failsafe.mdx
Expand Up @@ -23,7 +23,7 @@ The lists of failsafe ports can be configured via the configuration parameters
`FailsafeInboundHostPorts` and `FailsafeOutboundHostPorts`
described in [Configuring Felix](../component-resources/node/felix/configuration.mdx)
. They
can be disabled by setting each configuration value to "none".
can be disabled by setting each configuration value to "[]".

:::note

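Review bot: Writing the value as the quoted string `"[]"` on the changed line is misleading: in a FelixConfiguration manifest `failsafeInboundHostPorts: "[]"` is a string, not an empty list, and only the unquoted `[]` disables the failsafe ports. Suggest a code span with the actual YAML, e.g. `failsafeInboundHostPorts: []` and `failsafeOutboundHostPorts: []`, and, unless the note that follows already covers it, one sentence that disabling the failsafes removes the protection against cutting off the host, so the operator's own host endpoint policy must then allow SSH, BGP, etcd and the Kubernetes API itself.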
19 changes: 19 additions & 0 deletions calico-cloud/reference/resources/felixconfig.mdx
Expand Up @@ -264,6 +264,25 @@ A timeout value of 0 disables the timeout.
| protocol | The protocol match | tcp, udp, sctp | string |
| net | The CIDR match | any valid CIDR (e.g. 192.168.0.0/16) | string |

Keep in mind that in the following example, `net: ""` and `net: "0.0.0.0/0"` are processed as the same in the policy enforcement.

```yaml noValidation
...
spec:
failsafeInboundHostPorts:
- net: "192.168.1.1/32"
port: 22
protocol: tcp
- net: ""
port: 67
protocol: udp
failsafeOutboundHostPorts:
- net: "0.0.0.0/0"
port: 67
protocol: udp
...
```

### AggregationKind

| Value | Description |
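Review bot: The sentence above the example, "are processed as the same in the policy enforcement", should say plainly that `net: ""` and `net: "0.0.0.0/0"` both match all source addresses (as does omitting `net`, per the configuration reference in this PR), and since `0.0.0.0/0` is an IPv4 prefix it should state whether `""` also matches IPv6 sources or whether an IPv6 failsafe needs its own entry. The example also needs one line saying that the list replaces the defaults rather than extending them: as written, the inbound failsafe keeps only SSH from `192.168.1.1/32` and DHCP and drops the default BGP, etcd and API-server entries, which is the lock-out scenario the failsafe ports exist to guard against. Minor: the `...` placeholders are fine under `noValidation`, but including the resource header (`apiVersion`, `kind`, `metadata`) would make the snippet pasteable.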
Expand Up @@ -23,7 +23,7 @@ The lists of failsafe ports can be configured via the configuration parameters
`FailsafeInboundHostPorts` and `FailsafeOutboundHostPorts`
described in [Configuring Felix](../component-resources/node/felix/configuration.mdx)
. They
can be disabled by setting each configuration value to "none".
can be disabled by setting each configuration value to "[]".

:::note

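Review bot: Same issue as the calico-cloud copy of this line: `"[]"` in quotes reads as a string value, and in YAML only an unquoted `[]` is an empty list, so show it as a code span (`failsafeInboundHostPorts: []`, `failsafeOutboundHostPorts: []`) and, if the following note does not already say so, mention that the operator's own policy must then allow the management ports the defaults cover.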
Expand Up @@ -264,6 +264,25 @@ A timeout value of 0 disables the timeout.
| protocol | The protocol match | tcp, udp, sctp | string |
| net | The CIDR match | any valid CIDR (e.g. 192.168.0.0/16) | string |

Keep in mind that in the following example, `net: ""` and `net: "0.0.0.0/0"` are processed as the same in the policy enforcement.

```yaml noValidation
...
spec:
failsafeInboundHostPorts:
- net: "192.168.1.1/32"
port: 22
protocol: tcp
- net: ""
port: 67
protocol: udp
failsafeOutboundHostPorts:
- net: "0.0.0.0/0"
port: 67
protocol: udp
...
```

### AggregationKind

| Value | Description |
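Review bot: Same comments as the calico-cloud copy of this hunk: reword "processed as the same" to say that both values match all source addresses (omitting `net` has the same effect), clarify whether `""` also covers IPv6 given that `0.0.0.0/0` is IPv4-only, and add a sentence that this list replaces the default failsafe ports, so the example leaves only SSH from one host and DHCP in the inbound failsafe.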
2 changes: 1 addition & 1 deletion calico-enterprise/reference/host-endpoints/failsafe.mdx
Expand Up @@ -23,7 +23,7 @@ The lists of failsafe ports can be configured via the configuration parameters
`FailsafeInboundHostPorts` and `FailsafeOutboundHostPorts`
described in [Configuring Felix](../component-resources/node/felix/configuration.mdx)
. They
can be disabled by setting each configuration value to "none".
can be disabled by setting each configuration value to "[]".

:::note

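Review bot: Same issue as the other two copies of this line: quoted `"[]"` is a YAML string, not an empty list, so show the unquoted form in a code span (`failsafeInboundHostPorts: []`, `failsafeOutboundHostPorts: []`) and, if the following note does not already say so, mention that disabling the failsafes means the operator's own policy has to allow SSH, BGP, etcd and the API server.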
19 changes: 19 additions & 0 deletions calico-enterprise/reference/resources/felixconfig.mdx
Expand Up @@ -267,6 +267,25 @@ A timeout value of 0 disables the timeout.
| protocol | The protocol match | tcp, udp, sctp | string |
| net | The CIDR match | any valid CIDR (e.g. 192.168.0.0/16) | string |

Keep in mind that in the following example, `net: ""` and `net: "0.0.0.0/0"` are processed as the same in the policy enforcement.

```yaml noValidation
...
spec:
failsafeInboundHostPorts:
- net: "192.168.1.1/32"
port: 22
protocol: tcp
- net: ""
port: 67
protocol: udp
failsafeOutboundHostPorts:
- net: "0.0.0.0/0"
port: 67
protocol: udp
...
```

### AggregationKind

| Value | Description |
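Review bot: Same comments as the other two copies of this hunk: state that `net: ""`, `net: "0.0.0.0/0"` and an omitted `net` all match every source address, say whether `""` also applies to IPv6 since `0.0.0.0/0` is IPv4-only, and note that the list replaces the default failsafe ports, so this example leaves only SSH from `192.168.1.1/32` and DHCP inbound and drops the BGP, etcd and API-server defaults.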