diff --git a/.github/styles/config/vocabularies/CalicoTerminology/accept.txt b/.github/styles/config/vocabularies/CalicoTerminology/accept.txt index cea62847ab..751ae03c6e 100644 --- a/.github/styles/config/vocabularies/CalicoTerminology/accept.txt +++ b/.github/styles/config/vocabularies/CalicoTerminology/accept.txt @@ -4,7 +4,7 @@ adjacencies [aA]nycast [aA]utodetect(ion|ed|s|ing)? [bB]ackport(ed|s)? -[bB]lackhole[ds]? +[bB]lackhol(e[ds]?|ing) [bB]oolean [cC]lient[Ss]et [cC]luster-?wide @@ -76,6 +76,7 @@ navbar [pP]erformant [pP]reconfigured [pP]reload[s]? +[pP]repend(s|ed|ing)? [pP]repopulated [pP]reformatted [pP]reschedule[ds]? diff --git a/.github/styles/config/vocabularies/CalicoTools/accept.txt b/.github/styles/config/vocabularies/CalicoTools/accept.txt index 6186c723fd..11450c88d2 100644 --- a/.github/styles/config/vocabularies/CalicoTools/accept.txt +++ b/.github/styles/config/vocabularies/CalicoTools/accept.txt @@ -42,3 +42,4 @@ ulimit vRouter[s]? vSwitch kdd +Kyverno diff --git a/calico-enterprise/_includes/components/FelixConfig/config-params.json b/calico-enterprise/_includes/components/FelixConfig/config-params.json index 095c6502d4..c5191ba57d 100644 --- a/calico-enterprise/_includes/components/FelixConfig/config-params.json +++ b/calico-enterprise/_includes/components/FelixConfig/config-params.json @@ -1286,8 +1286,8 @@ "Required": false, "OnParseFailure": "ReplaceWithDefault", "AllowedConfigSources": "All", - "Description": "Disables WireGuard metrics collection, which the Prometheus client does by default, when\nset to false. This reduces the number of metrics reported, reducing Prometheus load.", - "DescriptionHTML": "

Disables WireGuard metrics collection, which the Prometheus client does by default, when\nset to false. This reduces the number of metrics reported, reducing Prometheus load.

", + "Description": "Disables wireguard metrics collection, which the Prometheus client does by default, when\nset to false. This reduces the number of metrics reported, reducing Prometheus load.", + "DescriptionHTML": "

Disables wireguard metrics collection, which the Prometheus client does by default, when\nset to false. This reduces the number of metrics reported, reducing Prometheus load.

", "UserEditable": true, "GoType": "*bool", "OpenSourceOnly": false @@ -1295,10 +1295,10 @@ ] }, { - "Name": "Data plane: Common", + "Name": "Dataplane: Common", "Fields": [ { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "AllowIPIPPacketsFromWorkloads", "NameEnvVar": "FELIX_AllowIPIPPacketsFromWorkloads", @@ -1325,7 +1325,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "AllowVXLANPacketsFromWorkloads", "NameEnvVar": "FELIX_AllowVXLANPacketsFromWorkloads", @@ -1352,7 +1352,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "CgroupV2Path", "NameEnvVar": "FELIX_CgroupV2Path", @@ -1379,7 +1379,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "ChainInsertMode", "NameEnvVar": "FELIX_ChainInsertMode", @@ -1409,7 +1409,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "DataplaneDriver", "NameEnvVar": "FELIX_DataplaneDriver", @@ -1436,7 +1436,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "DataplaneWatchdogTimeout", "NameEnvVar": "FELIX_DataplaneWatchdogTimeout", @@ -1463,7 +1463,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "DefaultEndpointToHostAction", "NameEnvVar": "FELIX_DefaultEndpointToHostAction", 
@@ -1494,7 +1494,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "DeviceRouteProtocol", "NameEnvVar": "FELIX_DeviceRouteProtocol", @@ -1521,7 +1521,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "DeviceRouteSourceAddress", "NameEnvVar": "FELIX_DeviceRouteSourceAddress", @@ -1548,7 +1548,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "DeviceRouteSourceAddressIPv6", "NameEnvVar": "FELIX_DeviceRouteSourceAddressIPv6", @@ -1575,7 +1575,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "DisableConntrackInvalidCheck", "NameEnvVar": "FELIX_DisableConntrackInvalidCheck", @@ -1602,7 +1602,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "DropActionOverride", "NameEnvVar": "FELIX_DropActionOverride", @@ -1634,7 +1634,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "EndpointStatusPathPrefix", "NameEnvVar": "FELIX_EndpointStatusPathPrefix", @@ -1661,7 +1661,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "ExternalNodesCIDRList", "NameEnvVar": "FELIX_ExternalNodesCIDRList", 
@@ -1688,7 +1688,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "FailsafeInboundHostPorts", "NameEnvVar": "FELIX_FailsafeInboundHostPorts", @@ -1715,7 +1715,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "FailsafeOutboundHostPorts", "NameEnvVar": "FELIX_FailsafeOutboundHostPorts", @@ -1742,7 +1742,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "FloatingIPs", "NameEnvVar": "FELIX_FloatingIPs", @@ -1772,7 +1772,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "IPForwarding", "NameEnvVar": "FELIX_IPForwarding", 
@@ -1802,7 +1802,115 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", + "GroupWithSortPrefix": "10 Dataplane: Common", + "NameConfigFile": "IPv4ElevatedRoutePriority", + "NameEnvVar": "FELIX_IPv4ElevatedRoutePriority", + "NameYAML": "ipv4ElevatedRoutePriority", + "NameGoAPI": "IPv4ElevatedRoutePriority", + "StringSchema": "Integer: [1,2147483646]", + "StringSchemaHTML": "Integer: [1,2147483646]", + "StringDefault": "512", + "ParsedDefault": "512", + "ParsedDefaultJSON": "512", + "ParsedType": "int", + "YAMLType": "integer", + "YAMLSchema": "Integer: [1,2147483646]", + "YAMLEnumValues": null, + "YAMLSchemaHTML": "Integer: [1,2147483646]", + "YAMLDefault": "512", + "Required": false, + "OnParseFailure": "ReplaceWithDefault", + "AllowedConfigSources": "All", + "Description": "Route Priority value for an elevated priority Calico-programmed IPv4 route. Note, higher\nvalues mean lower priority. Elevated priority is used during VM live migration, and for\noptimal behaviour IPv4ElevatedRoutePriority must be less than IPv4NormalRoutePriority.", + "DescriptionHTML": "

Route Priority value for an elevated priority Calico-programmed IPv4 route. Note, higher\nvalues mean lower priority. Elevated priority is used during VM live migration, and for\noptimal behaviour IPv4ElevatedRoutePriority must be less than IPv4NormalRoutePriority.

", + "UserEditable": true, + "GoType": "*int", + "OpenSourceOnly": false + }, + { + "Group": "Dataplane: Common", + "GroupWithSortPrefix": "10 Dataplane: Common", + "NameConfigFile": "IPv4NormalRoutePriority", + "NameEnvVar": "FELIX_IPv4NormalRoutePriority", + "NameYAML": "ipv4NormalRoutePriority", + "NameGoAPI": "IPv4NormalRoutePriority", + "StringSchema": "Integer: [1,2147483646]", + "StringSchemaHTML": "Integer: [1,2147483646]", + "StringDefault": "1024", + "ParsedDefault": "1024", + "ParsedDefaultJSON": "1024", + "ParsedType": "int", + "YAMLType": "integer", + "YAMLSchema": "Integer: [1,2147483646]", + "YAMLEnumValues": null, + "YAMLSchemaHTML": "Integer: [1,2147483646]", + "YAMLDefault": "1024", + "Required": false, + "OnParseFailure": "ReplaceWithDefault", + "AllowedConfigSources": "All", + "Description": "Route Priority value for a normal priority Calico-programmed IPv4 route. Note, higher\nvalues mean lower priority.", + "DescriptionHTML": "

Route Priority value for a normal priority Calico-programmed IPv4 route. Note, higher\nvalues mean lower priority.

", + "UserEditable": true, + "GoType": "*int", + "OpenSourceOnly": false + }, + { + "Group": "Dataplane: Common", + "GroupWithSortPrefix": "10 Dataplane: Common", + "NameConfigFile": "IPv6ElevatedRoutePriority", + "NameEnvVar": "FELIX_IPv6ElevatedRoutePriority", + "NameYAML": "ipv6ElevatedRoutePriority", + "NameGoAPI": "IPv6ElevatedRoutePriority", + "StringSchema": "Integer: [1,2147483646]", + "StringSchemaHTML": "Integer: [1,2147483646]", + "StringDefault": "512", + "ParsedDefault": "512", + "ParsedDefaultJSON": "512", + "ParsedType": "int", + "YAMLType": "integer", + "YAMLSchema": "Integer: [1,2147483646]", + "YAMLEnumValues": null, + "YAMLSchemaHTML": "Integer: [1,2147483646]", + "YAMLDefault": "512", + "Required": false, + "OnParseFailure": "ReplaceWithDefault", + "AllowedConfigSources": "All", + "Description": "Route Priority value for an elevated priority Calico-programmed IPv6 route. Note, higher\nvalues mean lower priority. Elevated priority is used during VM live migration, and for\noptimal behaviour IPv6ElevatedRoutePriority must be less than IPv6NormalRoutePriority.", + "DescriptionHTML": "

Route Priority value for an elevated priority Calico-programmed IPv6 route. Note, higher\nvalues mean lower priority. Elevated priority is used during VM live migration, and for\noptimal behaviour IPv6ElevatedRoutePriority must be less than IPv6NormalRoutePriority.

", + "UserEditable": true, + "GoType": "*int", + "OpenSourceOnly": false + }, + { + "Group": "Dataplane: Common", + "GroupWithSortPrefix": "10 Dataplane: Common", + "NameConfigFile": "IPv6NormalRoutePriority", + "NameEnvVar": "FELIX_IPv6NormalRoutePriority", + "NameYAML": "ipv6NormalRoutePriority", + "NameGoAPI": "IPv6NormalRoutePriority", + "StringSchema": "Integer: [1,2147483646]", + "StringSchemaHTML": "Integer: [1,2147483646]", + "StringDefault": "1024", + "ParsedDefault": "1024", + "ParsedDefaultJSON": "1024", + "ParsedType": "int", + "YAMLType": "integer", + "YAMLSchema": "Integer: [1,2147483646]", + "YAMLEnumValues": null, + "YAMLSchemaHTML": "Integer: [1,2147483646]", + "YAMLDefault": "1024", + "Required": false, + "OnParseFailure": "ReplaceWithDefault", + "AllowedConfigSources": "All", + "Description": "Route Priority value for a normal priority Calico-programmed IPv6 route. Note, higher\nvalues mean lower priority.", + "DescriptionHTML": "

Route Priority value for a normal priority Calico-programmed IPv6 route. Note, higher\nvalues mean lower priority.

", + "UserEditable": true, + "GoType": "*int", + "OpenSourceOnly": false + }, + { + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "InterfaceExclude", "NameEnvVar": "FELIX_InterfaceExclude", @@ -1829,7 +1937,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "InterfacePrefix", "NameEnvVar": "FELIX_InterfacePrefix", @@ -1856,7 +1964,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "InterfaceRefreshInterval", "NameEnvVar": "FELIX_InterfaceRefreshInterval", @@ -1883,7 +1991,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "Ipv6Support", "NameEnvVar": "FELIX_Ipv6Support", @@ -1910,7 +2018,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "IstioAmbientMode", "NameEnvVar": "FELIX_IstioAmbientMode", @@ -1940,7 +2048,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "IstioDSCPMark", "NameEnvVar": "FELIX_IstioDSCPMark", @@ -1967,7 +2075,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "KubeMasqueradeBit", "NameEnvVar": "FELIX_KubeMasqueradeBit", 
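Review bot: The IPv4ElevatedRoutePriority and IPv6ElevatedRoutePriority descriptions state that the elevated value "must be less than" the corresponding NormalRoutePriority, but the StringSchema/YAMLSchema for all four new fields bound each value independently (`Integer: [1,2147483646]`), so nothing documented here prevents a configuration where elevated is greater than or equal to normal. Since this file looks generated from the Felix config definitions (GroupWithSortPrefix, ParsedDefaultJSON), the wording fix presumably belongs upstream rather than in this JSON. It would help operators if the description also said what Felix does when the ordering is violated, e.g. append `If the elevated value is not lower than the normal value, live-migration routes will not take precedence over the normal routes.` — confirm the actual behaviour against the Felix source before wording it that way.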
@@ -1994,7 +2102,34 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", + "GroupWithSortPrefix": "10 Dataplane: Common", + "NameConfigFile": "LiveMigrationRouteConvergenceTime", + "NameEnvVar": "FELIX_LiveMigrationRouteConvergenceTime", + "NameYAML": "liveMigrationRouteConvergenceTime", + "NameGoAPI": "LiveMigrationRouteConvergenceTime", + "StringSchema": "Seconds (floating point)", + "StringSchemaHTML": "Seconds (floating point)", + "StringDefault": "30", + "ParsedDefault": "30s", + "ParsedDefaultJSON": "30000000000", + "ParsedType": "time.Duration", + "YAMLType": "string", + "YAMLSchema": "Duration string, for example `1m30s123ms` or `1h5m`.", + "YAMLEnumValues": null, + "YAMLSchemaHTML": "Duration string, for example 1m30s123ms or 1h5m.", + "YAMLDefault": "30s", + "Required": false, + "OnParseFailure": "ReplaceWithDefault", + "AllowedConfigSources": "All", + "Description": "The time to keep elevated route priority after a\nVM live migration completes. This allows routes to converge across the cluster before\nreverting to normal priority.", + "DescriptionHTML": "

The time to keep elevated route priority after a\nVM live migration completes. This allows routes to converge across the cluster before\nreverting to normal priority.

", + "UserEditable": true, + "GoType": "*v1.Duration", + "OpenSourceOnly": false + }, + { + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "MTUIfacePattern", "NameEnvVar": "FELIX_MTUIfacePattern", @@ -2021,7 +2156,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "NATOutgoingAddress", "NameEnvVar": "FELIX_NATOutgoingAddress", @@ -2048,7 +2183,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "NATOutgoingExclusions", "NameEnvVar": "FELIX_NATOutgoingExclusions", @@ -2078,7 +2213,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "NATPortRange", "NameEnvVar": "FELIX_NATPortRange", @@ -2105,7 +2240,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "NFTablesDNSPolicyMode", "NameEnvVar": "FELIX_NFTablesDNSPolicyMode", @@ -2136,7 +2271,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "NFTablesMode", "NameEnvVar": "FELIX_NFTablesMode", @@ -2167,7 +2302,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "NetlinkTimeoutSecs", "NameEnvVar": "FELIX_NetlinkTimeoutSecs", @@ -2194,7 +2329,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "NfNetlinkBufSize", "NameEnvVar": "FELIX_NfNetlinkBufSize", 
@@ -2221,7 +2356,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "PolicyActivityLogsFileDirectory", "NameEnvVar": "FELIX_PolicyActivityLogsFileDirectory", @@ -2248,7 +2383,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "PolicyActivityLogsFileEnabled", "NameEnvVar": "FELIX_PolicyActivityLogsFileEnabled", @@ -2275,7 +2410,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "PolicyActivityLogsFileMaxFileSizeMB", "NameEnvVar": "FELIX_PolicyActivityLogsFileMaxFileSizeMB", @@ -2302,7 +2437,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "PolicyActivityLogsFileMaxFiles", "NameEnvVar": "FELIX_PolicyActivityLogsFileMaxFiles", @@ -2329,7 +2464,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "PolicyActivityLogsFlushInterval", "NameEnvVar": "FELIX_PolicyActivityLogsFlushInterval", 
@@ -2356,7 +2491,34 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", + "GroupWithSortPrefix": "10 Dataplane: Common", + "NameConfigFile": "PolicyActivityRefreshInterval", + "NameEnvVar": "FELIX_PolicyActivityRefreshInterval", + "NameYAML": "", + "NameGoAPI": "", + "StringSchema": "Seconds (floating point)", + "StringSchemaHTML": "Seconds (floating point)", + "StringDefault": "3600", + "ParsedDefault": "1h0m0s", + "ParsedDefaultJSON": "3600000000000", + "ParsedType": "time.Duration", + "YAMLType": "", + "YAMLSchema": "", + "YAMLEnumValues": null, + "YAMLSchemaHTML": "", + "YAMLDefault": "", + "Required": false, + "OnParseFailure": "ReplaceWithDefault", + "AllowedConfigSources": "LocalOnly", + "Description": "Controls how often Felix re-evaluates policies for\nlong-lived connections to keep policy activity timestamps current.", + "DescriptionHTML": "

Controls how often Felix re-evaluates policies for\nlong-lived connections to keep policy activity timestamps current.

", + "UserEditable": true, + "GoType": "", + "OpenSourceOnly": false + }, + { + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "PolicySyncPathPrefix", "NameEnvVar": "FELIX_PolicySyncPathPrefix", @@ -2383,7 +2545,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "ProgramClusterRoutes", "NameEnvVar": "FELIX_ProgramClusterRoutes", @@ -2406,14 +2568,14 @@ "Required": false, "OnParseFailure": "ReplaceWithDefault", "AllowedConfigSources": "All", - "Description": "Specifies whether Felix should program IPIP routes instead of BIRD.\nFelix always programs VXLAN routes.", - "DescriptionHTML": "

Specifies whether Felix should program IPIP routes instead of BIRD.\nFelix always programs VXLAN routes.

", + "Description": "Controls how a cluster node gets a route to a workload on another node,\nwhen that workload's IP comes from an IP Pool with vxlanMode: Never. When ProgramClusterRoutes is Disabled,\nit is expected that confd and BIRD will program that route. When ProgramClusterRoutes is Enabled, Felix program that route.\nFelix always programs such routes for IP Pools with vxlanMode: Always or vxlanMode: CrossSubnet.", + "DescriptionHTML": "

Controls how a cluster node gets a route to a workload on another node,\nwhen that workload's IP comes from an IP Pool with vxlanMode: Never. When ProgramClusterRoutes is Disabled,\nit is expected that confd and BIRD will program that route. When ProgramClusterRoutes is Enabled, Felix program that route.\nFelix always programs such routes for IP Pools with vxlanMode: Always or vxlanMode: CrossSubnet.

", "UserEditable": true, "GoType": "*string", "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "RemoveExternalRoutes", "NameEnvVar": "FELIX_RemoveExternalRoutes", @@ -2440,7 +2602,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "RequireMTUFile", "NameEnvVar": "FELIX_RequireMTUFile", @@ -2467,7 +2629,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "RouteRefreshInterval", "NameEnvVar": "FELIX_RouteRefreshInterval", @@ -2494,7 +2656,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "RouteSource", "NameEnvVar": "FELIX_RouteSource", @@ -2524,7 +2686,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "RouteSyncDisabled", "NameEnvVar": "FELIX_RouteSyncDisabled", @@ -2551,7 +2713,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "RouteTableRange", "NameEnvVar": "FELIX_RouteTableRange", @@ -2578,7 +2740,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "RouteTableRanges", "NameEnvVar": "FELIX_RouteTableRanges", @@ -2605,7 +2767,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "ServiceLoopPrevention", "NameEnvVar": "FELIX_ServiceLoopPrevention", 
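Review bot: The new ProgramClusterRoutes description (hunk `@@ -2406,14 +2568,14 @@`) has a grammatical slip in both the Description and DescriptionHTML strings: "When ProgramClusterRoutes is Enabled, Felix program that route." should read `When ProgramClusterRoutes is Enabled, Felix programs that route.` If this JSON is generated from the Felix config source, as the field layout suggests, the fix should be made there so the next regeneration does not reintroduce it. The same hunk's mention of confd and BIRD as the programmers of the route when the setting is Disabled reads as expected-but-not-guaranteed ("it is expected that"); if that is a hard dependency on the BGP daemon being enabled, saying so explicitly would save readers a support question.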
@@ -2636,7 +2798,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "SidecarAccelerationEnabled", "NameEnvVar": "FELIX_SidecarAccelerationEnabled", @@ -2663,7 +2825,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "UseInternalDataplaneDriver", "NameEnvVar": "FELIX_UseInternalDataplaneDriver", @@ -2690,7 +2852,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "WAFEventLogsFileDirectory", "NameEnvVar": "FELIX_WAFEventLogsFileDirectory", @@ -2717,7 +2879,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "WAFEventLogsFileEnabled", "NameEnvVar": "FELIX_WAFEventLogsFileEnabled", @@ -2744,7 +2906,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "WAFEventLogsFileMaxFileSizeMB", "NameEnvVar": "FELIX_WAFEventLogsFileMaxFileSizeMB", @@ -2771,7 +2933,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "WAFEventLogsFileMaxFiles", "NameEnvVar": "FELIX_WAFEventLogsFileMaxFiles", @@ -2798,7 +2960,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "WAFEventLogsFlushInterval", "NameEnvVar": "FELIX_WAFEventLogsFlushInterval", 
@@ -2825,7 +2987,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "WorkloadSourceSpoofing", "NameEnvVar": "FELIX_WorkloadSourceSpoofing", @@ -2857,10 +3019,10 @@ ] }, { - "Name": "Data plane: iptables", + "Name": "Dataplane: iptables", "Fields": [ { - "Group": "Data plane: iptables", + "Group": "Dataplane: iptables", "GroupWithSortPrefix": "20 Dataplane: iptables", "NameConfigFile": "IpsetsRefreshInterval", "NameEnvVar": "FELIX_IpsetsRefreshInterval", @@ -2887,7 +3049,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: iptables", + "Group": "Dataplane: iptables", "GroupWithSortPrefix": "20 Dataplane: iptables", "NameConfigFile": "IptablesBackend", "NameEnvVar": "FELIX_IptablesBackend", @@ -2921,7 +3083,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: iptables", + "Group": "Dataplane: iptables", "GroupWithSortPrefix": "20 Dataplane: iptables", "NameConfigFile": "IptablesFilterAllowAction", "NameEnvVar": "FELIX_IptablesFilterAllowAction", @@ -2951,7 +3113,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: iptables", + "Group": "Dataplane: iptables", "GroupWithSortPrefix": "20 Dataplane: iptables", "NameConfigFile": "IptablesFilterDenyAction", "NameEnvVar": "FELIX_IptablesFilterDenyAction", @@ -2981,7 +3143,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: iptables", + "Group": "Dataplane: iptables", "GroupWithSortPrefix": "20 Dataplane: iptables", "NameConfigFile": "IptablesLockProbeIntervalMillis", "NameEnvVar": "FELIX_IptablesLockProbeIntervalMillis", @@ -3008,7 +3170,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: iptables", + "Group": "Dataplane: iptables", "GroupWithSortPrefix": "20 Dataplane: iptables", "NameConfigFile": "IptablesMangleAllowAction", "NameEnvVar": "FELIX_IptablesMangleAllowAction", 
@@ -3038,7 +3200,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: iptables", + "Group": "Dataplane: iptables", "GroupWithSortPrefix": "20 Dataplane: iptables", "NameConfigFile": "IptablesMarkMask", "NameEnvVar": "FELIX_IptablesMarkMask", @@ -3065,7 +3227,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: iptables", + "Group": "Dataplane: iptables", "GroupWithSortPrefix": "20 Dataplane: iptables", "NameConfigFile": "IptablesNATOutgoingInterfaceFilter", "NameEnvVar": "FELIX_IptablesNATOutgoingInterfaceFilter", @@ -3092,7 +3254,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: iptables", + "Group": "Dataplane: iptables", "GroupWithSortPrefix": "20 Dataplane: iptables", "NameConfigFile": "IptablesPostWriteCheckIntervalSecs", "NameEnvVar": "FELIX_IptablesPostWriteCheckIntervalSecs", @@ -3119,7 +3281,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: iptables", + "Group": "Dataplane: iptables", "GroupWithSortPrefix": "20 Dataplane: iptables", "NameConfigFile": "IptablesRefreshInterval", "NameEnvVar": "FELIX_IptablesRefreshInterval", @@ -3146,7 +3308,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: iptables", + "Group": "Dataplane: iptables", "GroupWithSortPrefix": "20 Dataplane: iptables", "NameConfigFile": "KubeNodePortRanges", "NameEnvVar": "FELIX_KubeNodePortRanges", @@ -3173,7 +3335,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: iptables", + "Group": "Dataplane: iptables", "GroupWithSortPrefix": "20 Dataplane: iptables", "NameConfigFile": "MaxIpsetSize", "NameEnvVar": "FELIX_MaxIpsetSize", @@ -3202,10 +3364,10 @@ ] }, { - "Name": "Data plane: nftables", + "Name": "Dataplane: nftables", "Fields": [ { - "Group": "Data plane: nftables", + "Group": "Dataplane: nftables", "GroupWithSortPrefix": "21 Dataplane: nftables", "NameConfigFile": "NftablesFilterAllowAction", "NameEnvVar": "FELIX_NftablesFilterAllowAction", 
@@ -3235,7 +3397,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: nftables", + "Group": "Dataplane: nftables", "GroupWithSortPrefix": "21 Dataplane: nftables", "NameConfigFile": "NftablesFilterDenyAction", "NameEnvVar": "FELIX_NftablesFilterDenyAction", @@ -3265,7 +3427,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: nftables", + "Group": "Dataplane: nftables", "GroupWithSortPrefix": "21 Dataplane: nftables", "NameConfigFile": "NftablesMangleAllowAction", "NameEnvVar": "FELIX_NftablesMangleAllowAction", @@ -3295,7 +3457,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: nftables", + "Group": "Dataplane: nftables", "GroupWithSortPrefix": "21 Dataplane: nftables", "NameConfigFile": "NftablesMarkMask", "NameEnvVar": "FELIX_NftablesMarkMask", @@ -3322,7 +3484,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: nftables", + "Group": "Dataplane: nftables", "GroupWithSortPrefix": "21 Dataplane: nftables", "NameConfigFile": "NftablesRefreshInterval", "NameEnvVar": "FELIX_NftablesRefreshInterval", @@ -3351,10 +3513,10 @@ ] }, { - "Name": "Data plane: eBPF", + "Name": "Dataplane: eBPF", "Fields": [ { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFAttachType", "NameEnvVar": "FELIX_BPFAttachType", @@ -3384,7 +3546,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFCTLBLogFilter", "NameEnvVar": "FELIX_BPFCTLBLogFilter", @@ -3411,7 +3573,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFConnectTimeLoadBalancing", "NameEnvVar": "FELIX_BPFConnectTimeLoadBalancing", 
@@ -3442,7 +3604,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFConnectTimeLoadBalancingEnabled", "NameEnvVar": "FELIX_BPFConnectTimeLoadBalancingEnabled", @@ -3469,7 +3631,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFConntrackCleanupMode", "NameEnvVar": "FELIX_BPFConntrackCleanupMode", @@ -3500,7 +3662,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFConntrackLogLevel", "NameEnvVar": "FELIX_BPFConntrackLogLevel", @@ -3530,7 +3692,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFConntrackTimeouts", "NameEnvVar": "FELIX_BPFConntrackTimeouts", @@ -3557,7 +3719,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFDNSPolicyMode", "NameEnvVar": "FELIX_BPFDNSPolicyMode", @@ -3584,7 +3746,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFDSROptoutCIDRs", "NameEnvVar": "FELIX_BPFDSROptoutCIDRs", @@ -3611,7 +3773,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFDataIfacePattern", "NameEnvVar": "FELIX_BPFDataIfacePattern", @@ -3638,7 +3800,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFDisableGROForIfaces", "NameEnvVar": "FELIX_BPFDisableGROForIfaces", 
@@ -3665,7 +3827,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFDisableUnprivileged", "NameEnvVar": "FELIX_BPFDisableUnprivileged", @@ -3692,7 +3854,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFEnabled", "NameEnvVar": "FELIX_BPFEnabled", @@ -3719,7 +3881,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFEnforceRPF", "NameEnvVar": "FELIX_BPFEnforceRPF", @@ -3750,7 +3912,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFExcludeCIDRsFromNAT", "NameEnvVar": "FELIX_BPFExcludeCIDRsFromNAT", @@ -3777,7 +3939,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFExportBufferSizeMB", "NameEnvVar": "FELIX_BPFExportBufferSizeMB", @@ -3804,7 +3966,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFExtToServiceConnmark", "NameEnvVar": "FELIX_BPFExtToServiceConnmark", @@ -3831,7 +3993,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFExternalServiceMode", "NameEnvVar": "FELIX_BPFExternalServiceMode", @@ -3861,7 +4023,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFForceTrackPacketsFromIfaces", "NameEnvVar": "FELIX_BPFForceTrackPacketsFromIfaces", 
@@ -3888,7 +4050,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFHostConntrackBypass", "NameEnvVar": "FELIX_BPFHostConntrackBypass", @@ -3915,7 +4077,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFHostNetworkedNATWithoutCTLB", "NameEnvVar": "FELIX_BPFHostNetworkedNATWithoutCTLB", @@ -3942,7 +4104,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFJITHardening", "NameEnvVar": "FELIX_BPFJITHardening", @@ -3969,7 +4131,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFKubeProxyHealthzPort", "NameEnvVar": "FELIX_BPFKubeProxyHealthzPort", @@ -3986,17 +4148,17 @@ "YAMLEnumValues": null, "YAMLSchemaHTML": "Integer", "YAMLDefault": "10256", - "Required": true, + "Required": false, "OnParseFailure": "ReplaceWithDefault", "AllowedConfigSources": "All", - "Description": "In BPF mode, controls the port that Felix's embedded kube-proxy health check server binds to.\nThe health check server is used by external load balancers to determine if this node should receive traffic.", - "DescriptionHTML": "

In BPF mode, controls the port that Felix's embedded kube-proxy health check server binds to.\nThe health check server is used by external load balancers to determine if this node should receive traffic.

", + "Description": "In BPF mode, controls the port that Felix's embedded kube-proxy health check server binds to.\nThe health check server is used by external load balancers to determine if this node should receive traffic.\nSet to 0 to disable the health check server.", + "DescriptionHTML": "

In BPF mode, controls the port that Felix's embedded kube-proxy health check server binds to.\nThe health check server is used by external load balancers to determine if this node should receive traffic.\nSet to 0 to disable the health check server.

", "UserEditable": true, "GoType": "*int", "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFKubeProxyIptablesCleanupEnabled", "NameEnvVar": "FELIX_BPFKubeProxyIptablesCleanupEnabled", @@ -4023,7 +4185,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFKubeProxyMinSyncPeriod", "NameEnvVar": "FELIX_BPFKubeProxyMinSyncPeriod", @@ -4050,7 +4212,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFL3IfacePattern", "NameEnvVar": "FELIX_BPFL3IfacePattern", @@ -4070,14 +4232,14 @@ "Required": false, "OnParseFailure": "ReplaceWithDefault", "AllowedConfigSources": "All", - "Description": "A regular expression that allows to list tunnel devices like WireGuard or vxlan (i.e., L3 devices)\nin addition to BPFDataIfacePattern. That is, tunnel interfaces not created by Calico, that Calico workload traffic flows\nover as well as any interfaces that handle incoming traffic to nodeports and services from outside the cluster.", - "DescriptionHTML": "

A regular expression that allows to list tunnel devices like WireGuard or vxlan (i.e., L3 devices)\nin addition to BPFDataIfacePattern. That is, tunnel interfaces not created by Calico, that Calico workload traffic flows\nover as well as any interfaces that handle incoming traffic to nodeports and services from outside the cluster.

", + "Description": "A regular expression that allows to list tunnel devices like wireguard or vxlan (i.e., L3 devices)\nin addition to BPFDataIfacePattern. That is, tunnel interfaces not created by Calico, that Calico workload traffic flows\nover as well as any interfaces that handle incoming traffic to nodeports and services from outside the cluster.", + "DescriptionHTML": "

A regular expression that allows to list tunnel devices like wireguard or vxlan (i.e., L3 devices)\nin addition to BPFDataIfacePattern. That is, tunnel interfaces not created by Calico, that Calico workload traffic flows\nover as well as any interfaces that handle incoming traffic to nodeports and services from outside the cluster.

", "UserEditable": true, "GoType": "string", "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFLogFilters", "NameEnvVar": "FELIX_BPFLogFilters", @@ -4104,7 +4266,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFLogLevel", "NameEnvVar": "FELIX_BPFLogLevel", @@ -4135,7 +4297,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFMaglevMaxEndpointsPerService", "NameEnvVar": "FELIX_BPFMaglevMaxEndpointsPerService", @@ -4162,7 +4324,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFMaglevMaxServices", "NameEnvVar": "FELIX_BPFMaglevMaxServices", @@ -4189,7 +4351,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFMapSizeConntrack", "NameEnvVar": "FELIX_BPFMapSizeConntrack", @@ -4216,7 +4378,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFMapSizeConntrackCleanupQueue", "NameEnvVar": "FELIX_BPFMapSizeConntrackCleanupQueue", @@ -4243,7 +4405,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFMapSizeConntrackScaling", "NameEnvVar": "FELIX_BPFMapSizeConntrackScaling", @@ -4273,7 +4435,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFMapSizeIPSets", "NameEnvVar": "FELIX_BPFMapSizeIPSets", 
@@ -4300,7 +4462,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFMapSizeIfState", "NameEnvVar": "FELIX_BPFMapSizeIfState", @@ -4327,7 +4489,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFMapSizeNATAffinity", "NameEnvVar": "FELIX_BPFMapSizeNATAffinity", @@ -4354,7 +4516,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFMapSizeNATBackend", "NameEnvVar": "FELIX_BPFMapSizeNATBackend", @@ -4381,7 +4543,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFMapSizeNATFrontend", "NameEnvVar": "FELIX_BPFMapSizeNATFrontend", @@ -4408,7 +4570,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFMapSizePerCPUConntrack", "NameEnvVar": "FELIX_BPFMapSizePerCPUConntrack", @@ -4435,7 +4597,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFMapSizeRoute", "NameEnvVar": "FELIX_BPFMapSizeRoute", @@ -4462,7 +4624,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFPSNATPorts", "NameEnvVar": "FELIX_BPFPSNATPorts", @@ -4489,7 +4651,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFPolicyDebugEnabled", "NameEnvVar": "FELIX_BPFPolicyDebugEnabled", 
@@ -4516,7 +4678,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFProfiling", "NameEnvVar": "FELIX_BPFProfiling", @@ -4546,7 +4708,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFRedirectToPeer", "NameEnvVar": "FELIX_BPFRedirectToPeer", @@ -4578,10 +4740,10 @@ ] }, { - "Name": "Data plane: Windows", + "Name": "Dataplane: Windows", "Fields": [ { - "Group": "Data plane: Windows", + "Group": "Dataplane: Windows", "GroupWithSortPrefix": "23 Dataplane: Windows", "NameConfigFile": "WindowsDNSCacheFile", "NameEnvVar": "FELIX_WindowsDNSCacheFile", @@ -4608,7 +4770,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Windows", + "Group": "Dataplane: Windows", "GroupWithSortPrefix": "23 Dataplane: Windows", "NameConfigFile": "WindowsDNSExtraTTL", "NameEnvVar": "FELIX_WindowsDNSExtraTTL", @@ -4635,7 +4797,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Windows", + "Group": "Dataplane: Windows", "GroupWithSortPrefix": "23 Dataplane: Windows", "NameConfigFile": "WindowsFlowLogsFileDirectory", "NameEnvVar": "FELIX_WindowsFlowLogsFileDirectory", @@ -4662,7 +4824,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Windows", + "Group": "Dataplane: Windows", "GroupWithSortPrefix": "23 Dataplane: Windows", "NameConfigFile": "WindowsFlowLogsPositionFilePath", "NameEnvVar": "FELIX_WindowsFlowLogsPositionFilePath", @@ -4689,7 +4851,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Windows", + "Group": "Dataplane: Windows", "GroupWithSortPrefix": "23 Dataplane: Windows", "NameConfigFile": "WindowsManageFirewallRules", "NameEnvVar": "FELIX_WindowsManageFirewallRules", 
@@ -4719,7 +4881,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Windows", + "Group": "Dataplane: Windows", "GroupWithSortPrefix": "23 Dataplane: Windows", "NameConfigFile": "WindowsNetworkName", "NameEnvVar": "FELIX_WindowsNetworkName", @@ -4746,7 +4908,7 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: Windows", + "Group": "Dataplane: Windows", "GroupWithSortPrefix": "23 Dataplane: Windows", "NameConfigFile": "WindowsStatsDumpFilePath", "NameEnvVar": "FELIX_WindowsStatsDumpFilePath", @@ -4775,10 +4937,10 @@ ] }, { - "Name": "Data plane: OpenStack support", + "Name": "Dataplane: OpenStack support", "Fields": [ { - "Group": "Data plane: OpenStack support", + "Group": "Dataplane: OpenStack support", "GroupWithSortPrefix": "25 Dataplane: OpenStack support", "NameConfigFile": "EndpointReportingDelaySecs", "NameEnvVar": "FELIX_EndpointReportingDelaySecs", @@ -4805,7 +4967,7 @@ "OpenSourceOnly": true }, { - "Group": "Data plane: OpenStack support", + "Group": "Dataplane: OpenStack support", "GroupWithSortPrefix": "25 Dataplane: OpenStack support", "NameConfigFile": "EndpointReportingEnabled", "NameEnvVar": "FELIX_EndpointReportingEnabled", @@ -4832,7 +4994,7 @@ "OpenSourceOnly": true }, { - "Group": "Data plane: OpenStack support", + "Group": "Dataplane: OpenStack support", "GroupWithSortPrefix": "25 Dataplane: OpenStack support", "NameConfigFile": "MetadataAddr", "NameEnvVar": "FELIX_MetadataAddr", @@ -4859,7 +5021,7 @@ "OpenSourceOnly": true }, { - "Group": "Data plane: OpenStack support", + "Group": "Dataplane: OpenStack support", "GroupWithSortPrefix": "25 Dataplane: OpenStack support", "NameConfigFile": "MetadataPort", "NameEnvVar": "FELIX_MetadataPort", @@ -4886,7 +5048,7 @@ "OpenSourceOnly": true }, { - "Group": "Data plane: OpenStack support", + "Group": "Dataplane: OpenStack support", "GroupWithSortPrefix": "25 Dataplane: OpenStack support", "NameConfigFile": "OpenstackRegion", "NameEnvVar": "FELIX_OpenstackRegion", 
@@ -4913,7 +5075,7 @@ "OpenSourceOnly": true }, { - "Group": "Data plane: OpenStack support", + "Group": "Dataplane: OpenStack support", "GroupWithSortPrefix": "25 Dataplane: OpenStack support", "NameConfigFile": "ReportingIntervalSecs", "NameEnvVar": "FELIX_ReportingIntervalSecs", @@ -4940,7 +5102,7 @@ "OpenSourceOnly": true }, { - "Group": "Data plane: OpenStack support", + "Group": "Dataplane: OpenStack support", "GroupWithSortPrefix": "25 Dataplane: OpenStack support", "NameConfigFile": "ReportingTTLSecs", "NameEnvVar": "FELIX_ReportingTTLSecs", @@ -4969,11 +5131,11 @@ ] }, { - "Name": "Data plane: XDP acceleration for iptables data plane", + "Name": "Dataplane: XDP acceleration for iptables dataplane", "Fields": [ { - "Group": "Data plane: XDP acceleration for iptables data plane", - "GroupWithSortPrefix": "25 Dataplane: XDP acceleration for iptables data plane", + "Group": "Dataplane: XDP acceleration for iptables dataplane", + "GroupWithSortPrefix": "25 Dataplane: XDP acceleration for iptables dataplane", "NameConfigFile": "GenericXDPEnabled", "NameEnvVar": "FELIX_GenericXDPEnabled", "NameYAML": "genericXDPEnabled", @@ -4999,8 +5161,8 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: XDP acceleration for iptables data plane", - "GroupWithSortPrefix": "25 Dataplane: XDP acceleration for iptables data plane", + "Group": "Dataplane: XDP acceleration for iptables dataplane", + "GroupWithSortPrefix": "25 Dataplane: XDP acceleration for iptables dataplane", "NameConfigFile": "XDPEnabled", "NameEnvVar": "FELIX_XDPEnabled", "NameYAML": "xdpEnabled", 
@@ -5026,8 +5188,8 @@ "OpenSourceOnly": false }, { - "Group": "Data plane: XDP acceleration for iptables data plane", - "GroupWithSortPrefix": "25 Dataplane: XDP acceleration for iptables data plane", + "Group": "Dataplane: XDP acceleration for iptables dataplane", + "GroupWithSortPrefix": "25 Dataplane: XDP acceleration for iptables dataplane", "NameConfigFile": "XDPRefreshInterval", "NameEnvVar": "FELIX_XDPRefreshInterval", "NameYAML": "xdpRefreshInterval", @@ -5774,8 +5936,8 @@ "Required": false, "OnParseFailure": "ReplaceWithDefault", "AllowedConfigSources": "All", - "Description": "The interval at which Felix will check the kernel's IPsec policy tables and\nrepair any inconsistencies.", - "DescriptionHTML": "

The interval at which Felix will check the kernel's IPsec policy tables and\nrepair any inconsistencies.

", + "Description": "The interval at which Felix will check the kernel’s IPsec policy tables and\nrepair any inconsistencies.", + "DescriptionHTML": "

The interval at which Felix will check the kernel’s IPsec policy tables and\nrepair any inconsistencies.

", "UserEditable": true, "GoType": "*v1.Duration", "OpenSourceOnly": false @@ -6773,8 +6935,8 @@ "Required": false, "OnParseFailure": "ReplaceWithDefault", "AllowedConfigSources": "All", - "Description": "Configures local Unix socket for reporting flow data from each node.", - "DescriptionHTML": "

Configures local Unix socket for reporting flow data from each node.

", + "Description": "Configures local unix socket for reporting flow data from each node.", + "DescriptionHTML": "

Configures local unix socket for reporting flow data from each node.

", "UserEditable": true, "GoType": "*string", "OpenSourceOnly": false
diff --git a/calico-enterprise/networking/kubevirt/index.mdx b/calico-enterprise/networking/kubevirt/index.mdx
new file mode 100644
index 0000000000..9b3c43935e
--- /dev/null
+++ b/calico-enterprise/networking/kubevirt/index.mdx
@@ -0,0 +1,11 @@
+---
+description: Configure Calico Enterprise networking for KubeVirt virtual machines.
+hide_table_of_contents: true
+---
+
+# $[prodname] networking for KubeVirt
+
+import DocCardList from '@theme/DocCardList';
+import { useCurrentSidebarCategory } from '@docusaurus/theme-common';
+
+
diff --git a/calico-enterprise/networking/kubevirt/kubevirt-networking.mdx b/calico-enterprise/networking/kubevirt/kubevirt-networking.mdx
new file mode 100644
index 0000000000..c00f797976
--- /dev/null
+++ b/calico-enterprise/networking/kubevirt/kubevirt-networking.mdx
@@ -0,0 +1,227 @@
+---
+description: Configure Calico Enterprise to provide networking for KubeVirt virtual machines, including IP address persistence and live migration support.
+---
+
+# KubeVirt networking
+
+## Big picture
+
+$[prodname] provides networking for KubeVirt virtual machines (VMs) running on your Kubernetes cluster,
+including persistent IP addresses across VM lifecycle events and support for live migration.
+
+## Value
+
+KubeVirt runs VMs inside Kubernetes pods. When a VM reboots, is evicted, or live-migrates to
+another host, the underlying pod is destroyed and recreated. Without IP persistence, each new pod
+would receive a fresh IP address, which would break existing connections and change the VM's network identity.
+
+$[prodname]'s KubeVirt support ensures that:
+
+- A VM retains the same IP address across reboots, pod evictions, and live migrations.
+- Live migration completes without breaking TCP connections or changing the VM's network identity.
+- Network policy is correctly applied to the VM on the destination host before migration traffic is switched.
+
+## Concepts
+
+### Supported networking mode: bridge
+
+$[prodname] supports KubeVirt live migration using the **bridge** binding mode. In bridge mode,
+the VM is connected to the pod network through a Linux bridge, and the VM uses the same IP address
+that $[prodname] assigns to the pod. This is required because:
+
+- **IP address persistence** depends on the VM IP matching the pod IP. Bridge mode ensures
+ the VM sees and uses the pod IP directly.
+- **Network policy** in KubeVirt bridge mode is applied on the pod's veth interface, so
+ policy enforcement works correctly for VM traffic.
+- **Live migration** in KubeVirt bridge mode relies on detecting gratuitous ARP (GARP) packets
+ from the VM on the pod's veth interface to know when the VM has activated on the target host.
+
+Other KubeVirt networking modes (such as masquerade) are not supported for live migration
+because the VM would use a different IP than the pod IP, breaking IP persistence and
+policy enforcement.
+
+### BGP networking required
+
+Live migration currently requires BGP networking without overlay. Overlay networking (VXLAN, IP-in-IP)
+support is planned for a future release.
+
+### KubeVirt VM IP address persistence
+
+$[prodname] uses the VM's identity (rather than the pod's identity) as the IPAM allocation handle.
+When a VM's pod is recreated, the new pod is allocated the same IP address as the original.
+This is a cluster-wide setting controlled by the `IPAMConfiguration` resource.
+
+### Live migration
+
+When a KubeVirt VM live-migrates from one host to another, $[prodname] coordinates the network
+transition:
+
+1. The target pod is created on the destination host and assigned the same IP as the source pod.
+2. Network policy is programmed on the destination host before the VM becomes active.
+3. Once the VM activates on the target host, $[prodname] adjusts route priorities so that
+ traffic is steered to the new host.
+4. After a configurable convergence period (default 30 seconds), route priorities return to normal.
+
+### Policy setup timeout
+
+During live migration, KubeVirt needs to know when the destination host is ready for the VM.
+The `policy_setup_timeout_seconds` CNI configuration parameter interlocks the progress of the
+live migration with policy programming. The CNI plugin delays reporting success until network
+policy is in place on the destination, or until the timeout expires.
+
+### Limitations
+
+- **WireGuard** is not supported with live migration.
+- **DNS policy is not supported with live migration.** DNS policy enforcement relies on
+ local conntrack state on the node.
After a live migration, the conntrack state from the
+ source node is not transferred to the destination node, so DNS policy rules that depend
+ on connection tracking will not function correctly. Support for DNS policy with live
+ migration is planned for a future release.
+
+## Before you begin
+
+- A working Kubernetes cluster with KubeVirt installed.
+- $[prodname] installed with BGP networking without overlay.
+- Access to `projectcalico.org/v3` resources using
+ [calicoctl](../../operations/clis/calicoctl/install.mdx).
+
+## How to
+
+### Enable live migration on VMs with bridge mode
+
+By default, KubeVirt does not allow [live migration](https://kubevirt.io/user-guide/compute/live_migration/)
+for VMs that use bridge binding on the pod network. To enable it, annotate your `VirtualMachine`
+template with `kubevirt.io/allow-pod-bridge-network-live-migration`:
+
+```yaml
+apiVersion: kubevirt.io/v1
+kind: VirtualMachine
+metadata:
+ name: my-vm
+spec:
+ template:
+ metadata:
+ annotations:
+ kubevirt.io/allow-pod-bridge-network-live-migration: ""
+ spec:
+ domain:
+ devices:
+ interfaces:
+ - name: default
+ bridge: {}
+ networks:
+ - name: default
+ pod: {}
+```
+
+The annotation must be placed in `spec.template.metadata.annotations` (the VMI template, not the
+VM itself). Without this annotation, KubeVirt rejects live migration attempts for VMs using
+bridge binding with an error like:
+`cannot migrate VMI which does not use masquerade to connect to the pod network`.
+
+### Enable KubeVirt VM IP address persistence
+
+IP address persistence is enabled by default.
If it has been previously disabled, re-enable
+it by setting `kubeVirtVMAddressPersistence` to `Enabled` in the `IPAMConfiguration` resource:
+
+```bash
+kubectl patch ipamconfigurations default --type='merge' -p '{"spec": {"kubeVirtVMAddressPersistence": "Enabled"}}'
+```
+
+Or using `calicoctl`:
+
+```bash
+calicoctl ipam configure --kubevirt-ip-persistence=Enabled
+```
+
+:::note
+
+IP address persistence must be enabled for live migration to work. If persistence is disabled,
+the CNI plugin rejects migration target pods.
+
+:::
+
+### Allow live migration ports through host endpoint policy
+
+If you use [host endpoint policies](../../reference/host-endpoints/overview.mdx), you must
+allow the KubeVirt live migration ports (TCP 49152 and 49153) between hosts. These ports are
+used by libvirt/QEMU to transfer VM memory and block storage directly between the source and
+destination nodes during live migration.
+
+Add them to the Felix `FailsafeInboundHostPorts` and `FailsafeOutboundHostPorts` configuration,
+or create appropriate host endpoint policies to allow this traffic. See
+[Failsafe rules](../../reference/host-endpoints/failsafe.mdx) for more details.
+
+### Configure policy setup timeout for live migration
+
+To ensure network policy is programmed on the destination host before the VM starts receiving
+traffic, configure the policy setup timeout. This value specifies how long (in seconds) the
+CNI plugin waits for policy to be programmed before reporting success.
+
+If you installed $[prodname] using the operator, configure the
+[`linuxPolicySetupTimeoutSeconds`](../../reference/installation/api.mdx#caliconetworkspec) field
+in the [`Installation`](../../reference/installation/api.mdx#installation) resource's `calicoNetwork` settings:
+
+```yaml
+kind: Installation
+apiVersion: operator.tigera.io/v1
+metadata:
+ name: default
+spec:
+ calicoNetwork:
+ linuxPolicySetupTimeoutSeconds: 10
+```
+
+For manifest-based installations, set `policy_setup_timeout_seconds` directly in
+the CNI network configuration (typically `/etc/cni/net.d/10-calico.conflist`):
+
+```json
+{
+ "name": "k8s-pod-network",
+ "cniVersion": "0.3.1",
+ "plugins": [
+ {
+ "type": "calico",
+ "policy_setup_timeout_seconds": 10,
+ ...
+ }
+ ]
+}
+```
+
+## Security considerations
+
+### VM identity verification
+
+$[prodname]'s CNI plugin verifies the identity of VM pods using Kubernetes `ownerReferences`.
+When a pod claims to be a KubeVirt VM (to receive a persistent IP), the CNI plugin checks that
+the pod's `ownerReferences` point to a valid `VirtualMachineInstance` resource. This prevents
+arbitrary pods from claiming VM IP addresses.
+
+### RBAC recommendations
+
+A user who can create pods and read `VirtualMachineInstance` resources could potentially forge
+`ownerReferences` to claim a VM's IP address. To mitigate this:
+
+- Restrict pod creation permissions in namespaces that run KubeVirt VMs.
+- Limit `get`/`list` access to `VirtualMachineInstance` resources to trusted users and service accounts.
+
+### Admission controllers
+
+For production deployments, consider using admission controllers such as
+[Kyverno](https://kyverno.io/) or [OPA/Gatekeeper](https://open-policy-agent.github.io/gatekeeper/)
+to enforce that only KubeVirt controllers can set `ownerReferences` pointing to
+`VirtualMachineInstance` resources on pods.
+
+### $[prodname] component permissions
+
+$[prodname] components (Felix, confd, the CNI plugin) require only **read** access to KubeVirt
+resources (`VirtualMachineInstance`, `VirtualMachineInstanceMigration`, etc.). They do not create, modify, or delete any KubeVirt resources.
+
+## Additional resources
+
+- [`IPAMConfiguration` reference](../../reference/resources/ipamconfig.mdx)
+- [FelixConfiguration reference](../../reference/resources/felixconfig.mdx)
+- [BGPConfiguration reference](../../reference/resources/bgpconfig.mdx)
+- [BGP routing for KubeVirt live migration](./live-migration-bgp.mdx)
+- [Configure BGP peering](../configuring/bgp.mdx)
diff --git a/calico-enterprise/networking/kubevirt/live-migration-bgp.mdx b/calico-enterprise/networking/kubevirt/live-migration-bgp.mdx
new file mode 100644
index 0000000000..9152163b6c
--- /dev/null
+++ b/calico-enterprise/networking/kubevirt/live-migration-bgp.mdx
@@ -0,0 +1,202 @@
+---
+description: Configure BGP routing to support KubeVirt live migration across racks and AS boundaries.
+---
+
+# BGP routing for KubeVirt live migration
+
+## Big picture
+
+When you live-migrate a KubeVirt VM to a new host, $[prodname] uses route priority to steer traffic to
+the new host. In single-rack deployments with iBGP, this works automatically. In multi-rack
+topologies or AS puddling setups where eBGP is used between racks, you must configure
+[BGPFilter](../../reference/resources/bgpfilter.mdx) resources to propagate route priority
+information across AS boundaries.
+
+## Value
+
+Without proper BGP route engineering, live migration across rack boundaries can cause traffic
+blackholing or split-brain routing. This guide explains how to configure BGP so that
+elevated-priority routes from the target host are correctly propagated to all nodes in the cluster,
+ensuring seamless live migration regardless of your BGP topology.
+
+## Concepts
+
+### Route priority and BGP
+
+During live migration, $[prodname] programs routes on the target host with an elevated priority
+(lower kernel metric, default 512) compared to the normal priority on the source host (default 1024).
+In the Linux kernel, a lower route metric means higher priority, so traffic is directed to the
+target host.
+
+For this to work cluster-wide, the route priority information must be propagated via BGP:
+
+- **Within an AS (iBGP):** $[prodname] automatically maps the kernel route metric (`krt_metric`)
+ to BGP `local_pref` using the formula `local_pref = 2147483647 - krt_metric`. This mapping is
+ hardcoded and works for both node-to-node mesh and explicit `BGPPeer` resources. No user
+ configuration is needed.
+
+- **Across AS boundaries (eBGP):** BGP `local_pref` is not carried across AS boundaries. You must
+ configure `BGPFilter` resources to encode priority information using BGP communities or other
+ attributes that cross AS boundaries.
+
+### Downward default model supported with exceptions
+
+The [downward default model](../../reference/architecture/design/l3-interconnect-fabric.mdx#the-downward-default-model)
+is supported for normal routes, but the ToR must also pass through elevated-priority /32 routes
+for live migration. Live migration requires specific /32 routes with elevated priority to be
+propagated across racks so that all nodes can route traffic to the new host. A pure downward
+default configuration where *only* a default route is advertised downward is not compatible
+with live migration.
+
+### Route aggregation
+
+Under normal conditions, $[prodname] aggregates individual /32 workload routes into larger CIDR
+blocks for BGP advertisement, reducing the number of routes in the network. During live migration,
+elevated-priority /32 routes **bypass aggregation** so that the per-route priority information is
+preserved. This is handled automatically by $[prodname].
+
+## Before you begin
+
+- KubeVirt VM IP address persistence is [enabled](./kubevirt-networking.mdx).
+- $[prodname] is configured with [BGP networking](../configuring/bgp.mdx).
+- You are familiar with [BGPFilter](../../reference/resources/bgpfilter.mdx) and
+ [BGPPeer](../../reference/resources/bgppeer.mdx) resources.
+
+## How to
+
+### Single-rack or iBGP mesh
+
+If all your nodes are within the same AS (using either node-to-node mesh or explicit iBGP peerings),
+**no additional configuration is needed**. $[prodname] automatically:
+
+1. Maps `krt_metric` to `bgp_local_pref` on export.
+2. Maps `bgp_local_pref` back to `krt_metric` on import.
+3. Bypasses route aggregation for elevated-priority /32 routes.
+4. Sets a higher BIRD route preference for imported elevated-priority routes so they override
+ existing kernel routes.
+
+### Multi-rack with eBGP to ToR
+
+In a multi-rack topology where compute nodes peer with their ToR switch over eBGP, you need to
+configure `BGPFilter` resources to carry route priority information across the AS boundary.
+
+#### Route priority signaling across AS boundaries
+
+There are two common techniques to carry route priority information across eBGP boundaries where
+`local_pref` is not available:
+
+- **BGP communities**: A community is a tag attached to a route that carries no inherent routing
+ meaning — its interpretation is defined by agreement between network operators. By assigning a
+ community value to represent elevated priority (e.g., `65000:100`), the exporting node marks
+ which routes are preferred. The receiving node matches on that community and restores the
+ appropriate kernel route metric. Communities are the most explicit and flexible approach because
+ they carry an arbitrary signal that both sides interpret identically.
+
+- **AS path prepending**: BGP's default best-path selection prefers routes with shorter AS paths.
+ By prepending extra AS numbers to lower-priority routes on export, you make those routes appear
+ longer and therefore less preferred. This technique works without any configuration on
+ intermediate routers — they naturally prefer the shorter path. However, it is less precise than
+ communities because it relies on the standard BGP decision process, which may be overridden by
+ other attributes (e.g., MED, weight).
+
+You can use either technique or combine them. The example below uses **communities only**, which
+is the recommended approach for most deployments.
+
+#### Step 1: Create a BGPFilter for the ToR peering
+
+Create a `BGPFilter` that uses the `priority` and `operations` fields to tag routes with
+BGP communities on export, and reconstruct priority from communities on import. The exact
+community values depend on your network infrastructure; coordinate with your network team.
+
+The following example uses community `65000:100` to mark elevated-priority routes (the migration
+target). Normal-priority routes are indicated by the absence of this community:
+
+```yaml
+apiVersion: projectcalico.org/v3
+kind: BGPFilter
+metadata:
+ name: kubevirt-live-migration
+spec:
+ exportV4:
+ # Elevated-priority route (target pod): tag with community 65000:100
+ - action: Accept
+ peerType: eBGP
+ priority: 512
+ operations:
+ - addCommunity:
+ value: "65000:100"
+ importV4:
+ # Match elevated-priority community: restore priority 512
+ - action: Accept
+ communities:
+ values: ["65000:100"]
+ operations:
+ - setPriority:
+ value: 512
+ exportV6:
+ - action: Accept
+ peerType: eBGP
+ priority: 512
+ operations:
+ - addCommunity:
+ value: "65000:100"
+ importV6:
+ - action: Accept
+ communities:
+ values: ["65000:100"]
+ operations:
+ - setPriority:
+ value: 512
+```
+
+Key fields used in this filter:
+
+- **`priority`** (export rules): Matches routes by their kernel route metric. Only routes with the
+ specified priority value match this rule.
+- **`peerType: eBGP`** (export rules): Ensures the community tagging only applies to eBGP peers,
+ not iBGP peers (which use the automatic `local_pref` mapping).
+- **`communities`** (import rules): Matches routes carrying the specified BGP community.
+- **`operations`**: An ordered list of route modifications applied to matching routes:
+ - `addCommunity`: Adds a BGP community to the route.
+ - `setPriority`: Sets the route's kernel metric (priority).
+
+:::note
+
+The `priority` values in the BGPFilter (512) must match the `ipv4ElevatedRoutePriority`
+and `ipv4NormalRoutePriority` values in your `FelixConfiguration`. In case you customized those values,
+update the BGPFilter accordingly.
+
+:::
+
+#### Step 2: Attach the BGPFilter to the ToR BGPPeer
+
+Add the filter to your existing `BGPPeer` resource for the ToR:
+
+```yaml
+apiVersion: projectcalico.org/v3
+kind: BGPPeer
+metadata:
+ name: node-tor-peer
+spec:
+ peerIP:
+ asNumber:
+ filters:
+ - kubevirt-live-migration
+```
+
+#### Step 3: Configure ToR to propagate routes with communities
+
+Ensure your ToR switches are configured to pass through the BGP communities used in the
+`BGPFilter` (e.g., `65000:100`). The ToR must re-advertise these /32 routes
+with their communities intact to compute nodes in other racks, so that the receiving nodes'
+import filters can reconstruct the correct route priority. This configuration is done on the
+ToR switch itself (outside of $[prodname]) and depends on your switch vendor and network OS.
+
+## Additional resources
+
+- [KubeVirt networking overview](./kubevirt-networking.mdx)
+- [Configure BGP peering](../configuring/bgp.mdx)
+- [BGP L3 interconnect fabric](../../reference/architecture/design/l3-interconnect-fabric.mdx)
+- [BGPFilter reference](../../reference/resources/bgpfilter.mdx)
+- [BGPPeer reference](../../reference/resources/bgppeer.mdx)
+- [Configure BGP peering with nested clusters on KubeVirt VMs](../configuring/bgp-to-workload.mdx)
diff --git a/calico-enterprise/reference/resources/bgpconfig.mdx b/calico-enterprise/reference/resources/bgpconfig.mdx
index 095b4b537a..dc15b6e9e0 100644
--- a/calico-enterprise/reference/resources/bgpconfig.mdx
+++ b/calico-enterprise/reference/resources/bgpconfig.mdx
@@ -44,7 +44,7 @@ spec:
 
 | Field | Description | Accepted Values | Schema |
 | ----- | --------------------------------------------------------- | --------------------------------------------------- | ------ |
-| name | Unique name to describe this resource instance. Required. | Alphanumeric string with optional `.`, `_`, or `-`. | string |
+| `name` | Unique name to describe this resource instance. Required. | Alphanumeric string with optional `.`, `_`, or `-`. | string |
 
 - The resource with the name `default` has a specific meaning - this contains the BGP global default configuration.
 - The resources with the name `node.` contain the node-specific overrides, and will be applied to the node ``. When deleting a node the BGPConfiguration resource associated with the node will also be deleted. Only prefixAdvertisements, listenPort, and logSeverityScreen can be overridden this way.
@@ -53,36 +53,39 @@ spec: | Field | Description | Accepted Values | Schema | Default | | ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------- | ----------------------------------------------------- | --------------------------------------------------------------- | -| logSeverityScreen | Global log level | Debug, Info, Warning, Error, Fatal | string | `Info` | -| nodeToNodeMeshEnabled | Full BGP node-to-node mesh. Only valid on the global `default` BGPConfiguration. | true, false | string | true | -| asNumber | The default local AS Number that $[prodname] should use when speaking with BGP peers. Only valid on the global `default` BGPConfiguration; to set a per-node override, use the `bgp` field on the [Node resource](node.mdx). | A valid AS Number, may be specified in dotted notation. | integer/string | 64512 | -| extensions | Additional mapping of keys and values. Used for setting values in custom BGP configurations. | valid strings for both keys and values | map | | -| serviceClusterIPs | The CIDR blocks for Kubernetes Service Cluster IPs to be advertised over BGP. Only valid on the global `default` BGPConfiguration: will be ignored otherwise. | A list of valid IPv4 or IPv6 CIDR blocks. | List of `cidr: /` values. | Empty List | -| serviceExternalIPs | The CIDR blocks for Kubernetes Service External IPs to be advertised over BGP. Kubernetes Service External IPs will only be advertised if they are within one of these blocks. Only valid on the global `default` BGPConfiguration: will be ignored otherwise. 
| A list of valid IPv4 or IPv6 CIDR blocks. | List of `cidr: /` values. | Empty List | -| serviceLoadBalancerIPs | The CIDR blocks for Kubernetes Service status.LoadBalancer IPs to be advertised over BGP. Kubernetes LoadBalancer IPs will only be advertised if they are within one of these blocks. Only valid on the global `default` BGPConfiguration: will be ignored otherwise. | A list of valid IPv4 or IPv6 CIDR blocks. | List of `cidr: /` values. | Empty List | -| listenPort | The port where BGP protocol should listen. | A valid port number. | integer | 179 | -| bindMode | Indicates whether to listen for BGP connections on all addresses (None) or only on the node's canonical IP address Node.Spec.BGP.IPvXAddress (NodeIP). If this field is changed when calico-node is already running, the change will not take effect until calico-node is manually restarted. | None, NodeIP. | string | None | -| communities | List of BGP community names and their values, communities are not advertised unless they are used in [prefixAdvertisements](#prefixadvertisements). | | List of [communities](#communities) | -| prefixAdvertisements | List of per-prefix advertisement properties, like BGP communities. | | List of [prefixAdvertisements](#prefixadvertisements) | -| nodeMeshPassword | BGP password for the all the peerings in a full mesh configuration. | | [BGPPassword](bgppeer.mdx#bgppassword) | `nil` (no password) | -| nodeMeshMaxRestartTime | Restart time that is announced by BIRD in the BGP graceful restart capability and that specifies how long the neighbor would wait for the BGP session to re-establish after a restart before deleting stale routes in full mesh configurations. Note: extra care should be taken when changing this configuration, as it may break networking in your cluster. When not specified, BIRD uses the default value of 120 seconds. | `10s`, `120s`, `2m` etc. 
| [Duration string][parse-duration] | `nil` (empty config, BIRD will use the default value of `120s`) | -| ignoredInterfaces | List of network interfaces to be excluded when reading device routes. | A list of network interface names. The names can contain the wildcard character asterisk `*` to specify groups of interface names. | List of strings | `nil` (no extra interfaces to be ignored) | -| localWorkloadPeeringIPV4 | Single virtual IPv4 address that all nodes will use for peering with local workloads when using `BGPPeer`'s `localWorkloadSelector`. A link local address is recommended but it must not be 169.254.0.1 or 169.254.0.2 because these are used internally by $[prodname]. See the [guide](../../networking/configuring/bgp-to-workload.mdx) for details. | An IPv4 address. | string | None | -| localWorkloadPeeringIPV6 | Single virtual IPv6 address that all nodes will use for peering with local workloads when using `BGPPeer`'s `localWorkloadSelector`. Must _not_ be a link-local address (because $[prodname] doesn't currently support the required "scope" suffix). See the [guide](../../networking/configuring/bgp-to-workload.mdx) for details. | An IPv6 address. | string | None | +| `logSeverityScreen` | Global log level | Debug, Info, Warning, Error, Fatal | string | `Info` | +| `nodeToNodeMeshEnabled` | Full BGP node-to-node mesh. Only valid on the global `default` BGPConfiguration. | true, false | string | true | +| `asNumber` | The default local AS Number that $[prodname] should use when speaking with BGP peers. Only valid on the global `default` BGPConfiguration; to set a per-node override, use the `bgp` field on the [Node resource](node.mdx). | A valid AS Number, may be specified in dotted notation. | integer/string | 64512 | +| `extensions` | Additional mapping of keys and values. Used for setting values in custom BGP configurations. 
| valid strings for both keys and values | map | | +| `serviceClusterIPs` | The CIDR blocks for Kubernetes Service Cluster IPs to be advertised over BGP. Only valid on the global `default` BGPConfiguration: will be ignored otherwise. | A list of valid IPv4 or IPv6 CIDR blocks. | List of `cidr: /` values. | Empty List | +| `serviceExternalIPs` | The CIDR blocks for Kubernetes Service External IPs to be advertised over BGP. Kubernetes Service External IPs will only be advertised if they are within one of these blocks. Only valid on the global `default` BGPConfiguration: will be ignored otherwise. | A list of valid IPv4 or IPv6 CIDR blocks. | List of `cidr: /` values. | Empty List | +| `serviceLoadBalancerIPs` | The CIDR blocks for Kubernetes Service status.LoadBalancer IPs to be advertised over BGP. Kubernetes LoadBalancer IPs will only be advertised if they are within one of these blocks. Only valid on the global `default` BGPConfiguration: will be ignored otherwise. | A list of valid IPv4 or IPv6 CIDR blocks. | List of `cidr: /` values. | Empty List | +| `listenPort` | The port where BGP protocol should listen. | A valid port number. | integer | 179 | +| `bindMode` | Indicates whether to listen for BGP connections on all addresses (None) or only on the node's canonical IP address Node.Spec.BGP.IPvXAddress (NodeIP). If this field is changed when calico-node is already running, the change will not take effect until calico-node is manually restarted. | None, NodeIP. | string | None | +| `communities` | List of BGP community names and their values, communities are not advertised unless they are used in [prefixAdvertisements](#prefixadvertisements). | | List of [communities](#communities) | +| `prefixAdvertisements` | List of per-prefix advertisement properties, like BGP communities. | | List of [prefixAdvertisements](#prefixadvertisements) | +| `nodeMeshPassword` | BGP password for the all the peerings in a full mesh configuration. 
| | [BGPPassword](bgppeer.mdx#bgppassword) | `nil` (no password) | +| `nodeMeshMaxRestartTime` | Restart time that is announced by BIRD in the BGP graceful restart capability and that specifies how long the neighbor would wait for the BGP session to re-establish after a restart before deleting stale routes in full mesh configurations. Note: extra care should be taken when changing this configuration, as it may break networking in your cluster. When not specified, BIRD uses the default value of 120 seconds. | `10s`, `120s`, `2m` etc. | [Duration string][parse-duration] | `nil` (empty config, BIRD will use the default value of `120s`) | +| `ignoredInterfaces` | List of network interfaces to be excluded when reading device routes. | A list of network interface names. The names can contain the wildcard character asterisk `*` to specify groups of interface names. | List of strings | `nil` (no extra interfaces to be ignored) | +| `localWorkloadPeeringIPV4` | Single virtual IPv4 address that all nodes will use for peering with local workloads when using `BGPPeer`'s `localWorkloadSelector`. A link local address is recommended but it must not be 169.254.0.1 or 169.254.0.2 because these are used internally by $[prodname]. See the [guide](../../networking/configuring/bgp-to-workload.mdx) for details. | An IPv4 address. | string | None | +| `localWorkloadPeeringIPV6` | Single virtual IPv6 address that all nodes will use for peering with local workloads when using `BGPPeer`'s `localWorkloadSelector`. Must _not_ be a link-local address (because $[prodname] doesn't currently support the required "scope" suffix). See the [guide](../../networking/configuring/bgp-to-workload.mdx) for details. | An IPv6 address. | string | None | +| `ipv4NormalRoutePriority` | The normal route priority (metric) that Felix uses for IPv4 workload routes. This must match the value configured in FelixConfiguration. 
BIRD uses this to identify elevated-priority routes during live migration and to override local workload routes with higher-priority BGP-learned routes. | 1-2147483646 | integer | 1024 | +| `ipv6NormalRoutePriority` | The normal route priority (metric) that Felix uses for IPv6 workload routes. This must match the value configured in FelixConfiguration. BIRD uses this to identify elevated-priority routes during live migration and to override local workload routes with higher-priority BGP-learned routes. | 1-2147483646 | integer | 1024 | +| `programClusterRoutes` | Controls whether $[prodname] programs cluster routes for IP Pools with VXLAN or IP-in-IP enabled. Felix always programs such routes for IP Pools with `vxlanMode: Always` or `vxlanMode: CrossSubnet`. | Enabled, Disabled | string | Enabled | ### communities | Field | Description | Accepted Values | Schema | | ----- | -------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | -| name | Name or identifier for the community. This should be used in [prefixAdvertisements](#prefixadvertisements) to advertise the community value. | | string | -| value | Standard or large BGP community value. | For standard community, value should be in `aa:nn` format, where both `aa` and `nn` are 16 bit integers.
For large community, value should be `aa:nn:mm` format, where `aa`, `nn` and `mm` are all 32 bit integers.
Where `aa` is an AS Number, `nn` and `mm` are per-AS identifier. | string | +| `name` | Name or identifier for the community. This should be used in [prefixAdvertisements](#prefixadvertisements) to advertise the community value. | | string | +| `value` | Standard or large BGP community value. | For standard community, value should be in `aa:nn` format, where both `aa` and `nn` are 16 bit integers.
For large community, value should be `aa:nn:mm` format, where `aa`, `nn` and `mm` are all 32 bit integers.
Where `aa` is an AS Number, `nn` and `mm` are per-AS identifier. | string | ### prefixAdvertisements | Field | Description | Accepted Values | Schema | | ----------- | ----------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | -| cidr | CIDR for which properties should be advertised. | `cidr: XXX.XXX.XXX.XXX/XX` | string | -| communities | BGP communities to be advertised. | Communities can be list of either community names already defined in [communities](#communities) or community value of format `aa:nn` or `aa:nn:mm`.
For standard community, value should be in `aa:nn` format, where both `aa` and `nn` are 16 bit integers.
For large community, value should be `aa:nn:mm` format, where `aa`, `nn` and `mm` are all 32 bit integers.
Where `aa` is an AS Number, `nn` and `mm` are per-AS identifier. | List of string | +| `cidr` | CIDR for which properties should be advertised. | `cidr: XXX.XXX.XXX.XXX/XX` | string | +| `communities` | BGP communities to be advertised. | Communities can be list of either community names already defined in [communities](#communities) or community value of format `aa:nn` or `aa:nn:mm`.
For standard community, value should be in `aa:nn` format, where both `aa` and `nn` are 16 bit integers.
For large community, value should be `aa:nn:mm` format, where `aa`, `nn` and `mm` are all 32 bit integers.
Where `aa` is an AS Number, `nn` and `mm` are per-AS identifier. | List of string |
 
 ## Supported operations
 
diff --git a/calico-enterprise/reference/resources/bgpfilter.mdx b/calico-enterprise/reference/resources/bgpfilter.mdx
index 7d45d10692..d8dde36fbd 100644
--- a/calico-enterprise/reference/resources/bgpfilter.mdx
+++ b/calico-enterprise/reference/resources/bgpfilter.mdx
@@ -61,45 +61,87 @@ spec:
 
 | Field | Description | Accepted Values | Schema |
 | ----- | ------------------------------------------------------------------ | --------------------------------------------------- | ------ |
-| name | Unique name to describe this resource instance. Must be specified. | Alphanumeric string with optional `.`, `_`, or `-`. | string |
+| `name` | Unique name to describe this resource instance. Must be specified. | Alphanumeric string with optional `.`, `_`, or `-`. | string |
 
 ### Spec
 
 | Field | Description | Accepted Values | Schema | Default |
 | -------- | ---------------------------------- | --------------- | ----------------------------------------- | ------- |
-| exportV4 | List of v4 CIDRs and export action | | [BGP Filter Rule v4](#bgp-filter-rule-v4) | |
-| importV4 | List of v4 CIDRs and import action | | [BGP Filter Rule v4](#bgp-filter-rule-v4) | |
-| exportV6 | List of v6 CIDRs and export action | | [BGP Filter Rule v6](#bgp-filter-rule-v6) | |
-| importV6 | List of v6 CIDRs and import action | | [BGP Filter Rule v6](#bgp-filter-rule-v6) | |
+| `exportV4` | List of v4 CIDRs and export action | | [BGP Filter Rule v4](#bgp-filter-rule-v4) | |
+| `importV4` | List of v4 CIDRs and import action | | [BGP Filter Rule v4](#bgp-filter-rule-v4) | |
+| `exportV6` | List of v6 CIDRs and export action | | [BGP Filter Rule v6](#bgp-filter-rule-v6) | |
+| `importV6` | List of v6 CIDRs and import action | | [BGP Filter Rule v6](#bgp-filter-rule-v6) | |
 
 ### BGP Filter Rule v4
 
 | Field | Description | Accepted Values | Schema | Default |
 | ------------- | ------------------------------------------ | ------------------------------------------------------------------- | ------ | ------- |
-| cidr | IPv6 range | A valid IPv6 CIDR | string | |
-| prefixLength | [PrefixLength](#bgp-filter-prefix-length) | Valid integers between 0 and ipv4/6 max (32, 128) | | |
-| matchOperator | Method by which to match candidate routes | `In`, `NotIn`, `Equal`, `NotEqual` | string | |
-| source | Indicator of the source of route | `RemotePeers` means any route learned from other BGP peers | string | |
-| interface | String to match interface names | A valid pattern to match interfaces. "*" can be used as a wildcard. | string | |
-| action | Action to be taken for this rule | `Accept` or `Reject` | string | |
+| `cidr` | IPv4 range | A valid IPv4 CIDR | string | |
+| `prefixLength` | [PrefixLength](#bgp-filter-prefix-length) | Valid integers between 0 and ipv4/6 max (32, 128) | | |
+| `matchOperator` | Method by which to match candidate routes | `In`, `NotIn`, `Equal`, `NotEqual` | string | |
+| `source` | Indicator of the source of route | `RemotePeers` means any route learned from other BGP peers | string | |
+| `interface` | String to match interface names | A valid pattern to match interfaces. "*" can be used as a wildcard. | string | |
+| `peerType` | Only apply this rule to routes from/to the specified BGP peer type. If empty, the rule applies to all peers. | `eBGP`, `iBGP` | string | |
+| `priority` | Only apply this rule to routes with the given priority (metric). Uses the same units as the `...RoutePriority` fields in FelixConfiguration. | 1-2147483646 | integer | |
+| `communities` | Only apply this rule to routes carrying the specified BGP community. | See [BGP Filter Community Match](#bgp-filter-community-match). | object | |
+| `action` | Action to be taken for this rule | `Accept` or `Reject` | string | |
+| `operations` | Ordered list of route modifications to apply when the rule matches. Only valid when action is `Accept`. Maximum 10 operations. | See [BGP Filter Operation](#bgp-filter-operation). | list | |
 
 ### BGP Filter Rule v6
 
 | Field | Description | Accepted Values | Schema | Default |
 | ------------- | ------------------------------------------ | ------------------------------------------------------------------- | ------ | ------- |
-| cidr | IPv6 range | A valid IPv6 CIDR | string | |
-| prefixLength | [PrefixLength](#bgp-filter-prefix-length) | Valid integers between 0 and ipv4/6 max (32, 128) | | |
-| matchOperator | Method by which to match candidate routes | `In`, `NotIn`, `Equal`, `NotEqual` | string | |
-| source | Indicator of the source of route | `RemotePeers` means any route learned from other BGP peers | string | |
-| interface | String to match interface names | A valid pattern to match interfaces. "*" can be used as a wildcard. | string | |
-| action | Action to be taken for this rule | `Accept` or `Reject` | string | |
+| `cidr` | IPv6 range | A valid IPv6 CIDR | string | |
+| `prefixLength` | [PrefixLength](#bgp-filter-prefix-length) | Valid integers between 0 and ipv4/6 max (32, 128) | | |
+| `matchOperator` | Method by which to match candidate routes | `In`, `NotIn`, `Equal`, `NotEqual` | string | |
+| `source` | Indicator of the source of route | `RemotePeers` means any route learned from other BGP peers | string | |
+| `interface` | String to match interface names | A valid pattern to match interfaces. "*" can be used as a wildcard. | string | |
+| `peerType` | Only apply this rule to routes from/to the specified BGP peer type. If empty, the rule applies to all peers. | `eBGP`, `iBGP` | string | |
+| `priority` | Only apply this rule to routes with the given priority (metric). Uses the same units as the `...RoutePriority` fields in FelixConfiguration. | 1-2147483646 | integer | |
+| `communities` | Only apply this rule to routes carrying the specified BGP community. | See [BGP Filter Community Match](#bgp-filter-community-match). | object | |
+| `action` | Action to be taken for this rule | `Accept` or `Reject` | string | |
+| `operations` | Ordered list of route modifications to apply when the rule matches. Only valid when action is `Accept`. Maximum 10 operations. | See [BGP Filter Operation](#bgp-filter-operation). | list | |
 
 ### BGP Filter Prefix Length
 
 | Field | Description | Accepted Values | Schema | Default |
 | ------ | --------------------------------------------- | ------------------------------------------------------------------- | ------ | ------- |
-| min | Smallest matched mask size (0 by default) | Valid integers between 0 and ipv4/6 max (32, 128) | int | |
-| max | Largest matched mask size (32/128 by default) | Valid integers between 1 and ipv4/6 max (32, 128) | int | |
+| `min` | Smallest matched mask size (0 by default) | Valid integers between 0 and ipv4/6 max (32, 128) | int | |
+| `max` | Largest matched mask size (32/128 by default) | Valid integers between 1 and ipv4/6 max (32, 128) | int | |
+
+### BGP Filter Community Match
+
+| Field | Description | Accepted Values | Schema |
+| ------ | ---------------------------------------------------------------------------------------------------- | ------------------------------------------------------------ | -------------- |
+| `values` | List of BGP community values to match against. The route must carry at least one of these communities. | Standard (`aa:nn`) or large (`aa:nn:mm`) community values. | list of string |
+
+### BGP Filter Operation
+
+Each operation is an object with exactly one of the following fields set:
+
+| Field | Description | Schema |
+| ------------- | ------------------------------------------------------------ | --------------------------------------------------- |
+| `addCommunity` | Adds a BGP community to the route. | [AddCommunity](#bgp-filter-add-community) |
+| `prependASPath` | Prepends AS numbers to the route's AS path. | [PrependASPath](#bgp-filter-prepend-as-path) |
+| `setPriority` | Sets the route's priority (metric). | [SetPriority](#bgp-filter-set-priority) |
+
+### BGP Filter Add Community
+
+| Field | Description | Accepted Values | Schema |
+| ----- | ---------------------------- | ---------------------------------------------------------- | ------ |
+| `value` | BGP community value to add. | Standard (`aa:nn`) or large (`aa:nn:mm`) community value. | string |
+
+### BGP Filter Prepend AS Path
+
+| Field | Description | Accepted Values | Schema |
+| ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- | ---------------- |
+| `prefix` | Sequence of AS numbers to prepend to the route's AS path. The resulting path starts with these AS numbers in the order listed (e.g., `[65000, 65001]` produces `65000 65001 `). | A list of 1-10 valid AS numbers. | list of integer |
+
+### BGP Filter Set Priority
+
+| Field | Description | Accepted Values | Schema |
+| ----- | ---------------------------------------------------------------------------------------------------------- | --------------- | ------- |
+| `value` | The priority (metric) value to set on the route. Uses the same units as FelixConfiguration RoutePriority fields. | 1-2147483646 | integer |
 
 ## Supported operations
 
diff --git a/calico-enterprise/reference/resources/ipamconfig.mdx b/calico-enterprise/reference/resources/ipamconfig.mdx
index f0e08dcfa2..07ec7adeb4 100644
--- a/calico-enterprise/reference/resources/ipamconfig.mdx
+++ b/calico-enterprise/reference/resources/ipamconfig.mdx
@@ -16,7 +16,7 @@ metadata: spec: strictAffinity: false maxBlocksPerHost: 4 - kubeVirtVMAddressPersistence: Disabled + kubeVirtVMAddressPersistence: Enabled ``` ## IPAM configuration definition
@@ -25,7 +25,7 @@ spec:
 
 | Field | Description | Accepted Values | Schema |
 | ----- | --------------------------------------------------------- | --------------- | ------ |
-| name | Unique name to describe this resource instance. Required. | default | string |
+| `name` | Unique name to describe this resource instance. Required. | default | string |
 
 The resource is a singleton which must have the name `default`.
 
@@ -33,9 +33,9 @@ The resource is a singleton which must have the name `default`.
 
 | Field | Description | Accepted Values | Schema | Default |
 | ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | ------------------ | ------ | -------- |
-| strictAffinity | When StrictAffinity is true, borrowing IP addresses is not allowed. | true, false | bool | false |
-| maxBlocksPerHost | The max number of blocks that can be affine to each host. | 0 - max(int32) | int | 20 |
-| kubeVirtVMAddressPersistence | Controls whether KubeVirt VMs retain persistent IP addresses across lifecycle events such as restart or migration. Requires KubeVirt. | Enabled, Disabled | string | Disabled |
+| `strictAffinity` | When StrictAffinity is true, borrowing IP addresses is not allowed. | true, false | bool | false |
+| `maxBlocksPerHost` | The max number of blocks that can be affine to each host. | 0 - max(int32) | int | 20 |
+| `kubeVirtVMAddressPersistence` | Controls whether KubeVirt VMs retain persistent IP addresses across lifecycle events such as restart or migration. Requires KubeVirt. | Enabled, Disabled | string | Enabled |
 
 ## Supported operations
 
diff --git a/calico/_includes/components/FelixConfig/config-params.json b/calico/_includes/components/FelixConfig/config-params.json
index b739c869a4..a17799e6b1 100644
--- a/calico/_includes/components/FelixConfig/config-params.json
+++ b/calico/_includes/components/FelixConfig/config-params.json
@@ -1215,18 +1215,18 @@ "Required": false, "OnParseFailure": "ReplaceWithDefault", "AllowedConfigSources": "All", - "Description": "Disables WireGuard metrics collection, which the Prometheus client does by default, when\nset to false. This reduces the number of metrics reported, reducing Prometheus load.", - "DescriptionHTML": "

Disables WireGuard metrics collection, which the Prometheus client does by default, when\nset to false. This reduces the number of metrics reported, reducing Prometheus load.

", + "Description": "Disables wireguard metrics collection, which the Prometheus client does by default, when\nset to false. This reduces the number of metrics reported, reducing Prometheus load.", + "DescriptionHTML": "

Disables wireguard metrics collection, which the Prometheus client does by default, when\nset to false. This reduces the number of metrics reported, reducing Prometheus load.

", "UserEditable": true, "GoType": "*bool" } ] }, { - "Name": "Data plane: Common", + "Name": "Dataplane: Common", "Fields": [ { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "AllowIPIPPacketsFromWorkloads", "NameEnvVar": "FELIX_AllowIPIPPacketsFromWorkloads", @@ -1252,7 +1252,7 @@ "GoType": "*bool" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "AllowVXLANPacketsFromWorkloads", "NameEnvVar": "FELIX_AllowVXLANPacketsFromWorkloads", @@ -1278,7 +1278,7 @@ "GoType": "*bool" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "CgroupV2Path", "NameEnvVar": "FELIX_CgroupV2Path", @@ -1304,7 +1304,7 @@ "GoType": "string" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "ChainInsertMode", "NameEnvVar": "FELIX_ChainInsertMode", @@ -1333,7 +1333,7 @@ "GoType": "string" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "DataplaneDriver", "NameEnvVar": "FELIX_DataplaneDriver", @@ -1359,7 +1359,7 @@ "GoType": "string" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "DataplaneWatchdogTimeout", "NameEnvVar": "FELIX_DataplaneWatchdogTimeout", @@ -1385,7 +1385,7 @@ "GoType": "*v1.Duration" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "DefaultEndpointToHostAction", "NameEnvVar": "FELIX_DefaultEndpointToHostAction", 
@@ -1415,7 +1415,7 @@ "GoType": "string" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "DeviceRouteProtocol", "NameEnvVar": "FELIX_DeviceRouteProtocol", @@ -1441,7 +1441,7 @@ "GoType": "*int" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "DeviceRouteSourceAddress", "NameEnvVar": "FELIX_DeviceRouteSourceAddress", @@ -1467,7 +1467,7 @@ "GoType": "string" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "DeviceRouteSourceAddressIPv6", "NameEnvVar": "FELIX_DeviceRouteSourceAddressIPv6", @@ -1493,7 +1493,7 @@ "GoType": "string" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "DisableConntrackInvalidCheck", "NameEnvVar": "FELIX_DisableConntrackInvalidCheck", @@ -1519,7 +1519,7 @@ "GoType": "*bool" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "EndpointStatusPathPrefix", "NameEnvVar": "FELIX_EndpointStatusPathPrefix", @@ -1545,7 +1545,7 @@ "GoType": "string" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "ExternalNodesCIDRList", "NameEnvVar": "FELIX_ExternalNodesCIDRList", @@ -1571,7 +1571,7 @@ "GoType": "*[]string" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "FailsafeInboundHostPorts", "NameEnvVar": "FELIX_FailsafeInboundHostPorts", 
@@ -1597,7 +1597,7 @@ "GoType": "*[]v3.ProtoPort" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "FailsafeOutboundHostPorts", "NameEnvVar": "FELIX_FailsafeOutboundHostPorts", @@ -1623,7 +1623,7 @@ "GoType": "*[]v3.ProtoPort" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "FloatingIPs", "NameEnvVar": "FELIX_FloatingIPs", @@ -1652,7 +1652,7 @@ "GoType": "*v3.FloatingIPType" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "IPForwarding", "NameEnvVar": "FELIX_IPForwarding", @@ -1681,7 +1681,111 @@ "GoType": "string" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", + "GroupWithSortPrefix": "10 Dataplane: Common", + "NameConfigFile": "IPv4ElevatedRoutePriority", + "NameEnvVar": "FELIX_IPv4ElevatedRoutePriority", + "NameYAML": "ipv4ElevatedRoutePriority", + "NameGoAPI": "IPv4ElevatedRoutePriority", + "StringSchema": "Integer: [1,2147483646]", + "StringSchemaHTML": "Integer: [1,2147483646]", + "StringDefault": "512", + "ParsedDefault": "512", + "ParsedDefaultJSON": "512", + "ParsedType": "int", + "YAMLType": "integer", + "YAMLSchema": "Integer: [1,2147483646]", + "YAMLEnumValues": null, + "YAMLSchemaHTML": "Integer: [1,2147483646]", + "YAMLDefault": "512", + "Required": false, + "OnParseFailure": "ReplaceWithDefault", + "AllowedConfigSources": "All", + "Description": "Route Priority value for an elevated priority Calico-programmed IPv4 route. Note, higher\nvalues mean lower priority. Elevated priority is used during VM live migration, and for\noptimal behaviour IPv4ElevatedRoutePriority must be less than IPv4NormalRoutePriority.", + "DescriptionHTML": "

Route Priority value for an elevated priority Calico-programmed IPv4 route. Note, higher\nvalues mean lower priority. Elevated priority is used during VM live migration, and for\noptimal behaviour IPv4ElevatedRoutePriority must be less than IPv4NormalRoutePriority.

", + "UserEditable": true, + "GoType": "*int" + }, + { + "Group": "Dataplane: Common", + "GroupWithSortPrefix": "10 Dataplane: Common", + "NameConfigFile": "IPv4NormalRoutePriority", + "NameEnvVar": "FELIX_IPv4NormalRoutePriority", + "NameYAML": "ipv4NormalRoutePriority", + "NameGoAPI": "IPv4NormalRoutePriority", + "StringSchema": "Integer: [1,2147483646]", + "StringSchemaHTML": "Integer: [1,2147483646]", + "StringDefault": "1024", + "ParsedDefault": "1024", + "ParsedDefaultJSON": "1024", + "ParsedType": "int", + "YAMLType": "integer", + "YAMLSchema": "Integer: [1,2147483646]", + "YAMLEnumValues": null, + "YAMLSchemaHTML": "Integer: [1,2147483646]", + "YAMLDefault": "1024", + "Required": false, + "OnParseFailure": "ReplaceWithDefault", + "AllowedConfigSources": "All", + "Description": "Route Priority value for a normal priority Calico-programmed IPv4 route. Note, higher\nvalues mean lower priority.", + "DescriptionHTML": "

Route Priority value for a normal priority Calico-programmed IPv4 route. Note, higher\nvalues mean lower priority.

", + "UserEditable": true, + "GoType": "*int" + }, + { + "Group": "Dataplane: Common", + "GroupWithSortPrefix": "10 Dataplane: Common", + "NameConfigFile": "IPv6ElevatedRoutePriority", + "NameEnvVar": "FELIX_IPv6ElevatedRoutePriority", + "NameYAML": "ipv6ElevatedRoutePriority", + "NameGoAPI": "IPv6ElevatedRoutePriority", + "StringSchema": "Integer: [1,2147483646]", + "StringSchemaHTML": "Integer: [1,2147483646]", + "StringDefault": "512", + "ParsedDefault": "512", + "ParsedDefaultJSON": "512", + "ParsedType": "int", + "YAMLType": "integer", + "YAMLSchema": "Integer: [1,2147483646]", + "YAMLEnumValues": null, + "YAMLSchemaHTML": "Integer: [1,2147483646]", + "YAMLDefault": "512", + "Required": false, + "OnParseFailure": "ReplaceWithDefault", + "AllowedConfigSources": "All", + "Description": "Route Priority value for an elevated priority Calico-programmed IPv6 route. Note, higher\nvalues mean lower priority. Elevated priority is used during VM live migration, and for\noptimal behaviour IPv6ElevatedRoutePriority must be less than IPv6NormalRoutePriority.", + "DescriptionHTML": "

Route Priority value for an elevated priority Calico-programmed IPv6 route. Note, higher\nvalues mean lower priority. Elevated priority is used during VM live migration, and for\noptimal behaviour IPv6ElevatedRoutePriority must be less than IPv6NormalRoutePriority.

", + "UserEditable": true, + "GoType": "*int" + }, + { + "Group": "Dataplane: Common", + "GroupWithSortPrefix": "10 Dataplane: Common", + "NameConfigFile": "IPv6NormalRoutePriority", + "NameEnvVar": "FELIX_IPv6NormalRoutePriority", + "NameYAML": "ipv6NormalRoutePriority", + "NameGoAPI": "IPv6NormalRoutePriority", + "StringSchema": "Integer: [1,2147483646]", + "StringSchemaHTML": "Integer: [1,2147483646]", + "StringDefault": "1024", + "ParsedDefault": "1024", + "ParsedDefaultJSON": "1024", + "ParsedType": "int", + "YAMLType": "integer", + "YAMLSchema": "Integer: [1,2147483646]", + "YAMLEnumValues": null, + "YAMLSchemaHTML": "Integer: [1,2147483646]", + "YAMLDefault": "1024", + "Required": false, + "OnParseFailure": "ReplaceWithDefault", + "AllowedConfigSources": "All", + "Description": "Route Priority value for a normal priority Calico-programmed IPv6 route. Note, higher\nvalues mean lower priority.", + "DescriptionHTML": "

Route Priority value for a normal priority Calico-programmed IPv6 route. Note, higher\nvalues mean lower priority.

", + "UserEditable": true, + "GoType": "*int" + }, + { + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "InterfaceExclude", "NameEnvVar": "FELIX_InterfaceExclude", @@ -1707,7 +1811,7 @@ "GoType": "string" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "InterfacePrefix", "NameEnvVar": "FELIX_InterfacePrefix", @@ -1733,7 +1837,7 @@ "GoType": "string" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "InterfaceRefreshInterval", "NameEnvVar": "FELIX_InterfaceRefreshInterval", @@ -1759,7 +1863,7 @@ "GoType": "*v1.Duration" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "Ipv6Support", "NameEnvVar": "FELIX_Ipv6Support", @@ -1785,7 +1889,88 @@ "GoType": "*bool" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", + "GroupWithSortPrefix": "10 Dataplane: Common", + "NameConfigFile": "IstioAmbientMode", + "NameEnvVar": "FELIX_IstioAmbientMode", + "NameYAML": "istioAmbientMode", + "NameGoAPI": "IstioAmbientMode", + "StringSchema": "One of: `Disabled`, `Enabled` (case insensitive)", + "StringSchemaHTML": "One of: Disabled, Enabled (case insensitive)", + "StringDefault": "Disabled", + "ParsedDefault": "Disabled", + "ParsedDefaultJSON": "\"Disabled\"", + "ParsedType": "string", + "YAMLType": "string", + "YAMLSchema": "One of: `\"Disabled\"`, `\"Enabled\"`.", + "YAMLEnumValues": [ + "`\"Disabled\"`", + "`\"Enabled\"`" + ], + "YAMLSchemaHTML": "One of: \"Disabled\", \"Enabled\".", + "YAMLDefault": "Disabled", + "Required": false, + "OnParseFailure": "ReplaceWithDefault", + "AllowedConfigSources": "All", + "Description": "Configures Felix to work together with Tigera's Istio distribution.", + "DescriptionHTML": "

Configures Felix to work together with Tigera's Istio distribution.

", + "UserEditable": true, + "GoType": "*v3.IstioAmbientMode" + }, + { + "Group": "Dataplane: Common", + "GroupWithSortPrefix": "10 Dataplane: Common", + "NameConfigFile": "IstioDSCPMark", + "NameEnvVar": "FELIX_IstioDSCPMark", + "NameYAML": "istioDSCPMark", + "NameGoAPI": "IstioDSCPMark", + "StringSchema": "Numeric value: An integer from 0 to 63, representing the 6-bit DSCP code directly; Named value: A case-insensitive string corresponding to a standardized DSCP name (e.g., \"CS0\", \"AF11\", \"AF21\", \"EF\", etc.) as defined in the IANA registry for Differentiated Services Field Codepoints.", + "StringSchemaHTML": "Numeric value: An integer from 0 to 63, representing the 6-bit DSCP code directly; Named value: A case-insensitive string corresponding to a standardized DSCP name (e.g., \"CS0\", \"AF11\", \"AF21\", \"EF\", etc.) as defined in the IANA registry for Differentiated Services Field Codepoints.", + "StringDefault": "23", + "ParsedDefault": "23", + "ParsedDefaultJSON": "23", + "ParsedType": "numorstring.DSCP", + "YAMLType": "integer", + "YAMLSchema": "String.", + "YAMLEnumValues": null, + "YAMLSchemaHTML": "String.", + "YAMLDefault": "", + "Required": false, + "OnParseFailure": "ReplaceWithDefault", + "AllowedConfigSources": "All", + "Description": "Sets the value to use when directing traffic to Istio ZTunnel, when Istio is enabled. The mark is set only on\nSYN packets at the final hop to avoid interference with other protocols. This value is reserved by Calico and must not be used\nwith other Istio installation.", + "DescriptionHTML": "

Sets the value to use when directing traffic to Istio ZTunnel, when Istio is enabled. The mark is set only on\nSYN packets at the final hop to avoid interference with other protocols. This value is reserved by Calico and must not be used\nwith other Istio installation.

", + "UserEditable": true, + "GoType": "*numorstring.DSCP" + }, + { + "Group": "Dataplane: Common", + "GroupWithSortPrefix": "10 Dataplane: Common", + "NameConfigFile": "LiveMigrationRouteConvergenceTime", + "NameEnvVar": "FELIX_LiveMigrationRouteConvergenceTime", + "NameYAML": "liveMigrationRouteConvergenceTime", + "NameGoAPI": "LiveMigrationRouteConvergenceTime", + "StringSchema": "Seconds (floating point)", + "StringSchemaHTML": "Seconds (floating point)", + "StringDefault": "30", + "ParsedDefault": "30s", + "ParsedDefaultJSON": "30000000000", + "ParsedType": "time.Duration", + "YAMLType": "string", + "YAMLSchema": "Duration string, for example `1m30s123ms` or `1h5m`.", + "YAMLEnumValues": null, + "YAMLSchemaHTML": "Duration string, for example 1m30s123ms or 1h5m.", + "YAMLDefault": "30s", + "Required": false, + "OnParseFailure": "ReplaceWithDefault", + "AllowedConfigSources": "All", + "Description": "The time to keep elevated route priority after a\nVM live migration completes. This allows routes to converge across the cluster before\nreverting to normal priority.", + "DescriptionHTML": "

The time to keep elevated route priority after a\nVM live migration completes. This allows routes to converge across the cluster before\nreverting to normal priority.

", + "UserEditable": true, + "GoType": "*v1.Duration" + }, + { + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "MTUIfacePattern", "NameEnvVar": "FELIX_MTUIfacePattern", @@ -1811,7 +1996,7 @@ "GoType": "string" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "NATOutgoingAddress", "NameEnvVar": "FELIX_NATOutgoingAddress", @@ -1837,7 +2022,7 @@ "GoType": "string" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "NATOutgoingExclusions", "NameEnvVar": "FELIX_NATOutgoingExclusions", @@ -1866,7 +2051,7 @@ "GoType": "*v3.NATOutgoingExclusionsType" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "NATPortRange", "NameEnvVar": "FELIX_NATPortRange", @@ -1892,7 +2077,7 @@ "GoType": "*numorstring.Port" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "NFTablesMode", "NameEnvVar": "FELIX_NFTablesMode", @@ -1922,7 +2107,7 @@ "GoType": "*v3.NFTablesMode" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "NetlinkTimeoutSecs", "NameEnvVar": "FELIX_NetlinkTimeoutSecs", @@ -1948,7 +2133,7 @@ "GoType": "*v1.Duration" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "PolicySyncPathPrefix", "NameEnvVar": "FELIX_PolicySyncPathPrefix", @@ -1974,7 +2159,7 @@ "GoType": "string" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "ProgramClusterRoutes", "NameEnvVar": "FELIX_ProgramClusterRoutes", 
@@ -1997,13 +2182,13 @@ "Required": false, "OnParseFailure": "ReplaceWithDefault", "AllowedConfigSources": "All", - "Description": "Specifies whether Felix should program IPIP routes instead of BIRD.\nFelix always programs VXLAN routes.", - "DescriptionHTML": "

Specifies whether Felix should program IPIP routes instead of BIRD.\nFelix always programs VXLAN routes.

", + "Description": "Controls how a cluster node gets a route to a workload on another node,\nwhen that workload's IP comes from an IP Pool with vxlanMode: Never. When ProgramClusterRoutes is Disabled,\nit is expected that confd and BIRD will program that route. When ProgramClusterRoutes is Enabled, Felix program that route.\nFelix always programs such routes for IP Pools with vxlanMode: Always or vxlanMode: CrossSubnet.", + "DescriptionHTML": "

Controls how a cluster node gets a route to a workload on another node,\nwhen that workload's IP comes from an IP Pool with vxlanMode: Never. When ProgramClusterRoutes is Disabled,\nit is expected that confd and BIRD will program that route. When ProgramClusterRoutes is Enabled, Felix program that route.\nFelix always programs such routes for IP Pools with vxlanMode: Always or vxlanMode: CrossSubnet.

", "UserEditable": true, "GoType": "*string" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "RemoveExternalRoutes", "NameEnvVar": "FELIX_RemoveExternalRoutes", @@ -2029,7 +2214,7 @@ "GoType": "*bool" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "RequireMTUFile", "NameEnvVar": "FELIX_RequireMTUFile", @@ -2055,7 +2240,7 @@ "GoType": "*bool" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "RouteRefreshInterval", "NameEnvVar": "FELIX_RouteRefreshInterval", @@ -2081,7 +2266,7 @@ "GoType": "*v1.Duration" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "RouteSource", "NameEnvVar": "FELIX_RouteSource", @@ -2110,7 +2295,7 @@ "GoType": "string" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "RouteSyncDisabled", "NameEnvVar": "FELIX_RouteSyncDisabled", @@ -2136,7 +2321,7 @@ "GoType": "*bool" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "RouteTableRange", "NameEnvVar": "FELIX_RouteTableRange", @@ -2162,7 +2347,7 @@ "GoType": "*v3.RouteTableRange" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "RouteTableRanges", "NameEnvVar": "FELIX_RouteTableRanges", @@ -2188,7 +2373,7 @@ "GoType": "*v3.RouteTableRanges" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "ServiceLoopPrevention", "NameEnvVar": "FELIX_ServiceLoopPrevention", 
@@ -2218,7 +2403,7 @@ "GoType": "string" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "SidecarAccelerationEnabled", "NameEnvVar": "FELIX_SidecarAccelerationEnabled", @@ -2244,7 +2429,7 @@ "GoType": "*bool" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "UseInternalDataplaneDriver", "NameEnvVar": "FELIX_UseInternalDataplaneDriver", @@ -2270,7 +2455,7 @@ "GoType": "*bool" }, { - "Group": "Data plane: Common", + "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", "NameConfigFile": "WorkloadSourceSpoofing", "NameEnvVar": "FELIX_WorkloadSourceSpoofing", @@ -2301,10 +2486,10 @@ ] }, { - "Name": "Data plane: iptables", + "Name": "Dataplane: iptables", "Fields": [ { - "Group": "Data plane: iptables", + "Group": "Dataplane: iptables", "GroupWithSortPrefix": "20 Dataplane: iptables", "NameConfigFile": "IpsetsRefreshInterval", "NameEnvVar": "FELIX_IpsetsRefreshInterval", @@ -2330,7 +2515,7 @@ "GoType": "*v1.Duration" }, { - "Group": "Data plane: iptables", + "Group": "Dataplane: iptables", "GroupWithSortPrefix": "20 Dataplane: iptables", "NameConfigFile": "IptablesBackend", "NameEnvVar": "FELIX_IptablesBackend", @@ -2360,7 +2545,7 @@ "GoType": "*v3.IptablesBackend" }, { - "Group": "Data plane: iptables", + "Group": "Dataplane: iptables", "GroupWithSortPrefix": "20 Dataplane: iptables", "NameConfigFile": "IptablesFilterAllowAction", "NameEnvVar": "FELIX_IptablesFilterAllowAction", @@ -2389,7 +2574,7 @@ "GoType": "string" }, { - "Group": "Data plane: iptables", + "Group": "Dataplane: iptables", "GroupWithSortPrefix": "20 Dataplane: iptables", "NameConfigFile": "IptablesFilterDenyAction", "NameEnvVar": "FELIX_IptablesFilterDenyAction", 
@@ -2418,7 +2603,7 @@ "GoType": "string" }, { - "Group": "Data plane: iptables", + "Group": "Dataplane: iptables", "GroupWithSortPrefix": "20 Dataplane: iptables", "NameConfigFile": "IptablesLockProbeIntervalMillis", "NameEnvVar": "FELIX_IptablesLockProbeIntervalMillis", @@ -2444,7 +2629,7 @@ "GoType": "*v1.Duration" }, { - "Group": "Data plane: iptables", + "Group": "Dataplane: iptables", "GroupWithSortPrefix": "20 Dataplane: iptables", "NameConfigFile": "IptablesMangleAllowAction", "NameEnvVar": "FELIX_IptablesMangleAllowAction", @@ -2473,7 +2658,7 @@ "GoType": "string" }, { - "Group": "Data plane: iptables", + "Group": "Dataplane: iptables", "GroupWithSortPrefix": "20 Dataplane: iptables", "NameConfigFile": "IptablesMarkMask", "NameEnvVar": "FELIX_IptablesMarkMask", @@ -2499,7 +2684,7 @@ "GoType": "*uint32" }, { - "Group": "Data plane: iptables", + "Group": "Dataplane: iptables", "GroupWithSortPrefix": "20 Dataplane: iptables", "NameConfigFile": "IptablesNATOutgoingInterfaceFilter", "NameEnvVar": "FELIX_IptablesNATOutgoingInterfaceFilter", @@ -2525,7 +2710,7 @@ "GoType": "string" }, { - "Group": "Data plane: iptables", + "Group": "Dataplane: iptables", "GroupWithSortPrefix": "20 Dataplane: iptables", "NameConfigFile": "IptablesPostWriteCheckIntervalSecs", "NameEnvVar": "FELIX_IptablesPostWriteCheckIntervalSecs", @@ -2551,7 +2736,7 @@ "GoType": "*v1.Duration" }, { - "Group": "Data plane: iptables", + "Group": "Dataplane: iptables", "GroupWithSortPrefix": "20 Dataplane: iptables", "NameConfigFile": "IptablesRefreshInterval", "NameEnvVar": "FELIX_IptablesRefreshInterval", @@ -2577,7 +2762,7 @@ "GoType": "*v1.Duration" }, { - "Group": "Data plane: iptables", + "Group": "Dataplane: iptables", "GroupWithSortPrefix": "20 Dataplane: iptables", "NameConfigFile": "KubeNodePortRanges", "NameEnvVar": "FELIX_KubeNodePortRanges", 
@@ -2603,7 +2788,7 @@ "GoType": "*[]numorstring.Port" }, { - "Group": "Data plane: iptables", + "Group": "Dataplane: iptables", "GroupWithSortPrefix": "20 Dataplane: iptables", "NameConfigFile": "MaxIpsetSize", "NameEnvVar": "FELIX_MaxIpsetSize", @@ -2631,10 +2816,10 @@ ] }, { - "Name": "Data plane: nftables", + "Name": "Dataplane: nftables", "Fields": [ { - "Group": "Data plane: nftables", + "Group": "Dataplane: nftables", "GroupWithSortPrefix": "21 Dataplane: nftables", "NameConfigFile": "NftablesFilterAllowAction", "NameEnvVar": "FELIX_NftablesFilterAllowAction", @@ -2663,7 +2848,7 @@ "GoType": "string" }, { - "Group": "Data plane: nftables", + "Group": "Dataplane: nftables", "GroupWithSortPrefix": "21 Dataplane: nftables", "NameConfigFile": "NftablesFilterDenyAction", "NameEnvVar": "FELIX_NftablesFilterDenyAction", @@ -2692,7 +2877,7 @@ "GoType": "string" }, { - "Group": "Data plane: nftables", + "Group": "Dataplane: nftables", "GroupWithSortPrefix": "21 Dataplane: nftables", "NameConfigFile": "NftablesMangleAllowAction", "NameEnvVar": "FELIX_NftablesMangleAllowAction", @@ -2721,7 +2906,7 @@ "GoType": "string" }, { - "Group": "Data plane: nftables", + "Group": "Dataplane: nftables", "GroupWithSortPrefix": "21 Dataplane: nftables", "NameConfigFile": "NftablesMarkMask", "NameEnvVar": "FELIX_NftablesMarkMask", @@ -2747,7 +2932,7 @@ "GoType": "*uint32" }, { - "Group": "Data plane: nftables", + "Group": "Dataplane: nftables", "GroupWithSortPrefix": "21 Dataplane: nftables", "NameConfigFile": "NftablesRefreshInterval", "NameEnvVar": "FELIX_NftablesRefreshInterval", @@ -2775,10 +2960,10 @@ ] }, { - "Name": "Data plane: eBPF", + "Name": "Dataplane: eBPF", "Fields": [ { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFAttachType", "NameEnvVar": "FELIX_BPFAttachType", 
@@ -2807,7 +2992,7 @@ "GoType": "*v3.BPFAttachOption" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFCTLBLogFilter", "NameEnvVar": "FELIX_BPFCTLBLogFilter", @@ -2833,7 +3018,7 @@ "GoType": "string" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFConnectTimeLoadBalancing", "NameEnvVar": "FELIX_BPFConnectTimeLoadBalancing", @@ -2863,7 +3048,7 @@ "GoType": "*v3.BPFConnectTimeLBType" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFConnectTimeLoadBalancingEnabled", "NameEnvVar": "FELIX_BPFConnectTimeLoadBalancingEnabled", @@ -2889,7 +3074,7 @@ "GoType": "*bool" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFConntrackCleanupMode", "NameEnvVar": "FELIX_BPFConntrackCleanupMode", @@ -2919,7 +3104,7 @@ "GoType": "*v3.BPFConntrackMode" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFConntrackLogLevel", "NameEnvVar": "FELIX_BPFConntrackLogLevel", @@ -2948,7 +3133,7 @@ "GoType": "string" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFConntrackTimeouts", "NameEnvVar": "FELIX_BPFConntrackTimeouts", @@ -2974,7 +3159,7 @@ "GoType": "*v3.BPFConntrackTimeouts" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFDSROptoutCIDRs", "NameEnvVar": "FELIX_BPFDSROptoutCIDRs", 
@@ -3000,7 +3185,7 @@ "GoType": "*[]string" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFDataIfacePattern", "NameEnvVar": "FELIX_BPFDataIfacePattern", @@ -3026,7 +3211,7 @@ "GoType": "string" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFDisableGROForIfaces", "NameEnvVar": "FELIX_BPFDisableGROForIfaces", @@ -3052,7 +3237,7 @@ "GoType": "string" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFDisableUnprivileged", "NameEnvVar": "FELIX_BPFDisableUnprivileged", @@ -3078,7 +3263,7 @@ "GoType": "*bool" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFEnabled", "NameEnvVar": "FELIX_BPFEnabled", @@ -3104,7 +3289,7 @@ "GoType": "*bool" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFEnforceRPF", "NameEnvVar": "FELIX_BPFEnforceRPF", @@ -3134,7 +3319,7 @@ "GoType": "string" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFExcludeCIDRsFromNAT", "NameEnvVar": "FELIX_BPFExcludeCIDRsFromNAT", @@ -3160,7 +3345,7 @@ "GoType": "*[]string" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFExportBufferSizeMB", "NameEnvVar": "FELIX_BPFExportBufferSizeMB", @@ -3186,7 +3371,7 @@ "GoType": "*int" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFExtToServiceConnmark", "NameEnvVar": "FELIX_BPFExtToServiceConnmark", 
@@ -3212,7 +3397,7 @@ "GoType": "*int" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFExternalServiceMode", "NameEnvVar": "FELIX_BPFExternalServiceMode", @@ -3241,7 +3426,7 @@ "GoType": "string" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFForceTrackPacketsFromIfaces", "NameEnvVar": "FELIX_BPFForceTrackPacketsFromIfaces", @@ -3267,7 +3452,7 @@ "GoType": "*[]string" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFHostConntrackBypass", "NameEnvVar": "FELIX_BPFHostConntrackBypass", @@ -3293,7 +3478,7 @@ "GoType": "*bool" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFHostNetworkedNATWithoutCTLB", "NameEnvVar": "FELIX_BPFHostNetworkedNATWithoutCTLB", @@ -3322,7 +3507,7 @@ "GoType": "*v3.BPFHostNetworkedNATType" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFJITHardening", "NameEnvVar": "FELIX_BPFJITHardening", @@ -3348,7 +3533,7 @@ "GoType": "*v3.BPFJITHardeningType" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFKubeProxyHealthzPort", "NameEnvVar": "FELIX_BPFKubeProxyHealthzPort", @@ -3365,16 +3550,16 @@ "YAMLEnumValues": null, "YAMLSchemaHTML": "Integer", "YAMLDefault": "10256", - "Required": true, + "Required": false, "OnParseFailure": "ReplaceWithDefault", "AllowedConfigSources": "All", - "Description": "In BPF mode, controls the port that Felix's embedded kube-proxy health check server binds to.\nThe health check server is used by external load balancers to determine if this node should receive traffic.", - "DescriptionHTML": "

In BPF mode, controls the port that Felix's embedded kube-proxy health check server binds to.\nThe health check server is used by external load balancers to determine if this node should receive traffic.

", + "Description": "In BPF mode, controls the port that Felix's embedded kube-proxy health check server binds to.\nThe health check server is used by external load balancers to determine if this node should receive traffic.\nSet to 0 to disable the health check server.", + "DescriptionHTML": "

In BPF mode, controls the port that Felix's embedded kube-proxy health check server binds to.\nThe health check server is used by external load balancers to determine if this node should receive traffic.\nSet to 0 to disable the health check server.

", "UserEditable": true, "GoType": "*int" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFKubeProxyIptablesCleanupEnabled", "NameEnvVar": "FELIX_BPFKubeProxyIptablesCleanupEnabled", @@ -3400,7 +3585,7 @@ "GoType": "*bool" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFKubeProxyMinSyncPeriod", "NameEnvVar": "FELIX_BPFKubeProxyMinSyncPeriod", @@ -3426,7 +3611,7 @@ "GoType": "*v1.Duration" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFL3IfacePattern", "NameEnvVar": "FELIX_BPFL3IfacePattern", @@ -3446,13 +3631,13 @@ "Required": false, "OnParseFailure": "ReplaceWithDefault", "AllowedConfigSources": "All", - "Description": "A regular expression that allows to list tunnel devices like WireGuard or vxlan (i.e., L3 devices)\nin addition to BPFDataIfacePattern. That is, tunnel interfaces not created by Calico, that Calico workload traffic flows\nover as well as any interfaces that handle incoming traffic to nodeports and services from outside the cluster.", - "DescriptionHTML": "

A regular expression that allows to list tunnel devices like WireGuard or vxlan (i.e., L3 devices)\nin addition to BPFDataIfacePattern. That is, tunnel interfaces not created by Calico, that Calico workload traffic flows\nover as well as any interfaces that handle incoming traffic to nodeports and services from outside the cluster.

", + "Description": "A regular expression that allows to list tunnel devices like wireguard or vxlan (i.e., L3 devices)\nin addition to BPFDataIfacePattern. That is, tunnel interfaces not created by Calico, that Calico workload traffic flows\nover as well as any interfaces that handle incoming traffic to nodeports and services from outside the cluster.", + "DescriptionHTML": "

A regular expression that allows to list tunnel devices like wireguard or vxlan (i.e., L3 devices)\nin addition to BPFDataIfacePattern. That is, tunnel interfaces not created by Calico, that Calico workload traffic flows\nover as well as any interfaces that handle incoming traffic to nodeports and services from outside the cluster.

", "UserEditable": true, "GoType": "string" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFLogFilters", "NameEnvVar": "FELIX_BPFLogFilters", @@ -3478,7 +3663,7 @@ "GoType": "*map[string]string" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFLogLevel", "NameEnvVar": "FELIX_BPFLogLevel", @@ -3508,7 +3693,7 @@ "GoType": "string" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFMaglevMaxEndpointsPerService", "NameEnvVar": "FELIX_BPFMaglevMaxEndpointsPerService", @@ -3534,7 +3719,7 @@ "GoType": "*int" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFMaglevMaxServices", "NameEnvVar": "FELIX_BPFMaglevMaxServices", @@ -3560,7 +3745,7 @@ "GoType": "*int" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFMapSizeConntrack", "NameEnvVar": "FELIX_BPFMapSizeConntrack", @@ -3586,7 +3771,7 @@ "GoType": "*int" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFMapSizeConntrackCleanupQueue", "NameEnvVar": "FELIX_BPFMapSizeConntrackCleanupQueue", @@ -3612,7 +3797,7 @@ "GoType": "*int" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFMapSizeConntrackScaling", "NameEnvVar": "FELIX_BPFMapSizeConntrackScaling", @@ -3641,7 +3826,7 @@ "GoType": "string" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFMapSizeIPSets", "NameEnvVar": "FELIX_BPFMapSizeIPSets", 
@@ -3667,7 +3852,7 @@ "GoType": "*int" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFMapSizeIfState", "NameEnvVar": "FELIX_BPFMapSizeIfState", @@ -3693,7 +3878,7 @@ "GoType": "*int" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFMapSizeNATAffinity", "NameEnvVar": "FELIX_BPFMapSizeNATAffinity", @@ -3719,7 +3904,7 @@ "GoType": "*int" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFMapSizeNATBackend", "NameEnvVar": "FELIX_BPFMapSizeNATBackend", @@ -3745,7 +3930,7 @@ "GoType": "*int" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFMapSizeNATFrontend", "NameEnvVar": "FELIX_BPFMapSizeNATFrontend", @@ -3771,7 +3956,7 @@ "GoType": "*int" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFMapSizePerCPUConntrack", "NameEnvVar": "FELIX_BPFMapSizePerCPUConntrack", @@ -3797,7 +3982,7 @@ "GoType": "*int" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFMapSizeRoute", "NameEnvVar": "FELIX_BPFMapSizeRoute", @@ -3823,7 +4008,7 @@ "GoType": "*int" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFPSNATPorts", "NameEnvVar": "FELIX_BPFPSNATPorts", @@ -3849,7 +4034,7 @@ "GoType": "*numorstring.Port" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFPolicyDebugEnabled", "NameEnvVar": "FELIX_BPFPolicyDebugEnabled", 
@@ -3875,7 +4060,7 @@ "GoType": "*bool" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFProfiling", "NameEnvVar": "FELIX_BPFProfiling", @@ -3904,7 +4089,7 @@ "GoType": "string" }, { - "Group": "Data plane: eBPF", + "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", "NameConfigFile": "BPFRedirectToPeer", "NameEnvVar": "FELIX_BPFRedirectToPeer", @@ -3927,18 +4112,18 @@ "Required": true, "OnParseFailure": "ReplaceWithDefault", "AllowedConfigSources": "All", - "Description": "Controls whether traffic may be forwarded directly to the peer side of a workload’s device.\nNote that the legacy \"L2Only\" option is now deprecated and if set it is treated like \"Enabled.\nSetting this option to \"Enabled\" allows direct redirection (including from L3 host devices such as IPIP tunnels or WireGuard),\nwhich can improve redirection performance but causes the redirected packets to bypass the host‑side ingress path.\nAs a result, packet‑capture tools on the host side of the workload device (for example, tcpdump) will not see that traffic.", - "DescriptionHTML": "

Controls whether traffic may be forwarded directly to the peer side of a workload’s device.\nNote that the legacy \"L2Only\" option is now deprecated and if set it is treated like \"Enabled.\nSetting this option to \"Enabled\" allows direct redirection (including from L3 host devices such as IPIP tunnels or WireGuard),\nwhich can improve redirection performance but causes the redirected packets to bypass the host‑side ingress path.\nAs a result, packet‑capture tools on the host side of the workload device (for example, tcpdump) will not see that traffic.

", + "Description": "Controls whether traffic may be forwarded directly to the peer side of a workload’s device.\nNote that the legacy \"L2Only\" option is now deprecated and if set it is treated like \"Enabled\".\nSetting this option to \"Enabled\" allows direct redirection (including from L3 host devices such as IPIP tunnels or WireGuard),\nwhich can improve redirection performance but causes the redirected packets to bypass the host‑side ingress path.\nAs a result, packet‑capture tools on the host side of the workload device (for example, tcpdump) will not see that traffic.", + "DescriptionHTML": "

Controls whether traffic may be forwarded directly to the peer side of a workload’s device.\nNote that the legacy \"L2Only\" option is now deprecated and if set it is treated like \"Enabled\".\nSetting this option to \"Enabled\" allows direct redirection (including from L3 host devices such as IPIP tunnels or WireGuard),\nwhich can improve redirection performance but causes the redirected packets to bypass the host‑side ingress path.\nAs a result, packet‑capture tools on the host side of the workload device (for example, tcpdump) will not see that traffic.

", "UserEditable": true, "GoType": "string" } ] }, { - "Name": "Data plane: Windows", + "Name": "Dataplane: Windows", "Fields": [ { - "Group": "Data plane: Windows", + "Group": "Dataplane: Windows", "GroupWithSortPrefix": "23 Dataplane: Windows", "NameConfigFile": "WindowsManageFirewallRules", "NameEnvVar": "FELIX_WindowsManageFirewallRules", @@ -3969,10 +4154,10 @@ ] }, { - "Name": "Data plane: OpenStack support", + "Name": "Dataplane: OpenStack support", "Fields": [ { - "Group": "Data plane: OpenStack support", + "Group": "Dataplane: OpenStack support", "GroupWithSortPrefix": "25 Dataplane: OpenStack support", "NameConfigFile": "EndpointReportingDelaySecs", "NameEnvVar": "FELIX_EndpointReportingDelaySecs", @@ -3998,7 +4183,7 @@ "GoType": "*v1.Duration" }, { - "Group": "Data plane: OpenStack support", + "Group": "Dataplane: OpenStack support", "GroupWithSortPrefix": "25 Dataplane: OpenStack support", "NameConfigFile": "EndpointReportingEnabled", "NameEnvVar": "FELIX_EndpointReportingEnabled", @@ -4024,7 +4209,7 @@ "GoType": "*bool" }, { - "Group": "Data plane: OpenStack support", + "Group": "Dataplane: OpenStack support", "GroupWithSortPrefix": "25 Dataplane: OpenStack support", "NameConfigFile": "MetadataAddr", "NameEnvVar": "FELIX_MetadataAddr", @@ -4050,7 +4235,7 @@ "GoType": "string" }, { - "Group": "Data plane: OpenStack support", + "Group": "Dataplane: OpenStack support", "GroupWithSortPrefix": "25 Dataplane: OpenStack support", "NameConfigFile": "MetadataPort", "NameEnvVar": "FELIX_MetadataPort", @@ -4076,7 +4261,7 @@ "GoType": "*int" }, { - "Group": "Data plane: OpenStack support", + "Group": "Dataplane: OpenStack support", "GroupWithSortPrefix": "25 Dataplane: OpenStack support", "NameConfigFile": "OpenstackRegion", "NameEnvVar": "FELIX_OpenstackRegion", 
@@ -4102,7 +4287,7 @@ "GoType": "string" }, { - "Group": "Data plane: OpenStack support", + "Group": "Dataplane: OpenStack support", "GroupWithSortPrefix": "25 Dataplane: OpenStack support", "NameConfigFile": "ReportingIntervalSecs", "NameEnvVar": "FELIX_ReportingIntervalSecs", @@ -4128,7 +4313,7 @@ "GoType": "*v1.Duration" }, { - "Group": "Data plane: OpenStack support", + "Group": "Dataplane: OpenStack support", "GroupWithSortPrefix": "25 Dataplane: OpenStack support", "NameConfigFile": "ReportingTTLSecs", "NameEnvVar": "FELIX_ReportingTTLSecs", @@ -4156,11 +4341,11 @@ ] }, { - "Name": "Data plane: XDP acceleration for iptables data plane", + "Name": "Dataplane: XDP acceleration for iptables dataplane", "Fields": [ { - "Group": "Data plane: XDP acceleration for iptables data plane", - "GroupWithSortPrefix": "25 Dataplane: XDP acceleration for iptables data plane", + "Group": "Dataplane: XDP acceleration for iptables dataplane", + "GroupWithSortPrefix": "25 Dataplane: XDP acceleration for iptables dataplane", "NameConfigFile": "GenericXDPEnabled", "NameEnvVar": "FELIX_GenericXDPEnabled", "NameYAML": "genericXDPEnabled", @@ -4185,8 +4370,8 @@ "GoType": "*bool" }, { - "Group": "Data plane: XDP acceleration for iptables data plane", - "GroupWithSortPrefix": "25 Dataplane: XDP acceleration for iptables data plane", + "Group": "Dataplane: XDP acceleration for iptables dataplane", + "GroupWithSortPrefix": "25 Dataplane: XDP acceleration for iptables dataplane", "NameConfigFile": "XDPEnabled", "NameEnvVar": "FELIX_XDPEnabled", "NameYAML": "xdpEnabled", 
@@ -4211,8 +4396,8 @@ "GoType": "*bool" }, { - "Group": "Data plane: XDP acceleration for iptables data plane", - "GroupWithSortPrefix": "25 Dataplane: XDP acceleration for iptables data plane", + "Group": "Dataplane: XDP acceleration for iptables dataplane", + "GroupWithSortPrefix": "25 Dataplane: XDP acceleration for iptables dataplane", "NameConfigFile": "XDPRefreshInterval", "NameEnvVar": "FELIX_XDPRefreshInterval", "NameYAML": "xdpRefreshInterval", @@ -4852,8 +5037,8 @@ "Required": false, "OnParseFailure": "ReplaceWithDefault", "AllowedConfigSources": "All", - "Description": "Configures local Unix socket for reporting flow data from each node.", - "DescriptionHTML": "

Configures local Unix socket for reporting flow data from each node.

", + "Description": "Configures local unix socket for reporting flow data from each node.", + "DescriptionHTML": "

Configures local unix socket for reporting flow data from each node.

", "UserEditable": true, "GoType": "*string" }, diff --git a/calico/networking/kubevirt/index.mdx b/calico/networking/kubevirt/index.mdx new file mode 100644 index 0000000000..139a9ff087 --- /dev/null +++ b/calico/networking/kubevirt/index.mdx @@ -0,0 +1,11 @@ +--- +description: Configure Calico networking for KubeVirt virtual machines. +hide_table_of_contents: true +--- + +# $[prodname] networking for KubeVirt + +import DocCardList from '@theme/DocCardList'; +import { useCurrentSidebarCategory } from '@docusaurus/theme-common'; + + diff --git a/calico/networking/kubevirt/kubevirt-networking.mdx b/calico/networking/kubevirt/kubevirt-networking.mdx new file mode 100644 index 0000000000..f3961e1812 --- /dev/null +++ b/calico/networking/kubevirt/kubevirt-networking.mdx 
@@ -0,0 +1,223 @@ +--- +description: Configure Calico to provide networking for KubeVirt virtual machines, including IP address persistence and live migration support. +--- + +# KubeVirt networking + +## Big picture + +$[prodname] provides networking for KubeVirt virtual machines (VMs) running on your Kubernetes cluster, +including persistent IP addresses across VM lifecycle events and support for live migration. + +## Value + +KubeVirt runs VMs inside Kubernetes pods. When a VM reboots, is evicted, or live-migrates to +another host, the underlying pod is destroyed and recreated. Without IP persistence, each new pod +would receive a fresh IP address, which would break existing connections and change the VM's network identity. + +$[prodname]'s KubeVirt support ensures that: + +- A VM retains the same IP address across reboots, pod evictions, and live migrations. +- Live migration completes without breaking TCP connections or changing the VM's network identity. +- Network policy is correctly applied to the VM on the destination host before migration traffic is switched. + +## Concepts + +### Supported networking mode: bridge + +$[prodname] supports KubeVirt live migration using the **bridge** binding mode. In bridge mode, +the VM is connected to the pod network through a Linux bridge, and the VM uses the same IP address +that $[prodname] assigns to the pod. This is required because: + +- **IP address persistence** depends on the VM IP matching the pod IP. Bridge mode ensures + the VM sees and uses the pod IP directly. +- **Network policy** in KubeVirt bridge mode is applied on the pod's veth interface, so + policy enforcement works correctly for VM traffic. +- **Live migration** in KubeVirt bridge mode relies on detecting gratuitous ARP (GARP) packets + from the VM on the pod's veth interface to know when the VM has activated on the target host. 
+ +Other KubeVirt networking modes (such as masquerade) are not supported for live migration +because the VM would use a different IP than the pod IP, breaking IP persistence and +policy enforcement. + +### BGP networking required + +Live migration currently requires BGP networking without overlay. Overlay networking (VXLAN, IP-in-IP) +support is planned for a future release. + +### KubeVirt VM IP address persistence + +$[prodname] uses the VM's identity (rather than the pod's identity) as the IPAM allocation handle. +When a VM's pod is recreated, the new pod is allocated the same IP address as the original. +This is a cluster-wide setting controlled by the `IPAMConfiguration` resource. + +### Live migration + +When a KubeVirt VM live-migrates from one host to another, $[prodname] coordinates the network +transition: + +1. The target pod is created on the destination host and assigned the same IP as the source pod. +2. Network policy is programmed on the destination host before the VM becomes active. +3. Once the VM activates on the target host, $[prodname] adjusts route priorities so that + traffic is steered to the new host. +4. After a configurable convergence period (default 30 seconds), route priorities return to normal. + +### Policy setup timeout + +During live migration, KubeVirt needs to know when the destination host is ready for the VM. +The `policy_setup_timeout_seconds` CNI configuration parameter interlocks the progress of the +live migration with policy programming. The CNI plugin delays reporting success until network +policy is in place on the destination, or until the timeout expires. + +### Limitations + +- **WireGuard** is not supported with live migration. + +## Before you begin + +- A working Kubernetes cluster with KubeVirt installed. +- $[prodname] installed with BGP networking without overlay. 
+- Access to `projectcalico.org/v3` resources, either by installing the $[prodname] + [API server](../../operations/install-apiserver.mdx) or by using + [calicoctl](../../operations/calicoctl/install.mdx). + +## How to + +### Enable live migration on VMs with bridge mode + +By default, KubeVirt does not allow [live migration](https://kubevirt.io/user-guide/compute/live_migration/) +for VMs that use bridge binding on the pod network. To enable it, annotate your `VirtualMachine` +template with `kubevirt.io/allow-pod-bridge-network-live-migration`: + +```yaml +apiVersion: kubevirt.io/v1 +kind: VirtualMachine +metadata: + name: my-vm +spec: + template: + metadata: + annotations: + kubevirt.io/allow-pod-bridge-network-live-migration: "" + spec: + domain: + devices: + interfaces: + - name: default + bridge: {} + networks: + - name: default + pod: {} +``` + +The annotation must be placed in `spec.template.metadata.annotations` (the VMI template, not the +VM itself). Without this annotation, KubeVirt rejects live migration attempts for VMs using +bridge binding with an error like: +`cannot migrate VMI which does not use masquerade to connect to the pod network`. + +### Enable KubeVirt VM IP address persistence + +IP address persistence is enabled by default. If it has been previously disabled, re-enable +it by setting `kubeVirtVMAddressPersistence` to `Enabled` in the `IPAMConfiguration` resource: + +```bash +kubectl patch ipamconfigurations default --type='merge' -p '{"spec": {"kubeVirtVMAddressPersistence": "Enabled"}}' +``` + +Or using `calicoctl`: + +```bash +calicoctl ipam configure --kubevirt-ip-persistence=Enabled +``` + +:::note + +IP address persistence must be enabled for live migration to work. If persistence is disabled, +the CNI plugin rejects migration target pods. 
+ +::: + +### Allow live migration ports through host endpoint policy + +If you use [host endpoint policies](../../reference/host-endpoints/overview.mdx), you must +allow the KubeVirt live migration ports (TCP 49152 and 49153) between hosts. These ports are +used by libvirt/QEMU to transfer VM memory and block storage directly between the source and +destination nodes during live migration. + +Add them to the Felix `FailsafeInboundHostPorts` and `FailsafeOutboundHostPorts` configuration, +or create appropriate host endpoint policies to allow this traffic. See +[Failsafe rules](../../reference/host-endpoints/failsafe.mdx) for more details. + +### Configure policy setup timeout for live migration + +To ensure network policy is programmed on the destination host before the VM starts receiving +traffic, configure the policy setup timeout. This value specifies how long (in seconds) the +CNI plugin waits for policy to be programmed before reporting success. + +If you installed $[prodname] using the operator, configure the +[`linuxPolicySetupTimeoutSeconds`](../../reference/installation/api.mdx#caliconetworkspec) field +in the [`Installation`](../../reference/installation/api.mdx#installation) resource's `calicoNetwork` settings: + +```yaml +kind: Installation +apiVersion: operator.tigera.io/v1 +metadata: + name: default +spec: + calicoNetwork: + linuxPolicySetupTimeoutSeconds: 10 +``` + +For manifest-based installations, set `policy_setup_timeout_seconds` directly in +the CNI network configuration (typically `/etc/cni/net.d/10-calico.conflist`): + +```json +{ + "name": "k8s-pod-network", + "cniVersion": "0.3.1", + "plugins": [ + { + "type": "calico", + "policy_setup_timeout_seconds": 10, + ... + } + ] +} +``` + +## Security considerations + +### VM identity verification + +$[prodname]'s CNI plugin verifies the identity of VM pods using Kubernetes `ownerReferences`. 
+When a pod claims to be a KubeVirt VM (to receive a persistent IP), the CNI plugin checks that +the pod's `ownerReferences` point to a valid `VirtualMachineInstance` resource. This prevents +arbitrary pods from claiming VM IP addresses. + +### RBAC recommendations + +A user who can create pods and read `VirtualMachineInstance` resources could potentially forge +`ownerReferences` to claim a VM's IP address. To mitigate this: + +- Restrict pod creation permissions in namespaces that run KubeVirt VMs. +- Limit `get`/`list` access to `VirtualMachineInstance` resources to trusted users and service accounts. + +### Admission controllers + +For production deployments, consider using admission controllers such as +[Kyverno](https://kyverno.io/) or [OPA/Gatekeeper](https://open-policy-agent.github.io/gatekeeper/) +to enforce that only KubeVirt controllers can set `ownerReferences` pointing to +`VirtualMachineInstance` resources on pods. + +### $[prodname] component permissions + +$[prodname] components (Felix, confd, the CNI plugin) require only **read** access to KubeVirt +resources (`VirtualMachineInstance`, `VirtualMachineInstanceMigration`, etc.). They do not create, modify, or delete any KubeVirt resources. + +## Additional resources + +- [`IPAMConfiguration` reference](../../reference/resources/ipamconfig.mdx) +- [FelixConfiguration reference](../../reference/resources/felixconfig.mdx) +- [BGPConfiguration reference](../../reference/resources/bgpconfig.mdx) +- [BGP routing for KubeVirt live migration](./live-migration-bgp.mdx) +- [Configure BGP peering](../configuring/bgp.mdx) diff --git a/calico/networking/kubevirt/live-migration-bgp.mdx b/calico/networking/kubevirt/live-migration-bgp.mdx new file mode 100644 index 0000000000..9152163b6c --- /dev/null +++ b/calico/networking/kubevirt/live-migration-bgp.mdx 
@@ -0,0 +1,202 @@ +--- +description: Configure BGP routing to support KubeVirt live migration across racks and AS boundaries. +--- + +# BGP routing for KubeVirt live migration + +## Big picture + +When you live-migrate a KubeVirt VM to a new host, $[prodname] uses route priority to steer traffic to +the new host. In single-rack deployments with iBGP, this works automatically. In multi-rack +topologies or AS puddling setups where eBGP is used between racks, you must configure +[BGPFilter](../../reference/resources/bgpfilter.mdx) resources to propagate route priority +information across AS boundaries. + +## Value + +Without proper BGP route engineering, live migration across rack boundaries can cause traffic +blackholing or split-brain routing. This guide explains how to configure BGP so that +elevated-priority routes from the target host are correctly propagated to all nodes in the cluster, +ensuring seamless live migration regardless of your BGP topology. + +## Concepts + +### Route priority and BGP + +During live migration, $[prodname] programs routes on the target host with an elevated priority +(lower kernel metric, default 512) compared to the normal priority on the source host (default 1024). +In the Linux kernel, a lower route metric means higher priority, so traffic is directed to the +target host. + +For this to work cluster-wide, the route priority information must be propagated via BGP: + +- **Within an AS (iBGP):** $[prodname] automatically maps the kernel route metric (`krt_metric`) + to BGP `local_pref` using the formula `local_pref = 2147483647 - krt_metric`. This mapping is + hardcoded and works for both node-to-node mesh and explicit `BGPPeer` resources. No user + configuration is needed. + +- **Across AS boundaries (eBGP):** BGP `local_pref` is not carried across AS boundaries. You must + configure `BGPFilter` resources to encode priority information using BGP communities or other + attributes that cross AS boundaries. 
+ +### Downward default model supported with exceptions + +The [downward default model](../../reference/architecture/design/l3-interconnect-fabric.mdx#the-downward-default-model) +is supported for normal routes, but the ToR must also pass through elevated-priority /32 routes +for live migration. Live migration requires specific /32 routes with elevated priority to be +propagated across racks so that all nodes can route traffic to the new host. A pure downward +default configuration where *only* a default route is advertised downward is not compatible +with live migration. + +### Route aggregation + +Under normal conditions, $[prodname] aggregates individual /32 workload routes into larger CIDR +blocks for BGP advertisement, reducing the number of routes in the network. During live migration, +elevated-priority /32 routes **bypass aggregation** so that the per-route priority information is +preserved. This is handled automatically by $[prodname]. + +## Before you begin + +- KubeVirt VM IP address persistence is [enabled](./kubevirt-networking.mdx). +- $[prodname] is configured with [BGP networking](../configuring/bgp.mdx). +- You are familiar with [BGPFilter](../../reference/resources/bgpfilter.mdx) and + [BGPPeer](../../reference/resources/bgppeer.mdx) resources. + +## How to + +### Single-rack or iBGP mesh + +If all your nodes are within the same AS (using either node-to-node mesh or explicit iBGP peerings), +**no additional configuration is needed**. $[prodname] automatically: + +1. Maps `krt_metric` to `bgp_local_pref` on export. +2. Maps `bgp_local_pref` back to `krt_metric` on import. +3. Bypasses route aggregation for elevated-priority /32 routes. +4. Sets a higher BIRD route preference for imported elevated-priority routes so they override + existing kernel routes. 
+ +### Multi-rack with eBGP to ToR + +In a multi-rack topology where compute nodes peer with their ToR switch over eBGP, you need to +configure `BGPFilter` resources to carry route priority information across the AS boundary. + +#### Route priority signaling across AS boundaries + +There are two common techniques to carry route priority information across eBGP boundaries where +`local_pref` is not available: + +- **BGP communities**: A community is a tag attached to a route that carries no inherent routing + meaning — its interpretation is defined by agreement between network operators. By assigning a + community value to represent elevated priority (e.g., `65000:100`), the exporting node marks + which routes are preferred. The receiving node matches on that community and restores the + appropriate kernel route metric. Communities are the most explicit and flexible approach because + they carry an arbitrary signal that both sides interpret identically. + +- **AS path prepending**: BGP's default best-path selection prefers routes with shorter AS paths. + By prepending extra AS numbers to lower-priority routes on export, you make those routes appear + longer and therefore less preferred. This technique works without any configuration on + intermediate routers — they naturally prefer the shorter path. However, it is less precise than + communities because it relies on the standard BGP decision process, which may be overridden by + other attributes (e.g., MED, weight). + +You can use either technique or combine them. The example below uses **communities only**, which +is the recommended approach for most deployments. + +#### Step 1: Create a BGPFilter for the ToR peering + +Create a `BGPFilter` that uses the `priority` and `operations` fields to tag routes with +BGP communities on export, and reconstruct priority from communities on import. The exact +community values depend on your network infrastructure; coordinate with your network team. 
+ +The following example uses community `65000:100` to mark elevated-priority routes (the migration +target). Normal-priority routes are indicated by the absence of this community: + +```yaml +apiVersion: projectcalico.org/v3 +kind: BGPFilter +metadata: + name: kubevirt-live-migration +spec: + exportV4: + # Elevated-priority route (target pod): tag with community 65000:100 + - action: Accept + peerType: eBGP + priority: 512 + operations: + - addCommunity: + value: "65000:100" + importV4: + # Match elevated-priority community: restore priority 512 + - action: Accept + communities: + values: ["65000:100"] + operations: + - setPriority: + value: 512 + exportV6: + - action: Accept + peerType: eBGP + priority: 512 + operations: + - addCommunity: + value: "65000:100" + importV6: + - action: Accept + communities: + values: ["65000:100"] + operations: + - setPriority: + value: 512 +``` + +Key fields used in this filter: + +- **`priority`** (export rules): Matches routes by their kernel route metric. Only routes with the + specified priority value match this rule. +- **`peerType: eBGP`** (export rules): Ensures the community tagging only applies to eBGP peers, + not iBGP peers (which use the automatic `local_pref` mapping). +- **`communities`** (import rules): Matches routes carrying the specified BGP community. +- **`operations`**: An ordered list of route modifications applied to matching routes: + - `addCommunity`: Adds a BGP community to the route. + - `setPriority`: Sets the route's kernel metric (priority). + +:::note + +The `priority` values in the BGPFilter (512) must match the `ipv4ElevatedRoutePriority` +and `ipv4NormalRoutePriority` values in your `FelixConfiguration`. In case you customized those values, +update the BGPFilter accordingly. 
+ +::: + +#### Step 2: Attach the BGPFilter to the ToR BGPPeer + +Add the filter to your existing `BGPPeer` resource for the ToR: + +```yaml +apiVersion: projectcalico.org/v3 +kind: BGPPeer +metadata: + name: node-tor-peer +spec: + peerIP: + asNumber: + filters: + - kubevirt-live-migration +``` + +#### Step 3: Configure ToR to propagate routes with communities + +Ensure your ToR switches are configured to pass through the BGP communities used in the +`BGPFilter` (e.g., `65000:100`). The ToR must re-advertise these /32 routes +with their communities intact to compute nodes in other racks, so that the receiving nodes' +import filters can reconstruct the correct route priority. This configuration is done on the +ToR switch itself (outside of $[prodname]) and depends on your switch vendor and network OS. + +## Additional resources + +- [KubeVirt networking overview](./kubevirt-networking.mdx) +- [Configure BGP peering](../configuring/bgp.mdx) +- [BGP L3 interconnect fabric](../../reference/architecture/design/l3-interconnect-fabric.mdx) +- [BGPFilter reference](../../reference/resources/bgpfilter.mdx) +- [BGPPeer reference](../../reference/resources/bgppeer.mdx) +- [Configure BGP peering with nested clusters on KubeVirt VMs](../configuring/bgp-to-workload.mdx) diff --git a/calico/reference/resources/bgpconfig.mdx b/calico/reference/resources/bgpconfig.mdx index fee05fffef..aab0a86d8e 100644 --- a/calico/reference/resources/bgpconfig.mdx +++ b/calico/reference/resources/bgpconfig.mdx 
@@ -42,7 +42,7 @@ spec: | Field | Description | Accepted Values | Schema | | ----- | --------------------------------------------------------- | --------------------------------------------------- | ------ | -| name | Unique name to describe this resource instance. Required. | Alphanumeric string with optional `.`, `_`, or `-`. | string | +| `name` | Unique name to describe this resource instance. Required. | Alphanumeric string with optional `.`, `_`, or `-`. | string | - The resource with the name `default` has a specific meaning - this contains the BGP global default configuration. - The resources with the name `node.` contain the node-specific overrides, and will be applied to the node ``. When deleting a node the BGPConfiguration resource associated with the node will also be deleted. Only prefixAdvertisements, listenPort, and logSeverityScreen can be overridden this way. 
@@ -51,32 +51,35 @@ spec: | Field | Description | Accepted Values | Schema | Default | | ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------- | --------------------------------------------------------------- | -| logSeverityScreen | Global log level | Debug, Info, Warning, Error, Fatal | string | `Info` | -| nodeToNodeMeshEnabled | Full BGP node-to-node mesh. Only valid on the global `default` BGPConfiguration. | true, false | string | true | -| asNumber | The default local AS Number that $[prodname] should use when speaking with BGP peers. Only valid on the global `default` BGPConfiguration; to set a per-node override, use the `bgp` field on the [Node resource](node.mdx). | A valid AS Number, may be specified in dotted notation. | integer/string | 64512 | -| serviceClusterIPs | The CIDR blocks for Kubernetes Service Cluster IPs to be advertised over BGP. Only valid on the global `default` BGPConfiguration: will be ignored otherwise. | A list of valid IPv4 or IPv6 CIDR blocks. | List of `cidr: /` values. | Empty List | -| serviceExternalIPs | The CIDR blocks for Kubernetes Service External IPs to be advertised over BGP. Kubernetes Service External IPs will only be advertised if they are within one of these blocks. Only valid on the global `default` BGPConfiguration: will be ignored otherwise. | A list of valid IPv4 or IPv6 CIDR blocks. | List of `cidr: /` values. 
| Empty List | -| serviceLoadBalancerIPs | The CIDR blocks for Kubernetes Service status.LoadBalancer IPs to be advertised over BGP. Kubernetes LoadBalancer IPs will only be advertised if they are within one of these blocks. Only valid on the global `default` BGPConfiguration: will be ignored otherwise. | A list of valid IPv4 or IPv6 CIDR blocks. | List of `cidr: /` values. | Empty List | -| listenPort | The port where BGP protocol should listen. | A valid port number. | integer | 179 | -| bindMode | Indicates whether to listen for BGP connections on all addresses (None) or only on the node's canonical IP address Node.Spec.BGP.IPvXAddress (NodeIP). If this field is changed when calico-node is already running, the change will not take effect until calico-node is manually restarted. | None, NodeIP. | string | None | -| communities | List of BGP community names and their values, communities are not advertised unless they are used in [prefixAdvertisements](#prefixadvertisements). | | List of [communities](#communities) | -| prefixAdvertisements | List of per-prefix advertisement properties, like BGP communities. | | List of [prefixAdvertisements](#prefixadvertisements) | -| nodeMeshPassword | BGP password for the all the peerings in a full mesh configuration. | | [BGPPassword](bgppeer.mdx#bgppassword) | `nil` (no password) | -| nodeMeshMaxRestartTime | Restart time that is announced by BIRD in the BGP graceful restart capability and that specifies how long the neighbor would wait for the BGP session to re-establish after a restart before deleting stale routes in full mesh configurations. Note: extra care should be taken when changing this configuration, as it may break networking in your cluster. When not specified, BIRD uses the default value of 120 seconds. | `10s`, `120s`, `2m` etc. 
| [Duration string][parse-duration] | `nil` (empty config, BIRD will use the default value of `120s`) | -| ignoredInterfaces | List of network interfaces to be excluded when reading device routes. | A list of network interface names. The names can contain the wildcard character asterisk `*` to specify groups of interface names. | List of strings | `nil` (no extra interfaces to be ignored) | -| localWorkloadPeeringIPV4 | Single virtual IPv4 address that all nodes will use for peering with local workloads when using `BGPPeer`'s `localWorkloadSelector`. A link local address is recommended but it must not be 169.254.0.1 or 169.254.0.2 because these are used internally by $[prodname]. See the [guide](../../networking/configuring/bgp-to-workload.mdx) for details. | An IPv4 address. | string | None | -| localWorkloadPeeringIPV6 | Single virtual IPv6 address that all nodes will use for peering with local workloads when using `BGPPeer`'s `localWorkloadSelector`. Must _not_ be a link-local address (because $[prodname] doesn't currently support the required "scope" suffix). See the [guide](../../networking/configuring/bgp-to-workload.mdx) for details. | An IPv6 address. | string | None | +| `logSeverityScreen` | Global log level | Debug, Info, Warning, Error, Fatal | string | `Info` | +| `nodeToNodeMeshEnabled` | Full BGP node-to-node mesh. Only valid on the global `default` BGPConfiguration. | true, false | string | true | +| `asNumber` | The default local AS Number that $[prodname] should use when speaking with BGP peers. Only valid on the global `default` BGPConfiguration; to set a per-node override, use the `bgp` field on the [Node resource](node.mdx). | A valid AS Number, may be specified in dotted notation. | integer/string | 64512 | +| `serviceClusterIPs` | The CIDR blocks for Kubernetes Service Cluster IPs to be advertised over BGP. Only valid on the global `default` BGPConfiguration: will be ignored otherwise. | A list of valid IPv4 or IPv6 CIDR blocks. 
| List of `cidr: /` values. | Empty List | +| `serviceExternalIPs` | The CIDR blocks for Kubernetes Service External IPs to be advertised over BGP. Kubernetes Service External IPs will only be advertised if they are within one of these blocks. Only valid on the global `default` BGPConfiguration: will be ignored otherwise. | A list of valid IPv4 or IPv6 CIDR blocks. | List of `cidr: /` values. | Empty List | +| `serviceLoadBalancerIPs` | The CIDR blocks for Kubernetes Service status.LoadBalancer IPs to be advertised over BGP. Kubernetes LoadBalancer IPs will only be advertised if they are within one of these blocks. Only valid on the global `default` BGPConfiguration: will be ignored otherwise. | A list of valid IPv4 or IPv6 CIDR blocks. | List of `cidr: /` values. | Empty List | +| `listenPort` | The port where BGP protocol should listen. | A valid port number. | integer | 179 | +| `bindMode` | Indicates whether to listen for BGP connections on all addresses (None) or only on the node's canonical IP address Node.Spec.BGP.IPvXAddress (NodeIP). If this field is changed when calico-node is already running, the change will not take effect until calico-node is manually restarted. | None, NodeIP. | string | None | +| `communities` | List of BGP community names and their values, communities are not advertised unless they are used in [prefixAdvertisements](#prefixadvertisements). | | List of [communities](#communities) | +| `prefixAdvertisements` | List of per-prefix advertisement properties, like BGP communities. | | List of [prefixAdvertisements](#prefixadvertisements) | +| `nodeMeshPassword` | BGP password for the all the peerings in a full mesh configuration. 
| | [BGPPassword](bgppeer.mdx#bgppassword) | `nil` (no password) | +| `nodeMeshMaxRestartTime` | Restart time that is announced by BIRD in the BGP graceful restart capability and that specifies how long the neighbor would wait for the BGP session to re-establish after a restart before deleting stale routes in full mesh configurations. Note: extra care should be taken when changing this configuration, as it may break networking in your cluster. When not specified, BIRD uses the default value of 120 seconds. | `10s`, `120s`, `2m` etc. | [Duration string][parse-duration] | `nil` (empty config, BIRD will use the default value of `120s`) | +| `ignoredInterfaces` | List of network interfaces to be excluded when reading device routes. | A list of network interface names. The names can contain the wildcard character asterisk `*` to specify groups of interface names. | List of strings | `nil` (no extra interfaces to be ignored) | +| `localWorkloadPeeringIPV4` | Single virtual IPv4 address that all nodes will use for peering with local workloads when using `BGPPeer`'s `localWorkloadSelector`. A link local address is recommended but it must not be 169.254.0.1 or 169.254.0.2 because these are used internally by $[prodname]. See the [guide](../../networking/configuring/bgp-to-workload.mdx) for details. | An IPv4 address. | string | None | +| `localWorkloadPeeringIPV6` | Single virtual IPv6 address that all nodes will use for peering with local workloads when using `BGPPeer`'s `localWorkloadSelector`. Must _not_ be a link-local address (because $[prodname] doesn't currently support the required "scope" suffix). See the [guide](../../networking/configuring/bgp-to-workload.mdx) for details. | An IPv6 address. | string | None | +| `ipv4NormalRoutePriority` | The normal route priority (metric) that Felix uses for IPv4 workload routes. This must match the value configured in FelixConfiguration. 
BIRD uses this to identify elevated-priority routes during live migration and to override local workload routes with higher-priority BGP-learned routes. | 1-2147483646 | integer | 1024 | +| `ipv6NormalRoutePriority` | The normal route priority (metric) that Felix uses for IPv6 workload routes. This must match the value configured in FelixConfiguration. BIRD uses this to identify elevated-priority routes during live migration and to override local workload routes with higher-priority BGP-learned routes. | 1-2147483646 | integer | 1024 | +| `programClusterRoutes` | Controls whether $[prodname] programs cluster routes for IP Pools with VXLAN or IP-in-IP enabled. Felix always programs such routes for IP Pools with `vxlanMode: Always` or `vxlanMode: CrossSubnet`. | Enabled, Disabled | string | Enabled | ### communities | Field | Description | Accepted Values | Schema | | ----- | -------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | -| name | Name or identifier for the community. This should be used in [prefixAdvertisements](#prefixAdvertisements) to advertise the community value. | | string | -| value | Standard or large BGP community value. | For standard community, value should be in `aa:nn` format, where both `aa` and `nn` are 16 bit integers.
For large community, value should be `aa:nn:mm` format, where `aa`, `nn` and `mm` are all 32 bit integers.
Where `aa` is an AS Number, `nn` and `mm` are per-AS identifier. | string | +| `name` | Name or identifier for the community. This should be used in [prefixAdvertisements](#prefixAdvertisements) to advertise the community value. | | string | +| `value` | Standard or large BGP community value. | For standard community, value should be in `aa:nn` format, where both `aa` and `nn` are 16 bit integers.
For large community, value should be `aa:nn:mm` format, where `aa`, `nn` and `mm` are all 32 bit integers.
Where `aa` is an AS Number, `nn` and `mm` are per-AS identifier. | string | ### prefixAdvertisements | Field | Description | Accepted Values | Schema | | ----------- | ----------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | -| cidr | CIDR for which properties should be advertised. | `cidr: XXX.XXX.XXX.XXX/XX` | string | -| communities | BGP communities to be advertised. | Communities can be list of either community names already defined in [communities](#communities) or community value of format `aa:nn` or `aa:nn:mm`.
For standard community, value should be in `aa:nn` format, where both `aa` and `nn` are 16 bit integers.
For large community, value should be `aa:nn:mm` format, where `aa`, `nn` and `mm` are all 32 bit integers.
Where `aa` is an AS Number, `nn` and `mm` are per-AS identifier. | List of string | \ No newline at end of file +| `cidr` | CIDR for which properties should be advertised. | `cidr: XXX.XXX.XXX.XXX/XX` | string | +| `communities` | BGP communities to be advertised. | Communities can be list of either community names already defined in [communities](#communities) or community value of format `aa:nn` or `aa:nn:mm`.
For standard community, value should be in `aa:nn` format, where both `aa` and `nn` are 16 bit integers.
For large community, value should be `aa:nn:mm` format, where `aa`, `nn` and `mm` are all 32 bit integers.
Where `aa` is an AS Number, `nn` and `mm` are per-AS identifier. | List of string | \ No newline at end of file diff --git a/calico/reference/resources/bgpfilter.mdx b/calico/reference/resources/bgpfilter.mdx index 27b638e2a2..cde5857e4b 100644 --- a/calico/reference/resources/bgpfilter.mdx +++ b/calico/reference/resources/bgpfilter.mdx 
@@ -61,42 +61,84 @@ spec: | Field | Description | Accepted Values | Schema | | ----- | ------------------------------------------------------------------ | --------------------------------------------------- | ------ | -| name | Unique name to describe this resource instance. Must be specified. | Alphanumeric string with optional `.`, `_`, or `-`. | string | +| `name` | Unique name to describe this resource instance. Must be specified. | Alphanumeric string with optional `.`, `_`, or `-`. | string | ### Spec | Field | Description | Accepted Values | Schema | Default | | -------- | ---------------------------------- | --------------- | ----------------------------------------- | ------- | -| exportV4 | List of v4 CIDRs and export action | | [BGP Filter Rule v4](#bgp-filter-rule-v4) | | -| importV4 | List of v4 CIDRs and import action | | [BGP Filter Rule v4](#bgp-filter-rule-v4) | | -| exportV6 | List of v6 CIDRs and export action | | [BGP Filter Rule v6](#bgp-filter-rule-v6) | | -| importV6 | List of v6 CIDRs and import action | | [BGP Filter Rule v6](#bgp-filter-rule-v6) | | +| `exportV4` | List of v4 CIDRs and export action | | [BGP Filter Rule v4](#bgp-filter-rule-v4) | | +| `importV4` | List of v4 CIDRs and import action | | [BGP Filter Rule v4](#bgp-filter-rule-v4) | | +| `exportV6` | List of v6 CIDRs and export action | | [BGP Filter Rule v6](#bgp-filter-rule-v6) | | +| `importV6` | List of v6 CIDRs and import action | | [BGP Filter Rule v6](#bgp-filter-rule-v6) | | ### BGP Filter Rule v4 | Field | Description | Accepted Values | Schema | Default | | ------------- | ------------------------------------------ | ------------------------------------------------------------------- | ------ | ------- | -| cidr | IPv6 range | A valid IPv6 CIDR | string | | -| prefixLength | [PrefixLength](#bgp-filter-prefix-length) | Valid integers between 0 and ipv4/6 max (32, 128) | | | -| matchOperator | Method by which to match candidate routes | `In`, `NotIn`, `Equal`, 
`NotEqual` | string | | -| source | Indicator of the source of route | `RemotePeers` means any route learned from other BGP peers | string | | -| interface | String to match interface names | A valid pattern to match interfaces. "*" can be used as a wildcard. | string | | -| action | Action to be taken for this rule | `Accept` or `Reject` | string | | +| `cidr` | IPv4 range | A valid IPv4 CIDR | string | | +| `prefixLength` | [PrefixLength](#bgp-filter-prefix-length) | Valid integers between 0 and ipv4/6 max (32, 128) | | | +| `matchOperator` | Method by which to match candidate routes | `In`, `NotIn`, `Equal`, `NotEqual` | string | | +| `source` | Indicator of the source of route | `RemotePeers` means any route learned from other BGP peers | string | | +| `interface` | String to match interface names | A valid pattern to match interfaces. "*" can be used as a wildcard. | string | | +| `peerType` | Only apply this rule to routes from/to the specified BGP peer type. If empty, the rule applies to all peers. | `eBGP`, `iBGP` | string | | +| `priority` | Only apply this rule to routes with the given priority (metric). Uses the same units as the `...RoutePriority` fields in FelixConfiguration. | 1-2147483646 | integer | | +| `communities` | Only apply this rule to routes carrying the specified BGP community. | See [BGP Filter Community Match](#bgp-filter-community-match). | object | | +| `action` | Action to be taken for this rule | `Accept` or `Reject` | string | | +| `operations` | Ordered list of route modifications to apply when the rule matches. Only valid when action is `Accept`. Maximum 10 operations. | See [BGP Filter Operation](#bgp-filter-operation). 
| list | | ### BGP Filter Rule v6 | Field | Description | Accepted Values | Schema | Default | | ------------- | ------------------------------------------ | ------------------------------------------------------------------- | ------ | ------- | -| cidr | IPv6 range | A valid IPv6 CIDR | string | | -| prefixLength | [PrefixLength](#bgp-filter-prefix-length) | Valid integers between 0 and ipv4/6 max (32, 128) | | | -| matchOperator | Method by which to match candidate routes | `In`, `NotIn`, `Equal`, `NotEqual` | string | | -| source | Indicator of the source of route | `RemotePeers` means any route learned from other BGP peers | string | | -| interface | String to match interface names | A valid pattern to match interfaces. "*" can be used as a wildcard. | string | | -| action | Action to be taken for this rule | `Accept` or `Reject` | string | | +| `cidr` | IPv6 range | A valid IPv6 CIDR | string | | +| `prefixLength` | [PrefixLength](#bgp-filter-prefix-length) | Valid integers between 0 and ipv4/6 max (32, 128) | | | +| `matchOperator` | Method by which to match candidate routes | `In`, `NotIn`, `Equal`, `NotEqual` | string | | +| `source` | Indicator of the source of route | `RemotePeers` means any route learned from other BGP peers | string | | +| `interface` | String to match interface names | A valid pattern to match interfaces. "*" can be used as a wildcard. | string | | +| `peerType` | Only apply this rule to routes from/to the specified BGP peer type. If empty, the rule applies to all peers. | `eBGP`, `iBGP` | string | | +| `priority` | Only apply this rule to routes with the given priority (metric). Uses the same units as the `...RoutePriority` fields in FelixConfiguration. | 1-2147483646 | integer | | +| `communities` | Only apply this rule to routes carrying the specified BGP community. | See [BGP Filter Community Match](#bgp-filter-community-match). 
| object | | +| `action` | Action to be taken for this rule | `Accept` or `Reject` | string | | +| `operations` | Ordered list of route modifications to apply when the rule matches. Only valid when action is `Accept`. Maximum 10 operations. | See [BGP Filter Operation](#bgp-filter-operation). | list | | ### BGP Filter Prefix Length | Field | Description | Accepted Values | Schema | Default | | ------ | --------------------------------------------- | ------------------------------------------------------------------- | ------ | ------- | -| min | Smallest matched mask size (0 by default) | Valid integers between 0 and ipv4/6 max (32, 128) | int | | -| max | Largest matched mask size (32/128 by default) | Valid integers between 1 and ipv4/6 max (32, 128) | int | | +| `min` | Smallest matched mask size (0 by default) | Valid integers between 0 and ipv4/6 max (32, 128) | int | | +| `max` | Largest matched mask size (32/128 by default) | Valid integers between 1 and ipv4/6 max (32, 128) | int | | + +### BGP Filter Community Match + +| Field | Description | Accepted Values | Schema | +| ------ | ---------------------------------------------------------------------------------------------------- | ------------------------------------------------------------ | -------------- | +| `values` | List of BGP community values to match against. The route must carry at least one of these communities. | Standard (`aa:nn`) or large (`aa:nn:mm`) community values. | list of string | + +### BGP Filter Operation + +Each operation is an object with exactly one of the following fields set: + +| Field | Description | Schema | +| ------------- | ------------------------------------------------------------ | --------------------------------------------------- | +| `addCommunity` | Adds a BGP community to the route. | [AddCommunity](#bgp-filter-add-community) | +| `prependASPath` | Prepends AS numbers to the route's AS path. 
| [PrependASPath](#bgp-filter-prepend-as-path) | +| `setPriority` | Sets the route's priority (metric). | [SetPriority](#bgp-filter-set-priority) | + +### BGP Filter Add Community + +| Field | Description | Accepted Values | Schema | +| ----- | ---------------------------- | ---------------------------------------------------------- | ------ | +| `value` | BGP community value to add. | Standard (`aa:nn`) or large (`aa:nn:mm`) community value. | string | + +### BGP Filter Prepend AS Path + +| Field | Description | Accepted Values | Schema | +| ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- | ---------------- | +| `prefix` | Sequence of AS numbers to prepend to the route's AS path. The resulting path starts with these AS numbers in the order listed (e.g., `[65000, 65001]` produces `65000 65001 `). | A list of 1-10 valid AS numbers. | list of integer | + +### BGP Filter Set Priority + +| Field | Description | Accepted Values | Schema | +| ----- | ---------------------------------------------------------------------------------------------------------- | --------------- | ------- | +| `value` | The priority (metric) value to set on the route. Uses the same units as FelixConfiguration RoutePriority fields. | 1-2147483646 | integer | diff --git a/calico/reference/resources/ipamconfig.mdx b/calico/reference/resources/ipamconfig.mdx index 49c55bba95..d35bf22d0c 100644 --- a/calico/reference/resources/ipamconfig.mdx +++ b/calico/reference/resources/ipamconfig.mdx @@ -16,7 +16,7 @@ metadata: spec: strictAffinity: false maxBlocksPerHost: 4 - kubeVirtVMAddressPersistence: Disabled + kubeVirtVMAddressPersistence: Enabled ``` ## IPAM configuration definition 
@@ -25,7 +25,7 @@ spec: | Field | Description | Accepted Values | Schema | | ----- | --------------------------------------------------------- | --------------- | ------ | -| name | Unique name to describe this resource instance. Required. | default | string | +| `name` | Unique name to describe this resource instance. Required. | default | string | The resource is a singleton which must have the name `default`. @@ -33,6 +33,6 @@ The resource is a singleton which must have the name `default`. | Field | Description | Accepted Values | Schema | Default | | ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | ------------------ | ------ | -------- | -| strictAffinity | When StrictAffinity is true, borrowing IP addresses is not allowed. | true, false | bool | false | -| maxBlocksPerHost | The max number of blocks that can be affine to each host. | 0 - max(int32) | int | 20 | -| kubeVirtVMAddressPersistence | Controls whether KubeVirt VMs retain persistent IP addresses across lifecycle events such as restart or migration. Requires KubeVirt. | Enabled, Disabled | string | Disabled | \ No newline at end of file +| `strictAffinity` | When StrictAffinity is true, borrowing IP addresses is not allowed. | true, false | bool | false | +| `maxBlocksPerHost` | The max number of blocks that can be affine to each host. | 0 - max(int32) | int | 20 | +| `kubeVirtVMAddressPersistence` | Controls whether KubeVirt VMs retain persistent IP addresses across lifecycle events such as restart or migration. Requires KubeVirt. | Enabled, Disabled | string | Enabled | \ No newline at end of file diff --git a/sidebars-calico-enterprise.js b/sidebars-calico-enterprise.js index d9ad115517..21f719dbca 100644 --- a/sidebars-calico-enterprise.js +++ b/sidebars-calico-enterprise.js 
@@ -187,6 +187,15 @@ module.exports = {
 'networking/configuring/mark-lb-node-for-maintenance',
 ],
 },
+ {
+ type: 'category',
+ label: 'Calico Enterprise networking for KubeVirt',
+ link: { type: 'doc', id: 'networking/kubevirt/index' },
+ items: [
+ 'networking/kubevirt/kubevirt-networking',
+ 'networking/kubevirt/live-migration-bgp',
+ ],
+ },
 {
 type: 'category',
 label: 'Egress gateways',
diff --git a/sidebars-calico.js b/sidebars-calico.js
index f4845c6b89..251998a59a 100644
--- a/sidebars-calico.js
+++ b/sidebars-calico.js
@@ -329,6 +329,15 @@ module.exports = {
 'networking/openstack/neutron-api',
 ],
 },
+ {
+ type: 'category',
+ label: 'Calico networking for KubeVirt',
+ link: { type: 'doc', id: 'networking/kubevirt/index' },
+ items: [
+ 'networking/kubevirt/kubevirt-networking',
+ 'networking/kubevirt/live-migration-bgp',
+ ],
+ },
 ],
 },
 {