From bdbb11f633c058e5cfe43d8e148f3181d3461e30 Mon Sep 17 00:00:00 2001
From: Akhilesh Sarda
Date: Wed, 26 Jun 2024 06:36:54 -0400
Subject: [PATCH 1/2] Add ACI-CNI 6.0.4.2 template

---
 pkg/rke/k8s_rke_system_images.go | 48 +-
 pkg/rke/templates/aci-v6.0.4.2.go | 2661 +++++++++++++++++++++++++++++
 pkg/rke/templates/templates.go | 77 +-
 3 files changed, 2726 insertions(+), 60 deletions(-)
 create mode 100644 pkg/rke/templates/aci-v6.0.4.2.go

diff --git a/pkg/rke/k8s_rke_system_images.go b/pkg/rke/k8s_rke_system_images.go
index f3ae1bf13..acd8a133a 100644
--- a/pkg/rke/k8s_rke_system_images.go
+++ b/pkg/rke/k8s_rke_system_images.go
@@ -10336,12 +10336,12 @@ func loadK8sRKESystemImages() map[string]v3.RKESystemImages {
 CanalFlexVol: "rancher/mirrored-calico-pod2daemon-flexvol:v3.26.3",
 WeaveNode: "weaveworks/weave-kube:2.8.1",
 WeaveCNI: "weaveworks/weave-npc:2.8.1",
- AciCniDeployContainer: "noiro/cnideploy:6.0.4.1.81c2369",
- AciHostContainer: "noiro/aci-containers-host:6.0.4.1.81c2369",
- AciOpflexContainer: "noiro/opflex:6.0.4.1.81c2369",
- AciMcastContainer: "noiro/opflex:6.0.4.1.81c2369",
- AciOpenvSwitchContainer: "noiro/openvswitch:6.0.4.1.81c2369",
- AciControllerContainer: "noiro/aci-containers-controller:6.0.4.1.81c2369",
+ AciCniDeployContainer: "noiro/cnideploy:6.0.4.2.81c2369",
+ AciHostContainer: "noiro/aci-containers-host:6.0.4.2.81c2369",
+ AciOpflexContainer: "noiro/opflex:6.0.4.2.81c2369",
+ AciMcastContainer: "noiro/opflex:6.0.4.2.81c2369",
+ AciOpenvSwitchContainer: "noiro/openvswitch:6.0.4.2.81c2369",
+ AciControllerContainer: "noiro/aci-containers-controller:6.0.4.2.81c2369",
 PodInfraContainer: "rancher/mirrored-pause:3.7",
 Ingress: "rancher/nginx-ingress-controller:nginx-1.9.4-rancher1",
 IngressBackend: "rancher/mirrored-nginx-ingress-controller-defaultbackend:1.5-rancher1",
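Review bot: The new tags keep the `81c2369` suffix of the 6.0.4.1 images (`AciCniDeployContainer: "noiro/cnideploy:6.0.4.2.81c2369"` and the five sibling fields), which reads as a build-commit identifier that would normally change between releases; if the 6.0.4.2 images were not published under exactly these tags, every cluster selecting one of these Kubernetes versions fails at image pull, and the same applies to the hunks at -10546, -10588 and -10628. Please confirm each of the six `noiro/*` tags resolves in the registry before merge. Since these fields are plain tag strings, a cluster pulls whatever the mutable tag points to at provisioning time; if the image map tolerates it, referencing the 6.0.4.2 images by digest would make the rollout reproducible and the pulled bits attributable. The enclosing loadK8sRKESystemImages literal continues outside the hunk.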
@@ -10546,12 +10546,12 @@ func loadK8sRKESystemImages() map[string]v3.RKESystemImages {
 CanalFlexVol: "rancher/mirrored-calico-pod2daemon-flexvol:v3.27.0",
 WeaveNode: "weaveworks/weave-kube:2.8.1",
 WeaveCNI: "weaveworks/weave-npc:2.8.1",
- AciCniDeployContainer: "noiro/cnideploy:6.0.4.1.81c2369",
- AciHostContainer: "noiro/aci-containers-host:6.0.4.1.81c2369",
- AciOpflexContainer: "noiro/opflex:6.0.4.1.81c2369",
- AciMcastContainer: "noiro/opflex:6.0.4.1.81c2369",
- AciOpenvSwitchContainer: "noiro/openvswitch:6.0.4.1.81c2369",
- AciControllerContainer: "noiro/aci-containers-controller:6.0.4.1.81c2369",
+ AciCniDeployContainer: "noiro/cnideploy:6.0.4.2.81c2369",
+ AciHostContainer: "noiro/aci-containers-host:6.0.4.2.81c2369",
+ AciOpflexContainer: "noiro/opflex:6.0.4.2.81c2369",
+ AciMcastContainer: "noiro/opflex:6.0.4.2.81c2369",
+ AciOpenvSwitchContainer: "noiro/openvswitch:6.0.4.2.81c2369",
+ AciControllerContainer: "noiro/aci-containers-controller:6.0.4.2.81c2369",
 PodInfraContainer: "rancher/mirrored-pause:3.7",
 Ingress: "rancher/nginx-ingress-controller:nginx-1.9.6-rancher1",
 IngressBackend: "rancher/mirrored-nginx-ingress-controller-defaultbackend:1.5-rancher1",
@@ -10588,12 +10588,12 @@ func loadK8sRKESystemImages() map[string]v3.RKESystemImages {
 CanalFlexVol: "rancher/mirrored-calico-pod2daemon-flexvol:v3.27.3",
 WeaveNode: "weaveworks/weave-kube:2.8.1",
 WeaveCNI: "weaveworks/weave-npc:2.8.1",
- AciCniDeployContainer: "noiro/cnideploy:6.0.4.1.81c2369",
- AciHostContainer: "noiro/aci-containers-host:6.0.4.1.81c2369",
- AciOpflexContainer: "noiro/opflex:6.0.4.1.81c2369",
- AciMcastContainer: "noiro/opflex:6.0.4.1.81c2369",
- AciOpenvSwitchContainer: "noiro/openvswitch:6.0.4.1.81c2369",
- AciControllerContainer: "noiro/aci-containers-controller:6.0.4.1.81c2369",
+ AciCniDeployContainer: "noiro/cnideploy:6.0.4.2.81c2369",
+ AciHostContainer: "noiro/aci-containers-host:6.0.4.2.81c2369",
+ AciOpflexContainer: "noiro/opflex:6.0.4.2.81c2369",
+ AciMcastContainer: "noiro/opflex:6.0.4.2.81c2369",
+ AciOpenvSwitchContainer: "noiro/openvswitch:6.0.4.2.81c2369",
+ AciControllerContainer: "noiro/aci-containers-controller:6.0.4.2.81c2369",
 PodInfraContainer: "rancher/mirrored-pause:3.7",
 Ingress: "rancher/nginx-ingress-controller:nginx-1.9.6-rancher1",
 IngressBackend: "rancher/mirrored-nginx-ingress-controller-defaultbackend:1.5-rancher1",
@@ -10628,12 +10628,12 @@ func loadK8sRKESystemImages() map[string]v3.RKESystemImages {
 CanalControllers: "rancher/mirrored-calico-kube-controllers:v3.28.0",
 CanalFlannel: "rancher/mirrored-flannel-flannel:v0.25.1",
 CanalFlexVol: "rancher/mirrored-calico-pod2daemon-flexvol:v3.28.0",
- AciCniDeployContainer: "noiro/cnideploy:6.0.4.1.81c2369",
- AciHostContainer: "noiro/aci-containers-host:6.0.4.1.81c2369",
- AciOpflexContainer: "noiro/opflex:6.0.4.1.81c2369",
- AciMcastContainer: "noiro/opflex:6.0.4.1.81c2369",
- AciOpenvSwitchContainer: "noiro/openvswitch:6.0.4.1.81c2369",
- AciControllerContainer: "noiro/aci-containers-controller:6.0.4.1.81c2369",
+ AciCniDeployContainer: "noiro/cnideploy:6.0.4.2.81c2369",
+ AciHostContainer: "noiro/aci-containers-host:6.0.4.2.81c2369",
+ AciOpflexContainer: "noiro/opflex:6.0.4.2.81c2369",
+ AciMcastContainer: "noiro/opflex:6.0.4.2.81c2369",
+ AciOpenvSwitchContainer: "noiro/openvswitch:6.0.4.2.81c2369",
+ AciControllerContainer: "noiro/aci-containers-controller:6.0.4.2.81c2369",
 PodInfraContainer: "rancher/mirrored-pause:3.7",
 Ingress: "rancher/nginx-ingress-controller:nginx-1.10.1-rancher1",
 IngressBackend: "rancher/mirrored-nginx-ingress-controller-defaultbackend:1.5-rancher1",
diff --git a/pkg/rke/templates/aci-v6.0.4.2.go b/pkg/rke/templates/aci-v6.0.4.2.go
new file mode 100644
index 000000000..942b20dbd
--- /dev/null
+++ b/pkg/rke/templates/aci-v6.0.4.2.go
@@ -0,0 +1,2661 @@ +package templates + +const AciTemplateV6042 = ` +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: acicontainersoperators.aci.ctrl +spec: + group: aci.ctrl + names: + kind: AciContainersOperator + listKind: AciContainersOperatorList + plural: acicontainersoperators + singular: acicontainersoperator + scope: Namespaced + versions: + - name: v1alpha1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + description: acicontainersoperator owns the lifecycle of ACI objects in the cluster + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + description: AciContainersOperatorSpec defines the desired spec for ACI Objects + properties: + flavor: + type: string + config: + type: string + type: object + status: + description: AciContainersOperatorStatus defines the successful completion of AciContainersOperator + properties: + status: + type: boolean + type: object + required: + - spec + type: object +--- +apiVersion: v1 +kind: Namespace +metadata: + name: aci-containers-system + labels: + aci-containers-config-version: "{{.Token}}" + network-plugin: aci-containers +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: nodepodifs.aci.aw +spec: + group: aci.aw + names: + kind: NodePodIF + listKind: NodePodIFList + plural: nodepodifs + singular: nodepodif + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + type: object + properties: + podifs: + type: array + items: + type: object + properties: + containerID: + type: string + epg: + type: string + ifname: + type: string + ipaddr: + type: string + macaddr: + type: string + podname: + type: string + podns: + type: string + vtep: + type: string + required: + - spec + type: object +--- +{{- if eq 
.UseAciCniPriorityClass "true"}} +apiVersion: scheduling.k8s.io/v1beta1 +kind: PriorityClass +metadata: + name: acicni-priority +value: 1000000000 +globalDefault: false +description: "This priority class is used for ACI-CNI resources" +--- +{{- end }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: snatglobalinfos.aci.snat +spec: + group: aci.snat + names: + kind: SnatGlobalInfo + listKind: SnatGlobalInfoList + plural: snatglobalinfos + singular: snatglobalinfo + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + description: SnatGlobalInfo is the Schema for the snatglobalinfos API + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + globalInfos: + additionalProperties: + items: + properties: + macAddress: + type: string + portRanges: + items: + properties: + end: + maximum: 65535 + minimum: 1 + type: integer + start: + maximum: 65535 + minimum: 1 + type: integer + type: object + type: array + snatIp: + type: string + snatIpUid: + type: string + snatPolicyName: + type: string + required: + - macAddress + - portRanges + - snatIp + - snatIpUid + - snatPolicyName + type: object + type: array + type: object + required: + - globalInfos + type: object + status: + description: SnatGlobalInfoStatus defines the observed state of SnatGlobalInfo + type: object + type: object +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: snatlocalinfos.aci.snat +spec: + group: aci.snat + names: + kind: SnatLocalInfo + listKind: SnatLocalInfoList + plural: snatlocalinfos + singular: snatlocalinfo + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + description: SnatLocalInfoSpec defines the desired state of SnatLocalInfo + properties: + 
localInfos: + items: + properties: + podName: + type: string + podNamespace: + type: string + podUid: + type: string + snatPolicies: + items: + properties: + destIp: + items: + type: string + type: array + name: + type: string + snatIp: + type: string + required: + - destIp + - name + - snatIp + type: object + type: array + required: + - podName + - podNamespace + - podUid + - snatPolicies + type: object + type: array + required: + - localInfos + type: object + type: object +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: snatpolicies.aci.snat +spec: + group: aci.snat + names: + kind: SnatPolicy + listKind: SnatPolicyList + plural: snatpolicies + singular: snatpolicy + scope: Cluster + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + type: object + properties: + selector: + type: object + properties: + labels: + type: object + description: 'Selection of Pods' + properties: + additionalProperties: + type: string + namespace: + type: string + type: object + snatIp: + type: array + items: + type: string + destIp: + type: array + items: + type: string + type: object + status: + type: object + properties: + additionalProperties: + type: string +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: nodeinfos.aci.snat +spec: + group: aci.snat + names: + kind: NodeInfo + listKind: NodeInfoList + plural: nodeinfos + singular: nodeinfo + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + macaddress: + type: string + snatpolicynames: + additionalProperties: + type: boolean + type: object + type: object + status: + description: NodeinfoStatus defines 
the observed state of Nodeinfo + type: object + type: object +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: rdconfigs.aci.snat +spec: + group: aci.snat + names: + kind: RdConfig + listKind: RdConfigList + plural: rdconfigs + singular: rdconfig + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + discoveredsubnets: + items: + type: string + type: array + usersubnets: + items: + type: string + type: array + type: object + status: + description: NodeinfoStatus defines the observed state of Nodeinfo + type: object + type: object +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: networkpolicies.aci.netpol +spec: + group: aci.netpol + names: + kind: NetworkPolicy + listKind: NetworkPolicyList + plural: networkpolicies + singular: networkpolicy + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: Network Policy describes traffic flow at IP address or port level + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + appliedTo: + properties: + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + podSelector: + description: allow ingress from the same namespace + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: 
object + egress: + description: Set of egress rules evaluated based on the order in which they are set. + items: + properties: + action: + description: Action specifies the action to be applied on the rule. + type: string + enableLogging: + description: EnableLogging is used to indicate if agent should generate logs default to false. + type: boolean + ports: + description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports. + items: + description: NetworkPolicyPort describes the port and protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical port is specified. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + type: string + type: object + type: array + to: + description: Rule is matched if traffic is intended for workloads selected by this field. If this field is empty or missing, this rule matches all destinations. + items: + properties: + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64" + type: string + except: + description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64" Except values will be rejected if they are outside the CIDR range + items: + type: string + type: array + required: + - cidr + type: object + namespaceSelector: + description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + podSelector: + description: Select Pods from NetworkPolicys Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + type: array + toFqDn: + properties: + matchNames: + items: + type: string + type: array + required: + - matchNames + type: object + required: + - enableLogging + - toFqDn + type: object + type: array + ingress: + description: Set of ingress rules evaluated based on the order in which they are set. + items: + properties: + action: + description: Action specifies the action to be applied on the rule. + type: string + enableLogging: + description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false. + type: boolean + from: + description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources. + items: + properties: + ipBlock: + description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ properties: + cidr: + description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64" + type: string + except: + description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64" Except values will be rejected if they are outside the CIDR range + items: + type: string + type: array + required: + - cidr + type: object + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + podSelector: + description: Select Pods from NetworkPolicys Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + properties: + key: + type: string + operator: + description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. 
This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + type: array + ports: + description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports. + items: + description: NetworkPolicyPort describes the port and protocol to match in a rule. + properties: + endPort: + description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical port is specified. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + type: string + type: object + type: array + type: object + type: array + policyTypes: + items: + description: Policy Type string describes the NetworkPolicy type This type is beta-level in 1.8 + type: string + type: array + priority: + description: Priority specfies the order of the NetworkPolicy relative to other NetworkPolicies. + type: integer + type: + description: type of the policy. 
+ type: string + required: + - type + type: object + required: + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: dnsnetworkpolicies.aci.dnsnetpol +spec: + group: aci.dnsnetpol + names: + kind: DnsNetworkPolicy + listKind: DnsNetworkPolicyList + plural: dnsnetworkpolicies + singular: dnsnetworkpolicy + scope: Namespaced + versions: + - name: v1beta + schema: + openAPIV3Schema: + description: dns network Policy + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + appliedTo: + properties: + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + podSelector: + description: allow ingress from the same namespace + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + egress: + description: Set of egress rules evaluated based on the order in which they are set. 
+ properties: + toFqdn: + properties: + matchNames: + items: + type: string + type: array + required: + - matchNames + type: object + required: + - toFqdn + type: object + type: object + required: + - spec + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: qospolicies.aci.qos +spec: + group: aci.qos + names: + kind: QosPolicy + listKind: QosPolicyList + plural: qospolicies + singular: qospolicy + scope: Namespaced + preserveUnknownFields: false + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + properties: + apiVersion: + type: string + kind: + type: string + spec: + type: object + properties: + podSelector: + description: 'Selection of Pods' + type: object + properties: + matchLabels: + type: object + description: + ingress: + type: object + properties: + policing_rate: + type: integer + minimum: 0 + policing_burst: + type: integer + minimum: 0 + egress: + type: object + properties: + policing_rate: + type: integer + minimum: 0 + policing_burst: + type: integer + minimum: 0 + dscpmark: + type: integer + default: 0 + minimum: 0 + maximum: 63 +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: netflowpolicies.aci.netflow +spec: + group: aci.netflow + names: + kind: NetflowPolicy + listKind: NetflowPolicyList + plural: netflowpolicies + singular: netflowpolicy + scope: Cluster + preserveUnknownFields: false + versions: + - name: v1alpha + served: true + storage: true + schema: + # openAPIV3Schema is the schema for validating custom objects. 
+ openAPIV3Schema: + type: object + properties: + apiVersion: + type: string + kind: + type: string + spec: + type: object + properties: + flowSamplingPolicy: + type: object + properties: + destIp: + type: string + destPort: + type: integer + minimum: 0 + maximum: 65535 + default: 2055 + flowType: + type: string + enum: + - netflow + - ipfix + default: netflow + activeFlowTimeOut: + type: integer + minimum: 0 + maximum: 3600 + default: 60 + idleFlowTimeOut: + type: integer + minimum: 0 + maximum: 600 + default: 15 + samplingRate: + type: integer + minimum: 0 + maximum: 1000 + default: 0 + required: + - destIp + type: object +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: erspanpolicies.aci.erspan +spec: + group: aci.erspan + names: + kind: ErspanPolicy + listKind: ErspanPolicyList + plural: erspanpolicies + singular: erspanpolicy + scope: Cluster + preserveUnknownFields: false + versions: + - name: v1alpha + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + apiVersion: + type: string + kind: + type: string + spec: + type: object + properties: + selector: + type: object + description: 'Selection of Pods' + properties: + labels: + type: object + properties: + additionalProperties: + type: string + namespace: + type: string + source: + type: object + properties: + adminState: + description: Administrative state. + default: start + type: string + enum: + - start + - stop + direction: + description: Direction of the packets to monitor. + default: both + type: string + enum: + - in + - out + - both + destination: + type: object + properties: + destIP: + description: Destination IP of the ERSPAN packet. + type: string + flowID: + description: Unique flow ID of the ERSPAN packet. 
+ default: 1 + type: integer + minimum: 1 + maximum: 1023 + required: + - destIP + type: object +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: enabledroplogs.aci.droplog +spec: + group: aci.droplog + names: + kind: EnableDropLog + listKind: EnableDropLogList + plural: enabledroplogs + singular: enabledroplog + scope: Cluster + versions: + - name: v1alpha1 + served: true + storage: true + schema: + # openAPIV3Schema is the schema for validating custom objects. + openAPIV3Schema: + type: object + properties: + apiVersion: + type: string + kind: + type: string + spec: + description: Defines the desired state of EnableDropLog + type: object + properties: + disableDefaultDropLog: + description: Disables the default droplog enabled by acc-provision. + default: false + type: boolean + nodeSelector: + type: object + description: Drop logging is enabled on nodes selected based on labels + properties: + labels: + type: object + properties: + additionalProperties: + type: string +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: prunedroplogs.aci.droplog +spec: + group: aci.droplog + names: + kind: PruneDropLog + listKind: PruneDropLogList + plural: prunedroplogs + singular: prunedroplog + scope: Cluster + versions: + - name: v1alpha1 + served: true + storage: true + schema: + # openAPIV3Schema is the schema for validating custom objects. 
+ openAPIV3Schema: + type: object + properties: + apiVersion: + type: string + kind: + type: string + spec: + description: Defines the desired state of PruneDropLog + type: object + properties: + nodeSelector: + type: object + description: Drop logging filters are applied to nodes selected based on labels + properties: + labels: + type: object + properties: + additionalProperties: + type: string + dropLogFilters: + type: object + properties: + srcIP: + type: string + destIP: + type: string + srcMAC: + type: string + destMAC: + type: string + srcPort: + type: integer + destPort: + type: integer + ipProto: + type: integer +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: accprovisioninputs.aci.ctrl +spec: + group: aci.ctrl + names: + kind: AccProvisionInput + listKind: AccProvisionInputList + plural: accprovisioninputs + singular: accprovisioninput + scope: Namespaced + versions: + - name: v1alpha1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + description: accprovisioninput defines the input configuration for ACI CNI + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + description: AccProvisionInputSpec defines the desired spec for accprovisioninput object + properties: + acc_provision_input: + type: object + properties: + operator_managed_config: + type: object + properties: + enable_updates: + type: boolean + aci_config: + type: object + properties: + sync_login: + type: object + properties: + certfile: + type: string + keyfile: + type: string + client_ssl: + type: boolean + net_config: + type: object + properties: + interface_mtu: + type: integer + service_monitor_interval: + type: integer + pbr_tracking_non_snat: + type: boolean + pod_subnet_chunk_size: + type: integer + disable_wait_for_network: + type: boolean + duration_wait_for_network: + type: integer + registry: + type: object + properties: + image_prefix: + type: string 
+ image_pull_secret: + type: string + aci_containers_operator_version: + type: string + aci_containers_controller_version: + type: string + aci_containers_host_version: + type: string + acc_provision_operator_version: + type: string + aci_cni_operator_version: + type: string + cnideploy_version: + type: string + opflex_agent_version: + type: string + openvswitch_version: + type: string + gbp_version: + type: string + logging: + type: object + properties: + controller_log_level: + type: string + hostagent_log_level: + type: string + opflexagent_log_level: + type: string + istio_config: + type: object + properties: + install_profile: + type: string + multus: + type: object + properties: + disable: + type: boolean + drop_log_config: + type: object + properties: + enable: + type: boolean + nodepodif_config: + type: object + properties: + enable: + type: boolean + sriov_config: + type: object + properties: + enable: + type: boolean + kube_config: + type: object + properties: + ovs_memory_limit: + type: string + use_privileged_containers: + type: boolean + image_pull_policy: + type: string + reboot_opflex_with_ovs: + type: string + snat_operator: + type: object + properties: + port_range: + type: object + properties: + start: + type: integer + end: + type: integer + ports_per_node: + type: integer + contract_scope: + type: string + disable_periodic_snat_global_info_sync: + type: boolean + type: object + status: + description: AccProvisionInputStatus defines the successful completion of AccProvisionInput + properties: + status: + type: boolean + type: object + required: + - spec + type: object +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: aci-containers-config + namespace: aci-containers-system + labels: + aci-containers-config-version: "{{.Token}}" + network-plugin: aci-containers +data: + controller-config: |- + { + "log-level": "{{.ControllerLogLevel}}", + "apic-hosts": {{.ApicHosts}}, +{{- if ne .AciMultipod "false" }} + "aci-multipod": {{.AciMultipod}}, 
+{{- end}} +{{- if .OpflexDeviceReconnectWaitTimeout }} + "opflex-device-reconnect-wait-timeout": {{.OpflexDeviceReconnectWaitTimeout}}, +{{- end}} + "apic-refreshtime": "{{.ApicRefreshTime}}", + "apic-subscription-delay": {{.ApicSubscriptionDelay}}, + "apic_refreshticker_adjust": "{{.ApicRefreshTickerAdjust}}", + "apic-username": "{{.ApicUserName}}", + "apic-private-key-path": "/usr/local/etc/aci-cert/user.key", + "aci-prefix": "{{.SystemIdentifier}}", + "aci-vmm-type": "Kubernetes", +{{- if ne .VmmDomain ""}} + "aci-vmm-domain": "{{.VmmDomain}}", +{{- else}} + "aci-vmm-domain": "{{.SystemIdentifier}}", +{{- end}} +{{- if ne .VmmController ""}} + "aci-vmm-controller": "{{.VmmController}}", +{{- else}} + "aci-vmm-controller": "{{.SystemIdentifier}}", +{{- end}} + "aci-policy-tenant": "{{.Tenant}}", +{{- if ne .CApic "false"}} + "lb-type": "None", +{{- end}} +{{- if ne .HppOptimization "false"}} + "hpp-optimization": {{.HppOptimization}}, +{{- end}} +{{- if ne .DisableHppRendering "false"}} + "disable-hpp-rendering": {{.DisableHppRendering}}, +{{- end}} +{{- if ne .NoWaitForServiceEpReadiness "false"}} + "no-wait-for-service-ep-readiness": {{.NoWaitForServiceEpReadiness}}, +{{- end}} +{{- if ne .ServiceGraphEndpointAddDelay "0"}} + "service-graph-endpoint-add-delay" : { + "delay": {{.ServiceGraphEndpointAddDelay}}, + "services": [{{- range $index, $item :=.ServiceGraphEndpointAddServices }}{{- if $index}},{{end}}{ {{- range $k, $v := $item }}"{{ $k }}": "{{ $v }}"{{if eq $k "name"}},{{end}}{{- end}}}{{end}}] + }, +{{- end}} +{{- if ne .AddExternalSubnetsToRdconfig "false"}} + "add-external-subnets-to-rdconfig": {{.AddExternalSubnetsToRdconfig}}, +{{- end}} +{{- if ne .DisablePeriodicSnatGlobalInfoSync "false"}} + "disable-periodic-snat-global-info-sync": {{.DisablePeriodicSnatGlobalInfoSync}}, +{{- end}} +{{- if .NodeSnatRedirectExclude }} + "node-snat-redirect-exclude": [{{ range $index,$item := .NodeSnatRedirectExclude}}{{- if $index}}, {{end }}{"group": "{{ index 
$item "group" }}", "labels": {{ index $item "labels" }}}{{ end }}], +{{- end }} +{{- if .ApicConnectionRetryLimit}} + "apic-connection-retry-limit": {{.ApicConnectionRetryLimit}}, +{{- end}} + "opflex-device-delete-timeout": {{.OpflexDeviceDeleteTimeout}}, + "sleep-time-snat-global-info-sync": {{.SleepTimeSnatGlobalInfoSync}}, +{{- /* Commenting code to disable the install_istio flag as the functionality + is disabled to remove dependency from istio.io/istio package. + Vulnerabilties were detected by quay.io security scan of aci-containers-controller + and aci-containers-operator images for istio.io/istio package + "install-istio": {{.InstallIstio}}, + "istio-profile": "{{.IstioProfile}}", +*/}} +{{- if ne .CApic "true"}} + "aci-podbd-dn": "uni/tn-{{.Tenant}}/BD-aci-containers-{{.SystemIdentifier}}-pod-bd", + "aci-nodebd-dn": "uni/tn-{{.Tenant}}/BD-aci-containers-{{.SystemIdentifier}}-node-bd", +{{- end}} + "aci-service-phys-dom": "{{.SystemIdentifier}}-pdom", + "aci-service-encap": "vlan-{{.ServiceVlan}}", + "aci-service-monitor-interval": {{.ServiceMonitorInterval}}, + "aci-pbr-tracking-non-snat": {{.PBRTrackingNonSnat}}, + "aci-vrf-tenant": "{{.VRFTenant}}", + "aci-l3out": "{{.L3Out}}", + "aci-ext-networks": {{.L3OutExternalNetworks}}, +{{- if ne .CApic "true"}} + "aci-vrf": "{{.VRFName}}", +{{- else}} + "aci-vrf": "{{.OverlayVRFName}}", +{{- end}} + "app-profile": "aci-containers-{{.SystemIdentifier}}", +{{- if ne .AddExternalContractToDefaultEpg "false"}} + "add-external-contract-to-default-epg": {{.AddExternalContractToDefaultEpg}}, +{{- end}} + "default-endpoint-group": { + "policy-space": "{{.Tenant}}", +{{- if ne .CApic "true"}} + "name": "aci-containers-{{.SystemIdentifier}}|aci-containers-default" +{{- else}} + "name": "aci-containers-{{.SystemIdentifier}}" +{{- end}} + }, + "max-nodes-svc-graph": {{.MaxNodesSvcGraph}}, + "namespace-default-endpoint-group": { + "aci-containers-system": { + "policy-space": "{{.Tenant}}", +{{- if ne .CApic "true"}} + 
"name": "aci-containers-{{.SystemIdentifier}}|aci-containers-system" +{{- else}} + "name": "aci-containers-system" +{{- end}} + }, + "istio-operator": { + "policy-space": "{{.Tenant}}", +{{- if ne .CApic "true"}} + "name": "aci-containers-{{.SystemIdentifier}}|aci-containers-istio" +{{- else}} + "name": "aci-containers-istio" +{{- end}} + }, + "istio-system": { + "policy-space": "{{.Tenant}}", +{{- if ne .CApic "true"}} + "name": "aci-containers-{{.SystemIdentifier}}|aci-containers-istio" +{{- else}} + "name": "aci-containers-istio" +{{- end}} + }, + "kube-system": { + "policy-space": "{{.Tenant}}", +{{- if ne .CApic "true"}} + "name": "aci-containers-{{.SystemIdentifier}}|aci-containers-system" +{{- else}} + "name": "aci-containers-system" +{{- end}} + }, + "cattle-system": { + "policy-space": "{{.Tenant}}", +{{- if ne .CApic "true"}} + "name": "aci-containers-{{.SystemIdentifier}}|aci-containers-system" +{{- else}} + "name": "aci-containers-system" +{{- end}} + }, + "cattle-prometheus": { + "policy-space": "{{.Tenant}}", +{{- if ne .CApic "true"}} + "name": "aci-containers-{{.SystemIdentifier}}|aci-containers-system" +{{- else}} + "name": "aci-containers-system" +{{- end}} + }, + "cattle-logging": { + "policy-space": "{{.Tenant}}", +{{- if ne .CApic "true"}} + "name": "aci-containers-{{.SystemIdentifier}}|aci-containers-system" +{{- else}} + "name": "aci-containers-system" +{{- end}} + } }, + "service-ip-pool": [{{- range $index, $item := .ServiceIPPool }}{{- if $index}},{{end}}{ "start": "{{ $item.Start }}", "end": "{{ $item.End}}" }{{end}}], + "extern-static": [{{- range $index, $item := .StaticExternalSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}], + "extern-dynamic": [{{- range $index, $item := .DynamicExternalSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}], + "snat-contract-scope": "{{.SnatContractScope}}", + "static-service-ip-pool": [{{- range $index, $item := .StaticServiceIPPool }}{{- if $index}},{{end}}{ "start": "{{ $item.Start }}", "end": "{{ 
$item.End }}" }{{end}}], +{{- if and (ne .TaintNotReadyNode "false") (ne .TaintNotReadyNode "False") }} + "taint-not-ready": true, +{{- end}} + "pod-ip-pool": [{{- range $index, $item := .PodIPPool }}{{- if $index}},{{end}}{ "start": "{{ $item.Start }}", "end": "{{ $item.End}}" }{{end}}], + "pod-subnet": [{{- range $index, $item := .PodSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}], + "pod-subnet-chunk-size": {{.PodSubnetChunkSize}}, + "node-service-ip-pool": [ + { + "end": "{{.NodeServiceIPEnd}}", + "start": "{{.NodeServiceIPStart}}" + } + ], + "node-service-subnets": [ + "{{.ServiceGraphSubnet}}" + ], + "enable_endpointslice": {{.EnableEndpointSlice}} + } + host-agent-config: |- + { + "app-profile": "aci-containers-{{.SystemIdentifier}}", +{{- if ne .EpRegistry ""}} + "ep-registry": "{{.EpRegistry}}", +{{- else}} + "ep-registry": null, +{{- end}} +{{- if ne .AciMultipod "false" }} + "aci-multipod": {{.AciMultipod}}, +{{- end}} +{{- if ne .DhcpRenewMaxRetryCount "0" }} + "dhcp-renew-max-retry-count": {{.DhcpRenewMaxRetryCount}}, +{{- end}} +{{- if ne .DhcpDelay "0" }} + "dhcp-delay": {{.DhcpDelay}}, +{{- end}} +{{- if ne .EnableOpflexAgentReconnect "false"}} + "enable-opflex-agent-reconnect": {{.EnableOpflexAgentReconnect}}, +{{- end}} +{{- if ne .OpflexMode ""}} + "opflex-mode": "{{.OpflexMode}}", +{{- else}} + "opflex-mode": null, +{{- end}} + "log-level": "{{.HostAgentLogLevel}}", + "aci-snat-namespace": "{{.SnatNamespace}}", + "aci-vmm-type": "Kubernetes", +{{- if ne .VmmDomain ""}} + "aci-vmm-domain": "{{.VmmDomain}}", +{{- else}} + "aci-vmm-domain": "{{.SystemIdentifier}}", +{{- end}} +{{- if ne .VmmController ""}} + "aci-vmm-controller": "{{.VmmController}}", +{{- else}} + "aci-vmm-controller": "{{.SystemIdentifier}}", +{{- end}} + "aci-prefix": "{{.SystemIdentifier}}", +{{- if ne .CApic "true"}} + "aci-vrf": "{{.VRFName}}", +{{- else}} + "aci-vrf": "{{.OverlayVRFName}}", +{{- end}} + "aci-vrf-tenant": "{{.VRFTenant}}", + "service-vlan": 
{{.ServiceVlan}}, + "kubeapi-vlan": {{.KubeAPIVlan}}, +{{- if ne .HppOptimization "false"}} + "hpp-optimization": {{.HppOptimization}}, +{{- end}} +{{- if ne .DisableHppRendering "false"}} + "disable-hpp-rendering": {{.DisableHppRendering}}, +{{- end}} + "pod-subnet": [{{- range $index, $item := .PodSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}], + "node-subnet": [{{- range $index, $item := .NodeSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}], + "encap-type": "{{.EncapType}}", + "aci-infra-vlan": {{.InfraVlan}}, +{{- if .MTU}} +{{- if ne .MTU 0}} + "interface-mtu": {{.MTU}}, +{{- end}} +{{- end}} +{{- if .MTUHeadRoom}} +{{- if ne .MTUHeadRoom "0"}} + "interface-mtu-headroom": {{.MTUHeadRoom}}, +{{- end}} +{{- end}} + "cni-netconfig": [{{- range $index, $item := .PodNetwork }}{{- if $index}},{{end}}{ "gateway": "{{ $item.Gateway }}", "subnet": "{{ $item.Subnet }}", "routes": [{ "dst": "0.0.0.0/0", "gw": "{{ $item.Gateway }}" }]}{{end}}], + "default-endpoint-group": { + "policy-space": "{{.Tenant}}", +{{- if ne .CApic "true"}} + "name": "aci-containers-{{.SystemIdentifier}}|aci-containers-default" +{{- else}} + "name": "aci-containers-default" +{{- end}} + }, + "namespace-default-endpoint-group": { + "aci-containers-system": { + "policy-space": "{{.Tenant}}", +{{- if ne .CApic "true"}} + "name": "aci-containers-{{.SystemIdentifier}}|aci-containers-system" +{{- else}} + "name": "aci-containers-system" +{{- end}} + }, + "istio-operator": { + "policy-space": "{{.Tenant}}", +{{- if ne .CApic "true"}} + "name": "aci-containers-{{.SystemIdentifier}}|aci-containers-istio" +{{- else}} + "name": "aci-containers-istio" +{{- end}} + }, + "istio-system": { + "policy-space": "{{.Tenant}}", +{{- if ne .CApic "true"}} + "name": "aci-containers-{{.SystemIdentifier}}|aci-containers-istio" +{{- else}} + "name": "aci-containers-istio" +{{- end}} + }, + "kube-system": { + "policy-space": "{{.Tenant}}", +{{- if ne .CApic "true"}} + "name": 
"aci-containers-{{.SystemIdentifier}}|aci-containers-system" +{{- else}} + "name": "aci-containers-system" +{{- end}} + }, + "cattle-system": { + "policy-space": "{{.Tenant}}", +{{- if ne .CApic "true"}} + "name": "aci-containers-{{.SystemIdentifier}}|aci-containers-system" +{{- else}} + "name": "aci-containers-system" +{{- end}} + }, + "cattle-prometheus": { + "policy-space": "{{.Tenant}}", +{{- if ne .CApic "true"}} + "name": "aci-containers-{{.SystemIdentifier}}|aci-containers-system" +{{- else}} + "name": "aci-containers-system" +{{- end}} + }, + "cattle-logging": { + "policy-space": "{{.Tenant}}", +{{- if ne .CApic "true"}} + "name": "aci-containers-{{.SystemIdentifier}}|aci-containers-system" +{{- else}} + "name": "aci-containers-system" +{{- end}} + } }, + "enable-drop-log": {{.DropLogEnable}}, +{{- if and (ne .DropLogDisableEvents "false") (ne .DropLogDisableEvents "False")}} + "packet-event-notification-socket": "", +{{- end}} + "enable_endpointslice": {{.EnableEndpointSlice}}, + "enable-nodepodif": {{.NodePodIfEnable}}, +{{- if and (ne .TaintNotReadyNode "false") (ne .TaintNotReadyNode "False") }} + "taint-not-ready": true, +{{- end}} + "enable-ovs-hw-offload": {{.SriovEnable}} + } + opflex-agent-config: |- + { + "log": { + "level": "{{.OpflexAgentLogLevel}}" + }, + "opflex": { +{{- if eq .OpflexClientSSL "false"}} + "ssl": { "mode": "disabled"}, +{{- end}} +{{- if eq .OpflexAgentStatistics "false"}} + "statistics" : { "mode" : "off" }, +{{- end}} + "timers" : { +{{- if .OpflexAgentPolicyRetryDelayTimer}} + "policy-retry-delay": {{.OpflexAgentPolicyRetryDelayTimer}}, +{{- end}} + "switch-sync-delay": {{.OpflexSwitchSyncDelay}}, + "switch-sync-dynamic": {{.OpflexSwitchSyncDynamic}} + }, + "startup": { + "enabled": "{{.OpflexStartupEnabled}}", + "policy-file": "/usr/local/var/lib/opflex-agent-ovs/startup/pol.json", + "policy-duration": {{.OpflexStartupPolicyDuration}}, + "resolve-aft-conn": "{{.OpflexStartupResolveAftConn}}" + }, + "notif" : { "enabled" : 
"false" }, + "asyncjson": { "enabled" : {{.OpflexAgentOpflexAsyncjsonEnabled}} } + }, + "ovs": { + "asyncjson": { "enabled" : {{.OpflexAgentOvsAsyncjsonEnabled}} } + } + } +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: snat-operator-config + namespace: aci-containers-system + labels: + aci-containers-config-version: "{{.Token}}" + network-plugin: aci-containers +data: + "start": "{{.SnatPortRangeStart}}" + "end": "{{.SnatPortRangeEnd}}" + "ports-per-node": "{{.SnatPortsPerNode}}" +--- +apiVersion: v1 +kind: Secret +metadata: + name: aci-user-cert + namespace: aci-containers-system + labels: + aci-containers-config-version: "{{.Token}}" +data: + user.key: {{.ApicUserKey}} + user.crt: {{.ApicUserCrt}} +--- +{{- if eq .CApic "true"}} +apiVersion: v1 +kind: Secret +metadata: + name: kafka-client-certificates + namespace: aci-containers-system + labels: + aci-containers-config-version: "{{.Token}}" +data: + ca.crt: {{.KafkaClientCrt}} + kafka-client.crt: {{.KafkaClientCrt}} + kafka-client.key: {{.KafkaClientKey}} +--- +{{- end}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: aci-containers-controller + namespace: aci-containers-system + labels: + aci-containers-config-version: "{{.Token}}" +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: aci-containers-host-agent + namespace: aci-containers-system + labels: + aci-containers-config-version: "{{.Token}}" +--- +{{- if eq .UseClusterRole "true"}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + aci-containers-config-version: "{{.Token}}" + network-plugin: aci-containers + name: aci-containers-controller +rules: +- apiGroups: + - "" + resources: + - nodes + - namespaces + - pods + - endpoints + - services + - events + - replicationcontrollers + - serviceaccounts + verbs: + - list + - watch + - get + - patch + - create + - update + - delete +- apiGroups: + - "" + resources: + - configmaps + verbs: + - list + - watch + - get + - create + - update + - delete +- 
apiGroups: + - "apiextensions.k8s.io" + resources: + - customresourcedefinitions + verbs: + - '*' +- apiGroups: + - "rbac.authorization.k8s.io" + resources: + - clusterroles + - clusterrolebindings + verbs: + - '*' +{{- /* Commenting code to disable the install_istio flag as the functionality + is disabled to remove dependency from istio.io/istio package. + Vulnerabilties were detected by quay.io security scan of aci-containers-controller + and aci-containers-operator images for istio.io/istio package +{{- if ne .InstallIstio "false"}} +- apiGroups: + - "install.istio.io" + resources: + - istiocontrolplanes + - istiooperators + verbs: + - '*' +- apiGroups: + - "aci.istio" + resources: + - aciistiooperators + - aciistiooperator + verbs: + - '*' +{{- end}} +*/}} +- apiGroups: + - "networking.k8s.io" + resources: + - networkpolicies + verbs: + - list + - watch + - get +- apiGroups: + - "apps" + resources: + - deployments + - replicasets + - daemonsets + - statefulsets + verbs: + - '*' +- apiGroups: + - "" + resources: + - nodes + - services/status + verbs: + - update +- apiGroups: + - "monitoring.coreos.com" + resources: + - servicemonitors + verbs: + - get + - create +- apiGroups: + - "aci.snat" + resources: + - snatpolicies/finalizers + - snatpolicies/status + - nodeinfos + verbs: + - update + - create + - list + - watch + - get + - delete +- apiGroups: + - "aci.snat" + resources: + - snatglobalinfos + - snatpolicies + - nodeinfos + - rdconfigs + verbs: + - list + - watch + - get + - create + - update + - delete +- apiGroups: + - "aci.qos" + resources: + - qospolicies + verbs: + - list + - watch + - get + - create + - update + - delete + - patch +- apiGroups: + - "aci.netflow" + resources: + - netflowpolicies + verbs: + - list + - watch + - get + - update +- apiGroups: + - "aci.erspan" + resources: + - erspanpolicies + verbs: + - list + - watch + - get + - update +- apiGroups: + - "aci.aw" + resources: + - nodepodifs + verbs: + - '*' +- apiGroups: + - 
apps.openshift.io + resources: + - deploymentconfigs + verbs: + - list + - watch + - get +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - "aci.netpol" + resources: + - networkpolicies + verbs: + - get + - list + - watch + - create + - update + - delete +- apiGroups: + - "aci.dnsnetpol" + resources: + - dnsnetworkpolicies + verbs: + - get + - list + - watch + - create + - update + - delete +--- +{{- end}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + aci-containers-config-version: "{{.Token}}" + network-plugin: aci-containers + name: aci-containers-host-agent +rules: +- apiGroups: + - "" + resources: + - nodes + - namespaces + - pods + - endpoints + - services + - replicationcontrollers + verbs: + - list + - watch + - get +{{- if ne .DropLogEnable "false"}} + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +{{- end}} +- apiGroups: + - "apiextensions.k8s.io" + resources: + - customresourcedefinitions + verbs: + - list + - watch + - get +- apiGroups: + - "networking.k8s.io" + resources: + - networkpolicies + verbs: + - list + - watch + - get +- apiGroups: + - "apps" + resources: + - deployments + - replicasets + verbs: + - list + - watch + - get +- apiGroups: + - "aci.snat" + resources: + - snatpolicies + - snatglobalinfos + - rdconfigs + verbs: + - list + - watch + - get +- apiGroups: + - "aci.qos" + resources: + - qospolicies + verbs: + - list + - watch + - get + - create + - update + - delete + - patch +- apiGroups: + - "aci.droplog" + resources: + - enabledroplogs + - prunedroplogs + verbs: + - list + - watch + - get +- apiGroups: + - "aci.snat" + resources: + - nodeinfos + - snatlocalinfos + verbs: + - create + - update + - list + - watch + - get + - delete +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - "aci.netpol" + resources: + - 
networkpolicies + verbs: + - get + - list + - watch +- apiGroups: + - "aci.aw" + resources: + - nodepodifs + verbs: + - "*" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: aci-containers-controller + labels: + aci-containers-config-version: "{{.Token}}" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: aci-containers-controller +subjects: +- kind: ServiceAccount + name: aci-containers-controller + namespace: aci-containers-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: aci-containers-host-agent + labels: + aci-containers-config-version: "{{.Token}}" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: aci-containers-host-agent +subjects: +- kind: ServiceAccount + name: aci-containers-host-agent + namespace: aci-containers-system +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: aci-containers-host + namespace: aci-containers-system + labels: + aci-containers-config-version: "{{.Token}}" + network-plugin: aci-containers +spec: + updateStrategy: + type: RollingUpdate + selector: + matchLabels: + name: aci-containers-host + network-plugin: aci-containers + template: + metadata: + labels: + name: aci-containers-host + network-plugin: aci-containers + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9612" + spec: + hostNetwork: true + hostPID: true + hostIPC: true + serviceAccountName: aci-containers-host-agent +{{- if ne .ImagePullSecret ""}} + imagePullSecrets: + - name: {{.ImagePullSecret}} +{{- end}} + tolerations: + - operator: Exists + initContainers: + - name: cnideploy + image: {{.AciCniDeployContainer}} + imagePullPolicy: {{.ImagePullPolicy}} + securityContext: +{{- if eq .UsePrivilegedContainer "true"}} + privileged: true +{{- end}} + capabilities: + add: + - SYS_ADMIN + volumeMounts: + - name: cni-bin + mountPath: /mnt/cni-bin +{{- if ne .UseSystemNodePriorityClass "false"}} + 
priorityClassName: system-node-critical +{{- else if .UseAciContainersHostPriorityClass}} + priorityClassName: aci-containers-host +{{- else}} +{{- if ne .NoPriorityClass "true"}} + priorityClassName: system-cluster-critical +{{- end}} +{{- if eq .UseAciCniPriorityClass "true"}} + priorityClassName: acicni-priority +{{- end}} +{{- end}} + containers: + - name: aci-containers-host + image: {{.AciHostContainer}} + imagePullPolicy: {{.ImagePullPolicy}} +{{- if or ( .AciContainersHostMemoryLimit ) ( .AciContainersHostMemoryRequest )}} + resources: + limits: +{{- if .AciContainersHostMemoryLimit }} + memory: "{{ .AciContainersHostMemoryLimit }}" +{{- else}} + memory: "{{ .AciContainersMemoryLimit }}" +{{- end}} + requests: +{{- if .AciContainersHostMemoryRequest }} + memory: "{{ .AciContainersHostMemoryRequest }}" +{{- else}} + memory: "{{ .AciContainersMemoryRequest }}" +{{- end}} +{{- end}} + securityContext: +{{- if eq .UsePrivilegedContainer "true"}} + privileged: true +{{- end}} + capabilities: + add: + - SYS_ADMIN + - NET_ADMIN + - SYS_PTRACE + - NET_RAW + env: + - name: KUBERNETES_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: TENANT + value: "{{.Tenant}}" +{{- if ne .MultusDisable "true"}} + - name: MULTUS + value: true +{{- end}} +{{- if eq .DisableWaitForNetwork "true"}} + - name: DISABLE_WAIT_FOR_NETWORK + value: true +{{- else}} + - name: DURATION_WAIT_FOR_NETWORK + value: "{{.DurationWaitForNetwork}}" +{{- end}} + volumeMounts: + - name: cni-bin + mountPath: /mnt/cni-bin + - name: cni-conf + mountPath: /mnt/cni-conf + - name: hostvar + mountPath: /usr/local/var + - name: hostrun + mountPath: /run + - name: hostrun + mountPath: /usr/local/run + - name: opflex-hostconfig-volume + mountPath: /usr/local/etc/opflex-agent-ovs/base-conf.d + - name: host-config-volume + mountPath: /usr/local/etc/aci-containers/ + - name: varlogpods + mountPath: /var/log/pods + readOnly: true + - name: varlogcontainers + mountPath: /var/log/containers + 
readOnly: true + - name: varlibdocker + mountPath: /var/lib/docker + readOnly: true +{{- if eq .AciMultipod "true" }} + - name: dhclient + mountPath: /var/lib/dhclient +{{- end}} +{{- if eq .UseHostNetnsVolume "true"}} + - mountPath: /run/netns + name: host-run-netns + readOnly: true + mountPropagation: HostToContainer +{{- end}} +{{- if ne .MultusDisable "true"}} + - name: multus-cni-conf + mountPath: /mnt/multus-cni-conf +{{- end}} + livenessProbe: + failureThreshold: 10 + httpGet: + path: /status + port: 8090 + scheme: HTTP + initialDelaySeconds: 120 + periodSeconds: 60 + successThreshold: 1 + timeoutSeconds: 30 + - name: opflex-agent + env: + - name: REBOOT_WITH_OVS + value: "true" +{{- if ne .OpflexOpensslCompat "false"}} + - name: OPENSSL_CONF + value: "/etc/pki/tls/openssl11.cnf" +{{- end}} + image: {{.AciOpflexContainer}} + imagePullPolicy: {{.ImagePullPolicy}} +{{- if or ( .OpflexAgentMemoryLimit ) ( .OpflexAgentMemoryRequest )}} + resources: + limits: +{{- if .OpflexAgentMemoryLimit }} + memory: "{{ .OpflexAgentMemoryLimit }}" +{{- else}} + memory: "{{ .AciContainersMemoryLimit }}" +{{- end}} + requests: +{{- if .OpflexAgentMemoryRequest }} + memory: "{{ .OpflexAgentMemoryRequest }}" +{{- else}} + memory: "{{ .AciContainersMemoryRequest }}" +{{- end}} +{{- end}} + securityContext: +{{- if eq .UsePrivilegedContainer "true"}} + privileged: true +{{- end}} + capabilities: + add: + - NET_ADMIN + volumeMounts: + - name: hostvar + mountPath: /usr/local/var + - name: hostrun + mountPath: /run + - name: hostrun + mountPath: /usr/local/run + - name: opflex-hostconfig-volume + mountPath: /usr/local/etc/opflex-agent-ovs/base-conf.d + - name: opflex-config-volume + mountPath: /usr/local/etc/opflex-agent-ovs/conf.d +{{- if eq .RunOpflexServerContainer "true"}} + - name: opflex-server + image: {{.AciOpflexContainer}} + command: ["/bin/sh"] + args: ["/usr/local/bin/launch-opflexserver.sh"] + imagePullPolicy: {{.ImagePullPolicy}} + securityContext: + capabilities: + add: 
+ - NET_ADMIN + ports: + - containerPort: {{.OpflexServerPort}} + - name: metrics + containerPort: 9632 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - name: opflex-server-config-volume + mountPath: /usr/local/etc/opflex-server + - name: hostvar + mountPath: /usr/local/var +{{- end}} +{{- if ne .OpflexMode "overlay"}} + - name: mcast-daemon + image: {{.AciMcastContainer}} + command: ["/bin/sh"] + args: ["/usr/local/bin/launch-mcastdaemon.sh"] + imagePullPolicy: {{.ImagePullPolicy}} +{{- if or ( .McastDaemonMemoryLimit ) ( .McastDaemonMemoryRequest )}} + resources: + limits: +{{- if .McastDaemonMemoryLimit }} + memory: "{{ .McastDaemonMemoryLimit }}" +{{- else}} + memory: "{{ .AciContainersMemoryLimit }}" +{{- end}} + requests: +{{- if .McastDaemonMemoryRequest }} + memory: "{{ .McastDaemonMemoryRequest }}" +{{- else}} + memory: "{{ .AciContainersMemoryRequest }}" +{{- end}} +{{- end}} +{{- if eq .UsePrivilegedContainer "true"}} + securityContext: + privileged: true +{{- end}} + volumeMounts: + - name: hostvar + mountPath: /usr/local/var + - name: hostrun + mountPath: /run + - name: hostrun + mountPath: /usr/local/run +{{- end}} + restartPolicy: Always + volumes: + - name: cni-bin + hostPath: + path: /opt + - name: cni-conf + hostPath: + path: /etc + - name: hostvar + hostPath: + path: /var + - name: hostrun + hostPath: + path: /run + - name: host-config-volume + configMap: + name: aci-containers-config + items: + - key: host-agent-config + path: host-agent.conf + - name: opflex-hostconfig-volume + emptyDir: + medium: Memory + - name: varlogpods + hostPath: + path: /var/log/pods + - name: varlogcontainers + hostPath: + path: /var/log/containers + - name: varlibdocker + hostPath: + path: /var/lib/docker +{{- if eq .AciMultipod "true" }} +{{- if eq .AciMultipodUbuntu "true" }} + - name: dhclient + hostPath: + path: /var/lib/dhcp +{{- else}} + - name: dhclient + hostPath: + path: /var/lib/dhclient +{{- end}} +{{- 
end}} + - name: opflex-config-volume + configMap: + name: aci-containers-config + items: + - key: opflex-agent-config + path: local.conf +{{- if eq .UseOpflexServerVolume "true"}} + - name: opflex-server-config-volume +{{- end}} +{{- if eq .UseHostNetnsVolume "true"}} + - name: host-run-netns + hostPath: + path: /run/netns +{{- end}} +{{- if ne .MultusDisable "true" }} + - name: multus-cni-conf + hostPath: + path: /var/run/multus/ +{{- end}} +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: aci-containers-openvswitch + namespace: aci-containers-system + labels: + aci-containers-config-version: "{{.Token}}" + network-plugin: aci-containers +spec: + updateStrategy: + type: RollingUpdate + selector: + matchLabels: + name: aci-containers-openvswitch + network-plugin: aci-containers + template: + metadata: + labels: + name: aci-containers-openvswitch + network-plugin: aci-containers + spec: + hostNetwork: true + hostPID: true + hostIPC: true + serviceAccountName: aci-containers-host-agent +{{- if ne .ImagePullSecret ""}} + imagePullSecrets: + - name: {{.ImagePullSecret}} +{{end}} + tolerations: + - operator: Exists +{{- if ne .UseSystemNodePriorityClass "false"}} + priorityClassName: system-node-critical +{{- else if .UseAciContainersOpenvswitchPriorityClass}} + priorityClassName: aci-containers-openvswitch +{{- else}} +{{- if ne .NoPriorityClass "true"}} + priorityClassName: system-cluster-critical +{{- end}} +{{- if eq .UseAciCniPriorityClass "true"}} + priorityClassName: acicni-priority +{{- end}} +{{- end}} + containers: + - name: aci-containers-openvswitch + image: {{.AciOpenvSwitchContainer}} + imagePullPolicy: {{.ImagePullPolicy}} + resources: + limits: + memory: "{{.OVSMemoryLimit}}" + requests: + memory: "{{.OVSMemoryRequest}}" + securityContext: +{{- if eq .UsePrivilegedContainer "true"}} + privileged: true +{{- end}} + capabilities: + add: + - NET_ADMIN + - SYS_MODULE + - SYS_NICE + - IPC_LOCK + env: + - name: OVS_RUNDIR + value: 
/usr/local/var/run/openvswitch + volumeMounts: + - name: hostvar + mountPath: /usr/local/var + - name: hostrun + mountPath: /run + - name: hostrun + mountPath: /usr/local/run + - name: hostetc + mountPath: /usr/local/etc + - name: hostmodules + mountPath: /lib/modules + - name: varlogpods + mountPath: /var/log/pods + readOnly: true + - name: varlogcontainers + mountPath: /var/log/containers + readOnly: true + - name: varlibdocker + mountPath: /var/lib/docker + readOnly: true + livenessProbe: + exec: + command: + - /usr/local/bin/liveness-ovs.sh + restartPolicy: Always + volumes: + - name: hostetc + hostPath: + path: /etc + - name: hostvar + hostPath: + path: /var + - name: hostrun + hostPath: + path: /run + - name: hostmodules + hostPath: + path: /lib/modules + - name: varlogpods + hostPath: + path: /var/log/pods + - name: varlogcontainers + hostPath: + path: /var/log/containers + - name: varlibdocker + hostPath: + path: /var/lib/docker +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: aci-containers-controller + namespace: aci-containers-system + labels: + aci-containers-config-version: "{{.Token}}" + network-plugin: aci-containers + name: aci-containers-controller +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + name: aci-containers-controller + network-plugin: aci-containers + template: + metadata: + name: aci-containers-controller + namespace: aci-containers-system + labels: + name: aci-containers-controller + network-plugin: aci-containers + spec: + hostNetwork: true + serviceAccountName: aci-containers-controller +{{- if ne .ImagePullSecret ""}} + imagePullSecrets: + - name: {{.ImagePullSecret}} +{{- end}} +{{- if .Tolerations }} + tolerations: +{{ toYaml .Tolerations | indent 6}} +{{- else }} + tolerations: + - effect: NoExecute + key: node.kubernetes.io/unreachable + operator: Exists + tolerationSeconds: {{ .TolerationSeconds }} + - effect: NoExecute + key: node.kubernetes.io/not-ready + operator: Exists + 
tolerationSeconds: {{ .TolerationSeconds }} + - effect: NoSchedule + key: node.kubernetes.io/not-ready + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/controlplane + value: "true" + operator: Equal + - effect: NoExecute + key: node-role.kubernetes.io/etcd + value: "true" + operator: Equal +{{- end }} +{{- if ne .UseSystemNodePriorityClass "false"}} + priorityClassName: system-node-critical +{{- else if .UseAciContainersControllerPriorityClass}} + priorityClassName: aci-containers-controller +{{- else}} +{{- if ne .NoPriorityClass "true"}} + priorityClassName: system-node-critical +{{- end}} +{{- if eq .UseAciCniPriorityClass "true"}} + priorityClassName: acicni-priority +{{- end}} +{{- end}} + containers: + - name: aci-containers-controller + image: {{.AciControllerContainer}} + imagePullPolicy: {{.ImagePullPolicy}} +{{- if or ( .AciContainersControllerMemoryLimit ) ( .AciContainersControllerMemoryRequest )}} + resources: + limits: +{{- if .AciContainersControllerMemoryLimit }} + memory: "{{ .AciContainersControllerMemoryLimit }}" +{{- else}} + memory: "{{ .AciContainersMemoryLimit }}" +{{- end}} + requests: +{{- if .AciContainersControllerMemoryRequest }} + memory: "{{ .AciContainersControllerMemoryRequest }}" +{{- else}} + memory: "{{ .AciContainersMemoryRequest }}" +{{- end}} +{{- end}} + env: + - name: WATCH_NAMESPACE + value: "" + - name: ACI_SNAT_NAMESPACE + value: "aci-containers-system" + - name: ACI_SNAGLOBALINFO_NAME + value: "snatglobalinfo" + - name: ACI_RDCONFIG_NAME + value: "routingdomain-config" + - name: SYSTEM_NAMESPACE + value: "aci-containers-system" + volumeMounts: + - name: controller-config-volume + mountPath: /usr/local/etc/aci-containers/ + - name: varlogpods + mountPath: /var/log/pods + readOnly: true + - name: varlogcontainers + mountPath: /var/log/containers + readOnly: true + - name: varlibdocker + mountPath: /var/lib/docker + 
readOnly: true + - name: aci-user-cert-volume + mountPath: /usr/local/etc/aci-cert/ + livenessProbe: + failureThreshold: 10 + httpGet: + path: /status + port: 8091 + scheme: HTTP + initialDelaySeconds: 120 + periodSeconds: 60 + successThreshold: 1 + timeoutSeconds: 30 + volumes: +{{- if eq .CApic "true"}} + - name: kafka-certs + secret: + secretName: kafka-client-certificates +{{- end}} + - name: aci-user-cert-volume + secret: + secretName: aci-user-cert + - name: controller-config-volume + configMap: + name: aci-containers-config + items: + - key: controller-config + path: controller.conf + - name: varlogpods + hostPath: + path: /var/log/pods + - name: varlogcontainers + hostPath: + path: /var/log/containers + - name: varlibdocker + hostPath: + path: /var/lib/docker +{{- if eq .CApic "true"}} +--- +apiVersion: aci.aw/v1 +kind: PodIF +metadata: + name: inet-route + namespace: kube-system +status: + epg: aci-containers-inet-out + ipaddr: 0.0.0.0/0 +{{- end}} +--- +apiVersion: v1 +kind: LimitRange +metadata: + name: memory-limit-range + namespace: aci-containers-system +spec: + limits: + - default: + memory: {{ .AciContainersMemoryLimit }} + defaultRequest: + memory: {{ .AciContainersMemoryRequest }} + type: Container +` diff --git a/pkg/rke/templates/templates.go b/pkg/rke/templates/templates.go index b5ec0817b..117be9641 100644 --- a/pkg/rke/templates/templates.go +++ b/pkg/rke/templates/templates.go @@ -104,6 +104,7 @@ const ( aciv6032 = "aci-v6.0.3.2" aciv6033 = "aci-v6.0.3.3" aciv6041 = "aci-v6.0.4.1" + aciv6042 = "aci-v6.0.4.2" nginxIngressv18 = "nginxingress-v1.8" nginxIngressV115 = "nginxingress-v1.15" 
@@ -254,42 +255,45 @@ func LoadK8sVersionedTemplates() map[string]map[string]string {
 ">=1.8.0-rancher0 <1.16.0-alpha": weavev18,
 },
 kdm.Aci: {
- ">=1.17.0-alpha <1.20.15-rancher2-2": aciv500,
- ">=1.20.15-rancher2-2 <1.21.0-rancher0": aciv523,
- ">=1.21.0-rancher0 <1.21.14-rancher1-1": aciv500,
- ">=1.21.14-rancher1-1 <1.22.0-rancher0": aciv523,
- ">=1.22.0-rancher0 <1.22.11-rancher1-1": aciv500,
- ">=1.22.11-rancher1-1 <1.22.16-rancher1-1": aciv523,
- ">=1.22.16-rancher1-1 <1.22.17-rancher1-1": aciv5234,
- ">=1.22.17-rancher1-1 <1.23.0-rancher0": aciv5235,
- ">=1.23.0-rancher0 <1.23.8-rancher1-1": aciv500,
- ">=1.23.8-rancher1-1 <1.23.14-rancher1-1": aciv523,
- ">=1.23.14-rancher1-1 <1.23.15-rancher1-1": aciv5234,
- ">=1.23.15-rancher1-1 <1.23.16-rancher2-2": aciv5235,
- ">=1.23.16-rancher2-2 <1.23.16-rancher2-3": aciv5236,
- ">=1.23.16-rancher2-3 <1.24.0-rancher0": aciv5271,
- ">=1.24.0-rancher0 <1.24.8-rancher1-1": aciv523,
- ">=1.24.8-rancher1-1 <1.24.9-rancher1-1": aciv5234,
- ">=1.24.9-rancher1-1 <1.24.13-rancher2-1": aciv5235,
- ">=1.24.13-rancher2-1 <1.24.13-rancher2-2": aciv5236,
- ">=1.24.13-rancher2-2 <1.24.17-rancher1-1": aciv5271,
- ">=1.24.17-rancher1-1 <1.25.0-rancher0": aciv6031,
- ">=1.25.0-rancher0 <1.25.9-rancher2-1": aciv5235,
- ">=1.25.9-rancher2-1 <1.25.9-rancher2-2": aciv5236,
- ">=1.25.9-rancher2-2 <1.25.13-rancher1-1": aciv5271,
- ">=1.25.13-rancher1-1 <1.25.16-rancher2-2": aciv6031,
- ">=1.25.16-rancher2-2 <1.25.16-rancher2-3": aciv6032,
- ">=1.25.16-rancher2-3 <1.26.0-rancher0": aciv6033,
- ">=1.26.0-rancher0 <1.26.8-rancher1-1": aciv5271,
- ">=1.26.8-rancher1-1 <1.26.11-rancher2-2": aciv6031,
- ">=1.26.11-rancher2-2 <1.26.13-rancher1-2": aciv6032,
- ">=1.26.13-rancher1-2 <1.26.14-rancher1-1": aciv6033,
- ">=1.26.14-rancher1-1 <1.27.0-rancher1-1": aciv6041,
- ">=1.27.0-rancher1-1 <1.27.8-rancher2-1": aciv5271,
- ">=1.27.8-rancher2-1 <1.27.8-rancher2-2": aciv6031,
- ">=1.27.8-rancher2-2 <1.27.10-rancher1-2": aciv6032,
- ">=1.27.10-rancher1-2 <1.27.11-rancher1-1": aciv6033,
- ">=1.27.11-rancher1-1": aciv6041,
+ ">=1.17.0-alpha <1.20.15-rancher2-2": aciv500,
+ ">=1.20.15-rancher2-2 <1.21.0-rancher0": aciv523,
+ ">=1.21.0-rancher0 <1.21.14-rancher1-1": aciv500,
+ ">=1.21.14-rancher1-1 <1.22.0-rancher0": aciv523,
+ ">=1.22.0-rancher0 <1.22.11-rancher1-1": aciv500,
+ ">=1.22.11-rancher1-1 <1.22.16-rancher1-1": aciv523,
+ ">=1.22.16-rancher1-1 <1.22.17-rancher1-1": aciv5234,
+ ">=1.22.17-rancher1-1 <1.23.0-rancher0": aciv5235,
+ ">=1.23.0-rancher0 <1.23.8-rancher1-1": aciv500,
+ ">=1.23.8-rancher1-1 <1.23.14-rancher1-1": aciv523,
+ ">=1.23.14-rancher1-1 <1.23.15-rancher1-1": aciv5234,
+ ">=1.23.15-rancher1-1 <1.23.16-rancher2-2": aciv5235,
+ ">=1.23.16-rancher2-2 <1.23.16-rancher2-3": aciv5236,
+ ">=1.23.16-rancher2-3 <1.24.0-rancher0": aciv5271,
+ ">=1.24.0-rancher0 <1.24.8-rancher1-1": aciv523,
+ ">=1.24.8-rancher1-1 <1.24.9-rancher1-1": aciv5234,
+ ">=1.24.9-rancher1-1 <1.24.13-rancher2-1": aciv5235,
+ ">=1.24.13-rancher2-1 <1.24.13-rancher2-2": aciv5236,
+ ">=1.24.13-rancher2-2 <1.24.17-rancher1-1": aciv5271,
+ ">=1.24.17-rancher1-1 <1.25.0-rancher0": aciv6031,
+ ">=1.25.0-rancher0 <1.25.9-rancher2-1": aciv5235,
+ ">=1.25.9-rancher2-1 <1.25.9-rancher2-2": aciv5236,
+ ">=1.25.9-rancher2-2 <1.25.13-rancher1-1": aciv5271,
+ ">=1.25.13-rancher1-1 <1.25.16-rancher2-2": aciv6031,
+ ">=1.25.16-rancher2-2 <1.25.16-rancher2-3": aciv6032,
+ ">=1.25.16-rancher2-3 <1.26.0-rancher0": aciv6033,
+ ">=1.26.0-rancher0 <1.26.8-rancher1-1": aciv5271,
+ ">=1.26.8-rancher1-1 <1.26.11-rancher2-2": aciv6031,
+ ">=1.26.11-rancher2-2 <1.26.13-rancher1-2": aciv6032,
+ ">=1.26.13-rancher1-2 <1.26.14-rancher1-1": aciv6033,
+ ">=1.26.14-rancher1-1 <1.27.0-rancher1-1": aciv6041,
+ ">=1.27.0-rancher1-1 <1.27.8-rancher2-1": aciv5271,
+ ">=1.27.8-rancher2-1 <1.27.8-rancher2-2": aciv6031,
+ ">=1.27.8-rancher2-2 <1.27.10-rancher1-2": aciv6032,
+ ">=1.27.10-rancher1-2 <1.27.11-rancher1-1": aciv6033,
+ ">=1.27.11-rancher1-1 < 1.27.15-rancher1-1": aciv6041,
+ ">=1.27.15-rancher1-1 < 1.28.0-rancher0": aciv6042,
+ ">=1.28.0-rancher0 < 1.28.11-rancher1-1": aciv6041,
+ ">=1.28.11-rancher1-1": aciv6042,
 },
 kdm.NginxIngress: {
 ">=1.8.0-rancher0 <1.13.10-rancher1-3": nginxIngressv18,
@@ -437,6 +441,7 @@ func getTemplates() map[string]string {
 aciv6032: AciTemplateV6032,
 aciv6033: AciTemplateV6033,
 aciv6041: AciTemplateV6041,
+ aciv6042: AciTemplateV6042,
 nginxIngressv18: NginxIngressTemplate,
 nginxIngressV115: NginxIngressTemplateV0251Rancher1,
From 18acdebce5157ec03603c2259bd16556305445f5 Mon Sep 17 00:00:00 2001
From: JeffinKottaram
Date: Mon, 1 Jul 2024 00:35:53 -0700
Subject: [PATCH 2/2] go generate
---
 data/data.json | 56 +++++++++++++++++++++++++++----------------------
 1 file changed, 30 insertions(+), 26 deletions(-)
diff --git a/data/data.json b/data/data.json
index 500df42bd..a68f8efac 100644
--- a/data/data.json
+++ b/data/data.json
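Review bot: The four new range keys at the end of the kdm.Aci map write the upper bound as `< 1.27.15-rancher1-1`, with a space after `<`, while every other key in this map uses the `<1.27.11-rancher1-1` form; if the range parser tokenizes on whitespace, a lone `<` is not a valid comparator and the lookup for those k8s versions would fail or fall through silently, and even if the parser tolerates it the key format should stay consistent. Suggest `">=1.27.11-rancher1-1 <1.27.15-rancher1-1": aciv6041,` and the same shape for the three keys that follow it. The generated data.json in the second patch carries the same spaced keys (`\u003c 1.27.15-rancher1-1`), so it needs regenerating once the source map is fixed. A one-line note in the PR description on why `>=1.28.0-rancher0 < 1.28.11-rancher1-1` maps back to aciv6041 while 1.27.15+ already maps to aciv6042 would help the next reader, since the mapping is not monotonic in the k8s version. LoadK8sVersionedTemplates itself starts and ends outside the hunk.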
@@ -13320,12 +13320,12 @@ "ingressWebhook": "rancher/mirrored-ingress-nginx-kube-webhook-certgen:v20231011-8b53cabe0", "metricsServer": "rancher/mirrored-metrics-server:v0.6.3", "windowsPodInfraContainer": "rancher/mirrored-pause:3.7", - "aciCniDeployContainer": "noiro/cnideploy:6.0.4.1.81c2369", - "aciHostContainer": "noiro/aci-containers-host:6.0.4.1.81c2369", - "aciOpflexContainer": "noiro/opflex:6.0.4.1.81c2369", - "aciMcastContainer": "noiro/opflex:6.0.4.1.81c2369", - "aciOvsContainer": "noiro/openvswitch:6.0.4.1.81c2369", - "aciControllerContainer": "noiro/aci-containers-controller:6.0.4.1.81c2369" + "aciCniDeployContainer": "noiro/cnideploy:6.0.4.2.81c2369", + "aciHostContainer": "noiro/aci-containers-host:6.0.4.2.81c2369", + "aciOpflexContainer": "noiro/opflex:6.0.4.2.81c2369", + "aciMcastContainer": "noiro/opflex:6.0.4.2.81c2369", + "aciOvsContainer": "noiro/openvswitch:6.0.4.2.81c2369", + "aciControllerContainer": "noiro/aci-containers-controller:6.0.4.2.81c2369" }, "v1.27.6-rancher1-1": { "etcd": "rancher/mirrored-coreos-etcd:v3.5.7", 
@@ -13527,12 +13527,12 @@ "ingressWebhook": "rancher/mirrored-ingress-nginx-kube-webhook-certgen:v20231226-1a7112e06", "metricsServer": "rancher/mirrored-metrics-server:v0.7.0", "windowsPodInfraContainer": "rancher/mirrored-pause:3.7", - "aciCniDeployContainer": "noiro/cnideploy:6.0.4.1.81c2369", - "aciHostContainer": "noiro/aci-containers-host:6.0.4.1.81c2369", - "aciOpflexContainer": "noiro/opflex:6.0.4.1.81c2369", - "aciMcastContainer": "noiro/opflex:6.0.4.1.81c2369", - "aciOvsContainer": "noiro/openvswitch:6.0.4.1.81c2369", - "aciControllerContainer": "noiro/aci-containers-controller:6.0.4.1.81c2369" + "aciCniDeployContainer": "noiro/cnideploy:6.0.4.2.81c2369", + "aciHostContainer": "noiro/aci-containers-host:6.0.4.2.81c2369", + "aciOpflexContainer": "noiro/opflex:6.0.4.2.81c2369", + "aciMcastContainer": "noiro/opflex:6.0.4.2.81c2369", + "aciOvsContainer": "noiro/openvswitch:6.0.4.2.81c2369", + "aciControllerContainer": "noiro/aci-containers-controller:6.0.4.2.81c2369" }, "v1.28.7-rancher1-1": { "etcd": "rancher/mirrored-coreos-etcd:v3.5.10", 
@@ -13691,12 +13691,12 @@ "ingressWebhook": "rancher/mirrored-ingress-nginx-kube-webhook-certgen:v20231226-1a7112e06", "metricsServer": "rancher/mirrored-metrics-server:v0.7.0", "windowsPodInfraContainer": "rancher/mirrored-pause:3.7", - "aciCniDeployContainer": "noiro/cnideploy:6.0.4.1.81c2369", - "aciHostContainer": "noiro/aci-containers-host:6.0.4.1.81c2369", - "aciOpflexContainer": "noiro/opflex:6.0.4.1.81c2369", - "aciMcastContainer": "noiro/opflex:6.0.4.1.81c2369", - "aciOvsContainer": "noiro/openvswitch:6.0.4.1.81c2369", - "aciControllerContainer": "noiro/aci-containers-controller:6.0.4.1.81c2369" + "aciCniDeployContainer": "noiro/cnideploy:6.0.4.2.81c2369", + "aciHostContainer": "noiro/aci-containers-host:6.0.4.2.81c2369", + "aciOpflexContainer": "noiro/opflex:6.0.4.2.81c2369", + "aciMcastContainer": "noiro/opflex:6.0.4.2.81c2369", + "aciOvsContainer": "noiro/openvswitch:6.0.4.2.81c2369", + "aciControllerContainer": "noiro/aci-containers-controller:6.0.4.2.81c2369" }, "v1.30.2-rancher1-1": { "etcd": "rancher/mirrored-coreos-etcd:v3.5.12", 
@@ -13730,12 +13730,12 @@ "ingressWebhook": "rancher/mirrored-ingress-nginx-kube-webhook-certgen:v1.4.1", "metricsServer": "rancher/mirrored-metrics-server:v0.7.1", "windowsPodInfraContainer": "rancher/mirrored-pause:3.7", - "aciCniDeployContainer": "noiro/cnideploy:6.0.4.1.81c2369", - "aciHostContainer": "noiro/aci-containers-host:6.0.4.1.81c2369", - "aciOpflexContainer": "noiro/opflex:6.0.4.1.81c2369", - "aciMcastContainer": "noiro/opflex:6.0.4.1.81c2369", - "aciOvsContainer": "noiro/openvswitch:6.0.4.1.81c2369", - "aciControllerContainer": "noiro/aci-containers-controller:6.0.4.1.81c2369" + "aciCniDeployContainer": "noiro/cnideploy:6.0.4.2.81c2369", + "aciHostContainer": "noiro/aci-containers-host:6.0.4.2.81c2369", + "aciOpflexContainer": "noiro/opflex:6.0.4.2.81c2369", + "aciMcastContainer": "noiro/opflex:6.0.4.2.81c2369", + "aciOvsContainer": "noiro/openvswitch:6.0.4.2.81c2369", + "aciControllerContainer": "noiro/aci-containers-controller:6.0.4.2.81c2369" }, "v1.8.11-rancher2-1": { "etcd": "rancher/coreos-etcd:v3.0.17", @@ -13874,9 +13874,12 @@ "\u003e=1.26.8-rancher1-1 \u003c1.26.11-rancher2-2": "aci-v6.0.3.1", "\u003e=1.27.0-rancher1-1 \u003c1.27.8-rancher2-1": "aci-v5.2.7.1", "\u003e=1.27.10-rancher1-2 \u003c1.27.11-rancher1-1": "aci-v6.0.3.3", - "\u003e=1.27.11-rancher1-1": "aci-v6.0.4.1", + "\u003e=1.27.11-rancher1-1 \u003c 1.27.15-rancher1-1": "aci-v6.0.4.1", + "\u003e=1.27.15-rancher1-1 \u003c 1.28.0-rancher0": "aci-v6.0.4.2", "\u003e=1.27.8-rancher2-1 \u003c1.27.8-rancher2-2": "aci-v6.0.3.1", - "\u003e=1.27.8-rancher2-2 \u003c1.27.10-rancher1-2": "aci-v6.0.3.2" + "\u003e=1.27.8-rancher2-2 \u003c1.27.10-rancher1-2": "aci-v6.0.3.2", + "\u003e=1.28.0-rancher0 \u003c 1.28.11-rancher1-1": "aci-v6.0.4.1", + "\u003e=1.28.11-rancher1-1": "aci-v6.0.4.2" }, "calico": { "\u003e=1.13.0-rancher0 \u003c1.15.0-rancher0": "calico-v1.13", 
@@ -14045,6 +14048,7 @@ "aci-v6.0.3.2": "\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: acicontainersoperators.aci.ctrl\nspec:\n group: aci.ctrl\n names:\n kind: AciContainersOperator\n listKind: AciContainersOperatorList\n plural: acicontainersoperators\n singular: acicontainersoperator\n scope: Namespaced\n versions:\n - name: v1alpha1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n description: acicontainersoperator owns the lifecycle of ACI objects in the cluster\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: AciContainersOperatorSpec defines the desired spec for ACI Objects\n properties:\n flavor:\n type: string\n config:\n type: string\n type: object\n status:\n description: AciContainersOperatorStatus defines the successful completion of AciContainersOperator\n properties:\n status:\n type: boolean\n type: object\n required:\n - spec\n type: object\n---\napiVersion: v1\nkind: Namespace\nmetadata:\n name: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: nodepodifs.aci.aw\nspec:\n group: aci.aw\n names:\n kind: NodePodIF\n listKind: NodePodIFList\n plural: nodepodifs\n singular: nodepodif\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n type: object\n properties:\n podifs:\n type: array\n items:\n type: object\n properties:\n containerID:\n type: string\n epg:\n type: string\n ifname:\n type: string\n ipaddr:\n type: string\n macaddr:\n type: string\n podname:\n type: string\n podns:\n type: string\n vtep:\n type: string\n required:\n - spec\n type: object\n---\n{{- if eq .UseAciCniPriorityClass 
\"true\"}}\napiVersion: scheduling.k8s.io/v1beta1\nkind: PriorityClass\nmetadata:\n name: acicni-priority\nvalue: 1000000000\nglobalDefault: false\ndescription: \"This priority class is used for ACI-CNI resources\"\n---\n{{- end }}\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatglobalinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatGlobalInfo\n listKind: SnatGlobalInfoList\n plural: snatglobalinfos\n singular: snatglobalinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n description: SnatGlobalInfo is the Schema for the snatglobalinfos API\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n globalInfos:\n additionalProperties:\n items:\n properties:\n macAddress:\n type: string\n portRanges:\n items:\n properties:\n end:\n maximum: 65535\n minimum: 1\n type: integer\n start:\n maximum: 65535\n minimum: 1\n type: integer\n type: object\n type: array\n snatIp:\n type: string\n snatIpUid:\n type: string\n snatPolicyName:\n type: string\n required:\n - macAddress\n - portRanges\n - snatIp\n - snatIpUid\n - snatPolicyName\n type: object\n type: array\n type: object\n required:\n - globalInfos\n type: object\n status:\n description: SnatGlobalInfoStatus defines the observed state of SnatGlobalInfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatlocalinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatLocalInfo\n listKind: SnatLocalInfoList\n plural: snatlocalinfos\n singular: snatlocalinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: SnatLocalInfoSpec defines the desired state of SnatLocalInfo\n properties:\n localInfos:\n items:\n 
properties:\n podName:\n type: string\n podNamespace:\n type: string\n podUid:\n type: string\n snatPolicies:\n items:\n properties:\n destIp:\n items:\n type: string\n type: array\n name:\n type: string\n snatIp:\n type: string\n required:\n - destIp\n - name\n - snatIp\n type: object\n type: array\n required:\n - podName\n - podNamespace\n - podUid\n - snatPolicies\n type: object\n type: array\n required:\n - localInfos\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatpolicies.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatPolicy\n listKind: SnatPolicyList\n plural: snatpolicies\n singular: snatpolicy\n scope: Cluster\n versions:\n - name: v1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n type: object\n properties:\n selector:\n type: object\n properties:\n labels:\n type: object\n description: 'Selection of Pods'\n properties:\n additionalProperties:\n type: string\n namespace:\n type: string\n type: object\n snatIp:\n type: array\n items:\n type: string\n destIp:\n type: array\n items:\n type: string\n type: object\n status:\n type: object\n properties:\n additionalProperties:\n type: string\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: nodeinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: NodeInfo\n listKind: NodeInfoList\n plural: nodeinfos\n singular: nodeinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n macaddress:\n type: string\n snatpolicynames:\n additionalProperties:\n type: boolean\n type: object\n type: object\n status:\n description: NodeinfoStatus defines the observed state of 
Nodeinfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: rdconfigs.aci.snat\nspec:\n group: aci.snat\n names:\n kind: RdConfig\n listKind: RdConfigList\n plural: rdconfigs\n singular: rdconfig\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n discoveredsubnets:\n items:\n type: string\n type: array\n usersubnets:\n items:\n type: string\n type: array\n type: object\n status:\n description: NodeinfoStatus defines the observed state of Nodeinfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: networkpolicies.aci.netpol\nspec:\n group: aci.netpol\n names:\n kind: NetworkPolicy\n listKind: NetworkPolicyList\n plural: networkpolicies\n singular: networkpolicy\n scope: Namespaced\n versions:\n - name: v1\n schema:\n openAPIV3Schema:\n description: Network Policy describes traffic flow at IP address or port level\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n appliedTo:\n properties:\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: allow ingress from the same namespace\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n egress:\n 
description: Set of egress rules evaluated based on the order in which they are set.\n items:\n properties:\n action:\n description: Action specifies the action to be applied on the rule.\n type: string\n enableLogging:\n description: EnableLogging is used to indicate if agent should generate logs default to false.\n type: boolean\n ports:\n description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports.\n items:\n description: NetworkPolicyPort describes the port and protocol to match in a rule.\n properties:\n endPort:\n description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical port is specified.\n format: int32\n type: integer\n port:\n anyOf:\n - type: integer\n - type: string\n description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers.\n x-kubernetes-int-or-string: true\n protocol:\n default: TCP\n description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.\n type: string\n type: object\n type: array\n to:\n description: Rule is matched if traffic is intended for workloads selected by this field. If this field is empty or missing, this rule matches all destinations.\n items:\n properties:\n ipBlock:\n description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. 
Cannot be set with any other selector.\n properties:\n cidr:\n description: CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\"\n type: string\n except:\n description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\" Except values will be rejected if they are outside the CIDR range\n items:\n type: string\n type: array\n required:\n - cidr\n type: object\n namespaceSelector:\n description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector.\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: Select Pods from NetworkPolicys Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. 
Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n type: array\n toFqDn:\n properties:\n matchNames:\n items:\n type: string\n type: array\n required:\n - matchNames\n type: object\n required:\n - enableLogging\n - toFqDn\n type: object\n type: array\n ingress:\n description: Set of ingress rules evaluated based on the order in which they are set.\n items:\n properties:\n action:\n description: Action specifies the action to be applied on the rule.\n type: string\n enableLogging:\n description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false.\n type: boolean\n from:\n description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources.\n items:\n properties:\n ipBlock:\n description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. 
Cannot be set with any other selector.\n properties:\n cidr:\n description: CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\"\n type: string\n except:\n description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\" Except values will be rejected if they are outside the CIDR range\n items:\n type: string\n type: array\n required:\n - cidr\n type: object\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: Select Pods from NetworkPolicys Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.\n properties:\n matchExpressions:\n description: matchExpressions is a list of label selector requirements. The requirements are ANDed.\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n type: array\n ports:\n description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports.\n items:\n description: NetworkPolicyPort describes the port and protocol to match in a rule.\n properties:\n endPort:\n description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical port is specified.\n format: int32\n type: integer\n port:\n anyOf:\n - type: integer\n - type: string\n description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers.\n x-kubernetes-int-or-string: true\n protocol:\n default: TCP\n description: The protocol (TCP, UDP, or SCTP) which traffic must match. 
If not specified, this field defaults to TCP.\n type: string\n type: object\n type: array\n type: object\n type: array\n policyTypes:\n items:\n description: Policy Type string describes the NetworkPolicy type This type is beta-level in 1.8\n type: string\n type: array\n priority:\n description: Priority specfies the order of the NetworkPolicy relative to other NetworkPolicies.\n type: integer\n type:\n description: type of the policy.\n type: string\n required:\n - type\n type: object\n required:\n - spec\n type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: dnsnetworkpolicies.aci.dnsnetpol\nspec:\n group: aci.dnsnetpol\n names:\n kind: DnsNetworkPolicy\n listKind: DnsNetworkPolicyList\n plural: dnsnetworkpolicies\n singular: dnsnetworkpolicy\n scope: Namespaced\n versions:\n - name: v1beta\n schema:\n openAPIV3Schema:\n description: dns network Policy\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n appliedTo:\n properties:\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: allow ingress from the same namespace\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n egress:\n description: Set of egress rules evaluated based on the order in which they are set.\n properties:\n toFqdn:\n properties:\n matchNames:\n items:\n type: string\n type: array\n required:\n - matchNames\n type: object\n required:\n - toFqdn\n type: object\n type: object\n required:\n - spec\n type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: qospolicies.aci.qos\nspec:\n group: aci.qos\n names:\n kind: QosPolicy\n listKind: QosPolicyList\n plural: qospolicies\n singular: qospolicy\n scope: Namespaced\n preserveUnknownFields: false\n versions:\n - name: v1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n podSelector:\n description: 'Selection of Pods'\n type: object\n properties:\n matchLabels:\n type: object\n description:\n ingress:\n type: object\n properties:\n policing_rate:\n type: integer\n minimum: 0\n policing_burst:\n type: integer\n minimum: 0\n egress:\n type: object\n properties:\n policing_rate:\n type: integer\n minimum: 0\n policing_burst:\n type: integer\n minimum: 0\n dscpmark:\n type: integer\n default: 0\n minimum: 0\n maximum: 63\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: netflowpolicies.aci.netflow\nspec:\n group: aci.netflow\n names:\n kind: NetflowPolicy\n listKind: NetflowPolicyList\n plural: netflowpolicies\n singular: 
netflowpolicy\n scope: Cluster\n preserveUnknownFields: false\n versions:\n - name: v1alpha\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n flowSamplingPolicy:\n type: object\n properties:\n destIp:\n type: string\n destPort:\n type: integer\n minimum: 0\n maximum: 65535\n default: 2055\n flowType:\n type: string\n enum:\n - netflow\n - ipfix\n default: netflow\n activeFlowTimeOut:\n type: integer\n minimum: 0\n maximum: 3600\n default: 60\n idleFlowTimeOut:\n type: integer\n minimum: 0\n maximum: 600\n default: 15\n samplingRate:\n type: integer\n minimum: 0\n maximum: 1000\n default: 0\n required:\n - destIp\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: erspanpolicies.aci.erspan\nspec:\n group: aci.erspan\n names:\n kind: ErspanPolicy\n listKind: ErspanPolicyList\n plural: erspanpolicies\n singular: erspanpolicy\n scope: Cluster\n preserveUnknownFields: false\n versions:\n - name: v1alpha\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n selector:\n type: object\n description: 'Selection of Pods'\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n namespace:\n type: string\n source:\n type: object\n properties:\n adminState:\n description: Administrative state.\n default: start\n type: string\n enum:\n - start\n - stop\n direction:\n description: Direction of the packets to monitor.\n default: both\n type: string\n enum:\n - in\n - out\n - both\n destination:\n type: object\n properties:\n destIP:\n description: Destination IP of the ERSPAN packet.\n type: string\n flowID:\n description: Unique flow ID of the ERSPAN packet.\n default: 1\n 
type: integer\n minimum: 1\n maximum: 1023\n required:\n - destIP\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: enabledroplogs.aci.droplog\nspec:\n group: aci.droplog\n names:\n kind: EnableDropLog\n listKind: EnableDropLogList\n plural: enabledroplogs\n singular: enabledroplog\n scope: Cluster\n versions:\n - name: v1alpha1\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n description: Defines the desired state of EnableDropLog\n type: object\n properties:\n disableDefaultDropLog:\n description: Disables the default droplog enabled by acc-provision.\n default: false\n type: boolean\n nodeSelector:\n type: object\n description: Drop logging is enabled on nodes selected based on labels\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: prunedroplogs.aci.droplog\nspec:\n group: aci.droplog\n names:\n kind: PruneDropLog\n listKind: PruneDropLogList\n plural: prunedroplogs\n singular: prunedroplog\n scope: Cluster\n versions:\n - name: v1alpha1\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n description: Defines the desired state of PruneDropLog\n type: object\n properties:\n nodeSelector:\n type: object\n description: Drop logging filters are applied to nodes selected based on labels\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n dropLogFilters:\n type: object\n properties:\n srcIP:\n type: string\n destIP:\n type: string\n srcMAC:\n type: string\n destMAC:\n type: string\n srcPort:\n type: integer\n 
destPort:\n type: integer\n ipProto:\n type: integer\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: accprovisioninputs.aci.ctrl\nspec:\n group: aci.ctrl\n names:\n kind: AccProvisionInput\n listKind: AccProvisionInputList\n plural: accprovisioninputs\n singular: accprovisioninput\n scope: Namespaced\n versions:\n - name: v1alpha1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n description: accprovisioninput defines the input configuration for ACI CNI\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: AccProvisionInputSpec defines the desired spec for accprovisioninput object\n properties:\n acc_provision_input:\n type: object\n properties:\n operator_managed_config:\n type: object\n properties:\n enable_updates:\n type: boolean\n aci_config:\n type: object\n properties:\n sync_login:\n type: object\n properties:\n certfile:\n type: string\n keyfile:\n type: string\n client_ssl:\n type: boolean\n net_config:\n type: object\n properties:\n interface_mtu:\n type: integer\n service_monitor_interval:\n type: integer\n pbr_tracking_non_snat:\n type: boolean\n pod_subnet_chunk_size:\n type: integer\n disable_wait_for_network:\n type: boolean\n duration_wait_for_network:\n type: integer\n registry:\n type: object\n properties:\n image_prefix:\n type: string\n image_pull_secret:\n type: string\n aci_containers_operator_version:\n type: string\n aci_containers_controller_version:\n type: string\n aci_containers_host_version:\n type: string\n acc_provision_operator_version:\n type: string\n aci_cni_operator_version:\n type: string\n cnideploy_version:\n type: string\n opflex_agent_version:\n type: string\n openvswitch_version:\n type: string\n gbp_version:\n type: string\n logging:\n type: object\n properties:\n controller_log_level:\n type: string\n hostagent_log_level:\n type: string\n opflexagent_log_level:\n type: 
string\n istio_config:\n type: object\n properties:\n install_istio:\n type: boolean\n install_profile:\n type: string\n multus:\n type: object\n properties:\n disable:\n type: boolean\n drop_log_config:\n type: object\n properties:\n enable:\n type: boolean\n nodepodif_config:\n type: object\n properties:\n enable:\n type: boolean\n sriov_config:\n type: object\n properties:\n enable:\n type: boolean\n kube_config:\n type: object\n properties:\n ovs_memory_limit:\n type: string\n use_privileged_containers:\n type: boolean\n image_pull_policy:\n type: string\n reboot_opflex_with_ovs:\n type: string\n snat_operator:\n type: object\n properties:\n port_range:\n type: object\n properties:\n start:\n type: integer\n end:\n type: integer\n ports_per_node:\n type: integer\n contract_scope:\n type: string\n disable_periodic_snat_global_info_sync:\n type: boolean\n type: object\n status:\n description: AccProvisionInputStatus defines the successful completion of AccProvisionInput\n properties:\n status:\n type: boolean\n type: object\n required:\n - spec\n type: object\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: aci-containers-config\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\ndata:\n controller-config: |-\n {\n \"log-level\": \"{{.ControllerLogLevel}}\",\n \"apic-hosts\": {{.ApicHosts}},\n{{- if ne .AciMultipod \"false\" }}\n \"aci-multipod\": {{.AciMultipod}},\n{{- end}}\n{{- if .OpflexDeviceReconnectWaitTimeout }}\n \"opflex-device-reconnect-wait-timeout\": {{.OpflexDeviceReconnectWaitTimeout}},\n{{- end}}\n \"apic-refreshtime\": \"{{.ApicRefreshTime}}\",\n \"apic-subscription-delay\": {{.ApicSubscriptionDelay}},\n \"apic_refreshticker_adjust\": \"{{.ApicRefreshTickerAdjust}}\",\n \"apic-username\": \"{{.ApicUserName}}\",\n \"apic-private-key-path\": \"/usr/local/etc/aci-cert/user.key\",\n \"aci-prefix\": \"{{.SystemIdentifier}}\",\n \"aci-vmm-type\": \"Kubernetes\",\n{{- if 
ne .VmmDomain \"\"}}\n \"aci-vmm-domain\": \"{{.VmmDomain}}\",\n{{- else}}\n \"aci-vmm-domain\": \"{{.SystemIdentifier}}\",\n{{- end}}\n{{- if ne .VmmController \"\"}}\n \"aci-vmm-controller\": \"{{.VmmController}}\",\n{{- else}}\n \"aci-vmm-controller\": \"{{.SystemIdentifier}}\",\n{{- end}}\n \"aci-policy-tenant\": \"{{.Tenant}}\",\n{{- if ne .CApic \"false\"}}\n \"lb-type\": \"None\",\n{{- end}}\n{{- if ne .HppOptimization \"false\"}}\n \"hpp-optimization\": {{.HppOptimization}},\n{{- end}}\n{{- if ne .NoWaitForServiceEpReadiness \"false\"}}\n \"no-wait-for-service-ep-readiness\": {{.NoWaitForServiceEpReadiness}},\n{{- end}}\n{{- if ne .ServiceGraphEndpointAddDelay \"0\"}}\n \"service-graph-endpoint-add-delay\" : {\n \"delay\": {{.ServiceGraphEndpointAddDelay}},\n \"services\": [{{- range $index, $item :=.ServiceGraphEndpointAddServices }}{{- if $index}},{{end}}{ {{- range $k, $v := $item }}\"{{ $k }}\": \"{{ $v }}\"{{if eq $k \"name\"}},{{end}}{{- end}}}{{end}}]\n },\n{{- end}}\n{{- if ne .AddExternalSubnetsToRdconfig \"false\"}}\n \"add-external-subnets-to-rdconfig\": {{.AddExternalSubnetsToRdconfig}},\n{{- end}}\n{{- if ne .DisablePeriodicSnatGlobalInfoSync \"false\"}}\n \"disable-periodic-snat-global-info-sync\": {{.DisablePeriodicSnatGlobalInfoSync}},\n{{- end}}\n{{- if .NodeSnatRedirectExclude }}\n \"node-snat-redirect-exclude\": [{{ range $index,$item := .NodeSnatRedirectExclude}}{{- if $index}}, {{end }}{\"group\": \"{{ index $item \"group\" }}\", \"labels\": {{ index $item \"labels\" }}}{{ end }}],\n{{- end }}\n \"opflex-device-delete-timeout\": {{.OpflexDeviceDeleteTimeout}},\n \"sleep-time-snat-global-info-sync\": {{.SleepTimeSnatGlobalInfoSync}},\n \"install-istio\": {{.InstallIstio}},\n \"istio-profile\": \"{{.IstioProfile}}\",\n{{- if ne .CApic \"true\"}}\n \"aci-podbd-dn\": \"uni/tn-{{.Tenant}}/BD-aci-containers-{{.SystemIdentifier}}-pod-bd\",\n \"aci-nodebd-dn\": \"uni/tn-{{.Tenant}}/BD-aci-containers-{{.SystemIdentifier}}-node-bd\",\n{{- end}}\n 
\"aci-service-phys-dom\": \"{{.SystemIdentifier}}-pdom\",\n \"aci-service-encap\": \"vlan-{{.ServiceVlan}}\",\n \"aci-service-monitor-interval\": {{.ServiceMonitorInterval}},\n \"aci-pbr-tracking-non-snat\": {{.PBRTrackingNonSnat}},\n \"aci-vrf-tenant\": \"{{.VRFTenant}}\",\n \"aci-l3out\": \"{{.L3Out}}\",\n \"aci-ext-networks\": {{.L3OutExternalNetworks}},\n{{- if ne .CApic \"true\"}}\n \"aci-vrf\": \"{{.VRFName}}\",\n{{- else}}\n \"aci-vrf\": \"{{.OverlayVRFName}}\",\n{{- end}}\n \"app-profile\": \"aci-containers-{{.SystemIdentifier}}\",\n{{- if ne .AddExternalContractToDefaultEpg \"false\"}}\n \"add-external-contract-to-default-epg\": {{.AddExternalContractToDefaultEpg}},\n{{- end}} \n \"default-endpoint-group\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-default\"\n{{- else}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}\"\n{{- end}}\n },\n \"max-nodes-svc-graph\": {{.MaxNodesSvcGraph}},\n \"namespace-default-endpoint-group\": {\n \"aci-containers-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"istio-operator\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"istio-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"kube-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-system\": {\n 
\"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-prometheus\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-logging\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n } },\n \"service-ip-pool\": [{{- range $index, $item := .ServiceIPPool }}{{- if $index}},{{end}}{ \"start\": \"{{ $item.Start }}\", \"end\": \"{{ $item.End}}\" }{{end}}],\n \"extern-static\": [{{- range $index, $item := .StaticExternalSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"extern-dynamic\": [{{- range $index, $item := .DynamicExternalSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"snat-contract-scope\": \"{{.SnatContractScope}}\",\n \"static-service-ip-pool\": [{{- range $index, $item := .StaticServiceIPPool }}{{- if $index}},{{end}}{ \"start\": \"{{ $item.Start }}\", \"end\": \"{{ $item.End }}\" }{{end}}],\n \"pod-ip-pool\": [{{- range $index, $item := .PodIPPool }}{{- if $index}},{{end}}{ \"start\": \"{{ $item.Start }}\", \"end\": \"{{ $item.End}}\" }{{end}}],\n \"pod-subnet-chunk-size\": {{.PodSubnetChunkSize}},\n \"node-service-ip-pool\": [\n {\n \"end\": \"{{.NodeServiceIPEnd}}\",\n \"start\": \"{{.NodeServiceIPStart}}\"\n }\n ],\n \"node-service-subnets\": [\n \"{{.ServiceGraphSubnet}}\"\n ],\n \"enable_endpointslice\": {{.EnableEndpointSlice}}\n }\n host-agent-config: |-\n {\n \"app-profile\": \"aci-containers-{{.SystemIdentifier}}\",\n{{- if ne .EpRegistry \"\"}}\n \"ep-registry\": \"{{.EpRegistry}}\",\n{{- else}}\n \"ep-registry\": null,\n{{- end}}\n{{- if ne .AciMultipod 
\"false\" }}\n \"aci-multipod\": {{.AciMultipod}},\n{{- end}}\n{{- if ne .DhcpRenewMaxRetryCount \"0\" }}\n \"dhcp-renew-max-retry-count\": {{.DhcpRenewMaxRetryCount}},\n{{- end}}\n{{- if ne .DhcpDelay \"0\" }}\n \"dhcp-delay\": {{.DhcpDelay}},\n{{- end}}\n{{- if ne .EnableOpflexAgentReconnect \"false\"}}\n \"enable-opflex-agent-reconnect\": {{.EnableOpflexAgentReconnect}},\n{{- end}}\n{{- if ne .OpflexMode \"\"}}\n \"opflex-mode\": \"{{.OpflexMode}}\",\n{{- else}}\n \"opflex-mode\": null,\n{{- end}}\n \"log-level\": \"{{.HostAgentLogLevel}}\",\n \"aci-snat-namespace\": \"{{.SnatNamespace}}\",\n \"aci-vmm-type\": \"Kubernetes\",\n{{- if ne .VmmDomain \"\"}}\n \"aci-vmm-domain\": \"{{.VmmDomain}}\",\n{{- else}}\n \"aci-vmm-domain\": \"{{.SystemIdentifier}}\",\n{{- end}}\n{{- if ne .VmmController \"\"}}\n \"aci-vmm-controller\": \"{{.VmmController}}\",\n{{- else}}\n \"aci-vmm-controller\": \"{{.SystemIdentifier}}\",\n{{- end}}\n \"aci-prefix\": \"{{.SystemIdentifier}}\",\n{{- if ne .CApic \"true\"}}\n \"aci-vrf\": \"{{.VRFName}}\",\n{{- else}}\n \"aci-vrf\": \"{{.OverlayVRFName}}\",\n{{- end}}\n \"aci-vrf-tenant\": \"{{.VRFTenant}}\",\n \"service-vlan\": {{.ServiceVlan}},\n \"kubeapi-vlan\": {{.KubeAPIVlan}},\n{{- if ne .HppOptimization \"false\"}}\n \"hpp-optimization\": {{.HppOptimization}},\n{{- end}}\n \"pod-subnet\": [{{- range $index, $item := .PodSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"node-subnet\": [{{- range $index, $item := .NodeSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"encap-type\": \"{{.EncapType}}\",\n \"aci-infra-vlan\": {{.InfraVlan}},\n{{- if .MTU}}\n{{- if ne .MTU 0}}\n \"interface-mtu\": {{.MTU}},\n{{- end}}\n{{- end}}\n{{- if .MTUHeadRoom}}\n{{- if ne .MTUHeadRoom \"0\"}}\n \"interface-mtu-headroom\": {{.MTUHeadRoom}},\n{{- end}}\n{{- end}}\n \"cni-netconfig\": [{{- range $index, $item := .PodNetwork }}{{- if $index}},{{end}}{ \"gateway\": \"{{ $item.Gateway }}\", \"subnet\": \"{{ $item.Subnet }}\", \"routes\": [{ 
\"dst\": \"0.0.0.0/0\", \"gw\": \"{{ $item.Gateway }}\" }]}{{end}}],\n \"default-endpoint-group\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-default\"\n{{- else}}\n \"name\": \"aci-containers-default\"\n{{- end}}\n },\n \"namespace-default-endpoint-group\": {\n \"aci-containers-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"istio-operator\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"istio-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"kube-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-prometheus\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-logging\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n } },\n \"enable-drop-log\": 
{{.DropLogEnable}},\n \"enable_endpointslice\": {{.EnableEndpointSlice}},\n \"enable-nodepodif\": {{.NodePodIfEnable}},\n \"enable-ovs-hw-offload\": {{.SriovEnable}}\n }\n opflex-agent-config: |-\n {\n \"log\": {\n \"level\": \"{{.OpflexAgentLogLevel}}\"\n },\n \"opflex\": {\n{{- if eq .OpflexClientSSL \"false\"}}\n \"ssl\": { \"mode\": \"disabled\"},\n{{- end}}\n{{- if eq .OpflexAgentStatistics \"false\"}}\n \"statistics\" : { \"mode\" : \"off\" },\n{{- end}}\n{{- if ne .OpflexAgentPolicyRetryDelayTimer \"10\" }}\n \"timers\" : { \"policy-retry-delay\": {{.OpflexAgentPolicyRetryDelayTimer}} },\n{{- end}}\n \"notif\" : { \"enabled\" : \"false\" },\n \"asyncjson\": { \"enabled\" : {{.OpflexAgentOpflexAsyncjsonEnabled}} }\n },\n \"ovs\": {\n \"asyncjson\": { \"enabled\" : {{.OpflexAgentOvsAsyncjsonEnabled}} }\n }\n }\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: snat-operator-config\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\ndata:\n \"start\": \"{{.SnatPortRangeStart}}\"\n \"end\": \"{{.SnatPortRangeEnd}}\"\n \"ports-per-node\": \"{{.SnatPortsPerNode}}\"\n---\napiVersion: v1\nkind: Secret\nmetadata:\n name: aci-user-cert\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\ndata:\n user.key: {{.ApicUserKey}}\n user.crt: {{.ApicUserCrt}}\n---\n{{- if eq .CApic \"true\"}}\napiVersion: v1\nkind: Secret\nmetadata:\n name: kafka-client-certificates\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\ndata:\n ca.crt: {{.KafkaClientCrt}}\n kafka-client.crt: {{.KafkaClientCrt}}\n kafka-client.key: {{.KafkaClientKey}}\n---\n{{- end}}\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: aci-containers-controller\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: aci-containers-host-agent\n 
namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n---\n{{- if eq .UseClusterRole \"true\"}}\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n name: aci-containers-controller\nrules:\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - namespaces\n - pods\n - endpoints\n - services\n - events\n - replicationcontrollers\n - serviceaccounts\n verbs:\n - list\n - watch\n - get\n - patch\n - create\n - update\n - delete\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n- apiGroups:\n - \"apiextensions.k8s.io\"\n resources:\n - customresourcedefinitions\n verbs:\n - '*'\n- apiGroups:\n - \"rbac.authorization.k8s.io\"\n resources:\n - clusterroles\n - clusterrolebindings\n verbs:\n - '*'\n{{- if ne .InstallIstio \"false\"}}\n- apiGroups:\n - \"install.istio.io\"\n resources:\n - istiocontrolplanes\n - istiooperators\n verbs:\n - '*'\n- apiGroups:\n - \"aci.istio\"\n resources:\n - aciistiooperators\n - aciistiooperator\n verbs:\n - '*'\n{{- end}}\n- apiGroups:\n - \"networking.k8s.io\"\n resources:\n - networkpolicies\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"apps\"\n resources:\n - deployments\n - replicasets\n - daemonsets\n - statefulsets\n verbs:\n - '*'\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - services/status\n verbs:\n - update\n- apiGroups:\n - \"monitoring.coreos.com\"\n resources:\n - servicemonitors\n verbs:\n - get\n - create\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatpolicies/finalizers\n - snatpolicies/status\n - nodeinfos\n verbs:\n - update\n - create\n - list\n - watch\n - get\n - delete\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatglobalinfos\n - snatpolicies\n - nodeinfos\n - rdconfigs\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n- apiGroups:\n - \"aci.qos\"\n 
resources:\n - qospolicies\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n - patch\n- apiGroups:\n - \"aci.netflow\"\n resources:\n - netflowpolicies\n verbs:\n - list\n - watch\n - get\n - update\n- apiGroups:\n - \"aci.erspan\"\n resources:\n - erspanpolicies\n verbs:\n - list\n - watch\n - get\n - update\n- apiGroups:\n - \"aci.aw\"\n resources:\n - nodepodifs\n verbs:\n - '*'\n- apiGroups:\n - apps.openshift.io\n resources:\n - deploymentconfigs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - discovery.k8s.io\n resources:\n - endpointslices\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.netpol\"\n resources:\n - networkpolicies\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - delete\n- apiGroups:\n - \"aci.dnsnetpol\"\n resources:\n - dnsnetworkpolicies\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - delete\n---\n{{- end}}\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n name: aci-containers-host-agent\nrules:\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - namespaces\n - pods\n - endpoints\n - services\n - replicationcontrollers\n verbs:\n - list\n - watch\n - get\n{{- if ne .DropLogEnable \"false\"}}\n - update\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - create\n - patch\n{{- end}}\n- apiGroups:\n - \"apiextensions.k8s.io\"\n resources:\n - customresourcedefinitions\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"networking.k8s.io\"\n resources:\n - networkpolicies\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"apps\"\n resources:\n - deployments\n - replicasets\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatpolicies\n - snatglobalinfos\n - rdconfigs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.qos\"\n resources:\n - qospolicies\n verbs:\n - list\n - watch\n - get\n - create\n - update\n 
- delete\n - patch\n- apiGroups:\n - \"aci.droplog\"\n resources:\n - enabledroplogs\n - prunedroplogs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.snat\"\n resources:\n - nodeinfos\n - snatlocalinfos\n verbs:\n - create\n - update\n - list\n - watch\n - get\n - delete\n- apiGroups:\n - discovery.k8s.io\n resources:\n - endpointslices\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.netpol\"\n resources:\n - networkpolicies\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.aw\"\n resources:\n - nodepodifs\n verbs:\n - \"*\"\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: aci-containers-controller\n labels:\n aci-containers-config-version: \"{{.Token}}\"\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: aci-containers-controller\nsubjects:\n- kind: ServiceAccount\n name: aci-containers-controller\n namespace: aci-containers-system\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: aci-containers-host-agent\n labels:\n aci-containers-config-version: \"{{.Token}}\"\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: aci-containers-host-agent\nsubjects:\n- kind: ServiceAccount\n name: aci-containers-host-agent\n namespace: aci-containers-system\n---\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: aci-containers-host\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\nspec:\n updateStrategy:\n type: RollingUpdate\n selector:\n matchLabels:\n name: aci-containers-host\n network-plugin: aci-containers\n template:\n metadata:\n labels:\n name: aci-containers-host\n network-plugin: aci-containers\n annotations:\n prometheus.io/scrape: \"true\"\n prometheus.io/port: \"9612\"\n spec:\n hostNetwork: true\n hostPID: true\n hostIPC: true\n serviceAccountName: aci-containers-host-agent\n{{- if ne .ImagePullSecret \"\"}}\n 
imagePullSecrets:\n - name: {{.ImagePullSecret}}\n{{- end}}\n tolerations:\n - operator: Exists\n initContainers:\n - name: cnideploy\n image: {{.AciCniDeployContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - SYS_ADMIN\n volumeMounts:\n - name: cni-bin\n mountPath: /mnt/cni-bin\n{{- if ne .UseSystemNodePriorityClass \"false\"}}\n priorityClassName: system-node-critical\n{{- else if .UseAciContainersHostPriorityClass}} \n priorityClassName: aci-containers-host\n{{- else}} \n{{- if ne .NoPriorityClass \"true\"}}\n priorityClassName: system-cluster-critical\n{{- end}}\n{{- if eq .UseAciCniPriorityClass \"true\"}}\n priorityClassName: acicni-priority\n{{- end}}\n{{- end}}\n containers:\n - name: aci-containers-host\n image: {{.AciHostContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .AciContainersHostMemoryLimit ) ( .AciContainersHostMemoryRequest )}}\n resources:\n limits:\n{{- if .AciContainersHostMemoryLimit }}\n memory: \"{{ .AciContainersHostMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .AciContainersHostMemoryRequest }}\n memory: \"{{ .AciContainersHostMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}}\n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - SYS_ADMIN\n - NET_ADMIN\n - SYS_PTRACE\n - NET_RAW\n env:\n - name: KUBERNETES_NODE_NAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n - name: TENANT\n value: \"{{.Tenant}}\"\n{{- if ne .MultusDisable \"true\"}}\n - name: MULTUS\n value: true\n{{- end}}\n{{- if eq .DisableWaitForNetwork \"true\"}}\n - name: DISABLE_WAIT_FOR_NETWORK\n value: true\n{{- else}}\n - name: DURATION_WAIT_FOR_NETWORK\n value: \"{{.DurationWaitForNetwork}}\"\n{{- end}}\n volumeMounts:\n - name: cni-bin\n mountPath: 
/mnt/cni-bin\n - name: cni-conf\n mountPath: /mnt/cni-conf\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: opflex-hostconfig-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/base-conf.d\n - name: host-config-volume\n mountPath: /usr/local/etc/aci-containers/\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n{{- if eq .AciMultipod \"true\" }}\n - name: dhclient\n mountPath: /var/lib/dhclient\n{{- end}}\n{{- if eq .UseHostNetnsVolume \"true\"}}\n - mountPath: /run/netns\n name: host-run-netns\n readOnly: true\n mountPropagation: HostToContainer\n{{- end}}\n{{- if ne .MultusDisable \"true\"}}\n - name: multus-cni-conf\n mountPath: /mnt/multus-cni-conf\n{{- end}}\n livenessProbe:\n failureThreshold: 10\n httpGet:\n path: /status\n port: 8090\n scheme: HTTP\n initialDelaySeconds: 120\n periodSeconds: 60\n successThreshold: 1\n timeoutSeconds: 30\n - name: opflex-agent\n env:\n - name: REBOOT_WITH_OVS\n value: \"true\"\n{{- if ne .OpflexOpensslCompat \"false\"}}\n - name: OPENSSL_CONF\n value: \"/etc/pki/tls/openssl11.cnf\" \n{{- end}}\n image: {{.AciOpflexContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .OpflexAgentMemoryLimit ) ( .OpflexAgentMemoryRequest )}}\n resources:\n limits:\n{{- if .OpflexAgentMemoryLimit }}\n memory: \"{{ .OpflexAgentMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .OpflexAgentMemoryRequest }}\n memory: \"{{ .OpflexAgentMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}} \n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - NET_ADMIN\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: 
hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: opflex-hostconfig-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/base-conf.d\n - name: opflex-config-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/conf.d\n{{- if eq .RunOpflexServerContainer \"true\"}}\n - name: opflex-server\n image: {{.AciOpflexContainer}}\n command: [\"/bin/sh\"]\n args: [\"/usr/local/bin/launch-opflexserver.sh\"]\n imagePullPolicy: {{.ImagePullPolicy}}\n securityContext:\n capabilities:\n add:\n - NET_ADMIN\n ports:\n - containerPort: {{.OpflexServerPort}}\n - name: metrics\n containerPort: 9632\n terminationMessagePath: /dev/termination-log\n terminationMessagePolicy: File\n volumeMounts:\n - name: opflex-server-config-volume\n mountPath: /usr/local/etc/opflex-server\n - name: hostvar\n mountPath: /usr/local/var\n{{- end}}\n{{- if ne .OpflexMode \"overlay\"}}\n - name: mcast-daemon\n image: {{.AciMcastContainer}}\n command: [\"/bin/sh\"]\n args: [\"/usr/local/bin/launch-mcastdaemon.sh\"]\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .McastDaemonMemoryLimit ) ( .McastDaemonMemoryRequest )}}\n resources:\n limits:\n{{- if .McastDaemonMemoryLimit }}\n memory: \"{{ .McastDaemonMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .McastDaemonMemoryRequest }}\n memory: \"{{ .McastDaemonMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}}\n{{- if eq .UsePrivilegedContainer \"true\"}}\n securityContext:\n privileged: true\n{{- end}}\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n{{- end}}\n restartPolicy: Always\n volumes:\n - name: cni-bin\n hostPath:\n path: /opt\n - name: cni-conf\n hostPath:\n path: /etc\n - name: hostvar\n hostPath:\n path: /var\n - name: hostrun\n hostPath:\n path: /run\n - name: host-config-volume\n configMap:\n name: 
aci-containers-config\n items:\n - key: host-agent-config\n path: host-agent.conf\n - name: opflex-hostconfig-volume\n emptyDir:\n medium: Memory\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n{{- if eq .AciMultipod \"true\" }}\n{{- if eq .AciMultipodUbuntu \"true\" }}\n - name: dhclient\n hostPath:\n path: /var/lib/dhcp\n{{- else}}\n - name: dhclient\n hostPath:\n path: /var/lib/dhclient\n{{- end}}\n{{- end}}\n - name: opflex-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: opflex-agent-config\n path: local.conf\n{{- if eq .UseOpflexServerVolume \"true\"}}\n - name: opflex-server-config-volume\n{{- end}}\n{{- if eq .UseHostNetnsVolume \"true\"}}\n - name: host-run-netns\n hostPath:\n path: /run/netns\n{{- end}}\n{{- if ne .MultusDisable \"true\" }}\n - name: multus-cni-conf\n hostPath:\n path: /var/run/multus/\n{{- end}}\n---\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: aci-containers-openvswitch\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\nspec:\n updateStrategy:\n type: RollingUpdate\n selector:\n matchLabels:\n name: aci-containers-openvswitch\n network-plugin: aci-containers\n template:\n metadata:\n labels:\n name: aci-containers-openvswitch\n network-plugin: aci-containers\n spec:\n hostNetwork: true\n hostPID: true\n hostIPC: true\n serviceAccountName: aci-containers-host-agent\n{{- if ne .ImagePullSecret \"\"}}\n imagePullSecrets:\n - name: {{.ImagePullSecret}}\n{{end}}\n tolerations:\n - operator: Exists \n{{- if ne .UseSystemNodePriorityClass \"false\"}}\n priorityClassName: system-node-critical\n{{- else if .UseAciContainersOpenvswitchPriorityClass}} \n priorityClassName: aci-containers-openvswitch\n{{- else}} \n{{- if ne .NoPriorityClass \"true\"}}\n priorityClassName: system-cluster-critical\n{{- 
end}}\n{{- if eq .UseAciCniPriorityClass \"true\"}}\n priorityClassName: acicni-priority\n{{- end}}\n{{- end}}\n containers:\n - name: aci-containers-openvswitch\n image: {{.AciOpenvSwitchContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n resources:\n limits:\n memory: \"{{.OVSMemoryLimit}}\"\n requests:\n memory: \"{{.OVSMemoryRequest}}\"\n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - NET_ADMIN\n - SYS_MODULE\n - SYS_NICE\n - IPC_LOCK\n env:\n - name: OVS_RUNDIR\n value: /usr/local/var/run/openvswitch\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: hostetc\n mountPath: /usr/local/etc\n - name: hostmodules\n mountPath: /lib/modules\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n livenessProbe:\n exec:\n command:\n - /usr/local/bin/liveness-ovs.sh\n restartPolicy: Always\n volumes:\n - name: hostetc\n hostPath:\n path: /etc\n - name: hostvar\n hostPath:\n path: /var\n - name: hostrun\n hostPath:\n path: /run\n - name: hostmodules\n hostPath:\n path: /lib/modules\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: aci-containers-controller\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n name: aci-containers-controller\nspec:\n replicas: 1\n strategy:\n type: Recreate\n selector:\n matchLabels:\n name: aci-containers-controller\n network-plugin: aci-containers\n template:\n metadata:\n name: aci-containers-controller\n namespace: aci-containers-system\n 
labels:\n name: aci-containers-controller\n network-plugin: aci-containers\n spec:\n hostNetwork: true\n serviceAccountName: aci-containers-controller\n{{- if ne .ImagePullSecret \"\"}}\n imagePullSecrets:\n - name: {{.ImagePullSecret}}\n{{- end}}\n{{- if .Tolerations }}\n tolerations:\n{{ toYaml .Tolerations | indent 6}}\n{{- else }}\n tolerations:\n - effect: NoExecute\n operator: Exists\n tolerationSeconds: {{ .TolerationSeconds }}\n - effect: NoSchedule\n key: node.kubernetes.io/not-ready\n operator: Exists\n - effect: NoSchedule\n key: node-role.kubernetes.io/master\n operator: Exists\n{{- end }}\n{{- if ne .UseSystemNodePriorityClass \"false\"}}\n priorityClassName: system-node-critical\n{{- else if .UseAciContainersControllerPriorityClass}} \n priorityClassName: aci-containers-controller\n{{- else}} \n{{- if ne .NoPriorityClass \"true\"}}\n priorityClassName: system-node-critical\n{{- end}}\n{{- if eq .UseAciCniPriorityClass \"true\"}}\n priorityClassName: acicni-priority\n{{- end}}\n{{- end}}\n containers:\n - name: aci-containers-controller\n image: {{.AciControllerContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .AciContainersControllerMemoryLimit ) ( .AciContainersControllerMemoryRequest )}}\n resources:\n limits:\n{{- if .AciContainersControllerMemoryLimit }}\n memory: \"{{ .AciContainersControllerMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .AciContainersControllerMemoryRequest }}\n memory: \"{{ .AciContainersControllerMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}}\n env:\n - name: WATCH_NAMESPACE\n value: \"\"\n - name: ACI_SNAT_NAMESPACE\n value: \"aci-containers-system\"\n - name: ACI_SNAGLOBALINFO_NAME\n value: \"snatglobalinfo\"\n - name: ACI_RDCONFIG_NAME\n value: \"routingdomain-config\"\n - name: SYSTEM_NAMESPACE\n value: \"aci-containers-system\"\n volumeMounts:\n - name: controller-config-volume\n mountPath: 
/usr/local/etc/aci-containers/\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n - name: aci-user-cert-volume\n mountPath: /usr/local/etc/aci-cert/\n livenessProbe:\n failureThreshold: 10\n httpGet:\n path: /status\n port: 8091\n scheme: HTTP\n initialDelaySeconds: 120\n periodSeconds: 60\n successThreshold: 1\n timeoutSeconds: 30\n volumes:\n{{- if eq .CApic \"true\"}}\n - name: kafka-certs\n secret:\n secretName: kafka-client-certificates\n{{- end}}\n - name: aci-user-cert-volume\n secret:\n secretName: aci-user-cert\n - name: controller-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: controller-config\n path: controller.conf\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n{{- if eq .CApic \"true\"}}\n---\napiVersion: aci.aw/v1\nkind: PodIF\nmetadata:\n name: inet-route\n namespace: kube-system\nstatus:\n epg: aci-containers-inet-out\n ipaddr: 0.0.0.0/0\n{{- end}}\n---\napiVersion: v1\nkind: LimitRange\nmetadata:\n name: memory-limit-range\n namespace: aci-containers-system\nspec:\n limits:\n - default:\n memory: {{ .AciContainersMemoryLimit }}\n defaultRequest:\n memory: {{ .AciContainersMemoryRequest }}\n type: Container\n", "aci-v6.0.3.3": "\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: acicontainersoperators.aci.ctrl\nspec:\n group: aci.ctrl\n names:\n kind: AciContainersOperator\n listKind: AciContainersOperatorList\n plural: acicontainersoperators\n singular: acicontainersoperator\n scope: Namespaced\n versions:\n - name: v1alpha1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n description: acicontainersoperator owns the lifecycle of ACI objects in the 
cluster\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: AciContainersOperatorSpec defines the desired spec for ACI Objects\n properties:\n flavor:\n type: string\n config:\n type: string\n type: object\n status:\n description: AciContainersOperatorStatus defines the successful completion of AciContainersOperator\n properties:\n status:\n type: boolean\n type: object\n required:\n - spec\n type: object\n---\napiVersion: v1\nkind: Namespace\nmetadata:\n name: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: nodepodifs.aci.aw\nspec:\n group: aci.aw\n names:\n kind: NodePodIF\n listKind: NodePodIFList\n plural: nodepodifs\n singular: nodepodif\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n type: object\n properties:\n podifs:\n type: array\n items:\n type: object\n properties:\n containerID:\n type: string\n epg:\n type: string\n ifname:\n type: string\n ipaddr:\n type: string\n macaddr:\n type: string\n podname:\n type: string\n podns:\n type: string\n vtep:\n type: string\n required:\n - spec\n type: object\n---\n{{- if eq .UseAciCniPriorityClass \"true\"}}\napiVersion: scheduling.k8s.io/v1beta1\nkind: PriorityClass\nmetadata:\n name: acicni-priority\nvalue: 1000000000\nglobalDefault: false\ndescription: \"This priority class is used for ACI-CNI resources\"\n---\n{{- end }}\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatglobalinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatGlobalInfo\n listKind: SnatGlobalInfoList\n plural: snatglobalinfos\n singular: snatglobalinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n 
storage: true\n schema:\n openAPIV3Schema:\n description: SnatGlobalInfo is the Schema for the snatglobalinfos API\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n globalInfos:\n additionalProperties:\n items:\n properties:\n macAddress:\n type: string\n portRanges:\n items:\n properties:\n end:\n maximum: 65535\n minimum: 1\n type: integer\n start:\n maximum: 65535\n minimum: 1\n type: integer\n type: object\n type: array\n snatIp:\n type: string\n snatIpUid:\n type: string\n snatPolicyName:\n type: string\n required:\n - macAddress\n - portRanges\n - snatIp\n - snatIpUid\n - snatPolicyName\n type: object\n type: array\n type: object\n required:\n - globalInfos\n type: object\n status:\n description: SnatGlobalInfoStatus defines the observed state of SnatGlobalInfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatlocalinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatLocalInfo\n listKind: SnatLocalInfoList\n plural: snatlocalinfos\n singular: snatlocalinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: SnatLocalInfoSpec defines the desired state of SnatLocalInfo\n properties:\n localInfos:\n items:\n properties:\n podName:\n type: string\n podNamespace:\n type: string\n podUid:\n type: string\n snatPolicies:\n items:\n properties:\n destIp:\n items:\n type: string\n type: array\n name:\n type: string\n snatIp:\n type: string\n required:\n - destIp\n - name\n - snatIp\n type: object\n type: array\n required:\n - podName\n - podNamespace\n - podUid\n - snatPolicies\n type: object\n type: array\n required:\n - localInfos\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: 
snatpolicies.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatPolicy\n listKind: SnatPolicyList\n plural: snatpolicies\n singular: snatpolicy\n scope: Cluster\n versions:\n - name: v1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n type: object\n properties:\n selector:\n type: object\n properties:\n labels:\n type: object\n description: 'Selection of Pods'\n properties:\n additionalProperties:\n type: string\n namespace:\n type: string\n type: object\n snatIp:\n type: array\n items:\n type: string\n destIp:\n type: array\n items:\n type: string\n type: object\n status:\n type: object\n properties:\n additionalProperties:\n type: string\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: nodeinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: NodeInfo\n listKind: NodeInfoList\n plural: nodeinfos\n singular: nodeinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n macaddress:\n type: string\n snatpolicynames:\n additionalProperties:\n type: boolean\n type: object\n type: object\n status:\n description: NodeinfoStatus defines the observed state of Nodeinfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: rdconfigs.aci.snat\nspec:\n group: aci.snat\n names:\n kind: RdConfig\n listKind: RdConfigList\n plural: rdconfigs\n singular: rdconfig\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n discoveredsubnets:\n items:\n type: string\n type: array\n 
usersubnets:\n items:\n type: string\n type: array\n type: object\n status:\n description: NodeinfoStatus defines the observed state of Nodeinfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: networkpolicies.aci.netpol\nspec:\n group: aci.netpol\n names:\n kind: NetworkPolicy\n listKind: NetworkPolicyList\n plural: networkpolicies\n singular: networkpolicy\n scope: Namespaced\n versions:\n - name: v1\n schema:\n openAPIV3Schema:\n description: Network Policy describes traffic flow at IP address or port level\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n appliedTo:\n properties:\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: allow ingress from the same namespace\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n egress:\n description: Set of egress rules evaluated based on the order in which they are set.\n items:\n properties:\n action:\n description: Action specifies the action to be applied on the rule.\n type: string\n enableLogging:\n description: EnableLogging is used to indicate if agent should generate logs default to false.\n type: boolean\n ports:\n description: Set of port and protocol allowed/denied by the rule. 
If this field is unset or empty, this rule matches all ports.\n items:\n description: NetworkPolicyPort describes the port and protocol to match in a rule.\n properties:\n endPort:\n description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical port is specified.\n format: int32\n type: integer\n port:\n anyOf:\n - type: integer\n - type: string\n description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers.\n x-kubernetes-int-or-string: true\n protocol:\n default: TCP\n description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.\n type: string\n type: object\n type: array\n to:\n description: Rule is matched if traffic is intended for workloads selected by this field. If this field is empty or missing, this rule matches all destinations.\n items:\n properties:\n ipBlock:\n description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector.\n properties:\n cidr:\n description: CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\"\n type: string\n except:\n description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\" Except values will be rejected if they are outside the CIDR range\n items:\n type: string\n type: array\n required:\n - cidr\n type: object\n namespaceSelector:\n description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except PodSelector or ExternalEntitySelector.\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: Select Pods from NetworkPolicys Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. 
This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n type: array\n toFqDn:\n properties:\n matchNames:\n items:\n type: string\n type: array\n required:\n - matchNames\n type: object\n required:\n - enableLogging\n - toFqDn\n type: object\n type: array\n ingress:\n description: Set of ingress rules evaluated based on the order in which they are set.\n items:\n properties:\n action:\n description: Action specifies the action to be applied on the rule.\n type: string\n enableLogging:\n description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false.\n type: boolean\n from:\n description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources.\n items:\n properties:\n ipBlock:\n description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector.\n properties:\n cidr:\n description: CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\"\n type: string\n except:\n description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\" Except values will be rejected if they are outside the CIDR range\n items:\n type: string\n type: array\n required:\n - cidr\n type: object\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. 
If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: Select Pods from NetworkPolicys Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.\n properties:\n matchExpressions:\n description: matchExpressions is a list of label selector requirements. The requirements are ANDed.\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n type: array\n ports:\n description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports.\n items:\n description: NetworkPolicyPort describes the port and protocol to match in a rule.\n properties:\n endPort:\n description: EndPort defines the end of the port range, being the end included within the range. 
It can only be specified when a numerical port is specified.\n format: int32\n type: integer\n port:\n anyOf:\n - type: integer\n - type: string\n description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers.\n x-kubernetes-int-or-string: true\n protocol:\n default: TCP\n description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.\n type: string\n type: object\n type: array\n type: object\n type: array\n policyTypes:\n items:\n description: Policy Type string describes the NetworkPolicy type This type is beta-level in 1.8\n type: string\n type: array\n priority:\n description: Priority specfies the order of the NetworkPolicy relative to other NetworkPolicies.\n type: integer\n type:\n description: type of the policy.\n type: string\n required:\n - type\n type: object\n required:\n - spec\n type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: dnsnetworkpolicies.aci.dnsnetpol\nspec:\n group: aci.dnsnetpol\n names:\n kind: DnsNetworkPolicy\n listKind: DnsNetworkPolicyList\n plural: dnsnetworkpolicies\n singular: dnsnetworkpolicy\n scope: Namespaced\n versions:\n - name: v1beta\n schema:\n openAPIV3Schema:\n description: dns network Policy\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n appliedTo:\n properties:\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: allow 
ingress from the same namespace\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n egress:\n description: Set of egress rules evaluated based on the order in which they are set.\n properties:\n toFqdn:\n properties:\n matchNames:\n items:\n type: string\n type: array\n required:\n - matchNames\n type: object\n required:\n - toFqdn\n type: object\n type: object\n required:\n - spec\n type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: qospolicies.aci.qos\nspec:\n group: aci.qos\n names:\n kind: QosPolicy\n listKind: QosPolicyList\n plural: qospolicies\n singular: qospolicy\n scope: Namespaced\n preserveUnknownFields: false\n versions:\n - name: v1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n podSelector:\n description: 'Selection of Pods'\n type: object\n properties:\n matchLabels:\n type: object\n description:\n ingress:\n type: object\n properties:\n policing_rate:\n type: integer\n minimum: 0\n policing_burst:\n type: integer\n minimum: 0\n egress:\n type: object\n properties:\n 
policing_rate:\n type: integer\n minimum: 0\n policing_burst:\n type: integer\n minimum: 0\n dscpmark:\n type: integer\n default: 0\n minimum: 0\n maximum: 63\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: netflowpolicies.aci.netflow\nspec:\n group: aci.netflow\n names:\n kind: NetflowPolicy\n listKind: NetflowPolicyList\n plural: netflowpolicies\n singular: netflowpolicy\n scope: Cluster\n preserveUnknownFields: false\n versions:\n - name: v1alpha\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n flowSamplingPolicy:\n type: object\n properties:\n destIp:\n type: string\n destPort:\n type: integer\n minimum: 0\n maximum: 65535\n default: 2055\n flowType:\n type: string\n enum:\n - netflow\n - ipfix\n default: netflow\n activeFlowTimeOut:\n type: integer\n minimum: 0\n maximum: 3600\n default: 60\n idleFlowTimeOut:\n type: integer\n minimum: 0\n maximum: 600\n default: 15\n samplingRate:\n type: integer\n minimum: 0\n maximum: 1000\n default: 0\n required:\n - destIp\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: erspanpolicies.aci.erspan\nspec:\n group: aci.erspan\n names:\n kind: ErspanPolicy\n listKind: ErspanPolicyList\n plural: erspanpolicies\n singular: erspanpolicy\n scope: Cluster\n preserveUnknownFields: false\n versions:\n - name: v1alpha\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n selector:\n type: object\n description: 'Selection of Pods'\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n namespace:\n type: string\n source:\n type: object\n properties:\n adminState:\n description: 
Administrative state.\n default: start\n type: string\n enum:\n - start\n - stop\n direction:\n description: Direction of the packets to monitor.\n default: both\n type: string\n enum:\n - in\n - out\n - both\n destination:\n type: object\n properties:\n destIP:\n description: Destination IP of the ERSPAN packet.\n type: string\n flowID:\n description: Unique flow ID of the ERSPAN packet.\n default: 1\n type: integer\n minimum: 1\n maximum: 1023\n required:\n - destIP\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: enabledroplogs.aci.droplog\nspec:\n group: aci.droplog\n names:\n kind: EnableDropLog\n listKind: EnableDropLogList\n plural: enabledroplogs\n singular: enabledroplog\n scope: Cluster\n versions:\n - name: v1alpha1\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n description: Defines the desired state of EnableDropLog\n type: object\n properties:\n disableDefaultDropLog:\n description: Disables the default droplog enabled by acc-provision.\n default: false\n type: boolean\n nodeSelector:\n type: object\n description: Drop logging is enabled on nodes selected based on labels\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: prunedroplogs.aci.droplog\nspec:\n group: aci.droplog\n names:\n kind: PruneDropLog\n listKind: PruneDropLogList\n plural: prunedroplogs\n singular: prunedroplog\n scope: Cluster\n versions:\n - name: v1alpha1\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n description: Defines the desired state of PruneDropLog\n 
type: object\n properties:\n nodeSelector:\n type: object\n description: Drop logging filters are applied to nodes selected based on labels\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n dropLogFilters:\n type: object\n properties:\n srcIP:\n type: string\n destIP:\n type: string\n srcMAC:\n type: string\n destMAC:\n type: string\n srcPort:\n type: integer\n destPort:\n type: integer\n ipProto:\n type: integer\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: accprovisioninputs.aci.ctrl\nspec:\n group: aci.ctrl\n names:\n kind: AccProvisionInput\n listKind: AccProvisionInputList\n plural: accprovisioninputs\n singular: accprovisioninput\n scope: Namespaced\n versions:\n - name: v1alpha1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n description: accprovisioninput defines the input configuration for ACI CNI\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: AccProvisionInputSpec defines the desired spec for accprovisioninput object\n properties:\n acc_provision_input:\n type: object\n properties:\n operator_managed_config:\n type: object\n properties:\n enable_updates:\n type: boolean\n aci_config:\n type: object\n properties:\n sync_login:\n type: object\n properties:\n certfile:\n type: string\n keyfile:\n type: string\n client_ssl:\n type: boolean\n net_config:\n type: object\n properties:\n interface_mtu:\n type: integer\n service_monitor_interval:\n type: integer\n pbr_tracking_non_snat:\n type: boolean\n pod_subnet_chunk_size:\n type: integer\n disable_wait_for_network:\n type: boolean\n duration_wait_for_network:\n type: integer\n registry:\n type: object\n properties:\n image_prefix:\n type: string\n image_pull_secret:\n type: string\n aci_containers_operator_version:\n type: string\n aci_containers_controller_version:\n type: string\n 
aci_containers_host_version:\n type: string\n acc_provision_operator_version:\n type: string\n aci_cni_operator_version:\n type: string\n cnideploy_version:\n type: string\n opflex_agent_version:\n type: string\n openvswitch_version:\n type: string\n gbp_version:\n type: string\n logging:\n type: object\n properties:\n controller_log_level:\n type: string\n hostagent_log_level:\n type: string\n opflexagent_log_level:\n type: string\n istio_config:\n type: object\n properties:\n install_istio:\n type: boolean\n install_profile:\n type: string\n multus:\n type: object\n properties:\n disable:\n type: boolean\n drop_log_config:\n type: object\n properties:\n enable:\n type: boolean\n nodepodif_config:\n type: object\n properties:\n enable:\n type: boolean\n sriov_config:\n type: object\n properties:\n enable:\n type: boolean\n kube_config:\n type: object\n properties:\n ovs_memory_limit:\n type: string\n use_privileged_containers:\n type: boolean\n image_pull_policy:\n type: string\n reboot_opflex_with_ovs:\n type: string\n snat_operator:\n type: object\n properties:\n port_range:\n type: object\n properties:\n start:\n type: integer\n end:\n type: integer\n ports_per_node:\n type: integer\n contract_scope:\n type: string\n disable_periodic_snat_global_info_sync:\n type: boolean\n type: object\n status:\n description: AccProvisionInputStatus defines the successful completion of AccProvisionInput\n properties:\n status:\n type: boolean\n type: object\n required:\n - spec\n type: object\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: aci-containers-config\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\ndata:\n controller-config: |-\n {\n \"log-level\": \"{{.ControllerLogLevel}}\",\n \"apic-hosts\": {{.ApicHosts}},\n{{- if ne .AciMultipod \"false\" }}\n \"aci-multipod\": {{.AciMultipod}},\n{{- end}}\n{{- if .OpflexDeviceReconnectWaitTimeout }}\n 
\"opflex-device-reconnect-wait-timeout\": {{.OpflexDeviceReconnectWaitTimeout}},\n{{- end}}\n \"apic-refreshtime\": \"{{.ApicRefreshTime}}\",\n \"apic-subscription-delay\": {{.ApicSubscriptionDelay}},\n \"apic_refreshticker_adjust\": \"{{.ApicRefreshTickerAdjust}}\",\n \"apic-username\": \"{{.ApicUserName}}\",\n \"apic-private-key-path\": \"/usr/local/etc/aci-cert/user.key\",\n \"aci-prefix\": \"{{.SystemIdentifier}}\",\n \"aci-vmm-type\": \"Kubernetes\",\n{{- if ne .VmmDomain \"\"}}\n \"aci-vmm-domain\": \"{{.VmmDomain}}\",\n{{- else}}\n \"aci-vmm-domain\": \"{{.SystemIdentifier}}\",\n{{- end}}\n{{- if ne .VmmController \"\"}}\n \"aci-vmm-controller\": \"{{.VmmController}}\",\n{{- else}}\n \"aci-vmm-controller\": \"{{.SystemIdentifier}}\",\n{{- end}}\n \"aci-policy-tenant\": \"{{.Tenant}}\",\n{{- if ne .CApic \"false\"}}\n \"lb-type\": \"None\",\n{{- end}}\n{{- if ne .HppOptimization \"false\"}}\n \"hpp-optimization\": {{.HppOptimization}},\n{{- end}}\n{{- if ne .NoWaitForServiceEpReadiness \"false\"}}\n \"no-wait-for-service-ep-readiness\": {{.NoWaitForServiceEpReadiness}},\n{{- end}}\n{{- if ne .ServiceGraphEndpointAddDelay \"0\"}}\n \"service-graph-endpoint-add-delay\" : {\n \"delay\": {{.ServiceGraphEndpointAddDelay}},\n \"services\": [{{- range $index, $item :=.ServiceGraphEndpointAddServices }}{{- if $index}},{{end}}{ {{- range $k, $v := $item }}\"{{ $k }}\": \"{{ $v }}\"{{if eq $k \"name\"}},{{end}}{{- end}}}{{end}}]\n },\n{{- end}}\n{{- if ne .AddExternalSubnetsToRdconfig \"false\"}}\n \"add-external-subnets-to-rdconfig\": {{.AddExternalSubnetsToRdconfig}},\n{{- end}}\n{{- if ne .DisablePeriodicSnatGlobalInfoSync \"false\"}}\n \"disable-periodic-snat-global-info-sync\": {{.DisablePeriodicSnatGlobalInfoSync}},\n{{- end}}\n{{- if .NodeSnatRedirectExclude }}\n \"node-snat-redirect-exclude\": [{{ range $index,$item := .NodeSnatRedirectExclude}}{{- if $index}}, {{end }}{\"group\": \"{{ index $item \"group\" }}\", \"labels\": {{ index $item \"labels\" }}}{{ end 
}}],\n{{- end }}\n \"opflex-device-delete-timeout\": {{.OpflexDeviceDeleteTimeout}},\n \"sleep-time-snat-global-info-sync\": {{.SleepTimeSnatGlobalInfoSync}},\n \"install-istio\": {{.InstallIstio}},\n \"istio-profile\": \"{{.IstioProfile}}\",\n{{- if ne .CApic \"true\"}}\n \"aci-podbd-dn\": \"uni/tn-{{.Tenant}}/BD-aci-containers-{{.SystemIdentifier}}-pod-bd\",\n \"aci-nodebd-dn\": \"uni/tn-{{.Tenant}}/BD-aci-containers-{{.SystemIdentifier}}-node-bd\",\n{{- end}}\n \"aci-service-phys-dom\": \"{{.SystemIdentifier}}-pdom\",\n \"aci-service-encap\": \"vlan-{{.ServiceVlan}}\",\n \"aci-service-monitor-interval\": {{.ServiceMonitorInterval}},\n \"aci-pbr-tracking-non-snat\": {{.PBRTrackingNonSnat}},\n \"aci-vrf-tenant\": \"{{.VRFTenant}}\",\n \"aci-l3out\": \"{{.L3Out}}\",\n \"aci-ext-networks\": {{.L3OutExternalNetworks}},\n{{- if ne .CApic \"true\"}}\n \"aci-vrf\": \"{{.VRFName}}\",\n{{- else}}\n \"aci-vrf\": \"{{.OverlayVRFName}}\",\n{{- end}}\n \"app-profile\": \"aci-containers-{{.SystemIdentifier}}\",\n{{- if ne .AddExternalContractToDefaultEpg \"false\"}}\n \"add-external-contract-to-default-epg\": {{.AddExternalContractToDefaultEpg}},\n{{- end}} \n \"default-endpoint-group\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-default\"\n{{- else}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}\"\n{{- end}}\n },\n \"max-nodes-svc-graph\": {{.MaxNodesSvcGraph}},\n \"namespace-default-endpoint-group\": {\n \"aci-containers-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"istio-operator\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"istio-system\": 
{\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"kube-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-prometheus\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-logging\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n } },\n \"service-ip-pool\": [{{- range $index, $item := .ServiceIPPool }}{{- if $index}},{{end}}{ \"start\": \"{{ $item.Start }}\", \"end\": \"{{ $item.End}}\" }{{end}}],\n \"extern-static\": [{{- range $index, $item := .StaticExternalSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"extern-dynamic\": [{{- range $index, $item := .DynamicExternalSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"snat-contract-scope\": \"{{.SnatContractScope}}\",\n \"static-service-ip-pool\": [{{- range $index, $item := .StaticServiceIPPool }}{{- if $index}},{{end}}{ \"start\": \"{{ $item.Start }}\", \"end\": \"{{ $item.End }}\" }{{end}}],\n \"pod-ip-pool\": [{{- range $index, $item := .PodIPPool }}{{- if $index}},{{end}}{ \"start\": \"{{ $item.Start }}\", \"end\": \"{{ $item.End}}\" }{{end}}],\n \"pod-subnet-chunk-size\": {{.PodSubnetChunkSize}},\n 
\"node-service-ip-pool\": [\n {\n \"end\": \"{{.NodeServiceIPEnd}}\",\n \"start\": \"{{.NodeServiceIPStart}}\"\n }\n ],\n \"node-service-subnets\": [\n \"{{.ServiceGraphSubnet}}\"\n ],\n \"enable_endpointslice\": {{.EnableEndpointSlice}}\n }\n host-agent-config: |-\n {\n \"app-profile\": \"aci-containers-{{.SystemIdentifier}}\",\n{{- if ne .EpRegistry \"\"}}\n \"ep-registry\": \"{{.EpRegistry}}\",\n{{- else}}\n \"ep-registry\": null,\n{{- end}}\n{{- if ne .AciMultipod \"false\" }}\n \"aci-multipod\": {{.AciMultipod}},\n{{- end}}\n{{- if ne .DhcpRenewMaxRetryCount \"0\" }}\n \"dhcp-renew-max-retry-count\": {{.DhcpRenewMaxRetryCount}},\n{{- end}}\n{{- if ne .DhcpDelay \"0\" }}\n \"dhcp-delay\": {{.DhcpDelay}},\n{{- end}}\n{{- if ne .EnableOpflexAgentReconnect \"false\"}}\n \"enable-opflex-agent-reconnect\": {{.EnableOpflexAgentReconnect}},\n{{- end}}\n{{- if ne .OpflexMode \"\"}}\n \"opflex-mode\": \"{{.OpflexMode}}\",\n{{- else}}\n \"opflex-mode\": null,\n{{- end}}\n \"log-level\": \"{{.HostAgentLogLevel}}\",\n \"aci-snat-namespace\": \"{{.SnatNamespace}}\",\n \"aci-vmm-type\": \"Kubernetes\",\n{{- if ne .VmmDomain \"\"}}\n \"aci-vmm-domain\": \"{{.VmmDomain}}\",\n{{- else}}\n \"aci-vmm-domain\": \"{{.SystemIdentifier}}\",\n{{- end}}\n{{- if ne .VmmController \"\"}}\n \"aci-vmm-controller\": \"{{.VmmController}}\",\n{{- else}}\n \"aci-vmm-controller\": \"{{.SystemIdentifier}}\",\n{{- end}}\n \"aci-prefix\": \"{{.SystemIdentifier}}\",\n{{- if ne .CApic \"true\"}}\n \"aci-vrf\": \"{{.VRFName}}\",\n{{- else}}\n \"aci-vrf\": \"{{.OverlayVRFName}}\",\n{{- end}}\n \"aci-vrf-tenant\": \"{{.VRFTenant}}\",\n \"service-vlan\": {{.ServiceVlan}},\n \"kubeapi-vlan\": {{.KubeAPIVlan}},\n{{- if ne .HppOptimization \"false\"}}\n \"hpp-optimization\": {{.HppOptimization}},\n{{- end}}\n \"pod-subnet\": [{{- range $index, $item := .PodSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"node-subnet\": [{{- range $index, $item := .NodeSubnet }}{{- if 
$index}},{{end}}{{$item}}{{end}}],\n \"encap-type\": \"{{.EncapType}}\",\n \"aci-infra-vlan\": {{.InfraVlan}},\n{{- if .MTU}}\n{{- if ne .MTU 0}}\n \"interface-mtu\": {{.MTU}},\n{{- end}}\n{{- end}}\n{{- if .MTUHeadRoom}}\n{{- if ne .MTUHeadRoom \"0\"}}\n \"interface-mtu-headroom\": {{.MTUHeadRoom}},\n{{- end}}\n{{- end}}\n \"cni-netconfig\": [{{- range $index, $item := .PodNetwork }}{{- if $index}},{{end}}{ \"gateway\": \"{{ $item.Gateway }}\", \"subnet\": \"{{ $item.Subnet }}\", \"routes\": [{ \"dst\": \"0.0.0.0/0\", \"gw\": \"{{ $item.Gateway }}\" }]}{{end}}],\n \"default-endpoint-group\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-default\"\n{{- else}}\n \"name\": \"aci-containers-default\"\n{{- end}}\n },\n \"namespace-default-endpoint-group\": {\n \"aci-containers-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"istio-operator\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"istio-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"kube-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- 
end}}\n },\n \"cattle-prometheus\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-logging\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n } },\n \"enable-drop-log\": {{.DropLogEnable}},\n \"enable_endpointslice\": {{.EnableEndpointSlice}},\n \"enable-nodepodif\": {{.NodePodIfEnable}},\n \"enable-ovs-hw-offload\": {{.SriovEnable}}\n }\n opflex-agent-config: |-\n {\n \"log\": {\n \"level\": \"{{.OpflexAgentLogLevel}}\"\n },\n \"opflex\": {\n{{- if eq .OpflexClientSSL \"false\"}}\n \"ssl\": { \"mode\": \"disabled\"},\n{{- end}}\n{{- if eq .OpflexAgentStatistics \"false\"}}\n \"statistics\" : { \"mode\" : \"off\" },\n{{- end}}\n{{- if ne .OpflexAgentPolicyRetryDelayTimer \"10\" }}\n \"timers\" : { \"policy-retry-delay\": {{.OpflexAgentPolicyRetryDelayTimer}} },\n{{- end}}\n \"notif\" : { \"enabled\" : \"false\" },\n \"asyncjson\": { \"enabled\" : {{.OpflexAgentOpflexAsyncjsonEnabled}} }\n },\n \"ovs\": {\n \"asyncjson\": { \"enabled\" : {{.OpflexAgentOvsAsyncjsonEnabled}} }\n }\n }\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: snat-operator-config\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\ndata:\n \"start\": \"{{.SnatPortRangeStart}}\"\n \"end\": \"{{.SnatPortRangeEnd}}\"\n \"ports-per-node\": \"{{.SnatPortsPerNode}}\"\n---\napiVersion: v1\nkind: Secret\nmetadata:\n name: aci-user-cert\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\ndata:\n user.key: {{.ApicUserKey}}\n user.crt: {{.ApicUserCrt}}\n---\n{{- if eq .CApic \"true\"}}\napiVersion: v1\nkind: Secret\nmetadata:\n name: 
kafka-client-certificates\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\ndata:\n ca.crt: {{.KafkaClientCrt}}\n kafka-client.crt: {{.KafkaClientCrt}}\n kafka-client.key: {{.KafkaClientKey}}\n---\n{{- end}}\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: aci-containers-controller\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: aci-containers-host-agent\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n---\n{{- if eq .UseClusterRole \"true\"}}\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n name: aci-containers-controller\nrules:\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - namespaces\n - pods\n - endpoints\n - services\n - events\n - replicationcontrollers\n - serviceaccounts\n verbs:\n - list\n - watch\n - get\n - patch\n - create\n - update\n - delete\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n- apiGroups:\n - \"apiextensions.k8s.io\"\n resources:\n - customresourcedefinitions\n verbs:\n - '*'\n- apiGroups:\n - \"rbac.authorization.k8s.io\"\n resources:\n - clusterroles\n - clusterrolebindings\n verbs:\n - '*'\n{{- if ne .InstallIstio \"false\"}}\n- apiGroups:\n - \"install.istio.io\"\n resources:\n - istiocontrolplanes\n - istiooperators\n verbs:\n - '*'\n- apiGroups:\n - \"aci.istio\"\n resources:\n - aciistiooperators\n - aciistiooperator\n verbs:\n - '*'\n{{- end}}\n- apiGroups:\n - \"networking.k8s.io\"\n resources:\n - networkpolicies\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"apps\"\n resources:\n - deployments\n - replicasets\n - daemonsets\n - statefulsets\n verbs:\n - '*'\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - services/status\n 
verbs:\n - update\n- apiGroups:\n - \"monitoring.coreos.com\"\n resources:\n - servicemonitors\n verbs:\n - get\n - create\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatpolicies/finalizers\n - snatpolicies/status\n - nodeinfos\n verbs:\n - update\n - create\n - list\n - watch\n - get\n - delete\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatglobalinfos\n - snatpolicies\n - nodeinfos\n - rdconfigs\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n- apiGroups:\n - \"aci.qos\"\n resources:\n - qospolicies\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n - patch\n- apiGroups:\n - \"aci.netflow\"\n resources:\n - netflowpolicies\n verbs:\n - list\n - watch\n - get\n - update\n- apiGroups:\n - \"aci.erspan\"\n resources:\n - erspanpolicies\n verbs:\n - list\n - watch\n - get\n - update\n- apiGroups:\n - \"aci.aw\"\n resources:\n - nodepodifs\n verbs:\n - '*'\n- apiGroups:\n - apps.openshift.io\n resources:\n - deploymentconfigs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - discovery.k8s.io\n resources:\n - endpointslices\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.netpol\"\n resources:\n - networkpolicies\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - delete\n- apiGroups:\n - \"aci.dnsnetpol\"\n resources:\n - dnsnetworkpolicies\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - delete\n---\n{{- end}}\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n name: aci-containers-host-agent\nrules:\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - namespaces\n - pods\n - endpoints\n - services\n - replicationcontrollers\n verbs:\n - list\n - watch\n - get\n{{- if ne .DropLogEnable \"false\"}}\n - update\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - create\n - patch\n{{- end}}\n- apiGroups:\n - \"apiextensions.k8s.io\"\n resources:\n - 
customresourcedefinitions\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"networking.k8s.io\"\n resources:\n - networkpolicies\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"apps\"\n resources:\n - deployments\n - replicasets\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatpolicies\n - snatglobalinfos\n - rdconfigs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.qos\"\n resources:\n - qospolicies\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n - patch\n- apiGroups:\n - \"aci.droplog\"\n resources:\n - enabledroplogs\n - prunedroplogs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.snat\"\n resources:\n - nodeinfos\n - snatlocalinfos\n verbs:\n - create\n - update\n - list\n - watch\n - get\n - delete\n- apiGroups:\n - discovery.k8s.io\n resources:\n - endpointslices\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.netpol\"\n resources:\n - networkpolicies\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.aw\"\n resources:\n - nodepodifs\n verbs:\n - \"*\"\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: aci-containers-controller\n labels:\n aci-containers-config-version: \"{{.Token}}\"\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: aci-containers-controller\nsubjects:\n- kind: ServiceAccount\n name: aci-containers-controller\n namespace: aci-containers-system\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: aci-containers-host-agent\n labels:\n aci-containers-config-version: \"{{.Token}}\"\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: aci-containers-host-agent\nsubjects:\n- kind: ServiceAccount\n name: aci-containers-host-agent\n namespace: aci-containers-system\n---\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: aci-containers-host\n namespace: aci-containers-system\n labels:\n 
aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\nspec:\n updateStrategy:\n type: RollingUpdate\n selector:\n matchLabels:\n name: aci-containers-host\n network-plugin: aci-containers\n template:\n metadata:\n labels:\n name: aci-containers-host\n network-plugin: aci-containers\n annotations:\n prometheus.io/scrape: \"true\"\n prometheus.io/port: \"9612\"\n spec:\n hostNetwork: true\n hostPID: true\n hostIPC: true\n serviceAccountName: aci-containers-host-agent\n{{- if ne .ImagePullSecret \"\"}}\n imagePullSecrets:\n - name: {{.ImagePullSecret}}\n{{- end}}\n tolerations:\n - operator: Exists\n initContainers:\n - name: cnideploy\n image: {{.AciCniDeployContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - SYS_ADMIN\n volumeMounts:\n - name: cni-bin\n mountPath: /mnt/cni-bin\n{{- if ne .UseSystemNodePriorityClass \"false\"}}\n priorityClassName: system-node-critical\n{{- else if .UseAciContainersHostPriorityClass}} \n priorityClassName: aci-containers-host\n{{- else}} \n{{- if ne .NoPriorityClass \"true\"}}\n priorityClassName: system-cluster-critical\n{{- end}}\n{{- if eq .UseAciCniPriorityClass \"true\"}}\n priorityClassName: acicni-priority\n{{- end}}\n{{- end}}\n containers:\n - name: aci-containers-host\n image: {{.AciHostContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .AciContainersHostMemoryLimit ) ( .AciContainersHostMemoryRequest )}}\n resources:\n limits:\n{{- if .AciContainersHostMemoryLimit }}\n memory: \"{{ .AciContainersHostMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .AciContainersHostMemoryRequest }}\n memory: \"{{ .AciContainersHostMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}}\n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n 
capabilities:\n add:\n - SYS_ADMIN\n - NET_ADMIN\n - SYS_PTRACE\n - NET_RAW\n env:\n - name: KUBERNETES_NODE_NAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n - name: TENANT\n value: \"{{.Tenant}}\"\n{{- if ne .MultusDisable \"true\"}}\n - name: MULTUS\n value: true\n{{- end}}\n{{- if eq .DisableWaitForNetwork \"true\"}}\n - name: DISABLE_WAIT_FOR_NETWORK\n value: true\n{{- else}}\n - name: DURATION_WAIT_FOR_NETWORK\n value: \"{{.DurationWaitForNetwork}}\"\n{{- end}}\n volumeMounts:\n - name: cni-bin\n mountPath: /mnt/cni-bin\n - name: cni-conf\n mountPath: /mnt/cni-conf\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: opflex-hostconfig-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/base-conf.d\n - name: host-config-volume\n mountPath: /usr/local/etc/aci-containers/\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n{{- if eq .AciMultipod \"true\" }}\n - name: dhclient\n mountPath: /var/lib/dhclient\n{{- end}}\n{{- if eq .UseHostNetnsVolume \"true\"}}\n - mountPath: /run/netns\n name: host-run-netns\n readOnly: true\n mountPropagation: HostToContainer\n{{- end}}\n{{- if ne .MultusDisable \"true\"}}\n - name: multus-cni-conf\n mountPath: /mnt/multus-cni-conf\n{{- end}}\n livenessProbe:\n failureThreshold: 10\n httpGet:\n path: /status\n port: 8090\n scheme: HTTP\n initialDelaySeconds: 120\n periodSeconds: 60\n successThreshold: 1\n timeoutSeconds: 30\n - name: opflex-agent\n env:\n - name: REBOOT_WITH_OVS\n value: \"true\"\n{{- if ne .OpflexOpensslCompat \"false\"}}\n - name: OPENSSL_CONF\n value: \"/etc/pki/tls/openssl11.cnf\" \n{{- end}}\n image: {{.AciOpflexContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .OpflexAgentMemoryLimit ) ( .OpflexAgentMemoryRequest )}}\n resources:\n 
limits:\n{{- if .OpflexAgentMemoryLimit }}\n memory: \"{{ .OpflexAgentMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .OpflexAgentMemoryRequest }}\n memory: \"{{ .OpflexAgentMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}} \n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - NET_ADMIN\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: opflex-hostconfig-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/base-conf.d\n - name: opflex-config-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/conf.d\n{{- if eq .RunOpflexServerContainer \"true\"}}\n - name: opflex-server\n image: {{.AciOpflexContainer}}\n command: [\"/bin/sh\"]\n args: [\"/usr/local/bin/launch-opflexserver.sh\"]\n imagePullPolicy: {{.ImagePullPolicy}}\n securityContext:\n capabilities:\n add:\n - NET_ADMIN\n ports:\n - containerPort: {{.OpflexServerPort}}\n - name: metrics\n containerPort: 9632\n terminationMessagePath: /dev/termination-log\n terminationMessagePolicy: File\n volumeMounts:\n - name: opflex-server-config-volume\n mountPath: /usr/local/etc/opflex-server\n - name: hostvar\n mountPath: /usr/local/var\n{{- end}}\n{{- if ne .OpflexMode \"overlay\"}}\n - name: mcast-daemon\n image: {{.AciMcastContainer}}\n command: [\"/bin/sh\"]\n args: [\"/usr/local/bin/launch-mcastdaemon.sh\"]\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .McastDaemonMemoryLimit ) ( .McastDaemonMemoryRequest )}}\n resources:\n limits:\n{{- if .McastDaemonMemoryLimit }}\n memory: \"{{ .McastDaemonMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .McastDaemonMemoryRequest }}\n memory: \"{{ .McastDaemonMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- 
end}}\n{{- end}}\n{{- if eq .UsePrivilegedContainer \"true\"}}\n securityContext:\n privileged: true\n{{- end}}\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n{{- end}}\n restartPolicy: Always\n volumes:\n - name: cni-bin\n hostPath:\n path: /opt\n - name: cni-conf\n hostPath:\n path: /etc\n - name: hostvar\n hostPath:\n path: /var\n - name: hostrun\n hostPath:\n path: /run\n - name: host-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: host-agent-config\n path: host-agent.conf\n - name: opflex-hostconfig-volume\n emptyDir:\n medium: Memory\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n{{- if eq .AciMultipod \"true\" }}\n{{- if eq .AciMultipodUbuntu \"true\" }}\n - name: dhclient\n hostPath:\n path: /var/lib/dhcp\n{{- else}}\n - name: dhclient\n hostPath:\n path: /var/lib/dhclient\n{{- end}}\n{{- end}}\n - name: opflex-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: opflex-agent-config\n path: local.conf\n{{- if eq .UseOpflexServerVolume \"true\"}}\n - name: opflex-server-config-volume\n{{- end}}\n{{- if eq .UseHostNetnsVolume \"true\"}}\n - name: host-run-netns\n hostPath:\n path: /run/netns\n{{- end}}\n{{- if ne .MultusDisable \"true\" }}\n - name: multus-cni-conf\n hostPath:\n path: /var/run/multus/\n{{- end}}\n---\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: aci-containers-openvswitch\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\nspec:\n updateStrategy:\n type: RollingUpdate\n selector:\n matchLabels:\n name: aci-containers-openvswitch\n network-plugin: aci-containers\n template:\n metadata:\n labels:\n name: aci-containers-openvswitch\n network-plugin: aci-containers\n spec:\n 
hostNetwork: true\n hostPID: true\n hostIPC: true\n serviceAccountName: aci-containers-host-agent\n{{- if ne .ImagePullSecret \"\"}}\n imagePullSecrets:\n - name: {{.ImagePullSecret}}\n{{end}}\n tolerations:\n - operator: Exists \n{{- if ne .UseSystemNodePriorityClass \"false\"}}\n priorityClassName: system-node-critical\n{{- else if .UseAciContainersOpenvswitchPriorityClass}} \n priorityClassName: aci-containers-openvswitch\n{{- else}} \n{{- if ne .NoPriorityClass \"true\"}}\n priorityClassName: system-cluster-critical\n{{- end}}\n{{- if eq .UseAciCniPriorityClass \"true\"}}\n priorityClassName: acicni-priority\n{{- end}}\n{{- end}}\n containers:\n - name: aci-containers-openvswitch\n image: {{.AciOpenvSwitchContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n resources:\n limits:\n memory: \"{{.OVSMemoryLimit}}\"\n requests:\n memory: \"{{.OVSMemoryRequest}}\"\n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - NET_ADMIN\n - SYS_MODULE\n - SYS_NICE\n - IPC_LOCK\n env:\n - name: OVS_RUNDIR\n value: /usr/local/var/run/openvswitch\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: hostetc\n mountPath: /usr/local/etc\n - name: hostmodules\n mountPath: /lib/modules\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n livenessProbe:\n exec:\n command:\n - /usr/local/bin/liveness-ovs.sh\n restartPolicy: Always\n volumes:\n - name: hostetc\n hostPath:\n path: /etc\n - name: hostvar\n hostPath:\n path: /var\n - name: hostrun\n hostPath:\n path: /run\n - name: hostmodules\n hostPath:\n path: /lib/modules\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: 
varlibdocker\n hostPath:\n path: /var/lib/docker\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: aci-containers-controller\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n name: aci-containers-controller\nspec:\n replicas: 1\n strategy:\n type: Recreate\n selector:\n matchLabels:\n name: aci-containers-controller\n network-plugin: aci-containers\n template:\n metadata:\n name: aci-containers-controller\n namespace: aci-containers-system\n labels:\n name: aci-containers-controller\n network-plugin: aci-containers\n spec:\n hostNetwork: true\n serviceAccountName: aci-containers-controller\n{{- if ne .ImagePullSecret \"\"}}\n imagePullSecrets:\n - name: {{.ImagePullSecret}}\n{{- end}}\n{{- if .Tolerations }}\n tolerations:\n{{ toYaml .Tolerations | indent 6}}\n{{- else }}\n tolerations:\n - effect: NoExecute\n operator: Exists\n tolerationSeconds: {{ .TolerationSeconds }}\n - effect: NoSchedule\n key: node.kubernetes.io/not-ready\n operator: Exists\n - effect: NoSchedule\n key: node-role.kubernetes.io/master\n operator: Exists\n{{- end }}\n{{- if ne .UseSystemNodePriorityClass \"false\"}}\n priorityClassName: system-node-critical\n{{- else if .UseAciContainersControllerPriorityClass}} \n priorityClassName: aci-containers-controller\n{{- else}} \n{{- if ne .NoPriorityClass \"true\"}}\n priorityClassName: system-node-critical\n{{- end}}\n{{- if eq .UseAciCniPriorityClass \"true\"}}\n priorityClassName: acicni-priority\n{{- end}}\n{{- end}}\n containers:\n - name: aci-containers-controller\n image: {{.AciControllerContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .AciContainersControllerMemoryLimit ) ( .AciContainersControllerMemoryRequest )}}\n resources:\n limits:\n{{- if .AciContainersControllerMemoryLimit }}\n memory: \"{{ .AciContainersControllerMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if 
.AciContainersControllerMemoryRequest }}\n memory: \"{{ .AciContainersControllerMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}}\n env:\n - name: WATCH_NAMESPACE\n value: \"\"\n - name: ACI_SNAT_NAMESPACE\n value: \"aci-containers-system\"\n - name: ACI_SNAGLOBALINFO_NAME\n value: \"snatglobalinfo\"\n - name: ACI_RDCONFIG_NAME\n value: \"routingdomain-config\"\n - name: SYSTEM_NAMESPACE\n value: \"aci-containers-system\"\n volumeMounts:\n - name: controller-config-volume\n mountPath: /usr/local/etc/aci-containers/\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n - name: aci-user-cert-volume\n mountPath: /usr/local/etc/aci-cert/\n livenessProbe:\n failureThreshold: 10\n httpGet:\n path: /status\n port: 8091\n scheme: HTTP\n initialDelaySeconds: 120\n periodSeconds: 60\n successThreshold: 1\n timeoutSeconds: 30\n volumes:\n{{- if eq .CApic \"true\"}}\n - name: kafka-certs\n secret:\n secretName: kafka-client-certificates\n{{- end}}\n - name: aci-user-cert-volume\n secret:\n secretName: aci-user-cert\n - name: controller-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: controller-config\n path: controller.conf\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n{{- if eq .CApic \"true\"}}\n---\napiVersion: aci.aw/v1\nkind: PodIF\nmetadata:\n name: inet-route\n namespace: kube-system\nstatus:\n epg: aci-containers-inet-out\n ipaddr: 0.0.0.0/0\n{{- end}}\n---\napiVersion: v1\nkind: LimitRange\nmetadata:\n name: memory-limit-range\n namespace: aci-containers-system\nspec:\n limits:\n - default:\n memory: {{ .AciContainersMemoryLimit }}\n defaultRequest:\n memory: {{ .AciContainersMemoryRequest }}\n type: 
Container\n", "aci-v6.0.4.1": "\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: acicontainersoperators.aci.ctrl\nspec:\n group: aci.ctrl\n names:\n kind: AciContainersOperator\n listKind: AciContainersOperatorList\n plural: acicontainersoperators\n singular: acicontainersoperator\n scope: Namespaced\n versions:\n - name: v1alpha1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n description: acicontainersoperator owns the lifecycle of ACI objects in the cluster\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: AciContainersOperatorSpec defines the desired spec for ACI Objects\n properties:\n flavor:\n type: string\n config:\n type: string\n type: object\n status:\n description: AciContainersOperatorStatus defines the successful completion of AciContainersOperator\n properties:\n status:\n type: boolean\n type: object\n required:\n - spec\n type: object\n---\napiVersion: v1\nkind: Namespace\nmetadata:\n name: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: nodepodifs.aci.aw\nspec:\n group: aci.aw\n names:\n kind: NodePodIF\n listKind: NodePodIFList\n plural: nodepodifs\n singular: nodepodif\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n type: object\n properties:\n podifs:\n type: array\n items:\n type: object\n properties:\n containerID:\n type: string\n epg:\n type: string\n ifname:\n type: string\n ipaddr:\n type: string\n macaddr:\n type: string\n podname:\n type: string\n podns:\n type: string\n vtep:\n type: string\n required:\n - spec\n type: object\n---\n{{- if eq .UseAciCniPriorityClass 
\"true\"}}\napiVersion: scheduling.k8s.io/v1beta1\nkind: PriorityClass\nmetadata:\n name: acicni-priority\nvalue: 1000000000\nglobalDefault: false\ndescription: \"This priority class is used for ACI-CNI resources\"\n---\n{{- end }}\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatglobalinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatGlobalInfo\n listKind: SnatGlobalInfoList\n plural: snatglobalinfos\n singular: snatglobalinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n description: SnatGlobalInfo is the Schema for the snatglobalinfos API\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n globalInfos:\n additionalProperties:\n items:\n properties:\n macAddress:\n type: string\n portRanges:\n items:\n properties:\n end:\n maximum: 65535\n minimum: 1\n type: integer\n start:\n maximum: 65535\n minimum: 1\n type: integer\n type: object\n type: array\n snatIp:\n type: string\n snatIpUid:\n type: string\n snatPolicyName:\n type: string\n required:\n - macAddress\n - portRanges\n - snatIp\n - snatIpUid\n - snatPolicyName\n type: object\n type: array\n type: object\n required:\n - globalInfos\n type: object\n status:\n description: SnatGlobalInfoStatus defines the observed state of SnatGlobalInfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatlocalinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatLocalInfo\n listKind: SnatLocalInfoList\n plural: snatlocalinfos\n singular: snatlocalinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: SnatLocalInfoSpec defines the desired state of SnatLocalInfo\n properties:\n localInfos:\n items:\n 
properties:\n podName:\n type: string\n podNamespace:\n type: string\n podUid:\n type: string\n snatPolicies:\n items:\n properties:\n destIp:\n items:\n type: string\n type: array\n name:\n type: string\n snatIp:\n type: string\n required:\n - destIp\n - name\n - snatIp\n type: object\n type: array\n required:\n - podName\n - podNamespace\n - podUid\n - snatPolicies\n type: object\n type: array\n required:\n - localInfos\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatpolicies.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatPolicy\n listKind: SnatPolicyList\n plural: snatpolicies\n singular: snatpolicy\n scope: Cluster\n versions:\n - name: v1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n type: object\n properties:\n selector:\n type: object\n properties:\n labels:\n type: object\n description: 'Selection of Pods'\n properties:\n additionalProperties:\n type: string\n namespace:\n type: string\n type: object\n snatIp:\n type: array\n items:\n type: string\n destIp:\n type: array\n items:\n type: string\n type: object\n status:\n type: object\n properties:\n additionalProperties:\n type: string\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: nodeinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: NodeInfo\n listKind: NodeInfoList\n plural: nodeinfos\n singular: nodeinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n macaddress:\n type: string\n snatpolicynames:\n additionalProperties:\n type: boolean\n type: object\n type: object\n status:\n description: NodeinfoStatus defines the observed state of 
Nodeinfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: rdconfigs.aci.snat\nspec:\n group: aci.snat\n names:\n kind: RdConfig\n listKind: RdConfigList\n plural: rdconfigs\n singular: rdconfig\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n discoveredsubnets:\n items:\n type: string\n type: array\n usersubnets:\n items:\n type: string\n type: array\n type: object\n status:\n description: NodeinfoStatus defines the observed state of Nodeinfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: networkpolicies.aci.netpol\nspec:\n group: aci.netpol\n names:\n kind: NetworkPolicy\n listKind: NetworkPolicyList\n plural: networkpolicies\n singular: networkpolicy\n scope: Namespaced\n versions:\n - name: v1\n schema:\n openAPIV3Schema:\n description: Network Policy describes traffic flow at IP address or port level\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n appliedTo:\n properties:\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: allow ingress from the same namespace\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n egress:\n 
description: Set of egress rules evaluated based on the order in which they are set.\n items:\n properties:\n action:\n description: Action specifies the action to be applied on the rule.\n type: string\n enableLogging:\n description: EnableLogging is used to indicate if agent should generate logs default to false.\n type: boolean\n ports:\n description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports.\n items:\n description: NetworkPolicyPort describes the port and protocol to match in a rule.\n properties:\n endPort:\n description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical port is specified.\n format: int32\n type: integer\n port:\n anyOf:\n - type: integer\n - type: string\n description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers.\n x-kubernetes-int-or-string: true\n protocol:\n default: TCP\n description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.\n type: string\n type: object\n type: array\n to:\n description: Rule is matched if traffic is intended for workloads selected by this field. If this field is empty or missing, this rule matches all destinations.\n items:\n properties:\n ipBlock:\n description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. 
Cannot be set with any other selector.\n properties:\n cidr:\n description: CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\"\n type: string\n except:\n description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\" Except values will be rejected if they are outside the CIDR range\n items:\n type: string\n type: array\n required:\n - cidr\n type: object\n namespaceSelector:\n description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector.\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: Select Pods from NetworkPolicys Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. 
Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n type: array\n toFqDn:\n properties:\n matchNames:\n items:\n type: string\n type: array\n required:\n - matchNames\n type: object\n required:\n - enableLogging\n - toFqDn\n type: object\n type: array\n ingress:\n description: Set of ingress rules evaluated based on the order in which they are set.\n items:\n properties:\n action:\n description: Action specifies the action to be applied on the rule.\n type: string\n enableLogging:\n description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false.\n type: boolean\n from:\n description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources.\n items:\n properties:\n ipBlock:\n description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. 
Cannot be set with any other selector.\n properties:\n cidr:\n description: CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\"\n type: string\n except:\n description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\" Except values will be rejected if they are outside the CIDR range\n items:\n type: string\n type: array\n required:\n - cidr\n type: object\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: Select Pods from NetworkPolicys Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.\n properties:\n matchExpressions:\n description: matchExpressions is a list of label selector requirements. The requirements are ANDed.\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n type: array\n ports:\n description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports.\n items:\n description: NetworkPolicyPort describes the port and protocol to match in a rule.\n properties:\n endPort:\n description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical port is specified.\n format: int32\n type: integer\n port:\n anyOf:\n - type: integer\n - type: string\n description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers.\n x-kubernetes-int-or-string: true\n protocol:\n default: TCP\n description: The protocol (TCP, UDP, or SCTP) which traffic must match. 
If not specified, this field defaults to TCP.\n type: string\n type: object\n type: array\n type: object\n type: array\n policyTypes:\n items:\n description: Policy Type string describes the NetworkPolicy type This type is beta-level in 1.8\n type: string\n type: array\n priority:\n description: Priority specfies the order of the NetworkPolicy relative to other NetworkPolicies.\n type: integer\n type:\n description: type of the policy.\n type: string\n required:\n - type\n type: object\n required:\n - spec\n type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: dnsnetworkpolicies.aci.dnsnetpol\nspec:\n group: aci.dnsnetpol\n names:\n kind: DnsNetworkPolicy\n listKind: DnsNetworkPolicyList\n plural: dnsnetworkpolicies\n singular: dnsnetworkpolicy\n scope: Namespaced\n versions:\n - name: v1beta\n schema:\n openAPIV3Schema:\n description: dns network Policy\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n appliedTo:\n properties:\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: allow ingress from the same namespace\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n egress:\n description: Set of egress rules evaluated based on the order in which they are set.\n properties:\n toFqdn:\n properties:\n matchNames:\n items:\n type: string\n type: array\n required:\n - matchNames\n type: object\n required:\n - toFqdn\n type: object\n type: object\n required:\n - spec\n type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: qospolicies.aci.qos\nspec:\n group: aci.qos\n names:\n kind: QosPolicy\n listKind: QosPolicyList\n plural: qospolicies\n singular: qospolicy\n scope: Namespaced\n preserveUnknownFields: false\n versions:\n - name: v1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n podSelector:\n description: 'Selection of Pods'\n type: object\n properties:\n matchLabels:\n type: object\n description:\n ingress:\n type: object\n properties:\n policing_rate:\n type: integer\n minimum: 0\n policing_burst:\n type: integer\n minimum: 0\n egress:\n type: object\n properties:\n policing_rate:\n type: integer\n minimum: 0\n policing_burst:\n type: integer\n minimum: 0\n dscpmark:\n type: integer\n default: 0\n minimum: 0\n maximum: 63\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: netflowpolicies.aci.netflow\nspec:\n group: aci.netflow\n names:\n kind: NetflowPolicy\n listKind: NetflowPolicyList\n plural: netflowpolicies\n singular: 
netflowpolicy\n scope: Cluster\n preserveUnknownFields: false\n versions:\n - name: v1alpha\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n flowSamplingPolicy:\n type: object\n properties:\n destIp:\n type: string\n destPort:\n type: integer\n minimum: 0\n maximum: 65535\n default: 2055\n flowType:\n type: string\n enum:\n - netflow\n - ipfix\n default: netflow\n activeFlowTimeOut:\n type: integer\n minimum: 0\n maximum: 3600\n default: 60\n idleFlowTimeOut:\n type: integer\n minimum: 0\n maximum: 600\n default: 15\n samplingRate:\n type: integer\n minimum: 0\n maximum: 1000\n default: 0\n required:\n - destIp\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: erspanpolicies.aci.erspan\nspec:\n group: aci.erspan\n names:\n kind: ErspanPolicy\n listKind: ErspanPolicyList\n plural: erspanpolicies\n singular: erspanpolicy\n scope: Cluster\n preserveUnknownFields: false\n versions:\n - name: v1alpha\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n selector:\n type: object\n description: 'Selection of Pods'\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n namespace:\n type: string\n source:\n type: object\n properties:\n adminState:\n description: Administrative state.\n default: start\n type: string\n enum:\n - start\n - stop\n direction:\n description: Direction of the packets to monitor.\n default: both\n type: string\n enum:\n - in\n - out\n - both\n destination:\n type: object\n properties:\n destIP:\n description: Destination IP of the ERSPAN packet.\n type: string\n flowID:\n description: Unique flow ID of the ERSPAN packet.\n default: 1\n 
type: integer\n minimum: 1\n maximum: 1023\n required:\n - destIP\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: enabledroplogs.aci.droplog\nspec:\n group: aci.droplog\n names:\n kind: EnableDropLog\n listKind: EnableDropLogList\n plural: enabledroplogs\n singular: enabledroplog\n scope: Cluster\n versions:\n - name: v1alpha1\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n description: Defines the desired state of EnableDropLog\n type: object\n properties:\n disableDefaultDropLog:\n description: Disables the default droplog enabled by acc-provision.\n default: false\n type: boolean\n nodeSelector:\n type: object\n description: Drop logging is enabled on nodes selected based on labels\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: prunedroplogs.aci.droplog\nspec:\n group: aci.droplog\n names:\n kind: PruneDropLog\n listKind: PruneDropLogList\n plural: prunedroplogs\n singular: prunedroplog\n scope: Cluster\n versions:\n - name: v1alpha1\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n description: Defines the desired state of PruneDropLog\n type: object\n properties:\n nodeSelector:\n type: object\n description: Drop logging filters are applied to nodes selected based on labels\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n dropLogFilters:\n type: object\n properties:\n srcIP:\n type: string\n destIP:\n type: string\n srcMAC:\n type: string\n destMAC:\n type: string\n srcPort:\n type: integer\n 
destPort:\n type: integer\n ipProto:\n type: integer\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: accprovisioninputs.aci.ctrl\nspec:\n group: aci.ctrl\n names:\n kind: AccProvisionInput\n listKind: AccProvisionInputList\n plural: accprovisioninputs\n singular: accprovisioninput\n scope: Namespaced\n versions:\n - name: v1alpha1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n description: accprovisioninput defines the input configuration for ACI CNI\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: AccProvisionInputSpec defines the desired spec for accprovisioninput object\n properties:\n acc_provision_input:\n type: object\n properties:\n operator_managed_config:\n type: object\n properties:\n enable_updates:\n type: boolean\n aci_config:\n type: object\n properties:\n sync_login:\n type: object\n properties:\n certfile:\n type: string\n keyfile:\n type: string\n client_ssl:\n type: boolean\n net_config:\n type: object\n properties:\n interface_mtu:\n type: integer\n service_monitor_interval:\n type: integer\n pbr_tracking_non_snat:\n type: boolean\n pod_subnet_chunk_size:\n type: integer\n disable_wait_for_network:\n type: boolean\n duration_wait_for_network:\n type: integer\n registry:\n type: object\n properties:\n image_prefix:\n type: string\n image_pull_secret:\n type: string\n aci_containers_operator_version:\n type: string\n aci_containers_controller_version:\n type: string\n aci_containers_host_version:\n type: string\n acc_provision_operator_version:\n type: string\n aci_cni_operator_version:\n type: string\n cnideploy_version:\n type: string\n opflex_agent_version:\n type: string\n openvswitch_version:\n type: string\n gbp_version:\n type: string\n logging:\n type: object\n properties:\n controller_log_level:\n type: string\n hostagent_log_level:\n type: string\n opflexagent_log_level:\n type: 
string\n istio_config:\n type: object\n properties:\n install_istio:\n type: boolean\n install_profile:\n type: string\n multus:\n type: object\n properties:\n disable:\n type: boolean\n drop_log_config:\n type: object\n properties:\n enable:\n type: boolean\n nodepodif_config:\n type: object\n properties:\n enable:\n type: boolean\n sriov_config:\n type: object\n properties:\n enable:\n type: boolean\n kube_config:\n type: object\n properties:\n ovs_memory_limit:\n type: string\n use_privileged_containers:\n type: boolean\n image_pull_policy:\n type: string\n reboot_opflex_with_ovs:\n type: string\n snat_operator:\n type: object\n properties:\n port_range:\n type: object\n properties:\n start:\n type: integer\n end:\n type: integer\n ports_per_node:\n type: integer\n contract_scope:\n type: string\n disable_periodic_snat_global_info_sync:\n type: boolean\n type: object\n status:\n description: AccProvisionInputStatus defines the successful completion of AccProvisionInput\n properties:\n status:\n type: boolean\n type: object\n required:\n - spec\n type: object\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: aci-containers-config\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\ndata:\n controller-config: |-\n {\n \"log-level\": \"{{.ControllerLogLevel}}\",\n \"apic-hosts\": {{.ApicHosts}},\n{{- if ne .AciMultipod \"false\" }}\n \"aci-multipod\": {{.AciMultipod}},\n{{- end}}\n{{- if .OpflexDeviceReconnectWaitTimeout }}\n \"opflex-device-reconnect-wait-timeout\": {{.OpflexDeviceReconnectWaitTimeout}},\n{{- end}}\n \"apic-refreshtime\": \"{{.ApicRefreshTime}}\",\n \"apic-subscription-delay\": {{.ApicSubscriptionDelay}},\n \"apic_refreshticker_adjust\": \"{{.ApicRefreshTickerAdjust}}\",\n \"apic-username\": \"{{.ApicUserName}}\",\n \"apic-private-key-path\": \"/usr/local/etc/aci-cert/user.key\",\n \"aci-prefix\": \"{{.SystemIdentifier}}\",\n \"aci-vmm-type\": \"Kubernetes\",\n{{- if 
ne .VmmDomain \"\"}}\n \"aci-vmm-domain\": \"{{.VmmDomain}}\",\n{{- else}}\n \"aci-vmm-domain\": \"{{.SystemIdentifier}}\",\n{{- end}}\n{{- if ne .VmmController \"\"}}\n \"aci-vmm-controller\": \"{{.VmmController}}\",\n{{- else}}\n \"aci-vmm-controller\": \"{{.SystemIdentifier}}\",\n{{- end}}\n \"aci-policy-tenant\": \"{{.Tenant}}\",\n{{- if ne .CApic \"false\"}}\n \"lb-type\": \"None\",\n{{- end}}\n{{- if ne .HppOptimization \"false\"}}\n \"hpp-optimization\": {{.HppOptimization}},\n{{- end}}\n{{- if ne .DisableHppRendering \"false\"}}\n \"disable-hpp-rendering\": {{.DisableHppRendering}},\n{{- end}}\n{{- if ne .NoWaitForServiceEpReadiness \"false\"}}\n \"no-wait-for-service-ep-readiness\": {{.NoWaitForServiceEpReadiness}},\n{{- end}}\n{{- if ne .ServiceGraphEndpointAddDelay \"0\"}}\n \"service-graph-endpoint-add-delay\" : {\n \"delay\": {{.ServiceGraphEndpointAddDelay}},\n \"services\": [{{- range $index, $item :=.ServiceGraphEndpointAddServices }}{{- if $index}},{{end}}{ {{- range $k, $v := $item }}\"{{ $k }}\": \"{{ $v }}\"{{if eq $k \"name\"}},{{end}}{{- end}}}{{end}}]\n },\n{{- end}}\n{{- if ne .AddExternalSubnetsToRdconfig \"false\"}}\n \"add-external-subnets-to-rdconfig\": {{.AddExternalSubnetsToRdconfig}},\n{{- end}}\n{{- if ne .DisablePeriodicSnatGlobalInfoSync \"false\"}}\n \"disable-periodic-snat-global-info-sync\": {{.DisablePeriodicSnatGlobalInfoSync}},\n{{- end}}\n{{- if .NodeSnatRedirectExclude }}\n \"node-snat-redirect-exclude\": [{{ range $index,$item := .NodeSnatRedirectExclude}}{{- if $index}}, {{end }}{\"group\": \"{{ index $item \"group\" }}\", \"labels\": {{ index $item \"labels\" }}}{{ end }}],\n{{- end }}\n{{- if .ApicConnectionRetryLimit}}\n \"apic-connection-retry-limit\": {{.ApicConnectionRetryLimit}},\n{{- end}}\n \"opflex-device-delete-timeout\": {{.OpflexDeviceDeleteTimeout}},\n \"sleep-time-snat-global-info-sync\": {{.SleepTimeSnatGlobalInfoSync}},\n \"install-istio\": {{.InstallIstio}},\n \"istio-profile\": 
\"{{.IstioProfile}}\",\n{{- if ne .CApic \"true\"}}\n \"aci-podbd-dn\": \"uni/tn-{{.Tenant}}/BD-aci-containers-{{.SystemIdentifier}}-pod-bd\",\n \"aci-nodebd-dn\": \"uni/tn-{{.Tenant}}/BD-aci-containers-{{.SystemIdentifier}}-node-bd\",\n{{- end}}\n \"aci-service-phys-dom\": \"{{.SystemIdentifier}}-pdom\",\n \"aci-service-encap\": \"vlan-{{.ServiceVlan}}\",\n \"aci-service-monitor-interval\": {{.ServiceMonitorInterval}},\n \"aci-pbr-tracking-non-snat\": {{.PBRTrackingNonSnat}},\n \"aci-vrf-tenant\": \"{{.VRFTenant}}\",\n \"aci-l3out\": \"{{.L3Out}}\",\n \"aci-ext-networks\": {{.L3OutExternalNetworks}},\n{{- if ne .CApic \"true\"}}\n \"aci-vrf\": \"{{.VRFName}}\",\n{{- else}}\n \"aci-vrf\": \"{{.OverlayVRFName}}\",\n{{- end}}\n \"app-profile\": \"aci-containers-{{.SystemIdentifier}}\",\n{{- if ne .AddExternalContractToDefaultEpg \"false\"}}\n \"add-external-contract-to-default-epg\": {{.AddExternalContractToDefaultEpg}},\n{{- end}} \n \"default-endpoint-group\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-default\"\n{{- else}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}\"\n{{- end}}\n },\n \"max-nodes-svc-graph\": {{.MaxNodesSvcGraph}},\n \"namespace-default-endpoint-group\": {\n \"aci-containers-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"istio-operator\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"istio-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n 
\"kube-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-prometheus\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-logging\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n } },\n \"service-ip-pool\": [{{- range $index, $item := .ServiceIPPool }}{{- if $index}},{{end}}{ \"start\": \"{{ $item.Start }}\", \"end\": \"{{ $item.End}}\" }{{end}}],\n \"extern-static\": [{{- range $index, $item := .StaticExternalSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"extern-dynamic\": [{{- range $index, $item := .DynamicExternalSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"snat-contract-scope\": \"{{.SnatContractScope}}\",\n \"static-service-ip-pool\": [{{- range $index, $item := .StaticServiceIPPool }}{{- if $index}},{{end}}{ \"start\": \"{{ $item.Start }}\", \"end\": \"{{ $item.End }}\" }{{end}}],\n{{- if and (ne .TaintNotReadyNode \"false\") (ne .TaintNotReadyNode \"False\") }}\n \"taint-not-ready\": true,\n{{- end}}\n \"pod-ip-pool\": [{{- range $index, $item := .PodIPPool }}{{- if $index}},{{end}}{ \"start\": \"{{ $item.Start }}\", \"end\": \"{{ $item.End}}\" }{{end}}],\n \"pod-subnet\": [{{- range $index, $item := .PodSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"pod-subnet-chunk-size\": {{.PodSubnetChunkSize}},\n 
\"node-service-ip-pool\": [\n {\n \"end\": \"{{.NodeServiceIPEnd}}\",\n \"start\": \"{{.NodeServiceIPStart}}\"\n }\n ],\n \"node-service-subnets\": [\n \"{{.ServiceGraphSubnet}}\"\n ],\n \"enable_endpointslice\": {{.EnableEndpointSlice}}\n }\n host-agent-config: |-\n {\n \"app-profile\": \"aci-containers-{{.SystemIdentifier}}\",\n{{- if ne .EpRegistry \"\"}}\n \"ep-registry\": \"{{.EpRegistry}}\",\n{{- else}}\n \"ep-registry\": null,\n{{- end}}\n{{- if ne .AciMultipod \"false\" }}\n \"aci-multipod\": {{.AciMultipod}},\n{{- end}}\n{{- if ne .DhcpRenewMaxRetryCount \"0\" }}\n \"dhcp-renew-max-retry-count\": {{.DhcpRenewMaxRetryCount}},\n{{- end}}\n{{- if ne .DhcpDelay \"0\" }}\n \"dhcp-delay\": {{.DhcpDelay}},\n{{- end}}\n{{- if ne .EnableOpflexAgentReconnect \"false\"}}\n \"enable-opflex-agent-reconnect\": {{.EnableOpflexAgentReconnect}},\n{{- end}}\n{{- if ne .OpflexMode \"\"}}\n \"opflex-mode\": \"{{.OpflexMode}}\",\n{{- else}}\n \"opflex-mode\": null,\n{{- end}}\n \"log-level\": \"{{.HostAgentLogLevel}}\",\n \"aci-snat-namespace\": \"{{.SnatNamespace}}\",\n \"aci-vmm-type\": \"Kubernetes\",\n{{- if ne .VmmDomain \"\"}}\n \"aci-vmm-domain\": \"{{.VmmDomain}}\",\n{{- else}}\n \"aci-vmm-domain\": \"{{.SystemIdentifier}}\",\n{{- end}}\n{{- if ne .VmmController \"\"}}\n \"aci-vmm-controller\": \"{{.VmmController}}\",\n{{- else}}\n \"aci-vmm-controller\": \"{{.SystemIdentifier}}\",\n{{- end}}\n \"aci-prefix\": \"{{.SystemIdentifier}}\",\n{{- if ne .CApic \"true\"}}\n \"aci-vrf\": \"{{.VRFName}}\",\n{{- else}}\n \"aci-vrf\": \"{{.OverlayVRFName}}\",\n{{- end}}\n \"aci-vrf-tenant\": \"{{.VRFTenant}}\",\n \"service-vlan\": {{.ServiceVlan}},\n \"kubeapi-vlan\": {{.KubeAPIVlan}},\n{{- if ne .HppOptimization \"false\"}}\n \"hpp-optimization\": {{.HppOptimization}},\n{{- end}}\n{{- if ne .DisableHppRendering \"false\"}}\n \"disable-hpp-rendering\": {{.DisableHppRendering}},\n{{- end}}\n \"pod-subnet\": [{{- range $index, $item := .PodSubnet }}{{- if 
$index}},{{end}}{{$item}}{{end}}],\n \"node-subnet\": [{{- range $index, $item := .NodeSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"encap-type\": \"{{.EncapType}}\",\n \"aci-infra-vlan\": {{.InfraVlan}},\n{{- if .MTU}}\n{{- if ne .MTU 0}}\n \"interface-mtu\": {{.MTU}},\n{{- end}}\n{{- end}}\n{{- if .MTUHeadRoom}}\n{{- if ne .MTUHeadRoom \"0\"}}\n \"interface-mtu-headroom\": {{.MTUHeadRoom}},\n{{- end}}\n{{- end}}\n \"cni-netconfig\": [{{- range $index, $item := .PodNetwork }}{{- if $index}},{{end}}{ \"gateway\": \"{{ $item.Gateway }}\", \"subnet\": \"{{ $item.Subnet }}\", \"routes\": [{ \"dst\": \"0.0.0.0/0\", \"gw\": \"{{ $item.Gateway }}\" }]}{{end}}],\n \"default-endpoint-group\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-default\"\n{{- else}}\n \"name\": \"aci-containers-default\"\n{{- end}}\n },\n \"namespace-default-endpoint-group\": {\n \"aci-containers-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"istio-operator\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"istio-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"kube-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": 
\"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-prometheus\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-logging\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n } },\n \"enable-drop-log\": {{.DropLogEnable}},\n{{- if and (ne .DropLogDisableEvents \"false\") (ne .DropLogDisableEvents \"False\")}}\n \"packet-event-notification-socket\": \"\",\n{{- end}}\n \"enable_endpointslice\": {{.EnableEndpointSlice}},\n \"enable-nodepodif\": {{.NodePodIfEnable}},\n{{- if and (ne .TaintNotReadyNode \"false\") (ne .TaintNotReadyNode \"False\") }}\n \"taint-not-ready\": true,\n{{- end}} \n \"enable-ovs-hw-offload\": {{.SriovEnable}}\n }\n opflex-agent-config: |-\n {\n \"log\": {\n \"level\": \"{{.OpflexAgentLogLevel}}\"\n },\n \"opflex\": {\n{{- if eq .OpflexClientSSL \"false\"}}\n \"ssl\": { \"mode\": \"disabled\"},\n{{- end}}\n{{- if eq .OpflexAgentStatistics \"false\"}}\n \"statistics\" : { \"mode\" : \"off\" },\n{{- end}}\n{{- if ne .OpflexAgentPolicyRetryDelayTimer \"10\" }}\n \"timers\" : { \"policy-retry-delay\": {{.OpflexAgentPolicyRetryDelayTimer}} },\n{{- end}}\n \"notif\" : { \"enabled\" : \"false\" },\n \"asyncjson\": { \"enabled\" : {{.OpflexAgentOpflexAsyncjsonEnabled}} }\n },\n \"ovs\": {\n \"asyncjson\": { \"enabled\" : {{.OpflexAgentOvsAsyncjsonEnabled}} }\n }\n }\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: snat-operator-config\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\ndata:\n \"start\": \"{{.SnatPortRangeStart}}\"\n \"end\": 
\"{{.SnatPortRangeEnd}}\"\n \"ports-per-node\": \"{{.SnatPortsPerNode}}\"\n---\napiVersion: v1\nkind: Secret\nmetadata:\n name: aci-user-cert\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\ndata:\n user.key: {{.ApicUserKey}}\n user.crt: {{.ApicUserCrt}}\n---\n{{- if eq .CApic \"true\"}}\napiVersion: v1\nkind: Secret\nmetadata:\n name: kafka-client-certificates\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\ndata:\n ca.crt: {{.KafkaClientCrt}}\n kafka-client.crt: {{.KafkaClientCrt}}\n kafka-client.key: {{.KafkaClientKey}}\n---\n{{- end}}\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: aci-containers-controller\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: aci-containers-host-agent\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n---\n{{- if eq .UseClusterRole \"true\"}}\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n name: aci-containers-controller\nrules:\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - namespaces\n - pods\n - endpoints\n - services\n - events\n - replicationcontrollers\n - serviceaccounts\n verbs:\n - list\n - watch\n - get\n - patch\n - create\n - update\n - delete\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n- apiGroups:\n - \"apiextensions.k8s.io\"\n resources:\n - customresourcedefinitions\n verbs:\n - '*'\n- apiGroups:\n - \"rbac.authorization.k8s.io\"\n resources:\n - clusterroles\n - clusterrolebindings\n verbs:\n - '*'\n{{- if ne .InstallIstio \"false\"}}\n- apiGroups:\n - \"install.istio.io\"\n resources:\n - istiocontrolplanes\n - istiooperators\n verbs:\n - '*'\n- apiGroups:\n - \"aci.istio\"\n 
resources:\n - aciistiooperators\n - aciistiooperator\n verbs:\n - '*'\n{{- end}}\n- apiGroups:\n - \"networking.k8s.io\"\n resources:\n - networkpolicies\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"apps\"\n resources:\n - deployments\n - replicasets\n - daemonsets\n - statefulsets\n verbs:\n - '*'\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - services/status\n verbs:\n - update\n- apiGroups:\n - \"monitoring.coreos.com\"\n resources:\n - servicemonitors\n verbs:\n - get\n - create\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatpolicies/finalizers\n - snatpolicies/status\n - nodeinfos\n verbs:\n - update\n - create\n - list\n - watch\n - get\n - delete\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatglobalinfos\n - snatpolicies\n - nodeinfos\n - rdconfigs\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n- apiGroups:\n - \"aci.qos\"\n resources:\n - qospolicies\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n - patch\n- apiGroups:\n - \"aci.netflow\"\n resources:\n - netflowpolicies\n verbs:\n - list\n - watch\n - get\n - update\n- apiGroups:\n - \"aci.erspan\"\n resources:\n - erspanpolicies\n verbs:\n - list\n - watch\n - get\n - update\n- apiGroups:\n - \"aci.aw\"\n resources:\n - nodepodifs\n verbs:\n - '*'\n- apiGroups:\n - apps.openshift.io\n resources:\n - deploymentconfigs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - discovery.k8s.io\n resources:\n - endpointslices\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.netpol\"\n resources:\n - networkpolicies\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - delete\n- apiGroups:\n - \"aci.dnsnetpol\"\n resources:\n - dnsnetworkpolicies\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - delete\n---\n{{- end}}\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n name: 
aci-containers-host-agent\nrules:\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - namespaces\n - pods\n - endpoints\n - services\n - replicationcontrollers\n verbs:\n - list\n - watch\n - get\n{{- if ne .DropLogEnable \"false\"}}\n - update\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - create\n - patch\n{{- end}}\n- apiGroups:\n - \"apiextensions.k8s.io\"\n resources:\n - customresourcedefinitions\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"networking.k8s.io\"\n resources:\n - networkpolicies\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"apps\"\n resources:\n - deployments\n - replicasets\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatpolicies\n - snatglobalinfos\n - rdconfigs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.qos\"\n resources:\n - qospolicies\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n - patch\n- apiGroups:\n - \"aci.droplog\"\n resources:\n - enabledroplogs\n - prunedroplogs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.snat\"\n resources:\n - nodeinfos\n - snatlocalinfos\n verbs:\n - create\n - update\n - list\n - watch\n - get\n - delete\n- apiGroups:\n - discovery.k8s.io\n resources:\n - endpointslices\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.netpol\"\n resources:\n - networkpolicies\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.aw\"\n resources:\n - nodepodifs\n verbs:\n - \"*\"\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: aci-containers-controller\n labels:\n aci-containers-config-version: \"{{.Token}}\"\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: aci-containers-controller\nsubjects:\n- kind: ServiceAccount\n name: aci-containers-controller\n namespace: aci-containers-system\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: aci-containers-host-agent\n labels:\n 
aci-containers-config-version: \"{{.Token}}\"\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: aci-containers-host-agent\nsubjects:\n- kind: ServiceAccount\n name: aci-containers-host-agent\n namespace: aci-containers-system\n---\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: aci-containers-host\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\nspec:\n updateStrategy:\n type: RollingUpdate\n selector:\n matchLabels:\n name: aci-containers-host\n network-plugin: aci-containers\n template:\n metadata:\n labels:\n name: aci-containers-host\n network-plugin: aci-containers\n annotations:\n prometheus.io/scrape: \"true\"\n prometheus.io/port: \"9612\"\n spec:\n hostNetwork: true\n hostPID: true\n hostIPC: true\n serviceAccountName: aci-containers-host-agent\n{{- if ne .ImagePullSecret \"\"}}\n imagePullSecrets:\n - name: {{.ImagePullSecret}}\n{{- end}}\n tolerations:\n - operator: Exists\n initContainers:\n - name: cnideploy\n image: {{.AciCniDeployContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - SYS_ADMIN\n volumeMounts:\n - name: cni-bin\n mountPath: /mnt/cni-bin\n{{- if ne .UseSystemNodePriorityClass \"false\"}}\n priorityClassName: system-node-critical\n{{- else if .UseAciContainersHostPriorityClass}} \n priorityClassName: aci-containers-host\n{{- else}} \n{{- if ne .NoPriorityClass \"true\"}}\n priorityClassName: system-cluster-critical\n{{- end}}\n{{- if eq .UseAciCniPriorityClass \"true\"}}\n priorityClassName: acicni-priority\n{{- end}}\n{{- end}}\n containers:\n - name: aci-containers-host\n image: {{.AciHostContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .AciContainersHostMemoryLimit ) ( .AciContainersHostMemoryRequest )}}\n resources:\n limits:\n{{- if .AciContainersHostMemoryLimit }}\n memory: \"{{ 
.AciContainersHostMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .AciContainersHostMemoryRequest }}\n memory: \"{{ .AciContainersHostMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}}\n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - SYS_ADMIN\n - NET_ADMIN\n - SYS_PTRACE\n - NET_RAW\n env:\n - name: KUBERNETES_NODE_NAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n - name: TENANT\n value: \"{{.Tenant}}\"\n{{- if ne .MultusDisable \"true\"}}\n - name: MULTUS\n value: true\n{{- end}}\n{{- if eq .DisableWaitForNetwork \"true\"}}\n - name: DISABLE_WAIT_FOR_NETWORK\n value: true\n{{- else}}\n - name: DURATION_WAIT_FOR_NETWORK\n value: \"{{.DurationWaitForNetwork}}\"\n{{- end}}\n volumeMounts:\n - name: cni-bin\n mountPath: /mnt/cni-bin\n - name: cni-conf\n mountPath: /mnt/cni-conf\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: opflex-hostconfig-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/base-conf.d\n - name: host-config-volume\n mountPath: /usr/local/etc/aci-containers/\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n{{- if eq .AciMultipod \"true\" }}\n - name: dhclient\n mountPath: /var/lib/dhclient\n{{- end}}\n{{- if eq .UseHostNetnsVolume \"true\"}}\n - mountPath: /run/netns\n name: host-run-netns\n readOnly: true\n mountPropagation: HostToContainer\n{{- end}}\n{{- if ne .MultusDisable \"true\"}}\n - name: multus-cni-conf\n mountPath: /mnt/multus-cni-conf\n{{- end}}\n livenessProbe:\n failureThreshold: 10\n httpGet:\n path: /status\n port: 8090\n scheme: HTTP\n initialDelaySeconds: 120\n periodSeconds: 60\n 
successThreshold: 1\n timeoutSeconds: 30\n - name: opflex-agent\n env:\n - name: REBOOT_WITH_OVS\n value: \"true\"\n{{- if ne .OpflexOpensslCompat \"false\"}}\n - name: OPENSSL_CONF\n value: \"/etc/pki/tls/openssl11.cnf\" \n{{- end}}\n image: {{.AciOpflexContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .OpflexAgentMemoryLimit ) ( .OpflexAgentMemoryRequest )}}\n resources:\n limits:\n{{- if .OpflexAgentMemoryLimit }}\n memory: \"{{ .OpflexAgentMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .OpflexAgentMemoryRequest }}\n memory: \"{{ .OpflexAgentMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}} \n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - NET_ADMIN\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: opflex-hostconfig-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/base-conf.d\n - name: opflex-config-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/conf.d\n{{- if eq .RunOpflexServerContainer \"true\"}}\n - name: opflex-server\n image: {{.AciOpflexContainer}}\n command: [\"/bin/sh\"]\n args: [\"/usr/local/bin/launch-opflexserver.sh\"]\n imagePullPolicy: {{.ImagePullPolicy}}\n securityContext:\n capabilities:\n add:\n - NET_ADMIN\n ports:\n - containerPort: {{.OpflexServerPort}}\n - name: metrics\n containerPort: 9632\n terminationMessagePath: /dev/termination-log\n terminationMessagePolicy: File\n volumeMounts:\n - name: opflex-server-config-volume\n mountPath: /usr/local/etc/opflex-server\n - name: hostvar\n mountPath: /usr/local/var\n{{- end}}\n{{- if ne .OpflexMode \"overlay\"}}\n - name: mcast-daemon\n image: {{.AciMcastContainer}}\n command: [\"/bin/sh\"]\n args: [\"/usr/local/bin/launch-mcastdaemon.sh\"]\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( 
.McastDaemonMemoryLimit ) ( .McastDaemonMemoryRequest )}}\n resources:\n limits:\n{{- if .McastDaemonMemoryLimit }}\n memory: \"{{ .McastDaemonMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .McastDaemonMemoryRequest }}\n memory: \"{{ .McastDaemonMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}}\n{{- if eq .UsePrivilegedContainer \"true\"}}\n securityContext:\n privileged: true\n{{- end}}\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n{{- end}}\n restartPolicy: Always\n volumes:\n - name: cni-bin\n hostPath:\n path: /opt\n - name: cni-conf\n hostPath:\n path: /etc\n - name: hostvar\n hostPath:\n path: /var\n - name: hostrun\n hostPath:\n path: /run\n - name: host-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: host-agent-config\n path: host-agent.conf\n - name: opflex-hostconfig-volume\n emptyDir:\n medium: Memory\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n{{- if eq .AciMultipod \"true\" }}\n{{- if eq .AciMultipodUbuntu \"true\" }}\n - name: dhclient\n hostPath:\n path: /var/lib/dhcp\n{{- else}}\n - name: dhclient\n hostPath:\n path: /var/lib/dhclient\n{{- end}}\n{{- end}}\n - name: opflex-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: opflex-agent-config\n path: local.conf\n{{- if eq .UseOpflexServerVolume \"true\"}}\n - name: opflex-server-config-volume\n{{- end}}\n{{- if eq .UseHostNetnsVolume \"true\"}}\n - name: host-run-netns\n hostPath:\n path: /run/netns\n{{- end}}\n{{- if ne .MultusDisable \"true\" }}\n - name: multus-cni-conf\n hostPath:\n path: /var/run/multus/\n{{- end}}\n---\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: aci-containers-openvswitch\n 
namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\nspec:\n updateStrategy:\n type: RollingUpdate\n selector:\n matchLabels:\n name: aci-containers-openvswitch\n network-plugin: aci-containers\n template:\n metadata:\n labels:\n name: aci-containers-openvswitch\n network-plugin: aci-containers\n spec:\n hostNetwork: true\n hostPID: true\n hostIPC: true\n serviceAccountName: aci-containers-host-agent\n{{- if ne .ImagePullSecret \"\"}}\n imagePullSecrets:\n - name: {{.ImagePullSecret}}\n{{end}}\n tolerations:\n - operator: Exists \n{{- if ne .UseSystemNodePriorityClass \"false\"}}\n priorityClassName: system-node-critical\n{{- else if .UseAciContainersOpenvswitchPriorityClass}} \n priorityClassName: aci-containers-openvswitch\n{{- else}} \n{{- if ne .NoPriorityClass \"true\"}}\n priorityClassName: system-cluster-critical\n{{- end}}\n{{- if eq .UseAciCniPriorityClass \"true\"}}\n priorityClassName: acicni-priority\n{{- end}}\n{{- end}}\n containers:\n - name: aci-containers-openvswitch\n image: {{.AciOpenvSwitchContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n resources:\n limits:\n memory: \"{{.OVSMemoryLimit}}\"\n requests:\n memory: \"{{.OVSMemoryRequest}}\"\n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - NET_ADMIN\n - SYS_MODULE\n - SYS_NICE\n - IPC_LOCK\n env:\n - name: OVS_RUNDIR\n value: /usr/local/var/run/openvswitch\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: hostetc\n mountPath: /usr/local/etc\n - name: hostmodules\n mountPath: /lib/modules\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n livenessProbe:\n exec:\n command:\n - 
/usr/local/bin/liveness-ovs.sh\n restartPolicy: Always\n volumes:\n - name: hostetc\n hostPath:\n path: /etc\n - name: hostvar\n hostPath:\n path: /var\n - name: hostrun\n hostPath:\n path: /run\n - name: hostmodules\n hostPath:\n path: /lib/modules\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: aci-containers-controller\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n name: aci-containers-controller\nspec:\n replicas: 1\n strategy:\n type: Recreate\n selector:\n matchLabels:\n name: aci-containers-controller\n network-plugin: aci-containers\n template:\n metadata:\n name: aci-containers-controller\n namespace: aci-containers-system\n labels:\n name: aci-containers-controller\n network-plugin: aci-containers\n spec:\n hostNetwork: true\n serviceAccountName: aci-containers-controller\n{{- if ne .ImagePullSecret \"\"}}\n imagePullSecrets:\n - name: {{.ImagePullSecret}}\n{{- end}}\n{{- if .Tolerations }}\n tolerations:\n{{ toYaml .Tolerations | indent 6}}\n{{- else }}\n tolerations:\n - effect: NoExecute\n operator: Exists\n tolerationSeconds: {{ .TolerationSeconds }}\n - effect: NoSchedule\n key: node.kubernetes.io/not-ready\n operator: Exists\n - effect: NoSchedule\n key: node-role.kubernetes.io/master\n operator: Exists\n{{- end }}\n{{- if ne .UseSystemNodePriorityClass \"false\"}}\n priorityClassName: system-node-critical\n{{- else if .UseAciContainersControllerPriorityClass}} \n priorityClassName: aci-containers-controller\n{{- else}} \n{{- if ne .NoPriorityClass \"true\"}}\n priorityClassName: system-node-critical\n{{- end}}\n{{- if eq .UseAciCniPriorityClass \"true\"}}\n priorityClassName: acicni-priority\n{{- end}}\n{{- end}}\n containers:\n - name: aci-containers-controller\n image: 
{{.AciControllerContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .AciContainersControllerMemoryLimit ) ( .AciContainersControllerMemoryRequest )}}\n resources:\n limits:\n{{- if .AciContainersControllerMemoryLimit }}\n memory: \"{{ .AciContainersControllerMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .AciContainersControllerMemoryRequest }}\n memory: \"{{ .AciContainersControllerMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}}\n env:\n - name: WATCH_NAMESPACE\n value: \"\"\n - name: ACI_SNAT_NAMESPACE\n value: \"aci-containers-system\"\n - name: ACI_SNAGLOBALINFO_NAME\n value: \"snatglobalinfo\"\n - name: ACI_RDCONFIG_NAME\n value: \"routingdomain-config\"\n - name: SYSTEM_NAMESPACE\n value: \"aci-containers-system\"\n volumeMounts:\n - name: controller-config-volume\n mountPath: /usr/local/etc/aci-containers/\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n - name: aci-user-cert-volume\n mountPath: /usr/local/etc/aci-cert/\n livenessProbe:\n failureThreshold: 10\n httpGet:\n path: /status\n port: 8091\n scheme: HTTP\n initialDelaySeconds: 120\n periodSeconds: 60\n successThreshold: 1\n timeoutSeconds: 30\n volumes:\n{{- if eq .CApic \"true\"}}\n - name: kafka-certs\n secret:\n secretName: kafka-client-certificates\n{{- end}}\n - name: aci-user-cert-volume\n secret:\n secretName: aci-user-cert\n - name: controller-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: controller-config\n path: controller.conf\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n{{- if eq .CApic \"true\"}}\n---\napiVersion: aci.aw/v1\nkind: 
PodIF\nmetadata:\n name: inet-route\n namespace: kube-system\nstatus:\n epg: aci-containers-inet-out\n ipaddr: 0.0.0.0/0\n{{- end}}\n---\napiVersion: v1\nkind: LimitRange\nmetadata:\n name: memory-limit-range\n namespace: aci-containers-system\nspec:\n limits:\n - default:\n memory: {{ .AciContainersMemoryLimit }}\n defaultRequest:\n memory: {{ .AciContainersMemoryRequest }}\n type: Container\n",
+ "aci-v6.0.4.2": "\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: acicontainersoperators.aci.ctrl\nspec:\n group: aci.ctrl\n names:\n kind: AciContainersOperator\n listKind: AciContainersOperatorList\n plural: acicontainersoperators\n singular: acicontainersoperator\n scope: Namespaced\n versions:\n - name: v1alpha1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n description: acicontainersoperator owns the lifecycle of ACI objects in the cluster\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: AciContainersOperatorSpec defines the desired spec for ACI Objects\n properties:\n flavor:\n type: string\n config:\n type: string\n type: object\n status:\n description: AciContainersOperatorStatus defines the successful completion of AciContainersOperator\n properties:\n status:\n type: boolean\n type: object\n required:\n - spec\n type: object\n---\napiVersion: v1\nkind: Namespace\nmetadata:\n name: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: nodepodifs.aci.aw\nspec:\n group: aci.aw\n names:\n kind: NodePodIF\n listKind: NodePodIFList\n plural: nodepodifs\n singular: nodepodif\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n 
spec:\n type: object\n properties:\n podifs:\n type: array\n items:\n type: object\n properties:\n containerID:\n type: string\n epg:\n type: string\n ifname:\n type: string\n ipaddr:\n type: string\n macaddr:\n type: string\n podname:\n type: string\n podns:\n type: string\n vtep:\n type: string\n required:\n - spec\n type: object\n---\n{{- if eq .UseAciCniPriorityClass \"true\"}}\napiVersion: scheduling.k8s.io/v1beta1\nkind: PriorityClass\nmetadata:\n name: acicni-priority\nvalue: 1000000000\nglobalDefault: false\ndescription: \"This priority class is used for ACI-CNI resources\"\n---\n{{- end }}\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatglobalinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatGlobalInfo\n listKind: SnatGlobalInfoList\n plural: snatglobalinfos\n singular: snatglobalinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n description: SnatGlobalInfo is the Schema for the snatglobalinfos API\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n globalInfos:\n additionalProperties:\n items:\n properties:\n macAddress:\n type: string\n portRanges:\n items:\n properties:\n end:\n maximum: 65535\n minimum: 1\n type: integer\n start:\n maximum: 65535\n minimum: 1\n type: integer\n type: object\n type: array\n snatIp:\n type: string\n snatIpUid:\n type: string\n snatPolicyName:\n type: string\n required:\n - macAddress\n - portRanges\n - snatIp\n - snatIpUid\n - snatPolicyName\n type: object\n type: array\n type: object\n required:\n - globalInfos\n type: object\n status:\n description: SnatGlobalInfoStatus defines the observed state of SnatGlobalInfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatlocalinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatLocalInfo\n listKind: 
SnatLocalInfoList\n plural: snatlocalinfos\n singular: snatlocalinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: SnatLocalInfoSpec defines the desired state of SnatLocalInfo\n properties:\n localInfos:\n items:\n properties:\n podName:\n type: string\n podNamespace:\n type: string\n podUid:\n type: string\n snatPolicies:\n items:\n properties:\n destIp:\n items:\n type: string\n type: array\n name:\n type: string\n snatIp:\n type: string\n required:\n - destIp\n - name\n - snatIp\n type: object\n type: array\n required:\n - podName\n - podNamespace\n - podUid\n - snatPolicies\n type: object\n type: array\n required:\n - localInfos\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatpolicies.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatPolicy\n listKind: SnatPolicyList\n plural: snatpolicies\n singular: snatpolicy\n scope: Cluster\n versions:\n - name: v1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n type: object\n properties:\n selector:\n type: object\n properties:\n labels:\n type: object\n description: 'Selection of Pods'\n properties:\n additionalProperties:\n type: string\n namespace:\n type: string\n type: object\n snatIp:\n type: array\n items:\n type: string\n destIp:\n type: array\n items:\n type: string\n type: object\n status:\n type: object\n properties:\n additionalProperties:\n type: string\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: nodeinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: NodeInfo\n listKind: NodeInfoList\n plural: nodeinfos\n singular: nodeinfo\n scope: Namespaced\n 
versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n macaddress:\n type: string\n snatpolicynames:\n additionalProperties:\n type: boolean\n type: object\n type: object\n status:\n description: NodeinfoStatus defines the observed state of Nodeinfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: rdconfigs.aci.snat\nspec:\n group: aci.snat\n names:\n kind: RdConfig\n listKind: RdConfigList\n plural: rdconfigs\n singular: rdconfig\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n discoveredsubnets:\n items:\n type: string\n type: array\n usersubnets:\n items:\n type: string\n type: array\n type: object\n status:\n description: NodeinfoStatus defines the observed state of Nodeinfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: networkpolicies.aci.netpol\nspec:\n group: aci.netpol\n names:\n kind: NetworkPolicy\n listKind: NetworkPolicyList\n plural: networkpolicies\n singular: networkpolicy\n scope: Namespaced\n versions:\n - name: v1\n schema:\n openAPIV3Schema:\n description: Network Policy describes traffic flow at IP address or port level\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n appliedTo:\n properties:\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n 
podSelector:\n description: allow ingress from the same namespace\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n egress:\n description: Set of egress rules evaluated based on the order in which they are set.\n items:\n properties:\n action:\n description: Action specifies the action to be applied on the rule.\n type: string\n enableLogging:\n description: EnableLogging is used to indicate if agent should generate logs default to false.\n type: boolean\n ports:\n description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports.\n items:\n description: NetworkPolicyPort describes the port and protocol to match in a rule.\n properties:\n endPort:\n description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical port is specified.\n format: int32\n type: integer\n port:\n anyOf:\n - type: integer\n - type: string\n description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers.\n x-kubernetes-int-or-string: true\n protocol:\n default: TCP\n description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.\n type: string\n type: object\n type: array\n to:\n description: Rule is matched if traffic is intended for workloads selected by this field. If this field is empty or missing, this rule matches all destinations.\n items:\n properties:\n ipBlock:\n description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. 
Cannot be set with any other selector.\n properties:\n cidr:\n description: CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\"\n type: string\n except:\n description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\" Except values will be rejected if they are outside the CIDR range\n items:\n type: string\n type: array\n required:\n - cidr\n type: object\n namespaceSelector:\n description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector.\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: Select Pods from NetworkPolicys Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. 
Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n type: array\n toFqDn:\n properties:\n matchNames:\n items:\n type: string\n type: array\n required:\n - matchNames\n type: object\n required:\n - enableLogging\n - toFqDn\n type: object\n type: array\n ingress:\n description: Set of ingress rules evaluated based on the order in which they are set.\n items:\n properties:\n action:\n description: Action specifies the action to be applied on the rule.\n type: string\n enableLogging:\n description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false.\n type: boolean\n from:\n description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources.\n items:\n properties:\n ipBlock:\n description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. 
Cannot be set with any other selector.\n properties:\n cidr:\n description: CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\"\n type: string\n except:\n description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\" Except values will be rejected if they are outside the CIDR range\n items:\n type: string\n type: array\n required:\n - cidr\n type: object\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: Select Pods from NetworkPolicys Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.\n properties:\n matchExpressions:\n description: matchExpressions is a list of label selector requirements. The requirements are ANDed.\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n type: array\n ports:\n description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports.\n items:\n description: NetworkPolicyPort describes the port and protocol to match in a rule.\n properties:\n endPort:\n description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical port is specified.\n format: int32\n type: integer\n port:\n anyOf:\n - type: integer\n - type: string\n description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers.\n x-kubernetes-int-or-string: true\n protocol:\n default: TCP\n description: The protocol (TCP, UDP, or SCTP) which traffic must match. 
If not specified, this field defaults to TCP.\n type: string\n type: object\n type: array\n type: object\n type: array\n policyTypes:\n items:\n description: Policy Type string describes the NetworkPolicy type This type is beta-level in 1.8\n type: string\n type: array\n priority:\n description: Priority specfies the order of the NetworkPolicy relative to other NetworkPolicies.\n type: integer\n type:\n description: type of the policy.\n type: string\n required:\n - type\n type: object\n required:\n - spec\n type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: dnsnetworkpolicies.aci.dnsnetpol\nspec:\n group: aci.dnsnetpol\n names:\n kind: DnsNetworkPolicy\n listKind: DnsNetworkPolicyList\n plural: dnsnetworkpolicies\n singular: dnsnetworkpolicy\n scope: Namespaced\n versions:\n - name: v1beta\n schema:\n openAPIV3Schema:\n description: dns network Policy\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n appliedTo:\n properties:\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: allow ingress from the same namespace\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n egress:\n description: Set of egress rules evaluated based on the order in which they are set.\n properties:\n toFqdn:\n properties:\n matchNames:\n items:\n type: string\n type: array\n required:\n - matchNames\n type: object\n required:\n - toFqdn\n type: object\n type: object\n required:\n - spec\n type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: qospolicies.aci.qos\nspec:\n group: aci.qos\n names:\n kind: QosPolicy\n listKind: QosPolicyList\n plural: qospolicies\n singular: qospolicy\n scope: Namespaced\n preserveUnknownFields: false\n versions:\n - name: v1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n podSelector:\n description: 'Selection of Pods'\n type: object\n properties:\n matchLabels:\n type: object\n description:\n ingress:\n type: object\n properties:\n policing_rate:\n type: integer\n minimum: 0\n policing_burst:\n type: integer\n minimum: 0\n egress:\n type: object\n properties:\n policing_rate:\n type: integer\n minimum: 0\n policing_burst:\n type: integer\n minimum: 0\n dscpmark:\n type: integer\n default: 0\n minimum: 0\n maximum: 63\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: netflowpolicies.aci.netflow\nspec:\n group: aci.netflow\n names:\n kind: NetflowPolicy\n listKind: NetflowPolicyList\n plural: netflowpolicies\n singular: 
netflowpolicy\n scope: Cluster\n preserveUnknownFields: false\n versions:\n - name: v1alpha\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n flowSamplingPolicy:\n type: object\n properties:\n destIp:\n type: string\n destPort:\n type: integer\n minimum: 0\n maximum: 65535\n default: 2055\n flowType:\n type: string\n enum:\n - netflow\n - ipfix\n default: netflow\n activeFlowTimeOut:\n type: integer\n minimum: 0\n maximum: 3600\n default: 60\n idleFlowTimeOut:\n type: integer\n minimum: 0\n maximum: 600\n default: 15\n samplingRate:\n type: integer\n minimum: 0\n maximum: 1000\n default: 0\n required:\n - destIp\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: erspanpolicies.aci.erspan\nspec:\n group: aci.erspan\n names:\n kind: ErspanPolicy\n listKind: ErspanPolicyList\n plural: erspanpolicies\n singular: erspanpolicy\n scope: Cluster\n preserveUnknownFields: false\n versions:\n - name: v1alpha\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n selector:\n type: object\n description: 'Selection of Pods'\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n namespace:\n type: string\n source:\n type: object\n properties:\n adminState:\n description: Administrative state.\n default: start\n type: string\n enum:\n - start\n - stop\n direction:\n description: Direction of the packets to monitor.\n default: both\n type: string\n enum:\n - in\n - out\n - both\n destination:\n type: object\n properties:\n destIP:\n description: Destination IP of the ERSPAN packet.\n type: string\n flowID:\n description: Unique flow ID of the ERSPAN packet.\n default: 1\n 
type: integer\n minimum: 1\n maximum: 1023\n required:\n - destIP\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: enabledroplogs.aci.droplog\nspec:\n group: aci.droplog\n names:\n kind: EnableDropLog\n listKind: EnableDropLogList\n plural: enabledroplogs\n singular: enabledroplog\n scope: Cluster\n versions:\n - name: v1alpha1\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n description: Defines the desired state of EnableDropLog\n type: object\n properties:\n disableDefaultDropLog:\n description: Disables the default droplog enabled by acc-provision.\n default: false\n type: boolean\n nodeSelector:\n type: object\n description: Drop logging is enabled on nodes selected based on labels\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: prunedroplogs.aci.droplog\nspec:\n group: aci.droplog\n names:\n kind: PruneDropLog\n listKind: PruneDropLogList\n plural: prunedroplogs\n singular: prunedroplog\n scope: Cluster\n versions:\n - name: v1alpha1\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n description: Defines the desired state of PruneDropLog\n type: object\n properties:\n nodeSelector:\n type: object\n description: Drop logging filters are applied to nodes selected based on labels\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n dropLogFilters:\n type: object\n properties:\n srcIP:\n type: string\n destIP:\n type: string\n srcMAC:\n type: string\n destMAC:\n type: string\n srcPort:\n type: integer\n 
destPort:\n type: integer\n ipProto:\n type: integer\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: accprovisioninputs.aci.ctrl\nspec:\n group: aci.ctrl\n names:\n kind: AccProvisionInput\n listKind: AccProvisionInputList\n plural: accprovisioninputs\n singular: accprovisioninput\n scope: Namespaced\n versions:\n - name: v1alpha1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n description: accprovisioninput defines the input configuration for ACI CNI\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: AccProvisionInputSpec defines the desired spec for accprovisioninput object\n properties:\n acc_provision_input:\n type: object\n properties:\n operator_managed_config:\n type: object\n properties:\n enable_updates:\n type: boolean\n aci_config:\n type: object\n properties:\n sync_login:\n type: object\n properties:\n certfile:\n type: string\n keyfile:\n type: string\n client_ssl:\n type: boolean\n net_config:\n type: object\n properties:\n interface_mtu:\n type: integer\n service_monitor_interval:\n type: integer\n pbr_tracking_non_snat:\n type: boolean\n pod_subnet_chunk_size:\n type: integer\n disable_wait_for_network:\n type: boolean\n duration_wait_for_network:\n type: integer\n registry:\n type: object\n properties:\n image_prefix:\n type: string\n image_pull_secret:\n type: string\n aci_containers_operator_version:\n type: string\n aci_containers_controller_version:\n type: string\n aci_containers_host_version:\n type: string\n acc_provision_operator_version:\n type: string\n aci_cni_operator_version:\n type: string\n cnideploy_version:\n type: string\n opflex_agent_version:\n type: string\n openvswitch_version:\n type: string\n gbp_version:\n type: string\n logging:\n type: object\n properties:\n controller_log_level:\n type: string\n hostagent_log_level:\n type: string\n opflexagent_log_level:\n type: 
string\n istio_config:\n type: object\n properties:\n install_profile:\n type: string\n multus:\n type: object\n properties:\n disable:\n type: boolean\n drop_log_config:\n type: object\n properties:\n enable:\n type: boolean\n nodepodif_config:\n type: object\n properties:\n enable:\n type: boolean\n sriov_config:\n type: object\n properties:\n enable:\n type: boolean\n kube_config:\n type: object\n properties:\n ovs_memory_limit:\n type: string\n use_privileged_containers:\n type: boolean\n image_pull_policy:\n type: string\n reboot_opflex_with_ovs:\n type: string\n snat_operator:\n type: object\n properties:\n port_range:\n type: object\n properties:\n start:\n type: integer\n end:\n type: integer\n ports_per_node:\n type: integer\n contract_scope:\n type: string\n disable_periodic_snat_global_info_sync:\n type: boolean\n type: object\n status:\n description: AccProvisionInputStatus defines the successful completion of AccProvisionInput\n properties:\n status:\n type: boolean\n type: object\n required:\n - spec\n type: object\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: aci-containers-config\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\ndata:\n controller-config: |-\n {\n \"log-level\": \"{{.ControllerLogLevel}}\",\n \"apic-hosts\": {{.ApicHosts}},\n{{- if ne .AciMultipod \"false\" }}\n \"aci-multipod\": {{.AciMultipod}},\n{{- end}}\n{{- if .OpflexDeviceReconnectWaitTimeout }}\n \"opflex-device-reconnect-wait-timeout\": {{.OpflexDeviceReconnectWaitTimeout}},\n{{- end}}\n \"apic-refreshtime\": \"{{.ApicRefreshTime}}\",\n \"apic-subscription-delay\": {{.ApicSubscriptionDelay}},\n \"apic_refreshticker_adjust\": \"{{.ApicRefreshTickerAdjust}}\",\n \"apic-username\": \"{{.ApicUserName}}\",\n \"apic-private-key-path\": \"/usr/local/etc/aci-cert/user.key\",\n \"aci-prefix\": \"{{.SystemIdentifier}}\",\n \"aci-vmm-type\": \"Kubernetes\",\n{{- if ne .VmmDomain \"\"}}\n 
\"aci-vmm-domain\": \"{{.VmmDomain}}\",\n{{- else}}\n \"aci-vmm-domain\": \"{{.SystemIdentifier}}\",\n{{- end}}\n{{- if ne .VmmController \"\"}}\n \"aci-vmm-controller\": \"{{.VmmController}}\",\n{{- else}}\n \"aci-vmm-controller\": \"{{.SystemIdentifier}}\",\n{{- end}}\n \"aci-policy-tenant\": \"{{.Tenant}}\",\n{{- if ne .CApic \"false\"}}\n \"lb-type\": \"None\",\n{{- end}}\n{{- if ne .HppOptimization \"false\"}}\n \"hpp-optimization\": {{.HppOptimization}},\n{{- end}}\n{{- if ne .DisableHppRendering \"false\"}}\n \"disable-hpp-rendering\": {{.DisableHppRendering}},\n{{- end}}\n{{- if ne .NoWaitForServiceEpReadiness \"false\"}}\n \"no-wait-for-service-ep-readiness\": {{.NoWaitForServiceEpReadiness}},\n{{- end}}\n{{- if ne .ServiceGraphEndpointAddDelay \"0\"}}\n \"service-graph-endpoint-add-delay\" : {\n \"delay\": {{.ServiceGraphEndpointAddDelay}},\n \"services\": [{{- range $index, $item :=.ServiceGraphEndpointAddServices }}{{- if $index}},{{end}}{ {{- range $k, $v := $item }}\"{{ $k }}\": \"{{ $v }}\"{{if eq $k \"name\"}},{{end}}{{- end}}}{{end}}]\n },\n{{- end}}\n{{- if ne .AddExternalSubnetsToRdconfig \"false\"}}\n \"add-external-subnets-to-rdconfig\": {{.AddExternalSubnetsToRdconfig}},\n{{- end}}\n{{- if ne .DisablePeriodicSnatGlobalInfoSync \"false\"}}\n \"disable-periodic-snat-global-info-sync\": {{.DisablePeriodicSnatGlobalInfoSync}},\n{{- end}}\n{{- if .NodeSnatRedirectExclude }}\n \"node-snat-redirect-exclude\": [{{ range $index,$item := .NodeSnatRedirectExclude}}{{- if $index}}, {{end }}{\"group\": \"{{ index $item \"group\" }}\", \"labels\": {{ index $item \"labels\" }}}{{ end }}],\n{{- end }}\n{{- if .ApicConnectionRetryLimit}}\n \"apic-connection-retry-limit\": {{.ApicConnectionRetryLimit}},\n{{- end}}\n \"opflex-device-delete-timeout\": {{.OpflexDeviceDeleteTimeout}},\n \"sleep-time-snat-global-info-sync\": {{.SleepTimeSnatGlobalInfoSync}},\n{{- /* Commenting code to disable the install_istio flag as the functionality\n is disabled to remove 
dependency from istio.io/istio package.\n Vulnerabilties were detected by quay.io security scan of aci-containers-controller\n and aci-containers-operator images for istio.io/istio package \n \"install-istio\": {{.InstallIstio}},\n \"istio-profile\": \"{{.IstioProfile}}\",\n*/}}\n{{- if ne .CApic \"true\"}}\n \"aci-podbd-dn\": \"uni/tn-{{.Tenant}}/BD-aci-containers-{{.SystemIdentifier}}-pod-bd\",\n \"aci-nodebd-dn\": \"uni/tn-{{.Tenant}}/BD-aci-containers-{{.SystemIdentifier}}-node-bd\",\n{{- end}}\n \"aci-service-phys-dom\": \"{{.SystemIdentifier}}-pdom\",\n \"aci-service-encap\": \"vlan-{{.ServiceVlan}}\",\n \"aci-service-monitor-interval\": {{.ServiceMonitorInterval}},\n \"aci-pbr-tracking-non-snat\": {{.PBRTrackingNonSnat}},\n \"aci-vrf-tenant\": \"{{.VRFTenant}}\",\n \"aci-l3out\": \"{{.L3Out}}\",\n \"aci-ext-networks\": {{.L3OutExternalNetworks}},\n{{- if ne .CApic \"true\"}}\n \"aci-vrf\": \"{{.VRFName}}\",\n{{- else}}\n \"aci-vrf\": \"{{.OverlayVRFName}}\",\n{{- end}}\n \"app-profile\": \"aci-containers-{{.SystemIdentifier}}\",\n{{- if ne .AddExternalContractToDefaultEpg \"false\"}}\n \"add-external-contract-to-default-epg\": {{.AddExternalContractToDefaultEpg}},\n{{- end}} \n \"default-endpoint-group\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-default\"\n{{- else}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}\"\n{{- end}}\n },\n \"max-nodes-svc-graph\": {{.MaxNodesSvcGraph}},\n \"namespace-default-endpoint-group\": {\n \"aci-containers-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"istio-operator\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": 
\"aci-containers-istio\"\n{{- end}}\n },\n \"istio-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"kube-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-prometheus\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-logging\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n } },\n \"service-ip-pool\": [{{- range $index, $item := .ServiceIPPool }}{{- if $index}},{{end}}{ \"start\": \"{{ $item.Start }}\", \"end\": \"{{ $item.End}}\" }{{end}}],\n \"extern-static\": [{{- range $index, $item := .StaticExternalSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"extern-dynamic\": [{{- range $index, $item := .DynamicExternalSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"snat-contract-scope\": \"{{.SnatContractScope}}\",\n \"static-service-ip-pool\": [{{- range $index, $item := .StaticServiceIPPool }}{{- if $index}},{{end}}{ \"start\": \"{{ $item.Start }}\", \"end\": \"{{ $item.End }}\" }{{end}}],\n{{- if and (ne .TaintNotReadyNode \"false\") (ne .TaintNotReadyNode \"False\") }}\n \"taint-not-ready\": true,\n{{- end}}\n \"pod-ip-pool\": [{{- range $index, $item := 
.PodIPPool }}{{- if $index}},{{end}}{ \"start\": \"{{ $item.Start }}\", \"end\": \"{{ $item.End}}\" }{{end}}],\n \"pod-subnet\": [{{- range $index, $item := .PodSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"pod-subnet-chunk-size\": {{.PodSubnetChunkSize}},\n \"node-service-ip-pool\": [\n {\n \"end\": \"{{.NodeServiceIPEnd}}\",\n \"start\": \"{{.NodeServiceIPStart}}\"\n }\n ],\n \"node-service-subnets\": [\n \"{{.ServiceGraphSubnet}}\"\n ],\n \"enable_endpointslice\": {{.EnableEndpointSlice}}\n }\n host-agent-config: |-\n {\n \"app-profile\": \"aci-containers-{{.SystemIdentifier}}\",\n{{- if ne .EpRegistry \"\"}}\n \"ep-registry\": \"{{.EpRegistry}}\",\n{{- else}}\n \"ep-registry\": null,\n{{- end}}\n{{- if ne .AciMultipod \"false\" }}\n \"aci-multipod\": {{.AciMultipod}},\n{{- end}}\n{{- if ne .DhcpRenewMaxRetryCount \"0\" }}\n \"dhcp-renew-max-retry-count\": {{.DhcpRenewMaxRetryCount}},\n{{- end}}\n{{- if ne .DhcpDelay \"0\" }}\n \"dhcp-delay\": {{.DhcpDelay}},\n{{- end}}\n{{- if ne .EnableOpflexAgentReconnect \"false\"}}\n \"enable-opflex-agent-reconnect\": {{.EnableOpflexAgentReconnect}},\n{{- end}}\n{{- if ne .OpflexMode \"\"}}\n \"opflex-mode\": \"{{.OpflexMode}}\",\n{{- else}}\n \"opflex-mode\": null,\n{{- end}}\n \"log-level\": \"{{.HostAgentLogLevel}}\",\n \"aci-snat-namespace\": \"{{.SnatNamespace}}\",\n \"aci-vmm-type\": \"Kubernetes\",\n{{- if ne .VmmDomain \"\"}}\n \"aci-vmm-domain\": \"{{.VmmDomain}}\",\n{{- else}}\n \"aci-vmm-domain\": \"{{.SystemIdentifier}}\",\n{{- end}}\n{{- if ne .VmmController \"\"}}\n \"aci-vmm-controller\": \"{{.VmmController}}\",\n{{- else}}\n \"aci-vmm-controller\": \"{{.SystemIdentifier}}\",\n{{- end}}\n \"aci-prefix\": \"{{.SystemIdentifier}}\",\n{{- if ne .CApic \"true\"}}\n \"aci-vrf\": \"{{.VRFName}}\",\n{{- else}}\n \"aci-vrf\": \"{{.OverlayVRFName}}\",\n{{- end}}\n \"aci-vrf-tenant\": \"{{.VRFTenant}}\",\n \"service-vlan\": {{.ServiceVlan}},\n \"kubeapi-vlan\": {{.KubeAPIVlan}},\n{{- if ne .HppOptimization 
\"false\"}}\n \"hpp-optimization\": {{.HppOptimization}},\n{{- end}}\n{{- if ne .DisableHppRendering \"false\"}}\n \"disable-hpp-rendering\": {{.DisableHppRendering}},\n{{- end}}\n \"pod-subnet\": [{{- range $index, $item := .PodSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"node-subnet\": [{{- range $index, $item := .NodeSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"encap-type\": \"{{.EncapType}}\",\n \"aci-infra-vlan\": {{.InfraVlan}},\n{{- if .MTU}}\n{{- if ne .MTU 0}}\n \"interface-mtu\": {{.MTU}},\n{{- end}}\n{{- end}}\n{{- if .MTUHeadRoom}}\n{{- if ne .MTUHeadRoom \"0\"}}\n \"interface-mtu-headroom\": {{.MTUHeadRoom}},\n{{- end}}\n{{- end}}\n \"cni-netconfig\": [{{- range $index, $item := .PodNetwork }}{{- if $index}},{{end}}{ \"gateway\": \"{{ $item.Gateway }}\", \"subnet\": \"{{ $item.Subnet }}\", \"routes\": [{ \"dst\": \"0.0.0.0/0\", \"gw\": \"{{ $item.Gateway }}\" }]}{{end}}],\n \"default-endpoint-group\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-default\"\n{{- else}}\n \"name\": \"aci-containers-default\"\n{{- end}}\n },\n \"namespace-default-endpoint-group\": {\n \"aci-containers-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"istio-operator\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"istio-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"kube-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": 
\"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-prometheus\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-logging\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n } },\n \"enable-drop-log\": {{.DropLogEnable}},\n{{- if and (ne .DropLogDisableEvents \"false\") (ne .DropLogDisableEvents \"False\")}}\n \"packet-event-notification-socket\": \"\",\n{{- end}}\n \"enable_endpointslice\": {{.EnableEndpointSlice}},\n \"enable-nodepodif\": {{.NodePodIfEnable}},\n{{- if and (ne .TaintNotReadyNode \"false\") (ne .TaintNotReadyNode \"False\") }}\n \"taint-not-ready\": true,\n{{- end}} \n \"enable-ovs-hw-offload\": {{.SriovEnable}}\n }\n opflex-agent-config: |-\n {\n \"log\": {\n \"level\": \"{{.OpflexAgentLogLevel}}\"\n },\n \"opflex\": {\n{{- if eq .OpflexClientSSL \"false\"}}\n \"ssl\": { \"mode\": \"disabled\"},\n{{- end}}\n{{- if eq .OpflexAgentStatistics \"false\"}}\n \"statistics\" : { \"mode\" : \"off\" },\n{{- end}}\n \"timers\" : {\n{{- if .OpflexAgentPolicyRetryDelayTimer}}\n \"policy-retry-delay\": {{.OpflexAgentPolicyRetryDelayTimer}},\n{{- end}}\n \"switch-sync-delay\": {{.OpflexSwitchSyncDelay}},\n \"switch-sync-dynamic\": {{.OpflexSwitchSyncDynamic}}\n },\n \"startup\": {\n \"enabled\": \"{{.OpflexStartupEnabled}}\",\n \"policy-file\": \"/usr/local/var/lib/opflex-agent-ovs/startup/pol.json\",\n \"policy-duration\": 
{{.OpflexStartupPolicyDuration}},\n \"resolve-aft-conn\": \"{{.OpflexStartupResolveAftConn}}\"\n },\n \"notif\" : { \"enabled\" : \"false\" },\n \"asyncjson\": { \"enabled\" : {{.OpflexAgentOpflexAsyncjsonEnabled}} }\n },\n \"ovs\": {\n \"asyncjson\": { \"enabled\" : {{.OpflexAgentOvsAsyncjsonEnabled}} }\n }\n }\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: snat-operator-config\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\ndata:\n \"start\": \"{{.SnatPortRangeStart}}\"\n \"end\": \"{{.SnatPortRangeEnd}}\"\n \"ports-per-node\": \"{{.SnatPortsPerNode}}\"\n---\napiVersion: v1\nkind: Secret\nmetadata:\n name: aci-user-cert\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\ndata:\n user.key: {{.ApicUserKey}}\n user.crt: {{.ApicUserCrt}}\n---\n{{- if eq .CApic \"true\"}}\napiVersion: v1\nkind: Secret\nmetadata:\n name: kafka-client-certificates\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\ndata:\n ca.crt: {{.KafkaClientCrt}}\n kafka-client.crt: {{.KafkaClientCrt}}\n kafka-client.key: {{.KafkaClientKey}}\n---\n{{- end}}\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: aci-containers-controller\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: aci-containers-host-agent\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n---\n{{- if eq .UseClusterRole \"true\"}}\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n name: aci-containers-controller\nrules:\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - namespaces\n - pods\n - endpoints\n - services\n - events\n - replicationcontrollers\n - serviceaccounts\n verbs:\n - list\n - 
watch\n - get\n - patch\n - create\n - update\n - delete\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n- apiGroups:\n - \"apiextensions.k8s.io\"\n resources:\n - customresourcedefinitions\n verbs:\n - '*'\n- apiGroups:\n - \"rbac.authorization.k8s.io\"\n resources:\n - clusterroles\n - clusterrolebindings\n verbs:\n - '*'\n{{- /* Commenting code to disable the install_istio flag as the functionality\n is disabled to remove dependency from istio.io/istio package.\n Vulnerabilties were detected by quay.io security scan of aci-containers-controller\n and aci-containers-operator images for istio.io/istio package\n{{- if ne .InstallIstio \"false\"}}\n- apiGroups:\n - \"install.istio.io\"\n resources:\n - istiocontrolplanes\n - istiooperators\n verbs:\n - '*'\n- apiGroups:\n - \"aci.istio\"\n resources:\n - aciistiooperators\n - aciistiooperator\n verbs:\n - '*'\n{{- end}}\n*/}}\n- apiGroups:\n - \"networking.k8s.io\"\n resources:\n - networkpolicies\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"apps\"\n resources:\n - deployments\n - replicasets\n - daemonsets\n - statefulsets\n verbs:\n - '*'\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - services/status\n verbs:\n - update\n- apiGroups:\n - \"monitoring.coreos.com\"\n resources:\n - servicemonitors\n verbs:\n - get\n - create\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatpolicies/finalizers\n - snatpolicies/status\n - nodeinfos\n verbs:\n - update\n - create\n - list\n - watch\n - get\n - delete\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatglobalinfos\n - snatpolicies\n - nodeinfos\n - rdconfigs\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n- apiGroups:\n - \"aci.qos\"\n resources:\n - qospolicies\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n - patch\n- apiGroups:\n - \"aci.netflow\"\n resources:\n - netflowpolicies\n verbs:\n - list\n - watch\n - get\n - update\n- 
apiGroups:\n - \"aci.erspan\"\n resources:\n - erspanpolicies\n verbs:\n - list\n - watch\n - get\n - update\n- apiGroups:\n - \"aci.aw\"\n resources:\n - nodepodifs\n verbs:\n - '*'\n- apiGroups:\n - apps.openshift.io\n resources:\n - deploymentconfigs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - discovery.k8s.io\n resources:\n - endpointslices\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.netpol\"\n resources:\n - networkpolicies\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - delete\n- apiGroups:\n - \"aci.dnsnetpol\"\n resources:\n - dnsnetworkpolicies\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - delete\n---\n{{- end}}\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n name: aci-containers-host-agent\nrules:\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - namespaces\n - pods\n - endpoints\n - services\n - replicationcontrollers\n verbs:\n - list\n - watch\n - get\n{{- if ne .DropLogEnable \"false\"}}\n - update\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - create\n - patch\n{{- end}}\n- apiGroups:\n - \"apiextensions.k8s.io\"\n resources:\n - customresourcedefinitions\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"networking.k8s.io\"\n resources:\n - networkpolicies\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"apps\"\n resources:\n - deployments\n - replicasets\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatpolicies\n - snatglobalinfos\n - rdconfigs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.qos\"\n resources:\n - qospolicies\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n - patch\n- apiGroups:\n - \"aci.droplog\"\n resources:\n - enabledroplogs\n - prunedroplogs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.snat\"\n resources:\n - nodeinfos\n - snatlocalinfos\n 
verbs:\n - create\n - update\n - list\n - watch\n - get\n - delete\n- apiGroups:\n - discovery.k8s.io\n resources:\n - endpointslices\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.netpol\"\n resources:\n - networkpolicies\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.aw\"\n resources:\n - nodepodifs\n verbs:\n - \"*\"\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: aci-containers-controller\n labels:\n aci-containers-config-version: \"{{.Token}}\"\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: aci-containers-controller\nsubjects:\n- kind: ServiceAccount\n name: aci-containers-controller\n namespace: aci-containers-system\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: aci-containers-host-agent\n labels:\n aci-containers-config-version: \"{{.Token}}\"\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: aci-containers-host-agent\nsubjects:\n- kind: ServiceAccount\n name: aci-containers-host-agent\n namespace: aci-containers-system\n---\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: aci-containers-host\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\nspec:\n updateStrategy:\n type: RollingUpdate\n selector:\n matchLabels:\n name: aci-containers-host\n network-plugin: aci-containers\n template:\n metadata:\n labels:\n name: aci-containers-host\n network-plugin: aci-containers\n annotations:\n prometheus.io/scrape: \"true\"\n prometheus.io/port: \"9612\"\n spec:\n hostNetwork: true\n hostPID: true\n hostIPC: true\n serviceAccountName: aci-containers-host-agent\n{{- if ne .ImagePullSecret \"\"}}\n imagePullSecrets:\n - name: {{.ImagePullSecret}}\n{{- end}}\n tolerations:\n - operator: Exists\n initContainers:\n - name: cnideploy\n image: {{.AciCniDeployContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n 
securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - SYS_ADMIN\n volumeMounts:\n - name: cni-bin\n mountPath: /mnt/cni-bin\n{{- if ne .UseSystemNodePriorityClass \"false\"}}\n priorityClassName: system-node-critical\n{{- else if .UseAciContainersHostPriorityClass}} \n priorityClassName: aci-containers-host\n{{- else}} \n{{- if ne .NoPriorityClass \"true\"}}\n priorityClassName: system-cluster-critical\n{{- end}}\n{{- if eq .UseAciCniPriorityClass \"true\"}}\n priorityClassName: acicni-priority\n{{- end}}\n{{- end}}\n containers:\n - name: aci-containers-host\n image: {{.AciHostContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .AciContainersHostMemoryLimit ) ( .AciContainersHostMemoryRequest )}}\n resources:\n limits:\n{{- if .AciContainersHostMemoryLimit }}\n memory: \"{{ .AciContainersHostMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .AciContainersHostMemoryRequest }}\n memory: \"{{ .AciContainersHostMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}}\n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - SYS_ADMIN\n - NET_ADMIN\n - SYS_PTRACE\n - NET_RAW\n env:\n - name: KUBERNETES_NODE_NAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n - name: TENANT\n value: \"{{.Tenant}}\"\n{{- if ne .MultusDisable \"true\"}}\n - name: MULTUS\n value: true\n{{- end}}\n{{- if eq .DisableWaitForNetwork \"true\"}}\n - name: DISABLE_WAIT_FOR_NETWORK\n value: true\n{{- else}}\n - name: DURATION_WAIT_FOR_NETWORK\n value: \"{{.DurationWaitForNetwork}}\"\n{{- end}}\n volumeMounts:\n - name: cni-bin\n mountPath: /mnt/cni-bin\n - name: cni-conf\n mountPath: /mnt/cni-conf\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: 
opflex-hostconfig-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/base-conf.d\n - name: host-config-volume\n mountPath: /usr/local/etc/aci-containers/\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n{{- if eq .AciMultipod \"true\" }}\n - name: dhclient\n mountPath: /var/lib/dhclient\n{{- end}}\n{{- if eq .UseHostNetnsVolume \"true\"}}\n - mountPath: /run/netns\n name: host-run-netns\n readOnly: true\n mountPropagation: HostToContainer\n{{- end}}\n{{- if ne .MultusDisable \"true\"}}\n - name: multus-cni-conf\n mountPath: /mnt/multus-cni-conf\n{{- end}}\n livenessProbe:\n failureThreshold: 10\n httpGet:\n path: /status\n port: 8090\n scheme: HTTP\n initialDelaySeconds: 120\n periodSeconds: 60\n successThreshold: 1\n timeoutSeconds: 30\n - name: opflex-agent\n env:\n - name: REBOOT_WITH_OVS\n value: \"true\"\n{{- if ne .OpflexOpensslCompat \"false\"}}\n - name: OPENSSL_CONF\n value: \"/etc/pki/tls/openssl11.cnf\" \n{{- end}}\n image: {{.AciOpflexContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .OpflexAgentMemoryLimit ) ( .OpflexAgentMemoryRequest )}}\n resources:\n limits:\n{{- if .OpflexAgentMemoryLimit }}\n memory: \"{{ .OpflexAgentMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .OpflexAgentMemoryRequest }}\n memory: \"{{ .OpflexAgentMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}} \n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - NET_ADMIN\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: opflex-hostconfig-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/base-conf.d\n - name: opflex-config-volume\n 
mountPath: /usr/local/etc/opflex-agent-ovs/conf.d\n{{- if eq .RunOpflexServerContainer \"true\"}}\n - name: opflex-server\n image: {{.AciOpflexContainer}}\n command: [\"/bin/sh\"]\n args: [\"/usr/local/bin/launch-opflexserver.sh\"]\n imagePullPolicy: {{.ImagePullPolicy}}\n securityContext:\n capabilities:\n add:\n - NET_ADMIN\n ports:\n - containerPort: {{.OpflexServerPort}}\n - name: metrics\n containerPort: 9632\n terminationMessagePath: /dev/termination-log\n terminationMessagePolicy: File\n volumeMounts:\n - name: opflex-server-config-volume\n mountPath: /usr/local/etc/opflex-server\n - name: hostvar\n mountPath: /usr/local/var\n{{- end}}\n{{- if ne .OpflexMode \"overlay\"}}\n - name: mcast-daemon\n image: {{.AciMcastContainer}}\n command: [\"/bin/sh\"]\n args: [\"/usr/local/bin/launch-mcastdaemon.sh\"]\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .McastDaemonMemoryLimit ) ( .McastDaemonMemoryRequest )}}\n resources:\n limits:\n{{- if .McastDaemonMemoryLimit }}\n memory: \"{{ .McastDaemonMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .McastDaemonMemoryRequest }}\n memory: \"{{ .McastDaemonMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}}\n{{- if eq .UsePrivilegedContainer \"true\"}}\n securityContext:\n privileged: true\n{{- end}}\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n{{- end}}\n restartPolicy: Always\n volumes:\n - name: cni-bin\n hostPath:\n path: /opt\n - name: cni-conf\n hostPath:\n path: /etc\n - name: hostvar\n hostPath:\n path: /var\n - name: hostrun\n hostPath:\n path: /run\n - name: host-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: host-agent-config\n path: host-agent.conf\n - name: opflex-hostconfig-volume\n emptyDir:\n medium: Memory\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: 
varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n{{- if eq .AciMultipod \"true\" }}\n{{- if eq .AciMultipodUbuntu \"true\" }}\n - name: dhclient\n hostPath:\n path: /var/lib/dhcp\n{{- else}}\n - name: dhclient\n hostPath:\n path: /var/lib/dhclient\n{{- end}}\n{{- end}}\n - name: opflex-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: opflex-agent-config\n path: local.conf\n{{- if eq .UseOpflexServerVolume \"true\"}}\n - name: opflex-server-config-volume\n{{- end}}\n{{- if eq .UseHostNetnsVolume \"true\"}}\n - name: host-run-netns\n hostPath:\n path: /run/netns\n{{- end}}\n{{- if ne .MultusDisable \"true\" }}\n - name: multus-cni-conf\n hostPath:\n path: /var/run/multus/\n{{- end}}\n---\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: aci-containers-openvswitch\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\nspec:\n updateStrategy:\n type: RollingUpdate\n selector:\n matchLabels:\n name: aci-containers-openvswitch\n network-plugin: aci-containers\n template:\n metadata:\n labels:\n name: aci-containers-openvswitch\n network-plugin: aci-containers\n spec:\n hostNetwork: true\n hostPID: true\n hostIPC: true\n serviceAccountName: aci-containers-host-agent\n{{- if ne .ImagePullSecret \"\"}}\n imagePullSecrets:\n - name: {{.ImagePullSecret}}\n{{end}}\n tolerations:\n - operator: Exists \n{{- if ne .UseSystemNodePriorityClass \"false\"}}\n priorityClassName: system-node-critical\n{{- else if .UseAciContainersOpenvswitchPriorityClass}} \n priorityClassName: aci-containers-openvswitch\n{{- else}} \n{{- if ne .NoPriorityClass \"true\"}}\n priorityClassName: system-cluster-critical\n{{- end}}\n{{- if eq .UseAciCniPriorityClass \"true\"}}\n priorityClassName: acicni-priority\n{{- end}}\n{{- end}}\n containers:\n - name: aci-containers-openvswitch\n image: {{.AciOpenvSwitchContainer}}\n 
imagePullPolicy: {{.ImagePullPolicy}}\n resources:\n limits:\n memory: \"{{.OVSMemoryLimit}}\"\n requests:\n memory: \"{{.OVSMemoryRequest}}\"\n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - NET_ADMIN\n - SYS_MODULE\n - SYS_NICE\n - IPC_LOCK\n env:\n - name: OVS_RUNDIR\n value: /usr/local/var/run/openvswitch\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: hostetc\n mountPath: /usr/local/etc\n - name: hostmodules\n mountPath: /lib/modules\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n livenessProbe:\n exec:\n command:\n - /usr/local/bin/liveness-ovs.sh\n restartPolicy: Always\n volumes:\n - name: hostetc\n hostPath:\n path: /etc\n - name: hostvar\n hostPath:\n path: /var\n - name: hostrun\n hostPath:\n path: /run\n - name: hostmodules\n hostPath:\n path: /lib/modules\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: aci-containers-controller\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n name: aci-containers-controller\nspec:\n replicas: 1\n strategy:\n type: Recreate\n selector:\n matchLabels:\n name: aci-containers-controller\n network-plugin: aci-containers\n template:\n metadata:\n name: aci-containers-controller\n namespace: aci-containers-system\n labels:\n name: aci-containers-controller\n network-plugin: aci-containers\n spec:\n hostNetwork: true\n serviceAccountName: aci-containers-controller\n{{- if ne .ImagePullSecret \"\"}}\n imagePullSecrets:\n 
- name: {{.ImagePullSecret}}\n{{- end}}\n{{- if .Tolerations }}\n tolerations:\n{{ toYaml .Tolerations | indent 6}}\n{{- else }}\n tolerations:\n - effect: NoExecute\n key: node.kubernetes.io/unreachable\n operator: Exists\n tolerationSeconds: {{ .TolerationSeconds }}\n - effect: NoExecute\n key: node.kubernetes.io/not-ready\n operator: Exists\n tolerationSeconds: {{ .TolerationSeconds }}\n - effect: NoSchedule\n key: node.kubernetes.io/not-ready\n operator: Exists\n - effect: NoSchedule\n key: node-role.kubernetes.io/master\n operator: Exists\n - effect: NoSchedule\n key: node-role.kubernetes.io/controlplane\n value: \"true\"\n operator: Equal\n - effect: NoExecute\n key: node-role.kubernetes.io/etcd\n value: \"true\"\n operator: Equal\n{{- end }}\n{{- if ne .UseSystemNodePriorityClass \"false\"}}\n priorityClassName: system-node-critical\n{{- else if .UseAciContainersControllerPriorityClass}} \n priorityClassName: aci-containers-controller\n{{- else}} \n{{- if ne .NoPriorityClass \"true\"}}\n priorityClassName: system-node-critical\n{{- end}}\n{{- if eq .UseAciCniPriorityClass \"true\"}}\n priorityClassName: acicni-priority\n{{- end}}\n{{- end}}\n containers:\n - name: aci-containers-controller\n image: {{.AciControllerContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .AciContainersControllerMemoryLimit ) ( .AciContainersControllerMemoryRequest )}}\n resources:\n limits:\n{{- if .AciContainersControllerMemoryLimit }}\n memory: \"{{ .AciContainersControllerMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .AciContainersControllerMemoryRequest }}\n memory: \"{{ .AciContainersControllerMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}}\n env:\n - name: WATCH_NAMESPACE\n value: \"\"\n - name: ACI_SNAT_NAMESPACE\n value: \"aci-containers-system\"\n - name: ACI_SNAGLOBALINFO_NAME\n value: \"snatglobalinfo\"\n - name: ACI_RDCONFIG_NAME\n value: 
\"routingdomain-config\"\n - name: SYSTEM_NAMESPACE\n value: \"aci-containers-system\"\n volumeMounts:\n - name: controller-config-volume\n mountPath: /usr/local/etc/aci-containers/\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n - name: aci-user-cert-volume\n mountPath: /usr/local/etc/aci-cert/\n livenessProbe:\n failureThreshold: 10\n httpGet:\n path: /status\n port: 8091\n scheme: HTTP\n initialDelaySeconds: 120\n periodSeconds: 60\n successThreshold: 1\n timeoutSeconds: 30\n volumes:\n{{- if eq .CApic \"true\"}}\n - name: kafka-certs\n secret:\n secretName: kafka-client-certificates\n{{- end}}\n - name: aci-user-cert-volume\n secret:\n secretName: aci-user-cert\n - name: controller-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: controller-config\n path: controller.conf\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n{{- if eq .CApic \"true\"}}\n---\napiVersion: aci.aw/v1\nkind: PodIF\nmetadata:\n name: inet-route\n namespace: kube-system\nstatus:\n epg: aci-containers-inet-out\n ipaddr: 0.0.0.0/0\n{{- end}}\n---\napiVersion: v1\nkind: LimitRange\nmetadata:\n name: memory-limit-range\n namespace: aci-containers-system\nspec:\n limits:\n - default:\n memory: {{ .AciContainersMemoryLimit }}\n defaultRequest:\n memory: {{ .AciContainersMemoryRequest }}\n type: Container\n", "calico-v1.13": "\n{{if eq .RBACConfig \"rbac\"}}\n## start rbac here\n\n# Include a clusterrole for the calico-node DaemonSet,\n# and bind it to the calico-node serviceaccount.\nkind: ClusterRole\napiVersion: rbac.authorization.k8s.io/v1beta1\nmetadata:\n name: calico-node\nrules:\n # The CNI plugin needs to get pods, nodes, and namespaces.\n - apiGroups: [\"\"]\n 
resources:\n - pods\n - nodes\n - namespaces\n verbs:\n - get\n - apiGroups: [\"\"]\n resources:\n - endpoints\n - services\n verbs:\n # Used to discover service IPs for advertisement.\n - watch\n - list\n # Used to discover Typhas.\n - get\n - apiGroups: [\"\"]\n resources:\n - nodes/status\n verbs:\n # Needed for clearing NodeNetworkUnavailable flag.\n - patch\n # Calico stores some configuration information in node annotations.\n - update\n # Watch for changes to Kubernetes NetworkPolicies.\n - apiGroups: [\"networking.k8s.io\"]\n resources:\n - networkpolicies\n verbs:\n - watch\n - list\n # Used by Calico for policy information.\n - apiGroups: [\"\"]\n resources:\n - pods\n - namespaces\n - serviceaccounts\n verbs:\n - list\n - watch\n # The CNI plugin patches pods/status.\n - apiGroups: [\"\"]\n resources:\n - pods/status\n verbs:\n - patch\n # Calico monitors various CRDs for config.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - globalfelixconfigs\n - felixconfigurations\n - bgppeers\n - globalbgpconfigs\n - bgpconfigurations\n - ippools\n - globalnetworkpolicies\n - globalnetworksets\n - networkpolicies\n - clusterinformations\n - hostendpoints\n verbs:\n - get\n - list\n - watch\n # Calico must create and update some CRDs on startup.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - ippools\n - felixconfigurations\n - clusterinformations\n verbs:\n - create\n - update\n # Calico stores some configuration information on the node.\n - apiGroups: [\"\"]\n resources:\n - nodes\n verbs:\n - get\n - list\n - watch\n # These permissions are only requried for upgrade from v2.6, and can\n # be removed after upgrade or on fresh installations.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - bgpconfigurations\n - bgppeers\n verbs:\n - create\n - update\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: ClusterRoleBinding\nmetadata:\n name: calico-node\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n 
name: calico-node\nsubjects:\n- kind: ServiceAccount\n name: calico-node\n namespace: kube-system\n- apiGroup: rbac.authorization.k8s.io\n kind: Group\n name: system:nodes\n{{end}}\n## end rbac here\n\n---\n# This ConfigMap is used to configure a self-hosted Calico installation.\nkind: ConfigMap\napiVersion: v1\nmetadata:\n name: calico-config\n namespace: kube-system\ndata:\n # To enable Typha, set this to \"calico-typha\" *and* set a non-zero value for Typha replicas\n # below. We recommend using Typha if you have more than 50 nodes. Above 100 nodes it is\n # essential.\n typha_service_name: \"none\"\n # Configure the Calico backend to use.\n calico_backend: \"bird\"\n\n # Configure the MTU to use\n{{- if .MTU }}\n{{- if ne .MTU 0 }}\n veth_mtu: \"{{.MTU}}\"\n{{- end}}\n{{- else }}\n veth_mtu: \"1440\"\n{{- end}}\n\n # The CNI network configuration to install on each node. The special\n # values in this config will be automatically populated.\n cni_network_config: |-\n {\n \"name\": \"k8s-pod-network\",\n \"cniVersion\": \"0.3.0\",\n \"plugins\": [\n {\n \"type\": \"calico\",\n \"log_level\": \"WARNING\",\n \"datastore_type\": \"kubernetes\",\n \"nodename\": \"__KUBERNETES_NODE_NAME__\",\n \"mtu\": __CNI_MTU__,\n \"ipam\": {\n \"type\": \"host-local\",\n \"subnet\": \"usePodCidr\"\n },\n \"policy\": {\n \"type\": \"k8s\"\n },\n \"kubernetes\": {\n \"kubeconfig\": \"{{.KubeCfg}}\"\n }\n },\n {\n \"type\": \"portmap\",\n \"snat\": true,\n \"capabilities\": {\"portMappings\": true}\n }\n ]\n }\n---\n\n# This manifest installs the calico/node container, as well\n# as the Calico CNI plugins and network config on\n# each master and worker node in a Kubernetes cluster.\nkind: DaemonSet\napiVersion: extensions/v1beta1\nmetadata:\n name: calico-node\n namespace: kube-system\n labels:\n k8s-app: calico-node\nspec:\n selector:\n matchLabels:\n k8s-app: calico-node\n updateStrategy:\n{{if .UpdateStrategy}}\n{{ toYaml .UpdateStrategy | indent 4}}\n{{else}}\n type: 
RollingUpdate\n rollingUpdate:\n maxUnavailable: 1\n{{end}}\n template:\n metadata:\n labels:\n k8s-app: calico-node\n annotations:\n # This, along with the CriticalAddonsOnly toleration below,\n # marks the pod as a critical add-on, ensuring it gets\n # priority scheduling and that its resources are reserved\n # if it ever gets evicted.\n scheduler.alpha.kubernetes.io/critical-pod: ''\n spec:\n affinity:\n nodeAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n nodeSelectorTerms:\n - matchExpressions:\n - key: beta.kubernetes.io/os\n operator: NotIn\n values:\n - windows\n hostNetwork: true\n{{if .NodeSelector}}\n nodeSelector:\n {{ range $k, $v := .NodeSelector }}\n {{ $k }}: \"{{ $v }}\"\n {{ end }}\n{{end}}\n tolerations:\n # Make sure calico-node gets scheduled on all nodes.\n - effect: NoSchedule\n operator: Exists\n # Mark the pod as a critical add-on for rescheduling.\n - key: CriticalAddonsOnly\n operator: Exists\n - effect: NoExecute\n operator: Exists\n serviceAccountName: calico-node\n # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a \"force\n # deletion\": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.\n terminationGracePeriodSeconds: 0\n initContainers:\n # This container installs the Calico CNI binaries\n # and CNI network config file on each node.\n - name: install-cni\n image: {{.CNIImage}}\n command: [\"/install-cni.sh\"]\n env:\n # Name of the CNI config file to create.\n - name: CNI_CONF_NAME\n value: \"10-calico.conflist\"\n # The CNI network config to install on each node.\n - name: CNI_NETWORK_CONFIG\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: cni_network_config\n # Set the hostname based on the k8s node name.\n - name: KUBERNETES_NODE_NAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n # CNI MTU Config variable\n - name: CNI_MTU\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: veth_mtu\n # Prevents the container from sleeping 
forever.\n - name: SLEEP\n value: \"false\"\n volumeMounts:\n - mountPath: /host/opt/cni/bin\n name: cni-bin-dir\n - mountPath: /host/etc/cni/net.d\n name: cni-net-dir\n containers:\n # Runs calico/node container on each Kubernetes node. This\n # container programs network policy and routes on each\n # host.\n - name: calico-node\n image: {{.NodeImage}}\n env:\n # Use Kubernetes API as the backing datastore.\n - name: DATASTORE_TYPE\n value: \"kubernetes\"\n # Typha support: controlled by the ConfigMap.\n - name: FELIX_TYPHAK8SSERVICENAME\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: typha_service_name\n # Wait for the datastore.\n - name: WAIT_FOR_DATASTORE\n value: \"true\"\n # Set based on the k8s node name.\n - name: NODENAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n # Choose the backend to use.\n - name: CALICO_NETWORKING_BACKEND\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: calico_backend\n # Cluster type to identify the deployment type\n - name: CLUSTER_TYPE\n value: \"k8s,bgp\"\n # Auto-detect the BGP IP address.\n - name: IP\n value: \"autodetect\"\n # Enable IPIP\n - name: CALICO_IPV4POOL_IPIP\n value: \"Always\"\n # Set MTU for tunnel device used if ipip is enabled\n - name: FELIX_IPINIPMTU\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: veth_mtu\n # The default IPv4 pool to create on startup if none exists. Pod IPs will be\n # chosen from this range. Changing this value after installation will have\n # no effect. 
This should fall within --cluster-cidr.\n - name: CALICO_IPV4POOL_CIDR\n value: \"{{.ClusterCIDR}}\"\n # Disable file logging so kubectl logs works.\n - name: CALICO_DISABLE_FILE_LOGGING\n value: \"true\"\n # Set Felix endpoint to host default action to ACCEPT.\n - name: FELIX_DEFAULTENDPOINTTOHOSTACTION\n value: \"ACCEPT\"\n # Disable IPv6 on Kubernetes.\n - name: FELIX_IPV6SUPPORT\n value: \"false\"\n # Disable felix logging to file\n - name: FELIX_LOGFILEPATH\n value: \"none\"\n # Disable felix logging for syslog\n - name: FELIX_LOGSEVERITYSYS\n value: \"\"\n # Enable felix logging to stdout\n - name: FELIX_LOGSEVERITYSCREEN\n value: \"Warning\"\n - name: FELIX_HEALTHENABLED\n value: \"true\"\n securityContext:\n privileged: true\n resources:\n requests:\n cpu: 250m\n livenessProbe:\n httpGet:\n path: /liveness\n port: 9099\n host: localhost\n periodSeconds: 10\n initialDelaySeconds: 10\n failureThreshold: 6\n readinessProbe:\n exec:\n command:\n - /bin/calico-node\n - -bird-ready\n - -felix-ready\n periodSeconds: 10\n volumeMounts:\n - mountPath: /lib/modules\n name: lib-modules\n readOnly: true\n - mountPath: /run/xtables.lock\n name: xtables-lock\n readOnly: false\n - mountPath: /var/run/calico\n name: var-run-calico\n readOnly: false\n - mountPath: /var/lib/calico\n name: var-lib-calico\n readOnly: false\n volumes:\n # Used by calico/node.\n - name: lib-modules\n hostPath:\n path: /lib/modules\n - name: var-run-calico\n hostPath:\n path: /var/run/calico\n - name: var-lib-calico\n hostPath:\n path: /var/lib/calico\n - name: xtables-lock\n hostPath:\n path: /run/xtables.lock\n type: FileOrCreate\n # Used to install CNI.\n - name: cni-bin-dir\n hostPath:\n path: /opt/cni/bin\n - name: cni-net-dir\n hostPath:\n path: /etc/cni/net.d\n\n# Create all the CustomResourceDefinitions needed for\n# Calico policy and networking mode.\n---\n\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: 
felixconfigurations.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: FelixConfiguration\n plural: felixconfigurations\n singular: felixconfiguration\n\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: bgppeers.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: BGPPeer\n plural: bgppeers\n singular: bgppeer\n\n---\n\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: bgpconfigurations.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: BGPConfiguration\n plural: bgpconfigurations\n singular: bgpconfiguration\n\n---\n\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: ippools.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: IPPool\n plural: ippools\n singular: ippool\n\n---\n\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: hostendpoints.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: HostEndpoint\n plural: hostendpoints\n singular: hostendpoint\n\n---\n\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: clusterinformations.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: ClusterInformation\n plural: clusterinformations\n singular: clusterinformation\n\n---\n\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: globalnetworkpolicies.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: GlobalNetworkPolicy\n plural: globalnetworkpolicies\n singular: globalnetworkpolicy\n\n---\n\napiVersion: 
apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: globalnetworksets.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: GlobalNetworkSet\n plural: globalnetworksets\n singular: globalnetworkset\n\n---\n\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: networkpolicies.crd.projectcalico.org\nspec:\n scope: Namespaced\n group: crd.projectcalico.org\n version: v1\n names:\n kind: NetworkPolicy\n plural: networkpolicies\n singular: networkpolicy\n\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: calico-node\n namespace: kube-system\n\n\n{{if ne .CloudProvider \"none\"}}\n---\nkind: ConfigMap\napiVersion: v1\nmetadata:\n name: {{.CloudProvider}}-ippool\n namespace: kube-system\ndata:\n {{.CloudProvider}}-ippool: |-\n apiVersion: projectcalico.org/v3\n kind: IPPool\n metadata:\n name: ippool-ipip-1\n spec:\n cidr: {{.ClusterCIDR}}\n ipipMode: Always\n natOutgoing: true\n---\napiVersion: v1\nkind: Pod\nmetadata:\n name: calicoctl\n namespace: kube-system\nspec:\n hostNetwork: true\n restartPolicy: OnFailure\n tolerations:\n - effect: NoExecute\n operator: Exists\n - effect: NoSchedule\n operator: Exists\n containers:\n - name: calicoctl\n image: {{.Calicoctl}}\n command: [\"/bin/sh\", \"-c\", \"calicoctl apply -f {{.CloudProvider}}-ippool.yaml\"]\n env:\n - name: DATASTORE_TYPE\n value: kubernetes\n volumeMounts:\n - name: ippool-config\n mountPath: /root/\n volumes:\n - name: ippool-config\n configMap:\n name: {{.CloudProvider}}-ippool\n items:\n - key: {{.CloudProvider}}-ippool\n path: {{.CloudProvider}}-ippool.yaml\n # Mount in the etcd TLS secrets.\n{{end}}\n", "calico-v1.15": "\n{{if eq .RBACConfig \"rbac\"}}\n---\n# Source: calico/templates/rbac.yaml\n# Include a clusterrole for the kube-controllers component,\n# and bind it to the calico-kube-controllers serviceaccount.\nkind: ClusterRole\napiVersion: 
rbac.authorization.k8s.io/v1beta1\nmetadata:\n name: calico-kube-controllers\nrules:\n # Nodes are watched to monitor for deletions.\n - apiGroups: [\"\"]\n resources:\n - nodes\n verbs:\n - watch\n - list\n - get\n # Pods are queried to check for existence.\n - apiGroups: [\"\"]\n resources:\n - pods\n verbs:\n - get\n # IPAM resources are manipulated when nodes are deleted.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - ippools\n verbs:\n - list\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - blockaffinities\n - ipamblocks\n - ipamhandles\n verbs:\n - get\n - list\n - create\n - update\n - delete\n # Needs access to update clusterinformations.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - clusterinformations\n verbs:\n - get\n - create\n - update\n---\nkind: ClusterRoleBinding\napiVersion: rbac.authorization.k8s.io/v1beta1\nmetadata:\n name: calico-kube-controllers\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: calico-kube-controllers\nsubjects:\n- kind: ServiceAccount\n name: calico-kube-controllers\n namespace: kube-system\n- apiGroup: rbac.authorization.k8s.io\n kind: Group\n name: system:nodes\n---\n# Include a clusterrole for the calico-node DaemonSet,\n# and bind it to the calico-node serviceaccount.\nkind: ClusterRole\napiVersion: rbac.authorization.k8s.io/v1beta1\nmetadata:\n name: calico-node\nrules:\n # The CNI plugin needs to get pods, nodes, and namespaces.\n - apiGroups: [\"\"]\n resources:\n - pods\n - nodes\n - namespaces\n verbs:\n - get\n - apiGroups: [\"\"]\n resources:\n - endpoints\n - services\n verbs:\n # Used to discover service IPs for advertisement.\n - watch\n - list\n # Used to discover Typhas.\n - get\n - apiGroups: [\"\"]\n resources:\n - nodes/status\n verbs:\n # Needed for clearing NodeNetworkUnavailable flag.\n - patch\n # Calico stores some configuration information in node annotations.\n - update\n # Watch for changes to Kubernetes NetworkPolicies.\n - apiGroups: 
[\"networking.k8s.io\"]\n resources:\n - networkpolicies\n verbs:\n - watch\n - list\n # Used by Calico for policy information.\n - apiGroups: [\"\"]\n resources:\n - pods\n - namespaces\n - serviceaccounts\n verbs:\n - list\n - watch\n # The CNI plugin patches pods/status.\n - apiGroups: [\"\"]\n resources:\n - pods/status\n verbs:\n - patch\n # Calico monitors various CRDs for config.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - globalfelixconfigs\n - felixconfigurations\n - bgppeers\n - globalbgpconfigs\n - bgpconfigurations\n - ippools\n - ipamblocks\n - globalnetworkpolicies\n - globalnetworksets\n - networkpolicies\n - networksets\n - clusterinformations\n - hostendpoints\n verbs:\n - get\n - list\n - watch\n # Calico must create and update some CRDs on startup.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - ippools\n - felixconfigurations\n - clusterinformations\n verbs:\n - create\n - update\n # Calico stores some configuration information on the node.\n - apiGroups: [\"\"]\n resources:\n - nodes\n verbs:\n - get\n - list\n - watch\n # These permissions are only requried for upgrade from v2.6, and can\n # be removed after upgrade or on fresh installations.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - bgpconfigurations\n - bgppeers\n verbs:\n - create\n - update\n # These permissions are required for Calico CNI to perform IPAM allocations.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - blockaffinities\n - ipamblocks\n - ipamhandles\n verbs:\n - get\n - list\n - create\n - update\n - delete\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - ipamconfigs\n verbs:\n - get\n # Block affinities must also be watchable by confd for route aggregation.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - blockaffinities\n verbs:\n - watch\n # The Calico IPAM migration needs to get daemonsets. 
These permissions can be\n # removed if not upgrading from an installation using host-local IPAM.\n - apiGroups: [\"apps\"]\n resources:\n - daemonsets\n verbs:\n - get\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: ClusterRoleBinding\nmetadata:\n name: calico-node\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: calico-node\nsubjects:\n- kind: ServiceAccount\n name: calico-node\n namespace: kube-system\n- apiGroup: rbac.authorization.k8s.io\n kind: Group\n name: system:nodes\n{{end}}\n---\n# Source: calico/templates/calico-config.yaml\n# This ConfigMap is used to configure a self-hosted Calico installation.\nkind: ConfigMap\napiVersion: v1\nmetadata:\n name: calico-config\n namespace: kube-system\ndata:\n # Typha is disabled.\n typha_service_name: \"none\"\n # Configure the backend to use.\n calico_backend: \"bird\"\n\n # Configure the MTU to use\n{{- if .MTU }}\n{{- if ne .MTU 0 }}\n veth_mtu: \"{{.MTU}}\"\n{{- end}}\n{{- else }}\n veth_mtu: \"1440\"\n{{- end}}\n\n # The CNI network configuration to install on each node. 
The special\n # values in this config will be automatically populated.\n cni_network_config: |-\n {\n \"name\": \"k8s-pod-network\",\n \"cniVersion\": \"0.3.0\",\n \"plugins\": [\n {\n \"type\": \"calico\",\n \"log_level\": \"info\",\n \"datastore_type\": \"kubernetes\",\n \"nodename\": \"__KUBERNETES_NODE_NAME__\",\n \"mtu\": __CNI_MTU__,\n \"ipam\": {\n \"type\": \"calico-ipam\"\n },\n \"policy\": {\n \"type\": \"k8s\"\n },\n \"kubernetes\": {\n \"kubeconfig\": \"{{.KubeCfg}}\"\n }\n },\n {\n \"type\": \"portmap\",\n \"snat\": true,\n \"capabilities\": {\"portMappings\": true}\n }\n ]\n }\n---\n# Source: calico/templates/kdd-crds.yaml\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: felixconfigurations.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: FelixConfiguration\n plural: felixconfigurations\n singular: felixconfiguration\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: ipamblocks.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: IPAMBlock\n plural: ipamblocks\n singular: ipamblock\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: blockaffinities.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: BlockAffinity\n plural: blockaffinities\n singular: blockaffinity\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: ipamhandles.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: IPAMHandle\n plural: ipamhandles\n singular: ipamhandle\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: ipamconfigs.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: 
IPAMConfig\n plural: ipamconfigs\n singular: ipamconfig\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: bgppeers.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: BGPPeer\n plural: bgppeers\n singular: bgppeer\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: bgpconfigurations.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: BGPConfiguration\n plural: bgpconfigurations\n singular: bgpconfiguration\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: ippools.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: IPPool\n plural: ippools\n singular: ippool\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: hostendpoints.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: HostEndpoint\n plural: hostendpoints\n singular: hostendpoint\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: clusterinformations.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: ClusterInformation\n plural: clusterinformations\n singular: clusterinformation\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: globalnetworkpolicies.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: GlobalNetworkPolicy\n plural: globalnetworkpolicies\n singular: globalnetworkpolicy\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: globalnetworksets.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: 
GlobalNetworkSet\n plural: globalnetworksets\n singular: globalnetworkset\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: networkpolicies.crd.projectcalico.org\nspec:\n scope: Namespaced\n group: crd.projectcalico.org\n version: v1\n names:\n kind: NetworkPolicy\n plural: networkpolicies\n singular: networkpolicy\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: networksets.crd.projectcalico.org\nspec:\n scope: Namespaced\n group: crd.projectcalico.org\n version: v1\n names:\n kind: NetworkSet\n plural: networksets\n singular: networkset\n---\n# Source: calico/templates/calico-node.yaml\n# This manifest installs the calico-node container, as well\n# as the CNI plugins and network config on\n# each master and worker node in a Kubernetes cluster.\nkind: DaemonSet\napiVersion: extensions/v1beta1\nmetadata:\n name: calico-node\n namespace: kube-system\n labels:\n k8s-app: calico-node\nspec:\n selector:\n matchLabels:\n k8s-app: calico-node\n updateStrategy:\n{{if .UpdateStrategy}}\n{{ toYaml .UpdateStrategy | indent 4}}\n{{else}}\n type: RollingUpdate\n rollingUpdate:\n maxUnavailable: 1\n{{end}}\n template:\n metadata:\n labels:\n k8s-app: calico-node\n annotations:\n # This, along with the CriticalAddonsOnly toleration below,\n # marks the pod as a critical add-on, ensuring it gets\n # priority scheduling and that its resources are reserved\n # if it ever gets evicted.\n scheduler.alpha.kubernetes.io/critical-pod: ''\n spec:\n nodeSelector:\n beta.kubernetes.io/os: linux\n {{ range $k, $v := .NodeSelector }}\n {{ $k }}: \"{{ $v }}\"\n {{ end }}\n hostNetwork: true\n tolerations:\n # Make sure calico-node gets scheduled on all nodes.\n - effect: NoSchedule\n operator: Exists\n # Mark the pod as a critical add-on for rescheduling.\n - key: CriticalAddonsOnly\n operator: Exists\n - effect: NoExecute\n operator: Exists\n{{if eq .RBACConfig \"rbac\"}}\n serviceAccountName: 
calico-node\n{{end}}\n # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a \"force\n # deletion\": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.\n terminationGracePeriodSeconds: 0\n initContainers:\n # This container performs upgrade from host-local IPAM to calico-ipam.\n # It can be deleted if this is a fresh installation, or if you have already\n # upgraded to use calico-ipam.\n - name: upgrade-ipam\n image: {{.CNIImage}}\n command: [\"/opt/cni/bin/calico-ipam\", \"-upgrade\"]\n env:\n - name: KUBERNETES_NODE_NAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n - name: CALICO_NETWORKING_BACKEND\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: calico_backend\n volumeMounts:\n - mountPath: /var/lib/cni/networks\n name: host-local-net-dir\n - mountPath: /host/opt/cni/bin\n name: cni-bin-dir\n # This container installs the CNI binaries\n # and CNI network config file on each node.\n - name: install-cni\n image: {{.CNIImage}}\n command: [\"/install-cni.sh\"]\n env:\n # Name of the CNI config file to create.\n - name: CNI_CONF_NAME\n value: \"10-calico.conflist\"\n # The CNI network config to install on each node.\n - name: CNI_NETWORK_CONFIG\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: cni_network_config\n # Set the hostname based on the k8s node name.\n - name: KUBERNETES_NODE_NAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n # CNI MTU Config variable\n - name: CNI_MTU\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: veth_mtu\n # Prevents the container from sleeping forever.\n - name: SLEEP\n value: \"false\"\n volumeMounts:\n - mountPath: /host/opt/cni/bin\n name: cni-bin-dir\n - mountPath: /host/etc/cni/net.d\n name: cni-net-dir\n containers:\n # Runs calico-node container on each Kubernetes node. 
This\n # container programs network policy and routes on each\n # host.\n - name: calico-node\n image: {{.NodeImage}}\n env:\n # Use Kubernetes API as the backing datastore.\n - name: DATASTORE_TYPE\n value: \"kubernetes\"\n # Wait for the datastore.\n - name: WAIT_FOR_DATASTORE\n value: \"true\"\n # Set based on the k8s node name.\n - name: NODENAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n # Choose the backend to use.\n - name: CALICO_NETWORKING_BACKEND\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: calico_backend\n # Cluster type to identify the deployment type\n - name: CLUSTER_TYPE\n value: \"k8s,bgp\"\n # Auto-detect the BGP IP address.\n - name: IP\n value: \"autodetect\"\n # Enable IPIP\n - name: CALICO_IPV4POOL_IPIP\n value: \"Always\"\n # Set MTU for tunnel device used if ipip is enabled\n - name: FELIX_IPINIPMTU\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: veth_mtu\n # The default IPv4 pool to create on startup if none exists. Pod IPs will be\n # chosen from this range. Changing this value after installation will have\n # no effect. 
This should fall within --cluster-cidr.\n - name: CALICO_IPV4POOL_CIDR\n value: \"{{.ClusterCIDR}}\"\n # Disable file logging so kubectl logs works.\n - name: CALICO_DISABLE_FILE_LOGGING\n value: \"true\"\n # Set Felix endpoint to host default action to ACCEPT.\n - name: FELIX_DEFAULTENDPOINTTOHOSTACTION\n value: \"ACCEPT\"\n # Disable IPv6 on Kubernetes.\n - name: FELIX_IPV6SUPPORT\n value: \"false\"\n # Set Felix logging to \"info\"\n - name: FELIX_LOGSEVERITYSCREEN\n value: \"info\"\n - name: FELIX_HEALTHENABLED\n value: \"true\"\n securityContext:\n privileged: true\n resources:\n requests:\n cpu: 250m\n livenessProbe:\n httpGet:\n path: /liveness\n port: 9099\n host: localhost\n periodSeconds: 10\n initialDelaySeconds: 10\n failureThreshold: 6\n readinessProbe:\n exec:\n command:\n - /bin/calico-node\n - -bird-ready\n - -felix-ready\n periodSeconds: 10\n volumeMounts:\n - mountPath: /lib/modules\n name: lib-modules\n readOnly: true\n - mountPath: /run/xtables.lock\n name: xtables-lock\n readOnly: false\n - mountPath: /var/run/calico\n name: var-run-calico\n readOnly: false\n - mountPath: /var/lib/calico\n name: var-lib-calico\n readOnly: false\n volumes:\n # Used by calico-node.\n - name: lib-modules\n hostPath:\n path: /lib/modules\n - name: var-run-calico\n hostPath:\n path: /var/run/calico\n - name: var-lib-calico\n hostPath:\n path: /var/lib/calico\n - name: xtables-lock\n hostPath:\n path: /run/xtables.lock\n type: FileOrCreate\n # Used to install CNI.\n - name: cni-bin-dir\n hostPath:\n path: /opt/cni/bin\n - name: cni-net-dir\n hostPath:\n path: /etc/cni/net.d\n # Mount in the directory for host-local IPAM allocations. 
This is\n # used when upgrading from host-local to calico-ipam, and can be removed\n # if not using the upgrade-ipam init container.\n - name: host-local-net-dir\n hostPath:\n path: /var/lib/cni/networks\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: calico-node\n namespace: kube-system\n---\n# Source: calico/templates/calico-kube-controllers.yaml\n# See https://github.com/projectcalico/kube-controllers\napiVersion: extensions/v1beta1\nkind: Deployment\nmetadata:\n name: calico-kube-controllers\n namespace: kube-system\n labels:\n k8s-app: calico-kube-controllers\n annotations:\n scheduler.alpha.kubernetes.io/critical-pod: ''\nspec:\n # The controller can only have a single active instance.\n replicas: 1\n strategy:\n type: Recreate\n template:\n metadata:\n name: calico-kube-controllers\n namespace: kube-system\n labels:\n k8s-app: calico-kube-controllers\n spec:\n nodeSelector:\n beta.kubernetes.io/os: linux\n tolerations:\n # Make sure calico-node gets scheduled on all nodes.\n - effect: NoSchedule\n operator: Exists\n # Mark the pod as a critical add-on for rescheduling.\n - key: CriticalAddonsOnly\n operator: Exists\n - effect: NoExecute\n operator: Exists\n{{if eq .RBACConfig \"rbac\"}}\n serviceAccountName: calico-kube-controllers\n{{end}}\n containers:\n - name: calico-kube-controllers\n image: {{.ControllersImage}}\n env:\n # Choose which controllers to run.\n - name: ENABLED_CONTROLLERS\n value: node\n - name: DATASTORE_TYPE\n value: kubernetes\n readinessProbe:\n exec:\n command:\n - /usr/bin/check-status\n - -r\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: calico-kube-controllers\n namespace: kube-system\n", "calico-v1.15-privileged": "\n# CalicoTemplateV115Privileged\n{{if eq .RBACConfig \"rbac\"}}\n# Source: calico/templates/rbac.yaml\n# Include a clusterrole for the kube-controllers component,\n# and bind it to the calico-kube-controllers serviceaccount.\nkind: ClusterRole\napiVersion: 
rbac.authorization.k8s.io/v1\nmetadata:\n name: calico-kube-controllers\nrules:\n # Nodes are watched to monitor for deletions.\n - apiGroups: [\"\"]\n resources:\n - nodes\n verbs:\n - watch\n - list\n - get\n # Pods are queried to check for existence.\n - apiGroups: [\"\"]\n resources:\n - pods\n verbs:\n - get\n # IPAM resources are manipulated when nodes are deleted.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - ippools\n verbs:\n - list\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - blockaffinities\n - ipamblocks\n - ipamhandles\n verbs:\n - get\n - list\n - create\n - update\n - delete\n # Needs access to update clusterinformations.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - clusterinformations\n verbs:\n - get\n - create\n - update\n---\nkind: ClusterRoleBinding\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n name: calico-kube-controllers\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: calico-kube-controllers\nsubjects:\n- kind: ServiceAccount\n name: calico-kube-controllers\n namespace: kube-system\n- apiGroup: rbac.authorization.k8s.io\n kind: Group\n name: system:nodes\n---\n# Include a clusterrole for the calico-node DaemonSet,\n# and bind it to the calico-node serviceaccount.\nkind: ClusterRole\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n name: calico-node\nrules:\n # The CNI plugin needs to get pods, nodes, and namespaces.\n - apiGroups: [\"\"]\n resources:\n - pods\n - nodes\n - namespaces\n verbs:\n - get\n - apiGroups: [\"\"]\n resources:\n - endpoints\n - services\n verbs:\n # Used to discover service IPs for advertisement.\n - watch\n - list\n # Used to discover Typhas.\n - get\n # Pod CIDR auto-detection on kubeadm needs access to config maps.\n - apiGroups: [\"\"]\n resources:\n - configmaps\n verbs:\n - get\n - apiGroups: [\"\"]\n resources:\n - nodes/status\n verbs:\n # Needed for clearing NodeNetworkUnavailable flag.\n - patch\n # Calico stores some 
configuration information in node annotations.\n - update\n # Watch for changes to Kubernetes NetworkPolicies.\n - apiGroups: [\"networking.k8s.io\"]\n resources:\n - networkpolicies\n verbs:\n - watch\n - list\n # Used by Calico for policy information.\n - apiGroups: [\"\"]\n resources:\n - pods\n - namespaces\n - serviceaccounts\n verbs:\n - list\n - watch\n # The CNI plugin patches pods/status.\n - apiGroups: [\"\"]\n resources:\n - pods/status\n verbs:\n - patch\n # Calico monitors various CRDs for config.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - globalfelixconfigs\n - felixconfigurations\n - bgppeers\n - globalbgpconfigs\n - bgpconfigurations\n - ippools\n - ipamblocks\n - globalnetworkpolicies\n - globalnetworksets\n - networkpolicies\n - networksets\n - clusterinformations\n - hostendpoints\n - blockaffinities\n verbs:\n - get\n - list\n - watch\n # Calico must create and update some CRDs on startup.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - ippools\n - felixconfigurations\n - clusterinformations\n verbs:\n - create\n - update\n # Calico stores some configuration information on the node.\n - apiGroups: [\"\"]\n resources:\n - nodes\n verbs:\n - get\n - list\n - watch\n # These permissions are only requried for upgrade from v2.6, and can\n # be removed after upgrade or on fresh installations.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - bgpconfigurations\n - bgppeers\n verbs:\n - create\n - update\n # These permissions are required for Calico CNI to perform IPAM allocations.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - blockaffinities\n - ipamblocks\n - ipamhandles\n verbs:\n - get\n - list\n - create\n - update\n - delete\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - ipamconfigs\n verbs:\n - get\n # Block affinities must also be watchable by confd for route aggregation.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - blockaffinities\n verbs:\n - watch\n # The Calico 
IPAM migration needs to get daemonsets. These permissions can be\n # removed if not upgrading from an installation using host-local IPAM.\n - apiGroups: [\"apps\"]\n resources:\n - daemonsets\n verbs:\n - get\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: calico-node\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: calico-node\nsubjects:\n- kind: ServiceAccount\n name: calico-node\n namespace: kube-system\n- apiGroup: rbac.authorization.k8s.io\n kind: Group\n name: system:nodes\n{{end}}\n---\n# Source: calico/templates/calico-config.yaml\n# This ConfigMap is used to configure a self-hosted Calico installation.\nkind: ConfigMap\napiVersion: v1\nmetadata:\n name: calico-config\n namespace: kube-system\ndata:\n # Typha is disabled.\n typha_service_name: \"none\"\n # Configure the backend to use.\n calico_backend: \"bird\"\n\n # Configure the MTU to use\n{{- if .MTU }}\n{{- if ne .MTU 0 }}\n veth_mtu: \"{{.MTU}}\"\n{{- end}}\n{{- else }}\n veth_mtu: \"1440\"\n{{- end}}\n\n # The CNI network configuration to install on each node. 
The special\n # values in this config will be automatically populated.\n cni_network_config: |-\n {\n \"name\": \"k8s-pod-network\",\n \"cniVersion\": \"0.3.1\",\n \"plugins\": [\n {\n \"type\": \"calico\",\n \"log_level\": \"info\",\n \"datastore_type\": \"kubernetes\",\n \"nodename\": \"__KUBERNETES_NODE_NAME__\",\n \"mtu\": __CNI_MTU__,\n \"ipam\": {\n \"type\": \"calico-ipam\"\n },\n \"policy\": {\n \"type\": \"k8s\"\n },\n \"kubernetes\": {\n \"kubeconfig\": \"{{.KubeCfg}}\"\n }\n },\n {\n \"type\": \"portmap\",\n \"snat\": true,\n \"capabilities\": {\"portMappings\": true}\n },\n {\n \"type\": \"bandwidth\",\n \"capabilities\": {\"bandwidth\": true}\n }\n ]\n }\n---\n# Source: calico/templates/kdd-crds.yaml\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: felixconfigurations.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: FelixConfiguration\n plural: felixconfigurations\n singular: felixconfiguration\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: ipamblocks.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: IPAMBlock\n plural: ipamblocks\n singular: ipamblock\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: blockaffinities.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: BlockAffinity\n plural: blockaffinities\n singular: blockaffinity\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: ipamhandles.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: IPAMHandle\n plural: ipamhandles\n singular: ipamhandle\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: ipamconfigs.crd.projectcalico.org\nspec:\n 
scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: IPAMConfig\n plural: ipamconfigs\n singular: ipamconfig\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: bgppeers.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: BGPPeer\n plural: bgppeers\n singular: bgppeer\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: bgpconfigurations.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: BGPConfiguration\n plural: bgpconfigurations\n singular: bgpconfiguration\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: ippools.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: IPPool\n plural: ippools\n singular: ippool\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: hostendpoints.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: HostEndpoint\n plural: hostendpoints\n singular: hostendpoint\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: clusterinformations.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: ClusterInformation\n plural: clusterinformations\n singular: clusterinformation\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: globalnetworkpolicies.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: GlobalNetworkPolicy\n plural: globalnetworkpolicies\n singular: globalnetworkpolicy\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: globalnetworksets.crd.projectcalico.org\nspec:\n 
scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: GlobalNetworkSet\n plural: globalnetworksets\n singular: globalnetworkset\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: networkpolicies.crd.projectcalico.org\nspec:\n scope: Namespaced\n group: crd.projectcalico.org\n version: v1\n names:\n kind: NetworkPolicy\n plural: networkpolicies\n singular: networkpolicy\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: networksets.crd.projectcalico.org\nspec:\n scope: Namespaced\n group: crd.projectcalico.org\n version: v1\n names:\n kind: NetworkSet\n plural: networksets\n singular: networkset\n---\n# Source: calico/templates/calico-node.yaml\n# This manifest installs the calico-node container, as well\n# as the CNI plugins and network config on\n# each master and worker node in a Kubernetes cluster.\nkind: DaemonSet\napiVersion: apps/v1\nmetadata:\n name: calico-node\n namespace: kube-system\n labels:\n k8s-app: calico-node\nspec:\n selector:\n matchLabels:\n k8s-app: calico-node\n updateStrategy:\n{{if .UpdateStrategy}}\n{{ toYaml .UpdateStrategy | indent 4}}\n{{else}}\n type: RollingUpdate\n rollingUpdate:\n maxUnavailable: 1\n{{end}}\n template:\n metadata:\n labels:\n k8s-app: calico-node\n annotations:\n # This, along with the CriticalAddonsOnly toleration below,\n # marks the pod as a critical add-on, ensuring it gets\n # priority scheduling and that its resources are reserved\n # if it ever gets evicted.\n scheduler.alpha.kubernetes.io/critical-pod: ''\n spec:\n nodeSelector:\n kubernetes.io/os: linux\n {{ range $k, $v := .NodeSelector }}\n {{ $k }}: \"{{ $v }}\"\n {{ end }}\n hostNetwork: true\n tolerations:\n # Make sure calico-node gets scheduled on all nodes.\n - effect: NoSchedule\n operator: Exists\n # Mark the pod as a critical add-on for rescheduling.\n - key: CriticalAddonsOnly\n operator: Exists\n - effect: NoExecute\n operator: 
Exists\n{{if eq .RBACConfig \"rbac\"}}\n serviceAccountName: calico-node\n{{end}}\n # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a \"force\n # deletion\": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.\n terminationGracePeriodSeconds: 0\n # Rancher specific change\n priorityClassName: {{ .CalicoNodePriorityClassName | default \"system-node-critical\" }}\n initContainers:\n # This container performs upgrade from host-local IPAM to calico-ipam.\n # It can be deleted if this is a fresh installation, or if you have already\n # upgraded to use calico-ipam.\n - name: upgrade-ipam\n image: {{.CNIImage}}\n command: [\"/opt/cni/bin/calico-ipam\", \"-upgrade\"]\n env:\n - name: KUBERNETES_NODE_NAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n - name: CALICO_NETWORKING_BACKEND\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: calico_backend\n volumeMounts:\n - mountPath: /var/lib/cni/networks\n name: host-local-net-dir\n - mountPath: /host/opt/cni/bin\n name: cni-bin-dir\n securityContext:\n privileged: true\n # This container installs the CNI binaries\n # and CNI network config file on each node.\n - name: install-cni\n image: {{.CNIImage}}\n command: [\"/install-cni.sh\"]\n env:\n # Name of the CNI config file to create.\n - name: CNI_CONF_NAME\n value: \"10-calico.conflist\"\n # The CNI network config to install on each node.\n - name: CNI_NETWORK_CONFIG\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: cni_network_config\n # Set the hostname based on the k8s node name.\n - name: KUBERNETES_NODE_NAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n # CNI MTU Config variable\n - name: CNI_MTU\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: veth_mtu\n # Prevents the container from sleeping forever.\n - name: SLEEP\n value: \"false\"\n volumeMounts:\n - mountPath: /host/opt/cni/bin\n name: cni-bin-dir\n - mountPath: /host/etc/cni/net.d\n name: cni-net-dir\n 
securityContext:\n privileged: true\n # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes\n # to communicate with Felix over the Policy Sync API.\n - name: flexvol-driver\n image: {{.FlexVolImg}}\n volumeMounts:\n - name: flexvol-driver-host\n mountPath: /host/driver\n securityContext:\n privileged: true\n containers:\n # Runs calico-node container on each Kubernetes node. This\n # container programs network policy and routes on each\n # host.\n - name: calico-node\n image: {{.NodeImage}}\n env:\n # Use Kubernetes API as the backing datastore.\n - name: DATASTORE_TYPE\n value: \"kubernetes\"\n # Wait for the datastore.\n - name: WAIT_FOR_DATASTORE\n value: \"true\"\n # Set based on the k8s node name.\n - name: NODENAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n # Choose the backend to use.\n - name: CALICO_NETWORKING_BACKEND\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: calico_backend\n # Cluster type to identify the deployment type\n - name: CLUSTER_TYPE\n value: \"k8s,bgp\"\n # Auto-detect the BGP IP address.\n - name: IP\n value: \"autodetect\"\n # Enable IPIP\n - name: CALICO_IPV4POOL_IPIP\n value: \"Always\"\n # Set MTU for tunnel device used if ipip is enabled\n - name: FELIX_IPINIPMTU\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: veth_mtu\n # The default IPv4 pool to create on startup if none exists. Pod IPs will be\n # chosen from this range. Changing this value after installation will have\n # no effect. 
This should fall within --cluster-cidr.\n - name: CALICO_IPV4POOL_CIDR\n value: \"{{.ClusterCIDR}}\"\n # Disable file logging so kubectl logs works.\n - name: CALICO_DISABLE_FILE_LOGGING\n value: \"true\"\n # Set Felix endpoint to host default action to ACCEPT.\n - name: FELIX_DEFAULTENDPOINTTOHOSTACTION\n value: \"ACCEPT\"\n # Disable IPv6 on Kubernetes.\n - name: FELIX_IPV6SUPPORT\n value: \"false\"\n # Set Felix logging to \"info\"\n - name: FELIX_LOGSEVERITYSCREEN\n value: \"info\"\n - name: FELIX_HEALTHENABLED\n value: \"true\"\n securityContext:\n privileged: true\n resources:\n requests:\n cpu: 250m\n livenessProbe:\n exec:\n command:\n - /bin/calico-node\n - -felix-live\n - -bird-live\n periodSeconds: 10\n initialDelaySeconds: 10\n failureThreshold: 6\n readinessProbe:\n exec:\n command:\n - /bin/calico-node\n - -felix-ready\n - -bird-ready\n periodSeconds: 10\n volumeMounts:\n - mountPath: /lib/modules\n name: lib-modules\n readOnly: true\n - mountPath: /run/xtables.lock\n name: xtables-lock\n readOnly: false\n - mountPath: /var/run/calico\n name: var-run-calico\n readOnly: false\n - mountPath: /var/lib/calico\n name: var-lib-calico\n readOnly: false\n - name: policysync\n mountPath: /var/run/nodeagent\n volumes:\n # Used by calico-node.\n - name: lib-modules\n hostPath:\n path: /lib/modules\n - name: var-run-calico\n hostPath:\n path: /var/run/calico\n - name: var-lib-calico\n hostPath:\n path: /var/lib/calico\n - name: xtables-lock\n hostPath:\n path: /run/xtables.lock\n type: FileOrCreate\n # Used to install CNI.\n - name: cni-bin-dir\n hostPath:\n path: /opt/cni/bin\n - name: cni-net-dir\n hostPath:\n path: /etc/cni/net.d\n # Mount in the directory for host-local IPAM allocations. 
This is\n # used when upgrading from host-local to calico-ipam, and can be removed\n # if not using the upgrade-ipam init container.\n - name: host-local-net-dir\n hostPath:\n path: /var/lib/cni/networks\n # Used to create per-pod Unix Domain Sockets\n - name: policysync\n hostPath:\n type: DirectoryOrCreate\n path: /var/run/nodeagent\n # Used to install Flex Volume Driver\n - name: flexvol-driver-host\n hostPath:\n type: DirectoryOrCreate\n{{- if .FlexVolPluginDir }}\n path: {{.FlexVolPluginDir}}\n{{- else }}\n path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds\n{{- end }}\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: calico-kube-controllers\n namespace: kube-system\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: calico-node\n namespace: kube-system\n---\n# Source: calico/templates/calico-kube-controllers.yaml\n# See https://github.com/projectcalico/kube-controllers\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: calico-kube-controllers\n namespace: kube-system\n labels:\n k8s-app: calico-kube-controllers\nspec:\n # The controllers can only have a single active instance.\n replicas: 1\n selector:\n matchLabels:\n k8s-app: calico-kube-controllers\n strategy:\n type: Recreate\n template:\n metadata:\n name: calico-kube-controllers\n namespace: kube-system\n labels:\n k8s-app: calico-kube-controllers\n annotations:\n scheduler.alpha.kubernetes.io/critical-pod: ''\n spec:\n nodeSelector:\n kubernetes.io/os: linux\n tolerations:\n # Make sure calico-node gets scheduled on all nodes.\n - effect: NoSchedule\n operator: Exists\n # Mark the pod as a critical add-on for rescheduling.\n - key: CriticalAddonsOnly\n operator: Exists\n - effect: NoExecute\n operator: Exists\n{{if eq .RBACConfig \"rbac\"}}\n serviceAccountName: calico-kube-controllers\n{{end}}\n priorityClassName: system-cluster-critical\n containers:\n - name: calico-kube-controllers\n image: {{.ControllersImage}}\n env:\n # Choose which controllers 
to run.\n - name: ENABLED_CONTROLLERS\n value: node\n - name: DATASTORE_TYPE\n value: kubernetes\n readinessProbe:\n exec:\n command:\n - /usr/bin/check-status\n - -r\n",