Add allowedSourcePrefixes annotation documentation #2613
tomastigera wants to merge 1 commit into tigera:main from
Conversation
Document the cni.projectcalico.org/allowedSourcePrefixes pod annotation across all three products (Calico, Calico Enterprise, Calico Cloud). This annotation allows pods to send egress traffic with source IPs outside their own address, requiring workloadSourceSpoofing: Any in FelixConfiguration.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
❌ Deploy Preview for tigera failed.
✅ Deploy Preview for calico-docs-preview-next ready!
Pull request overview
Adds new documentation pages across Calico OSS, Calico Enterprise, and Calico Cloud describing the cni.projectcalico.org/allowedSourcePrefixes pod annotation and links them into each product’s “Configure networking” sidebar.
Changes:
- Added `allowed-source-prefixes.mdx` under `networking/configuring/` for Calico, Enterprise, and Cloud.
- Documented the required FelixConfiguration setting (`workloadSourceSpoofing: Any`) and included a security caution about admission control.
- Added sidebar entries in all three products so the new page is discoverable.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| sidebars-calico.js | Adds the new “allowed-source-prefixes” page to the Calico OSS networking/configuring sidebar. |
| sidebars-calico-enterprise.js | Adds the new page to the Calico Enterprise networking/configuring sidebar. |
| sidebars-calico-cloud.js | Adds the new page to the Calico Cloud networking/configuring sidebar. |
| calico/networking/configuring/allowed-source-prefixes.mdx | New OSS doc page for the allowedSourcePrefixes annotation and Felix prerequisite. |
| calico-enterprise/networking/configuring/allowed-source-prefixes.mdx | New Enterprise doc page for the allowedSourcePrefixes annotation and Felix prerequisite. |
| calico-cloud/networking/configuring/allowed-source-prefixes.mdx | New Cloud doc page for the allowedSourcePrefixes annotation and Felix prerequisite. |
| Enable `workloadSourceSpoofing` in the FelixConfiguration resource: | ||
This page documents a Calico CNI pod annotation, but the prerequisites don’t mention that the cluster must be using Calico CNI (as is done in other annotation docs in this section). Add that prerequisite (and optionally link to the CNI plugin configuration page) before the FelixConfiguration step.
| Enable `workloadSourceSpoofing` in the FelixConfiguration resource: | |
| Ensure the following prerequisites are met: | |
| - Your cluster is configured to use the Calico CNI plugin. | |
| - `workloadSourceSpoofing` is enabled in the FelixConfiguration resource: |
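Review bot: the second bullet of the suggested text ends with a colon and is immediately followed by the ```yaml block, so in the .mdx source that fenced block has to be indented under the bullet; if it is left at column zero it terminates the list and renders as a top-level block detached from the step it illustrates. Indent the fence (and the YAML lines) by the list-item width so the manifest stays inside "`workloadSourceSpoofing` is enabled in the FelixConfiguration resource:".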
| Enable `workloadSourceSpoofing` in the FelixConfiguration resource: | ||
| ```yaml | ||
| apiVersion: crd.projectcalico.org/v1 |
The FelixConfiguration YAML example uses apiVersion: crd.projectcalico.org/v1, but other docs in this product use projectcalico.org/v3 for FelixConfiguration. Please align the apiVersion here (or explicitly call out when each apiVersion applies) to avoid users applying the wrong manifest.
| apiVersion: crd.projectcalico.org/v1 | |
| apiVersion: projectcalico.org/v3 |
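Review bot: the two apiVersions are not interchangeable, so the page should state which one its example targets rather than only swapping the string. `projectcalico.org/v3` is the FelixConfiguration form served by the Calico API server and calicoctl; `crd.projectcalico.org/v1` is the backing CRD that is applied directly with kubectl in clusters without the API server. Either keep `v1` and say the manifest is for plain kubectl, or take the suggested `v3` and match the other FelixConfiguration examples in this product. A reader who applies the wrong form gets a resource-not-found error and, worse, may believe the opt-in took effect when it did not.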
| Because allowing non-pod source IPs is a security-sensitive operation, Felix disables support for the annotation by default. You must explicitly opt in by setting `workloadSourceSpoofing: Any` in the FelixConfiguration resource before the annotation takes effect. | ||
| ## Before you begin... | ||
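Review bot: the sentence "Because allowing non-pod source IPs is a security-sensitive operation, Felix disables support for the annotation by default" should also say what the opt-in does not do. `workloadSourceSpoofing: Any` is a FelixConfiguration switch (cluster-wide, or per node via a node-specific FelixConfiguration), not a per-pod allow list: once it is set, any pod whose manifest carries the `cni.projectcalico.org/allowedSourcePrefixes` annotation can emit traffic from the prefixes it lists. That makes the admission-control caution this PR adds the real control over which workloads may use the feature; suggest placing that caution, or a pointer to it, directly after this sentence, where readers decide whether to opt in.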
This page documents a Calico CNI pod annotation, but the prerequisites don’t mention that the cluster must be using Calico CNI (as is done in other annotation docs in this section). Add that prerequisite (and optionally link to the CNI plugin configuration page) before the FelixConfiguration step.
| Ensure your Kubernetes cluster is using the Calico CNI plugin. |
| Enable `workloadSourceSpoofing` in the FelixConfiguration resource: | ||
| ```yaml | ||
| apiVersion: crd.projectcalico.org/v1 |
The FelixConfiguration YAML example uses apiVersion: crd.projectcalico.org/v1, but other docs in this product use projectcalico.org/v3 for FelixConfiguration. Please align the apiVersion here (or explicitly call out when each apiVersion applies) to avoid users applying the wrong manifest.
| apiVersion: crd.projectcalico.org/v1 | |
| apiVersion: projectcalico.org/v3 |
| Because allowing non-pod source IPs is a security-sensitive operation, Felix disables support for the annotation by default. You must explicitly opt in by setting `workloadSourceSpoofing: Any` in the FelixConfiguration resource before the annotation takes effect. | ||
| ## Before you begin... | ||
This page documents a Calico CNI pod annotation, but the prerequisites don’t mention that the cluster must be using Calico CNI (as is done in other annotation docs in this section). Add that prerequisite (and optionally link to the CNI plugin configuration page) before the FelixConfiguration step.
| Ensure your cluster is configured to use the Calico CNI plugin. |
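Review bot: the suggested prerequisite wording differs across the three product pages: a two-item list ("Ensure the following prerequisites are met:" with the Calico CNI bullet and the `workloadSourceSpoofing` bullet) for the first file, "Ensure your Kubernetes cluster is using the Calico CNI plugin." for the second, and "Ensure your cluster is configured to use the Calico CNI plugin." here. Since the three pages are variants of one document, pick one wording for all of them; the list form is preferable because it keeps the CNI prerequisite and the FelixConfiguration step together, and it lets future edits be mirrored across products line for line.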
| Enable `workloadSourceSpoofing` in the FelixConfiguration resource: | ||
| ```yaml | ||
| apiVersion: crd.projectcalico.org/v1 |
The FelixConfiguration YAML example uses apiVersion: crd.projectcalico.org/v1, but other docs in this product use projectcalico.org/v3 for FelixConfiguration. Please align the apiVersion here (or explicitly call out when each apiVersion applies) to avoid users applying the wrong manifest.
| apiVersion: crd.projectcalico.org/v1 | |
| apiVersion: projectcalico.org/v3 |
Summary
- `allowed-source-prefixes.mdx` page under `networking/configuring/` for all three products (Calico, Calico Enterprise, Calico Cloud)
- `cni.projectcalico.org/allowedSourcePrefixes` pod annotation, which allows pods to send egress traffic with source IPs outside their own address
- `workloadSourceSpoofing: Any` FelixConfiguration setting and security caution about admission control

Test plan

🤖 Generated with Claude Code