diff --git a/CHANGELOG.md b/CHANGELOG.md
index 59f139a2da..b888897c1e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -45,6 +45,10 @@ nginx-ingress-controller image has been bump accordingly from v0.41.2 to v0.46.0 (PR[#3371](https://github.com/scality/metalk8s/pull/3371))
+- [#3279](https://github.com/scality/metalk8s/issues/3279) - Bump
+ Calico version from 3.17.0 to 3.19.0
+ (PR [#](https://github.com/scality/metalk8s/pull/))
+
 ### Breaking changes
 - [#2199](https://github.com/scality/metalk8s/issues/2199) - Prometheus label
diff --git a/buildchain/buildchain/versions.py b/buildchain/buildchain/versions.py
index ee8de17ad1..15e83b9256 100644
--- a/buildchain/buildchain/versions.py
+++ b/buildchain/buildchain/versions.py
@@ -18,7 +18,7 @@
 # Project-wide versions {{{
-CALICO_VERSION: str = "3.17.0"
+CALICO_VERSION: str = "3.19.0"
 K8S_VERSION: str = "1.21.0"
 SALT_VERSION: str = "3002.6"
 CONTAINERD_VERSION: str = "1.4.3"
@@ -97,12 +97,12 @@ def _version_prefix(version: str, prefix: str = "v") -> str:
 Image(
 name="calico-node",
 version=_version_prefix(CALICO_VERSION),
- digest="sha256:92227666988edccd1222d463173489fd656c5a37b8dedab0dadfbc22a471893a",
+ digest="sha256:b6f8efff537a3618a84e715f86b6beac9199217a4b9293dad43adb0ac4bace2e",
 ),
 Image(
 name="calico-kube-controllers",
 version=_version_prefix(CALICO_VERSION),
- digest="sha256:78a6e7648e22b2c87fcc06db610d753e49c6f9b3cf622ab23fdc3a63c1563fc8",
+ digest="sha256:1f6affe77017e121d7ee1afae8bd9a8476ef860fb238a866401190b62d1808f1",
 ),
 Image(
 name="coredns",
diff --git a/packages/redhat/common/calico-cni-plugin.spec b/packages/redhat/common/calico-cni-plugin.spec
index 9cf938c830..3ed70bf7db 100644
--- a/packages/redhat/common/calico-cni-plugin.spec
+++ b/packages/redhat/common/calico-cni-plugin.spec
@@ -6,12 +6,12 @@
 %ifarch x86_64
 %global built_arch amd64
-%global calico_sha256 9325d1ead70f2afb9222da64f0c7eaa1f3c5f68763241d6b07cff3a853b783f2
-%global calico_ipam_sha256 9325d1ead70f2afb9222da64f0c7eaa1f3c5f68763241d6b07cff3a853b783f2
+%global calico_sha256 78d2e1ef77c81775c907489b4ce174d72c8e04638edf4b0017299b0d2f39b9e5
+%global calico_ipam_sha256 78d2e1ef77c81775c907489b4ce174d72c8e04638edf4b0017299b0d2f39b9e5
 %endif
 Name: calico-cni-plugin
-Version: 3.17.0
+Version: 3.19.0
 Release: 1%{?dist}
 Summary: Calico CNI plugin
@@ -49,6 +49,9 @@ install -p -m 755 %{SOURCE2} %{buildroot}/opt/cni/bin/calico-ipam
 %doc README.md
 %changelog
+* Tue May 11 2021 Alexandre Allard - 3.19.0-1
+- Version bump
+
 * Wed Nov 25 2020 Teddy Andrieux - 3.17.0-1
 - Version bump
diff --git a/salt/metalk8s/kubernetes/cni/calico/deployed.sls b/salt/metalk8s/kubernetes/cni/calico/deployed.sls
index 9a4e6d4106..fac2af6719 100644
--- a/salt/metalk8s/kubernetes/cni/calico/deployed.sls
+++ b/salt/metalk8s/kubernetes/cni/calico/deployed.sls
@@ -71,8 +71,6 @@ data:
 ---
 # Source: calico/templates/kdd-crds.yaml
-
----
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -192,6 +190,18 @@ spec:
 type: string
 type: object
 type: array
+ serviceLoadBalancerIPs:
+ description: ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes
+ Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress
+ IPs will only be advertised if they are within one of these blocks.
+ items:
+ description: ServiceLoadBalancerIPBlock represents a single allowed
+ LoadBalancer IP CIDR block.
+ properties:
+ cidr:
+ type: string
+ type: object
+ type: array
 type: object
 type: object
 served: true
@@ -203,8 +213,6 @@ status:
 conditions: []
 storedVersions: []
----
-
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
@@ -243,7 +251,6 @@ spec: format: int32 type: integer keepOriginalNextHop: - default: false description: Option to keep the original nexthop field when routes are sent to a BGP Peer. Setting "true" configures the selected BGP Peers node to use the "next hop keep;" instead of "next hop self;"(default) @@ -258,6 +265,29 @@ spec: description: Selector for the nodes that should have this peering. When this is set, the Node field must be empty. type: string + password: + description: Optional BGP password for the peerings generated by this + BGPPeer resource. + properties: + secretKeyRef: + description: Selects a key of a secret in the node pod's namespace. + properties: + key: + description: The key of the secret to select from. Must be + a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must be + defined + type: boolean + required: + - key + type: object + type: object peerIP: description: The IP address of the peer followed by an optional port number to peer with. If port number is given, format should be `[]:port` @@ -274,6 +304,12 @@ spec: remote AS number comes from the remote node's NodeBGPSpec.ASNumber, or the global default if that is not set. type: string + sourceAddress: + description: Specifies whether and how to configure a source address + for the peerings generated by this BGPPeer resource. Default value + "UseNodeIP" means to configure the node IP as the source address. "None" + means not to configure a source address. + type: string type: object type: object served: true @@ -285,8 +321,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition 
@@ -348,8 +382,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -414,8 +446,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -450,6 +480,16 @@ spec: spec: description: FelixConfigurationSpec contains the values of the Felix configuration. properties: + allowIPIPPacketsFromWorkloads: + description: 'AllowIPIPPacketsFromWorkloads controls whether Felix + will add a rule to drop IPIP encapsulated traffic from workloads + [Default: false]' + type: boolean + allowVXLANPacketsFromWorkloads: + description: 'AllowVXLANPacketsFromWorkloads controls whether Felix + will add a rule to drop VXLAN encapsulated traffic from workloads + [Default: false]' + type: boolean awsSrcDstCheck: description: 'Set source-destination-check on AWS EC2 instances. Accepted value must be one of "DoNothing", "Enabled" or "Disabled". [Default: @@ -486,6 +526,13 @@ spec: description: 'BPFEnabled, if enabled Felix will use the BPF dataplane. [Default: false]' type: boolean + bpfExtToServiceConnmark: + description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit + mark that is set on connections from an external client to a local + service. This mark allows us to control how packets of that connection + are routed within the host and how is routing intepreted by RPF + check. [Default: 0]' + type: integer bpfExternalServiceMode: description: 'BPFExternalServiceMode in BPF mode, controls how connections from outside the cluster to services (node ports and cluster IPs) 
@@ -542,11 +589,11 @@ spec: traffic that goes from a workload endpoint to the host itself (after the traffic hits the endpoint egress policy). By default Calico blocks traffic from workload endpoints to the host itself with an - iptables “DROP” action. If you want to allow some or all traffic + iptables "DROP" action. If you want to allow some or all traffic from endpoint to host, set this parameter to RETURN or ACCEPT. Use - RETURN if you have your own rules in the iptables “INPUT” chain; - Calico will insert its rules at the top of that chain, then “RETURN” - packets to the “INPUT” chain once it has completed processing workload + RETURN if you have your own rules in the iptables "INPUT" chain; + Calico will insert its rules at the top of that chain, then "RETURN" + packets to the "INPUT" chain once it has completed processing workload endpoint egress policy. Use ACCEPT to unconditionally accept packets from workloads after processing workload endpoint egress policy. [Default: Drop]' 
@@ -574,19 +621,21 @@ spec: type: string type: array failsafeInboundHostPorts: - description: 'FailsafeInboundHostPorts is a comma-delimited list of - UDP/TCP ports that Felix will allow incoming traffic to host endpoints + description: 'FailsafeInboundHostPorts is a list of UDP/TCP ports + and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid - accidentally cutting off a host with incorrect configuration. Each - port should be specified as tcp: or udp:. - For back-compatibility, if the protocol is not specified, it defaults - to “tcp”. To disable all inbound host ports, use the value none. - The default value allows ssh access and DHCP. [Default: tcp:22, + accidentally cutting off a host with incorrect configuration. For + back-compatibility, if the protocol is not specified, it defaults + to "tcp". If a CIDR is not specified, it will allow traffic from + all addresses. To disable all inbound host ports, use the value + none. The default value allows ssh access and DHCP. [Default: tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]' items: - description: ProtoPort is combination of protocol and port, both - must be specified. + description: ProtoPort is combination of protocol, port, and CIDR. + Protocol and port must be specified. properties: + net: + type: string port: type: integer protocol: 
@@ -597,21 +646,23 @@ spec: type: object type: array failsafeOutboundHostPorts: - description: 'FailsafeOutboundHostPorts is a comma-delimited list - of UDP/TCP ports that Felix will allow outgoing traffic from host - endpoints to irrespective of the security policy. This is useful - to avoid accidentally cutting off a host with incorrect configuration. - Each port should be specified as tcp: or udp:. - For back-compatibility, if the protocol is not specified, it defaults - to “tcp”. To disable all outbound host ports, use the value none. - The default value opens etcd''s standard ports to ensure that Felix - does not get cut off from etcd as well as allowing DHCP and DNS. - [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667, - udp:53, udp:67]' + description: 'FailsafeOutboundHostPorts is a list of UDP/TCP ports + and CIDRs that Felix will allow outgoing traffic from host endpoints + to irrespective of the security policy. This is useful to avoid + accidentally cutting off a host with incorrect configuration. For + back-compatibility, if the protocol is not specified, it defaults + to "tcp". If a CIDR is not specified, it will allow traffic from + all addresses. To disable all outbound host ports, use the value + none. The default value opens etcd''s standard ports to ensure that + Felix does not get cut off from etcd as well as allowing DHCP and + DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, + tcp:6667, udp:53, udp:67]' items: - description: ProtoPort is combination of protocol and port, both - must be specified. + description: ProtoPort is combination of protocol, port, and CIDR. + Protocol and port must be specified. properties: + net: + type: string port: type: integer protocol: @@ -958,8 +1009,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition 
@@ -1011,7 +1060,7 @@ spec: action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criteria has - a negated version, prefixed with ”Not”. All the match criteria + a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match." @@ -1094,9 +1143,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." @@ -1299,9 +1348,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." 
@@ -1342,7 +1391,7 @@ spec: action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criteria has - a negated version, prefixed with ”Not”. All the match criteria + a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match." @@ -1425,9 +1474,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." @@ -1630,9 +1679,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." 
@@ -1731,8 +1780,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -1786,8 +1833,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -1847,7 +1892,7 @@ spec: is empty - through the specific interface that has one of the IPs in ExpectedIPs. Therefore, when InterfaceName is empty, at least one expected IP must be specified. Only external interfaces (such - as “eth0”) are supported here; it isn't possible for a HostEndpoint + as \"eth0\") are supported here; it isn't possible for a HostEndpoint to protect traffic through a specific local workload interface. \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints; initially just pre-DNAT policy. Please check Calico documentation @@ -1896,8 +1941,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -1966,7 +2009,6 @@ spec: - allocations - attributes - cidr - - deleted - strictAffinity - unallocated type: object @@ -1980,8 +2022,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -2038,8 +2078,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -2096,8 +2134,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -2197,8 +2233,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition 
@@ -2308,6 +2342,10 @@ spec: description: 'LogSeverityScreen is the log severity above which logs are sent to the stdout. [Default: Info]' type: string + prometheusMetricsPort: + description: 'PrometheusMetricsPort is the TCP port that the Prometheus + metrics server should bind to. Set to 0 to disable. [Default: 9094]' + type: integer required: - controllers type: object @@ -2408,6 +2446,11 @@ spec: description: 'LogSeverityScreen is the log severity above which logs are sent to the stdout. [Default: Info]' type: string + prometheusMetricsPort: + description: 'PrometheusMetricsPort is the TCP port that the Prometheus + metrics server should bind to. Set to 0 to disable. [Default: + 9094]' + type: integer required: - controllers type: object @@ -2422,8 +2465,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -2464,7 +2505,7 @@ spec: action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criteria has - a negated version, prefixed with ”Not”. All the match criteria + a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match." 
@@ -2547,9 +2588,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." @@ -2752,9 +2793,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." @@ -2795,7 +2836,7 @@ spec: action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criteria has - a negated version, prefixed with ”Not”. All the match criteria + a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match." 
@@ -2878,9 +2919,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." @@ -3083,9 +3124,9 @@ spec: One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector + that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. + Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints." @@ -3176,8 +3217,6 @@ status: conditions: [] storedVersions: [] ---- - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -3271,6 +3310,7 @@ rules: - create - update - delete + - watch # kube-controllers manages hostendpoints. - apiGroups: ["crd.projectcalico.org"] resources: @@ -3477,7 +3517,6 @@ subjects: kind: Group name: metalk8s:calico-node - --- # Source: calico/templates/calico-node.yaml # This manifest installs the calico-node container, as well 
@@ -3642,6 +3681,8 @@ spec:
 # NOTE: Use all workload CIDRs
 value: cidr={{ networks.workload_plane.cidr | join(',') }}
 # Enable IPIP
+ # Note: In MetalK8s we want to use IPIP encapsulation
+ # only for cross subnet communication.
 - name: CALICO_IPV4POOL_IPIP
 value: "CrossSubnet"
 # Enable or Disable VXLAN on the default IP pool.
@@ -3844,11 +3885,20 @@ spec:
 value: node
 - name: DATASTORE_TYPE
 value: kubernetes
+ livenessProbe:
+ exec:
+ command:
+ - /usr/bin/check-status
+ - -l
+ periodSeconds: 10
+ initialDelaySeconds: 10
+ failureThreshold: 6
 readinessProbe:
 exec:
 command:
 - /usr/bin/check-status
 - -r
+ periodSeconds: 10
 ---
@@ -3883,3 +3933,5 @@ spec:
 ---
 # Source: calico/templates/configure-canal.yaml
+
+