From f0d743d720d85cc97324b062dafd082f24708bc8 Mon Sep 17 00:00:00 2001 From: Vara Date: Fri, 15 Mar 2024 11:38:34 -0700 Subject: [PATCH] API changes -Configure resource request and limits for all components --- .../reference/installation/_api.mdx | 14352 ++++++++++++---- calico/reference/installation/_api.mdx | 2 +- 2 files changed, 10947 insertions(+), 3407 deletions(-) diff --git a/calico-enterprise/reference/installation/_api.mdx b/calico-enterprise/reference/installation/_api.mdx index eefffd5f38..80e9b86623 100644 --- a/calico-enterprise/reference/installation/_api.mdx +++ b/calico-enterprise/reference/installation/_api.mdx @@ -44,6 +44,10 @@ Resource Types:
  • PolicyRecommendation
  • +TLSPassThroughRoute +
  • +TLSTerminatedRoute +
  • Tenant
  • TigeraStatus @@ -549,6 +553,26 @@ EnvoySettings User-configurable settings for the Envoy proxy.

    + + + + + +l7LogCollectorDaemonSet
    + + +L7LogCollectorDaemonSet + + + + + + +(Optional) +

    +L7LogCollectorDaemonSet configures the L7LogCollector DaemonSet. +

    + @@ -714,7 +738,7 @@ AuthenticationOIDC (Optional)

    -OIDC contains the configuration needed to set up OIDC authentication. +OIDC contains the configuration needed to setup OIDC authentication.

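Review bot: The reworded description in this hunk replaces the verb "set up" with the noun "setup" ("-OIDC contains the configuration needed to set up OIDC authentication." becomes "+OIDC contains the configuration needed to setup OIDC authentication."), which is a grammar regression in published reference text. The same substitution appears in the Openshift and LDAP descriptions in the two hunks that follow. If this page is generated from the API type comments, correct the wording there so that regenerating the docs keeps "set up".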
    @@ -734,7 +758,7 @@ AuthenticationOpenshift (Optional)

    -Openshift contains the configuration needed to set up Openshift OAuth authentication. +Openshift contains the configuration needed to setup Openshift OAuth authentication.

    @@ -754,7 +778,27 @@ AuthenticationLDAP (Optional)

    -LDAP contains the configuration needed to set up LDAP authentication. +LDAP contains the configuration needed to setup LDAP authentication. +

    + + + + + + +dexDeployment
    + + +DexDeployment + + + + + + +(Optional) +

    +DexDeployment configures the Dex Deployment.

    @@ -855,8 +899,106 @@ Specification of the desired state for Tigera compliance reporting.

    -
    + + +complianceControllerDeployment
    + + +ComplianceControllerDeployment + + + + + + +(Optional) +

    +ComplianceControllerDeployment configures the Compliance Controller Deployment. +

    + + + + + + +complianceSnapshotterDeployment
    + + +ComplianceSnapshotterDeployment + + + + + + +(Optional) +

    +ComplianceSnapshotterDeployment configures the Compliance Snapshotter Deployment. +

    + + + + + + +complianceBenchmarkerDaemonSet
    + + +ComplianceBenchmarkerDaemonSet + + + + + + +(Optional) +

    +ComplianceBenchmarkerDaemonSet configures the Compliance Benchmarker DaemonSet. +

    + + + + + + +complianceServerDeployment
    + + +ComplianceServerDeployment + + + + + + +(Optional) +

    +ComplianceServerDeployment configures the Compliance Server Deployment. +

    + + + + + + +complianceReporterPodTemplate
    + + +ComplianceReporterPodTemplate + + + + + +(Optional) +

    +ComplianceReporterPodTemplate configures the Compliance Reporter PodTemplate. +

    + + + + @@ -2058,6 +2200,26 @@ AnomalyDetectionSpec AnomalyDetection is now deprecated, and configuring it has no effect.

    + + + + + +intrusionDetectionControllerDeployment
    + + +IntrusionDetectionControllerDeployment + + + + + + +(Optional) +

    +IntrusionDetectionControllerDeployment configures the IntrusionDetection Controller Deployment. +

    + @@ -2215,7 +2377,7 @@ CollectProcessPathOption (Optional)

    Configuration for enabling/disabling process path collection in flowlogs. -If Enabled, this feature sets hostPID to true to read process cmdline. +If Enabled, this feature sets hostPID to true in order to read process cmdline. Default: Enabled

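Review bot: The changed sentence for process path collection ("+If Enabled, this feature sets hostPID to true in order to read process cmdline.") is a wording-only edit and still does not name the workload that gets hostPID, although the context line shows the option defaults to Enabled. A pod with hostPID shares the node's PID namespace and can see every process on the host, so name the DaemonSet or pod affected. Operators who restrict host namespaces through admission policy then know what to exempt or to disable.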
    @@ -2238,6 +2400,45 @@ If running as a multi-tenant management cluster, the namespace in which the management cluster’s tenant services are running.

    + + + + + +fluentdDaemonSet
    + + +FluentdDaemonSet + + + + + + +

    +FluentdDaemonSet configures the Fluentd DaemonSet. +

    + + + + + + +eksLogForwarderDeployment
    + + +EKSLogForwarderDeployment + + + + + + +(Optional) +

    +EKSLogForwarderDeployment configures the EKSLogForwarderDeployment Deployment. +

    + @@ -2459,6 +2660,85 @@ ComponentResources can be used to customize the resource requirements for each c Only ECKOperator is supported for this spec.

    + + + + + +eckOperatorStatefulSet
    + + +ECKOperatorStatefulSet + + + + + + +(Optional) +

    +ECKOperatorStatefulSet configures the ECKOperator StatefulSet. If used in conjunction with the deprecated +ComponentResources, then these overrides take precedence. +

    + + + + + + +kibana
    + + +Kibana + + + + + + +(Optional) +

    +Kibana configures the Kibana Spec. +

    + + + + + + +linseedDeployment
    + + +LinseedDeployment + + + + + + +

    +LinseedDeployment configures the linseed Deployment. +

    + + + + + + +elasticsearchMetricsDeployment
    + + +ElasticsearchMetricsDeployment + + + + + + +

    +ElasticsearchMetricsDeployment configures the tigera-elasticsearch-metric Deployment. +

    + @@ -2709,6 +2989,25 @@ ManagementClusterTLS TLS provides options for configuring how Managed Clusters can establish an mTLS connection with the Management Cluster.

    + + + + + +guardianDeployment
    + + +GuardianDeployment + + + + + + +

    +GuardianDeployment configures the guardian Deployment. +

    + @@ -2809,10 +3108,10 @@ Specification of the desired state for the Calico Enterprise manager. @@ -2922,17 +3221,76 @@ MonitorSpec

    -auth
    +managerDeployment
    - -Auth + +ManagerDeployment @@ -2821,7 +3120,7 @@ Auth (Optional)

    -Deprecated. Please use the Authentication CR for configuring authentication. +ManagerDeployment configures the Manager Deployment.

    -
    + + +externalPrometheus
    + + +ExternalPrometheus + + + + + + +

    +ExternalPrometheus optionally configures integration with an external Prometheus for scraping Calico metrics. When +specified, the operator will render resources in the defined namespace. This option can be useful for configuring +scraping from git-ops tools without the need of post-installation steps. +

    -status
    +prometheus
    - -MonitorStatus + +Prometheus + + + + + + +(Optional) +

    +Prometheus is the configuration for the Prometheus. +

    + + + + + + +alertManager
    + + +AlertManager + + + + + + +(Optional) +

    +AlertManager is the configuration for the AlertManager. +

    + + + + + + + + + +status
    + + +MonitorStatus @@ -3016,8 +3374,26 @@ PolicyRecommendationSpec

    -
    + + +policyRecommendationDeployment
    + + +PolicyRecommendationDeployment + + + + + + +(Optional) +

    +PolicyRecommendation configures the PolicyRecommendation Deployment. +

    + + + @@ -3038,10 +3414,7 @@ PolicyRecommendationStatus -

    Tenant

    -

    -Tenant is the Schema for the tenants API -

    +

    TLSPassThroughRoute

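Review bot: The TLSPassThroughRoute heading added in this hunk has no description under it. The removed lines carried one for the type that used to occupy this position ("-Tenant is the Schema for the tenants API"), but nothing is added in its place. Add a one-sentence summary of what the resource does and when to use it, so the TLSPassThroughRoute entry this patch adds to the Resource Types list points at something a reader can act on.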
    @@ -3072,7 +3445,7 @@ string @@ -3098,76 +3471,42 @@ Refer to the Kubernetes API documentation for the fields of the spec
    - -TenantSpec + +TLSPassThroughRouteSpec - - - -
    -Tenant +TLSPassThroughRoute
    +

    +Dest is the destination URL +



    - - - - - - - - @@ -3184,47 +3523,26 @@ This field is required for clusters using external ES.
    -id
    - -string - - -
    - -

    -ID is the unique identifier for this tenant. -

    - -
    - -name
    - -string - - -
    - -

    -Name is a human readable name for this tenant. -

    - -
    - -indices
    +target
    - -[]Index + +TargetType
    -

    -Indices defines the how to store a tenant’s data -

    -elastic
    +sniMatch
    - -TenantElasticSpec + +SNIMatch @@ -3175,8 +3514,8 @@ TenantElasticSpec

    -Elastic configures per-tenant ElasticSearch and Kibana parameters. -This field is required for clusters using external ES. +SNIMatch is used to match requests based on the server name for the intended destination server. Matching requests +will be proxied to the Destination.

    -controlPlaneReplicas
    +destination
    -int32 +string
    -(Optional)

    -ControlPlaneReplicas defines how many replicas of the control plane core components will be deployed -in the Tenant’s namespace. Defaults to the controlPlaneReplicas in Installation CR +Destination is the destination url to proxy the request to.

    -
    - -status
    - - -TenantStatus - - - -
    - -
    -

    TigeraStatus

    -

    -TigeraStatus represents the most recently observed status for Calico or a Calico Enterprise functional area. -

    +

    TLSTerminatedRoute

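Review bot: The destination description added in this hunk ("+Destination is the destination url to proxy the request to.") only restates the field name and does not say what form the value takes, and it writes "url" where the TLSTerminatedRoute destination later in the patch writes "URL". State the expected format, for example whether a scheme and port are required, and use one spelling throughout. The TLSTerminatedRoute heading that replaces TigeraStatus here also arrives without a description line, unlike the TigeraStatus text it displaces.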
    @@ -3255,7 +3573,7 @@ string @@ -3281,8 +3599,8 @@ Refer to the Kubernetes API documentation for the fields of the spec
    - -TigeraStatusSpec + +TLSTerminatedRouteSpec @@ -3292,17 +3610,12 @@ TigeraStatusSpec

    -TigeraStatus +TLSTerminatedRoute
    -
    - - - - -status
    +target
    - -TigeraStatusStatus + +TargetType @@ -3312,42 +3625,22 @@ TigeraStatusStatus - - -

    APIServerDeployment

    -

    - -(Appears on: -APIServerSpec) - -

    -

    -APIServerDeployment is the configuration for the API server Deployment. -

    - - - - - - - - @@ -3355,60 +3648,36 @@ Metadata is a subset of a Kubernetes object’s metadata that is added to th - -
    FieldDescription
    -metadata
    +pathMatch
    - -Metadata + +PathMatch
    -(Optional)

    -Metadata is a subset of a Kubernetes object’s metadata that is added to the Deployment. +PathMatch is used to match requests based on what’s in the path. Matching requests will be proxied to the Destination +defined in this structure.

    -spec
    +destination
    - -APIServerDeploymentSpec - +string
    -(Optional)

    -Spec is the specification of the API server Deployment. +Destination is the destination URL where matching traffic is routed to.

    -
    -
    - -
    -

    APIServerDeploymentContainer

    -

    - -(Appears on: -APIServerDeploymentPodSpec) - -

    -

    -APIServerDeploymentContainer is an API server Deployment container. -

    - - - - - - - - @@ -3416,10 +3685,10 @@ Name is an enum which identifies the API server Deployment container by name. - -
    FieldDescription
    -name
    +caBundle
    -string + +Kubernetes core/v1.ConfigMapKeySelector +

    -Name is an enum which identifies the API server Deployment container by name. +CABundle is where we read the CA bundle from to authenticate the +destination (if non-empty)

    -resources
    +mtlsCert
    - -Kubernetes core/v1.ResourceRequirements + +Kubernetes core/v1.SecretKeySelector @@ -3428,47 +3697,29 @@ Kubernetes core/v1.ResourceRequirements (Optional)

    -Resources allows customization of limits and requests for compute resources such as cpu and memory. -If specified, this overrides the named API server Deployment container’s resources. -If omitted, the API server Deployment will use its default value for this container’s resources. -If used in conjunction with the deprecated ComponentResources, then this value takes precedence. +ForwardingMTLSCert is the certificate used for mTLS between voltron and the destination. Either both ForwardingMTLSCert +and ForwardingMTLSKey must be specified, or neither can be specified.

    -

    APIServerDeploymentInitContainer

    -

    - -(Appears on: -APIServerDeploymentPodSpec) - -

    -

    -APIServerDeploymentInitContainer is an API server Deployment init container. -

    - - - - - - - - @@ -3476,11 +3727,9 @@ Name is an enum which identifies the API server Deployment init container by nam @@ -3488,24 +3737,20 @@ Kubernetes core/v1.ResourceRequirements (Optional)

    -Resources allows customization of limits and requests for compute resources such as cpu and memory. -If specified, this overrides the named API server Deployment init container’s resources. -If omitted, the API server Deployment will use its default value for this init container’s resources. +Unauthenticated says whether the request should go through authentication. This is only applicable if the Target +is UI.

    + + +
    FieldDescription
    -name
    +mtlsKey
    -string + +Kubernetes core/v1.SecretKeySelector +
    +(Optional)

    -Name is an enum which identifies the API server Deployment init container by name. +ForwardingMTLSKey is the key used for mTLS between voltron and the destination. Either both ForwardingMTLSCert +and ForwardingMTLSKey must be specified, or neither can be specified.

    -resources
    +unauthenticated
    - -Kubernetes core/v1.ResourceRequirements - +bool
    -

    APIServerDeploymentPodSpec

    -

    - -(Appears on: -APIServerDeploymentPodTemplateSpec) - -

    +

    Tenant

    -APIServerDeploymentDeploymentPodSpec is the API server Deployment’s PodSpec. +Tenant is the Schema for the tenants API

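Review bot: The unauthenticated description added above ("+Unauthenticated says whether the request should go through authentication.") does not say which value turns authentication off, and read literally it suggests that true means the request is authenticated, the opposite of what the field name implies. For a flag that can expose a route without authentication, spell out the polarity and the default, for instance that true forwards matching requests without authenticating them and that omitting the field leaves authentication on, if that is the behaviour. The mtlsKey text in the same region also refers to ForwardingMTLSCert and ForwardingMTLSKey, which do not match the documented field names mtlsCert and mtlsKey; use the names a user would type in the manifest.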
    @@ -3518,43 +3763,7451 @@ APIServerDeploymentDeploymentPodSpec is the API server Deployment’s PodSpe + + + + + + + + + + + + + + + + + + + +
    -initContainers
    +apiVersion
    +string +
    + + +operator.tigera.io/v1 + + +
    + +kind
    +string + +
    +Tenant +
    + +metadata
    + + +Kubernetes meta/v1.ObjectMeta + + + +
    + +Refer to the Kubernetes API documentation for the fields of the +metadata field. + +
    + +spec
    + + +TenantSpec + + + +
    + +
    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +id
    + +string + + +
    + +

    +ID is the unique identifier for this tenant. +

    + +
    + +name
    + +string + + +
    + +

    +Name is a human readable name for this tenant. +

    + +
    + +indices
    + + +[]Index + + + +
    + +

    +Indices defines the how to store a tenant’s data +

    + +
    + +elastic
    + + +TenantElasticSpec + + + +
    + +

    +Elastic configures per-tenant ElasticSearch and Kibana parameters. +This field is required for clusters using external ES. +

    + +
    + +controlPlaneReplicas
    + +int32 + + +
    + +(Optional) +

    +ControlPlaneReplicas defines how many replicas of the control plane core components will be deployed +in the Tenant’s namespace. Defaults to the controlPlaneReplicas in Installation CR +

    + +
    + +linseedDeployment
    + + +LinseedDeployment + + + +
    + +

    +LinseedDeployment configures the linseed Deployment. +

    + +
    + +dashboardsJob
    + + +DashboardsJob + + + +
    + +

    +DashboardsJob configures the Dashboards job +

    + +
    +
    + +status
    + + +TenantStatus + + + +
    + + +
    +

    TigeraStatus

    +

    +TigeraStatus represents the most recently observed status for Calico or a Calico Enterprise functional area. +

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +apiVersion
    +string +
    + + +operator.tigera.io/v1 + + +
    + +kind
    +string + +
    +TigeraStatus +
    + +metadata
    + + +Kubernetes meta/v1.ObjectMeta + + + +
    + +Refer to the Kubernetes API documentation for the fields of the +metadata field. + +
    + +spec
    + + +TigeraStatusSpec + + + +
    + +
    +
    + +
    + +
    + +status
    + + +TigeraStatusStatus + + + +
    + + +
    +

    APIServerDeployment

    +

    + +(Appears on: +APIServerSpec) + +

    +

    +APIServerDeployment is the configuration for the API server Deployment. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +metadata
    + + +Metadata + + + +
    + +(Optional) +

    +Metadata is a subset of a Kubernetes object’s metadata that is added to the Deployment. +

    + +
    + +spec
    + + +APIServerDeploymentSpec + + + +
    + +(Optional) +

    +Spec is the specification of the API server Deployment. +

    +
    +
    + +
    + +
    +

    APIServerDeploymentContainer

    +

    + +(Appears on: +APIServerDeploymentPodSpec) + +

    +

    +APIServerDeploymentContainer is an API server Deployment container. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +name
    + +string + + +
    + +

    +Name is an enum which identifies the API server Deployment container by name. +

    + +
    + +resources
    + + +Kubernetes core/v1.ResourceRequirements + + + +
    + +(Optional) +

    +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named API server Deployment container’s resources. +If omitted, the API server Deployment will use its default value for this container’s resources. +If used in conjunction with the deprecated ComponentResources, then this value takes precedence. +

    + +
    +

    APIServerDeploymentInitContainer

    +

    + +(Appears on: +APIServerDeploymentPodSpec) + +

    +

    +APIServerDeploymentInitContainer is an API server Deployment init container. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +name
    + +string + + +
    + +

    +Name is an enum which identifies the API server Deployment init container by name. +

    + +
    + +resources
    + + +Kubernetes core/v1.ResourceRequirements + + + +
    + +(Optional) +

    +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named API server Deployment init container’s resources. +If omitted, the API server Deployment will use its default value for this init container’s resources. +

    + +
    +

    APIServerDeploymentPodSpec

    +

    + +(Appears on: +APIServerDeploymentPodTemplateSpec) + +

    +

    +APIServerDeploymentDeploymentPodSpec is the API server Deployment’s PodSpec. +

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +initContainers
    + + +[]APIServerDeploymentInitContainer + + + +
    + +(Optional) +

    +InitContainers is a list of API server init containers. +If specified, this overrides the specified API server Deployment init containers. +If omitted, the API server Deployment will use its default values for its init containers. +

    + +
    + +containers
    + + +[]APIServerDeploymentContainer + + + +
    + +(Optional) +

    +Containers is a list of API server containers. +If specified, this overrides the specified API server Deployment containers. +If omitted, the API server Deployment will use its default values for its containers. +

    + +
    + +affinity
    + + +Kubernetes core/v1.Affinity + + + +
    + +(Optional) +

    +Affinity is a group of affinity scheduling rules for the API server pods. +If specified, this overrides any affinity that may be set on the API server Deployment. +If omitted, the API server Deployment will use its default value for affinity. +WARNING: Please note that this field will override the default API server Deployment affinity. +

    + +
    + +nodeSelector
    + +map[string]string + + +
    + +

    +NodeSelector is the API server pod’s scheduling constraints. +If specified, each of the key/value pairs are added to the API server Deployment nodeSelector provided +the key does not already exist in the object’s nodeSelector. +If used in conjunction with ControlPlaneNodeSelector, that nodeSelector is set on the API server Deployment +and each of this field’s key/value pairs are added to the API server Deployment nodeSelector provided +the key does not already exist in the object’s nodeSelector. +If omitted, the API server Deployment will use its default value for nodeSelector. +WARNING: Please note that this field will modify the default API server Deployment nodeSelector. +

    + +
    + +topologySpreadConstraints
    + + +[]Kubernetes core/v1.TopologySpreadConstraint + + + +
    + +(Optional) +

    +TopologySpreadConstraints describes how a group of pods ought to spread across topology +domains. Scheduler will schedule pods in a way which abides by the constraints. +All topologySpreadConstraints are ANDed. +

    + +
    + +tolerations
    + + +[]Kubernetes core/v1.Toleration + + + +
    + +(Optional) +

    +Tolerations is the API server pod’s tolerations. +If specified, this overrides any tolerations that may be set on the API server Deployment. +If omitted, the API server Deployment will use its default value for tolerations. +WARNING: Please note that this field will override the default API server Deployment tolerations. +

    + +
    +

    APIServerDeploymentPodTemplateSpec

    +

    + +(Appears on: +APIServerDeploymentSpec) + +

    +

    +APIServerDeploymentPodTemplateSpec is the API server Deployment’s PodTemplateSpec +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +metadata
    + + +Metadata + + + +
    + +(Optional) +

    +Metadata is a subset of a Kubernetes object’s metadata that is added to +the pod’s metadata. +

    + +
    + +spec
    + + +APIServerDeploymentPodSpec + + + +
    + +(Optional) +

    +Spec is the API server Deployment’s PodSpec. +

    +
    +
    + +
    + +
    +

    APIServerDeploymentSpec

    +

    + +(Appears on: +APIServerDeployment) + +

    +

    +APIServerDeploymentSpec defines configuration for the API server Deployment. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +minReadySeconds
    + +int32 + + +
    + +(Optional) +

    +MinReadySeconds is the minimum number of seconds for which a newly created Deployment pod should +be ready without any of its container crashing, for it to be considered available. +If specified, this overrides any minReadySeconds value that may be set on the API server Deployment. +If omitted, the API server Deployment will use its default value for minReadySeconds. +

    + +
    + +template
    + + +APIServerDeploymentPodTemplateSpec + + + +
    + +(Optional) +

    +Template describes the API server Deployment pod that will be created. +

    + +
    +

    APIServerSpec

    +

    + +(Appears on: +APIServer) + +

    +

    +APIServerSpec defines the desired state of Tigera API server. +

    + + + + + + + + + + + + + +
    FieldDescription
    + +apiServerDeployment
    + + +APIServerDeployment + + + +
    + +

    +APIServerDeployment configures the calico-apiserver (or tigera-apiserver in Enterprise) Deployment. If +used in conjunction with ControlPlaneNodeSelector or ControlPlaneTolerations, then these overrides +take precedence. +

    + +
    +

    APIServerStatus

    +

    + +(Appears on: +APIServer) + +

    +

    +APIServerStatus defines the observed state of Tigera API server. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +state
    + +string + + +
    + +

    +State provides user-readable status. +

    + +
    + +conditions
    + + +[]Kubernetes meta/v1.Condition + + + +
    + +(Optional) +

    +Conditions represents the latest observed set of conditions for the component. A component may be one or more of +Ready, Progressing, Degraded or other customer types. +

    + +
    +

    AWSEgressGateway

    +

    + +(Appears on: +EgressGatewaySpec) + +

    +

    +AWSEgressGateway defines the configurations for deploying EgressGateway in AWS +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +nativeIP
    + + +NativeIP + + + +
    + +(Optional) +

    +NativeIP defines if EgressGateway is to use an AWS backed IPPool. +Default: Disabled +

    + +
    + +elasticIPs
    + +[]string + + +
    + +(Optional) +

    +ElasticIPs defines the set of elastic IPs that can be used for Egress Gateway pods. +NativeIP must be Enabled if elastic IPs are set. +

    + +
    +

    AdditionalLogSourceSpec

    +

    + +(Appears on: +LogCollectorSpec) + +

    + + + + + + + + + + + + + +
    FieldDescription
    + +eksCloudwatchLog
    + + +EksCloudwatchLogsSpec + + + +
    + +(Optional) +

    +If specified with EKS Provider in Installation, enables fetching EKS +audit logs. +

    + +
    +

    AdditionalLogStoreSpec

    +

    + +(Appears on: +LogCollectorSpec) + +

    + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +s3
    + + +S3StoreSpec + + + +
    + +(Optional) +

    +If specified, enables exporting of flow, audit, and DNS logs to Amazon S3 storage. +

    + +
    + +syslog
    + + +SyslogStoreSpec + + + +
    + +(Optional) +

    +If specified, enables exporting of flow, audit, and DNS logs to syslog. +

    + +
    + +splunk
    + + +SplunkStoreSpec + + + +
    + +(Optional) +

    +If specified, enables exporting of flow, audit, and DNS logs to splunk. +

    + +
    +

    AlertManager

    +

    + +(Appears on: +MonitorSpec) + +

    + + + + + + + + + + + + + +
    FieldDescription
    + +spec
    + + +AlertManagerSpec + + + +
    + +(Optional) +

    +Spec is the specification of the Alertmanager. +

    +
    +
    + +
    + +
    +

    AlertManagerSpec

    +

    + +(Appears on: +AlertManager) + +

    + + + + + + + + + + + + + +
    FieldDescription
    + +resources
    + + +Kubernetes core/v1.ResourceRequirements + + + +
    + +

    +Define resources requests and limits for single Pods. +

    + +
    +

    AmazonCloudIntegrationSpec

    +

    + +(Appears on: +AmazonCloudIntegration) + +

    +

    +AmazonCloudIntegrationSpec defines the desired state of AmazonCloudIntegration +

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +defaultPodMetadataAccess
    + + +MetadataAccessAllowedType + + + +
    + +(Optional) +

    +DefaultPodMetadataAccess defines what the default behavior will be for accessing +the AWS metadata service from a pod. +Default: Denied +

    + +
    + +nodeSecurityGroupIDs
    + +[]string + + +
    + +

    +NodeSecurityGroupIDs is a list of Security Group IDs that all nodes and masters +will be in. +

    + +
    + +podSecurityGroupID
    + +string + + +
    + +

    +PodSecurityGroupID is the ID of the Security Group which all pods should be placed +in by default. +

    + +
    + +vpcs
    + +[]string + + +
    + +

    +VPCS is a list of VPC IDs to monitor for ENIs and Security Groups, only one is supported. +

    + +
    + +sqsURL
    + +string + + +
    + +

    +SQSURL is the SQS URL needed to access the Simple Queue Service. +

    + +
    + +awsRegion
    + +string + + +
    + +

    +AWSRegion is the region in which your cluster is located. +

    + +
    + +enforcedSecurityGroupID
    + +string + + +
    + +

    +EnforcedSecurityGroupID is the ID of the Security Group which will be applied to all +ENIs that are on a host that is also part of the Kubernetes cluster. +

    + +
    + +trustEnforcedSecurityGroupID
    + +string + + +
    + +

    +TrustEnforcedSecurityGroupID is the ID of the Security Group which will be applied +to all ENIs in the VPC. +

    + +
    +

    AmazonCloudIntegrationStatus

    +

    + +(Appears on: +AmazonCloudIntegration) + +

    +

    +AmazonCloudIntegrationStatus defines the observed state of AmazonCloudIntegration +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +state
    + +string + + +
    + +

    +State provides user-readable status. +

    + +
    + +conditions
    + + +[]Kubernetes meta/v1.Condition + + + +
    + +(Optional) +

    +Conditions represents the latest observed set of conditions for the component. A component may be one or more of +Ready, Progressing, Degraded or other customer types. +

    + +
    +

    AnomalyDetectionSpec

    +

    + +(Appears on: +IntrusionDetectionSpec) + +

    + + + + + + + + + + + + + +
    FieldDescription
    + +storageClassName
    + +string + + +
    + +(Optional) +

    +StorageClassName is now deprecated, and configuring it has no effect. +

    + +
    +

    ApplicationLayerPolicyStatusType +(string alias)

    +

    + +(Appears on: +ApplicationLayerSpec) + +

    +

    ApplicationLayerSpec

    +

    + +(Appears on: +ApplicationLayer) + +

    +

    +ApplicationLayerSpec defines the desired state of ApplicationLayer +

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +webApplicationFirewall
    + + +WAFStatusType + + + +
    + +

    +WebApplicationFirewall controls whether or not ModSecurity enforcement is enabled for the cluster. +When enabled, Services may opt-in to having ingress traffic examed by ModSecurity. +

    + +
    + +logCollection
    + + +LogCollectionSpec + + + +
    + +

    +Specification for application layer (L7) log collection. +

    + +
    + +applicationLayerPolicy
    + + +ApplicationLayerPolicyStatusType + + + +
    + +

    +Application Layer Policy controls whether or not ALP enforcement is enabled for the cluster. +When enabled, NetworkPolicies with HTTP Match rules may be defined to opt-in workloads for traffic enforcement on the application layer. +

    + +
    + +envoy
    + + +EnvoySettings + + + +
    + +

    +User-configurable settings for the Envoy proxy. +

    + +
    + +l7LogCollectorDaemonSet
    + + +L7LogCollectorDaemonSet + + + +
    + +(Optional) +

    +L7LogCollectorDaemonSet configures the L7LogCollector DaemonSet. +

    + +
    +

    ApplicationLayerStatus

    +

    + +(Appears on: +ApplicationLayer) + +

    +

    +ApplicationLayerStatus defines the observed state of ApplicationLayer +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +state
    + +string + + +
    + +

    +State provides user-readable status. +

    + +
    + +conditions
    + + +[]Kubernetes meta/v1.Condition + + + +
    + +(Optional) +

    +Conditions represents the latest observed set of conditions for the component. A component may be one or more of +Ready, Progressing, Degraded or other customer types. +

    + +
    +

    AuthMethod +(string alias)

    +

    AuthenticationLDAP

    +

    + +(Appears on: +AuthenticationSpec) + +

    +

    +AuthenticationLDAP is the configuration needed to setup LDAP. +

    + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +host
    + +string + + +
    + +

    +The host and port of the LDAP server. Example: ad.example.com:636 +

    + +
    + +startTLS
    + +bool + + +
    + +(Optional) +

    +StartTLS whether to enable the startTLS feature for establishing TLS on an existing LDAP session. +If true, the ldap:// protocol is used and then issues a StartTLS command, otherwise, connections will use +the ldaps:// protocol. +

    + +
    + +userSearch
    + + +UserSearch + + + +
    + +

    +User entry search configuration to match the credentials with a user. +

    + +
    + +groupSearch
    + + +GroupSearch + + + +
    + +(Optional) +

    +Group search configuration to find the groups that a user is in. +

    + +
    +

    AuthenticationOIDC

    +

    + +(Appears on: +AuthenticationSpec) + +

    +

    +AuthenticationOIDC is the configuration needed to setup OIDC. +

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +issuerURL
    + +string + + +
    + +

    +IssuerURL is the URL to the OIDC provider. +

    + +
    + +usernameClaim
    + +string + + +
    + +

    +UsernameClaim specifies which claim to use from the OIDC provider as the username. +

    + +
    + +requestedScopes
    + +[]string + + +
    + +(Optional) +

    +RequestedScopes is a list of scopes to request from the OIDC provider. If not provided, the following scopes are +requested: [“openid”, “email”, “profile”, “groups”, “offline_access”]. +

    + +
    + +usernamePrefix
    + +string + + +
    + +(Optional) +

    +Deprecated. Please use Authentication.Spec.UsernamePrefix instead. +

    + +
    + +groupsClaim
    + +string + + +
    + +(Optional) +

    +GroupsClaim specifies which claim to use from the OIDC provider as the group. +

    + +
    + +groupsPrefix
    + +string + + +
    + +(Optional) +

    +Deprecated. Please use Authentication.Spec.GroupsPrefix instead. +

    + +
    + +emailVerification
    + + +EmailVerificationType + + + +
    + +(Optional) +

    +Some providers do not include the claim “email_verified” when there is no verification in the user enrollment +process or if they are acting as a proxy for another identity provider. By default those tokens are deemed invalid. +To skip this check, set the value to “InsecureSkip”. +Default: Verify +

    + +
    + +promptTypes
    + + +[]PromptType + + + +
    + +(Optional) +

    +PromptTypes is an optional list of string values that specifies whether the identity provider prompts the end user +for re-authentication and consent. See the RFC for more information on prompt types: +https://openid.net/specs/openid-connect-core-1_0.html. +Default: “Consent” +

    + +
    + +type
    + + +OIDCType + + + +
    + +(Optional) +

    +Default: “Dex” +

    + +
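Review bot: the emailVerification description says how to turn the check off (set the value to "InsecureSkip") but not what is given up by doing so. Since tokens without "email_verified" are deemed invalid by default, add one sentence stating that with InsecureSkip the email claim is accepted without the provider having confirmed it, so a reader can decide whether that claim is still suitable as usernameClaim. Two smaller points in the same table: promptTypes says "See the RFC" but links to the OpenID Connect Core specification, which is not an RFC, and type carries only `Default: "Dex"` with no description of what the field selects.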
    +

    AuthenticationOpenshift

    +

    + +(Appears on: +AuthenticationSpec) + +

    +

    +AuthenticationOpenshift is the configuration needed to setup Openshift. +

    + + + + + + + + + + + + + +
    FieldDescription
    + +issuerURL
    + +string + + +
    + +

    +IssuerURL is the URL to the Openshift OAuth provider. Ex.: https://api.my-ocp-domain.com:6443 +

    + +
    +

    AuthenticationSpec

    +

    + +(Appears on: +Authentication) + +

    +

    +AuthenticationSpec defines the desired state of Authentication +

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +managerDomain
    + +string + + +
    + +

    +ManagerDomain is the domain name of the Manager +

    + +
    + +usernamePrefix
    + +string + + +
    + +(Optional) +

    +If specified, UsernamePrefix is prepended to each user obtained from the identity provider. Note that +Kibana does not support a user prefix, so this prefix is removed from Kubernetes User when translating log access +ClusterRoleBindings into Elastic. +

    + +
    + +groupsPrefix
    + +string + + +
    + +(Optional) +

    +If specified, GroupsPrefix is prepended to each group obtained from the identity provider. Note that +Kibana does not support a groups prefix, so this prefix is removed from Kubernetes Groups when translating log access +ClusterRoleBindings into Elastic. +

    + +
    + +oidc
    + + +AuthenticationOIDC + + + +
    + +(Optional) +

    +OIDC contains the configuration needed to setup OIDC authentication. +

    + +
    + +openshift
    + + +AuthenticationOpenshift + + + +
    + +(Optional) +

    +Openshift contains the configuration needed to setup Openshift OAuth authentication. +

    + +
    + +ldap
    + + +AuthenticationLDAP + + + +
    + +(Optional) +

    +LDAP contains the configuration needed to setup LDAP authentication. +

    + +
    + +dexDeployment
    + + +DexDeployment + + + +
    + +(Optional) +

    +DexDeployment configures the Dex Deployment. +

    + +
    +

    AuthenticationStatus

    +

    + +(Appears on: +Authentication) + +

    +

    +AuthenticationStatus defines the observed state of Authentication +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +state
    + +string + + +
    + +

    +State provides user-readable status. +

    + +
    + +conditions
    + + +[]Kubernetes meta/v1.Condition + + + +
    + +(Optional) +

    +Conditions represents the latest observed set of conditions for the component. A component may be one or more of +Ready, Progressing, Degraded or other customer types. +

    + +
    +

    BGPOption +(string alias)

    +

    + +(Appears on: +CalicoNetworkSpec) + +

    +

    +BGPOption describes the mode of BGP to use. +

    +

    +One of: Enabled, Disabled +

    +

    CAType +(string alias)

    +

    + +(Appears on: +ManagementClusterTLS) + +

    +

    +CAType specifies which verification method the tunnel client should use to verify the tunnel server’s identity. +

    +

    +One of: Tigera, Public +

    +

    CNILogging

    +

    + +(Appears on: +Logging) + +

    + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +logSeverity
    + + +LogLevel + + + +
    + +(Optional) +

    +Default: Info +

    + +
    + +logFileMaxSize
    + +k8s.io/apimachinery/pkg/api/resource.Quantity + + +
    + +(Optional) +

    +Default: 100Mi +

    + +
    + +logFileMaxAgeDays
    + +uint32 + + +
    + +(Optional) +

    +Default: 30 (days) +

    + +
    + +logFileMaxCount
    + +uint32 + + +
    + +(Optional) +

    +Default: 10 +

    + +
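Review bot: CNILogging is missing its type description (the section goes straight from "Appears on: Logging" to the field table), and all four fields document only a default. Please add a sentence saying what the type configures and, for each field, what it controls, so that values such as "Default: 100Mi" and "Default: 10" can be interpreted without reading the source.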
    +

    CNIPluginType +(string alias)

    +

    + +(Appears on: +CNISpec) + +

    +

    +CNIPluginType describes the type of CNI plugin used. +

    +

    +One of: Calico, GKE, AmazonVPC, AzureVNET +

    +

    CNISpec

    +

    + +(Appears on: +InstallationSpec) + +

    +

    +CNISpec contains configuration for the CNI plugin. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +type
    + + +CNIPluginType + + + +
    + +

    +Specifies the CNI plugin that will be used in the Calico or Calico Enterprise installation. +* For KubernetesProvider GKE, this field defaults to GKE. +* For KubernetesProvider AKS, this field defaults to AzureVNET. +* For KubernetesProvider EKS, this field defaults to AmazonVPC. +* If aws-node daemonset exists in kube-system when the Installation resource is created, this field defaults to AmazonVPC. +* For all other cases this field defaults to Calico. +

    +

    +For the value Calico, the CNI plugin binaries and CNI config will be installed as part of deployment, +for all other values the CNI plugin binaries and CNI config is a dependency that is expected +to be installed separately. +

    +

    +Default: Calico +

    + +
    + +ipam
    + + +IPAMSpec + + + +
    + +(Optional) +

    +IPAM specifies the pod IP address management that will be used in the Calico or +Calico Enterprise installation. +

    + +
    +

    CSINodeDriverDaemonSet

    +

    + +(Appears on: +InstallationSpec) + +

    +

    +CSINodeDriverDaemonSet is the configuration for the csi-node-driver DaemonSet. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +metadata
    + + +Metadata + + + +
    + +(Optional) +

    +Metadata is a subset of a Kubernetes object’s metadata that is added to the DaemonSet. +

    + +
    + +spec
    + + +CSINodeDriverDaemonSetSpec + + + +
    + +(Optional) +

    +Spec is the specification of the csi-node-driver DaemonSet. +

    +
    +
    + +
    + +
    +

    CSINodeDriverDaemonSetContainer

    +

    + +(Appears on: +CSINodeDriverDaemonSetPodSpec) + +

    +

    +CSINodeDriverDaemonSetContainer is a csi-node-driver DaemonSet container. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +name
    + +string + + +
    + +

    +Name is an enum which identifies the csi-node-driver DaemonSet container by name. +

    + +
    + +resources
    + + +Kubernetes core/v1.ResourceRequirements + + + +
    + +(Optional) +

    +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named csi-node-driver DaemonSet container’s resources. +If omitted, the csi-node-driver DaemonSet will use its default value for this container’s resources. +

    + +
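Review bot: the name field is described as "an enum which identifies the csi-node-driver DaemonSet container by name", but the type shown is string and the accepted values are not listed anywhere in this section. Please list the valid container names (or link to them), since a reader cannot set resources without knowing which name to use; the same gap applies to the name field of the other *Container and *InitContainer types added below.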
    +

    CSINodeDriverDaemonSetPodSpec

    +

    + +(Appears on: +CSINodeDriverDaemonSetPodTemplateSpec) + +

    +

    +CSINodeDriverDaemonSetPodSpec is the csi-node-driver DaemonSet’s PodSpec. +

    + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +containers
    + + +[]CSINodeDriverDaemonSetContainer + + + +
    + +(Optional) +

    +Containers is a list of csi-node-driver containers. +If specified, this overrides the specified csi-node-driver DaemonSet containers. +If omitted, the csi-node-driver DaemonSet will use its default values for its containers. +

    + +
    + +affinity
    + + +Kubernetes core/v1.Affinity + + + +
    + +(Optional) +

    +Affinity is a group of affinity scheduling rules for the csi-node-driver pods. +If specified, this overrides any affinity that may be set on the csi-node-driver DaemonSet. +If omitted, the csi-node-driver DaemonSet will use its default value for affinity. +WARNING: Please note that this field will override the default csi-node-driver DaemonSet affinity. +

    + +
    + +nodeSelector
    + +map[string]string + + +
    + +(Optional) +

    +NodeSelector is the csi-node-driver pod’s scheduling constraints. +If specified, each of the key/value pairs are added to the csi-node-driver DaemonSet nodeSelector provided +the key does not already exist in the object’s nodeSelector. +If omitted, the csi-node-driver DaemonSet will use its default value for nodeSelector. +WARNING: Please note that this field will modify the default csi-node-driver DaemonSet nodeSelector. +

    + +
    + +tolerations
    + + +[]Kubernetes core/v1.Toleration + + + +
    + +(Optional) +

    +Tolerations is the csi-node-driver pod’s tolerations. +If specified, this overrides any tolerations that may be set on the csi-node-driver DaemonSet. +If omitted, the csi-node-driver DaemonSet will use its default value for tolerations. +WARNING: Please note that this field will override the default csi-node-driver DaemonSet tolerations. +

    + +
    +

    CSINodeDriverDaemonSetPodTemplateSpec

    +

    + +(Appears on: +CSINodeDriverDaemonSetSpec) + +

    +

    +CSINodeDriverDaemonSetPodTemplateSpec is the csi-node-driver DaemonSet’s PodTemplateSpec +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +metadata
    + + +Metadata + + + +
    + +(Optional) +

    +Metadata is a subset of a Kubernetes object’s metadata that is added to +the pod’s metadata. +

    + +
    + +spec
    + + +CSINodeDriverDaemonSetPodSpec + + + +
    + +(Optional) +

    +Spec is the csi-node-driver DaemonSet’s PodSpec. +

    +
    +
    + +
    + +
    +

    CSINodeDriverDaemonSetSpec

    +

    + +(Appears on: +CSINodeDriverDaemonSet) + +

    +

    +CSINodeDriverDaemonSetSpec defines configuration for the csi-node-driver DaemonSet. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +minReadySeconds
    + +int32 + + +
    + +(Optional) +

    +MinReadySeconds is the minimum number of seconds for which a newly created DaemonSet pod should +be ready without any of its container crashing, for it to be considered available. +If specified, this overrides any minReadySeconds value that may be set on the csi-node-driver DaemonSet. +If omitted, the csi-node-driver DaemonSet will use its default value for minReadySeconds. +

    + +
    + +template
    + + +CSINodeDriverDaemonSetPodTemplateSpec + + + +
    + +(Optional) +

    +Template describes the csi-node-driver DaemonSet pod that will be created. +

    + +
    +

    CalicoKubeControllersDeployment

    +

    + +(Appears on: +InstallationSpec) + +

    +

    +CalicoKubeControllersDeployment is the configuration for the calico-kube-controllers Deployment. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +metadata
    + + +Metadata + + + +
    + +(Optional) +

    +Metadata is a subset of a Kubernetes object’s metadata that is added to the Deployment. +

    + +
    + +spec
    + + +CalicoKubeControllersDeploymentSpec + + + +
    + +(Optional) +

    +Spec is the specification of the calico-kube-controllers Deployment. +

    +
    +
    + +
    + +
    +

    CalicoKubeControllersDeploymentContainer

    +

    + +(Appears on: +CalicoKubeControllersDeploymentPodSpec) + +

    +

    +CalicoKubeControllersDeploymentContainer is a calico-kube-controllers Deployment container. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +name
    + +string + + +
    + +

    +Name is an enum which identifies the calico-kube-controllers Deployment container by name. +

    + +
    + +resources
    + + +Kubernetes core/v1.ResourceRequirements + + + +
    + +(Optional) +

    +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named calico-kube-controllers Deployment container’s resources. +If omitted, the calico-kube-controllers Deployment will use its default value for this container’s resources. +If used in conjunction with the deprecated ComponentResources, then this value takes precedence. +

    + +
    +

    CalicoKubeControllersDeploymentPodSpec

    +

    + +(Appears on: +CalicoKubeControllersDeploymentPodTemplateSpec) + +

    +

    +CalicoKubeControllersDeploymentPodSpec is the calico-kube-controller Deployment’s PodSpec. +

    + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +containers
    + + +[]CalicoKubeControllersDeploymentContainer + + + +
    + +(Optional) +

    +Containers is a list of calico-kube-controllers containers. +If specified, this overrides the specified calico-kube-controllers Deployment containers. +If omitted, the calico-kube-controllers Deployment will use its default values for its containers. +

    + +
    + +affinity
    + + +Kubernetes core/v1.Affinity + + + +
    + +(Optional) +

    +Affinity is a group of affinity scheduling rules for the calico-kube-controllers pods. +If specified, this overrides any affinity that may be set on the calico-kube-controllers Deployment. +If omitted, the calico-kube-controllers Deployment will use its default value for affinity. +WARNING: Please note that this field will override the default calico-kube-controllers Deployment affinity. +

    + +
    + +nodeSelector
    + +map[string]string + + +
    + +

    +NodeSelector is the calico-kube-controllers pod’s scheduling constraints. +If specified, each of the key/value pairs are added to the calico-kube-controllers Deployment nodeSelector provided +the key does not already exist in the object’s nodeSelector. +If used in conjunction with ControlPlaneNodeSelector, that nodeSelector is set on the calico-kube-controllers Deployment +and each of this field’s key/value pairs are added to the calico-kube-controllers Deployment nodeSelector provided +the key does not already exist in the object’s nodeSelector. +If omitted, the calico-kube-controllers Deployment will use its default value for nodeSelector. +WARNING: Please note that this field will modify the default calico-kube-controllers Deployment nodeSelector. +

    + +
    + +tolerations
    + + +[]Kubernetes core/v1.Toleration + + + +
    + +(Optional) +

    +Tolerations is the calico-kube-controllers pod’s tolerations. +If specified, this overrides any tolerations that may be set on the calico-kube-controllers Deployment. +If omitted, the calico-kube-controllers Deployment will use its default value for tolerations. +WARNING: Please note that this field will override the default calico-kube-controllers Deployment tolerations. +

    + +
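Review bot: nodeSelector in CalicoKubeControllersDeploymentPodSpec is missing the "(Optional)" marker, although its description says "If omitted, the calico-kube-controllers Deployment will use its default value for nodeSelector" and the same field is marked optional in CSINodeDriverDaemonSetPodSpec. As rendered, the reference implies the field is required; please mark it optional or explain why it is not. Also, the type description reads "calico-kube-controller Deployment's PodSpec" and should say "calico-kube-controllers".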
    +

    CalicoKubeControllersDeploymentPodTemplateSpec

    +

    + +(Appears on: +CalicoKubeControllersDeploymentSpec) + +

    +

    +CalicoKubeControllersDeploymentPodTemplateSpec is the calico-kube-controllers Deployment’s PodTemplateSpec +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +metadata
    + + +Metadata + + + +
    + +(Optional) +

    +Metadata is a subset of a Kubernetes object’s metadata that is added to +the pod’s metadata. +

    + +
    + +spec
    + + +CalicoKubeControllersDeploymentPodSpec + + + +
    + +(Optional) +

    +Spec is the calico-kube-controllers Deployment’s PodSpec. +

    +
    +
    + +
    + +
    +

    CalicoKubeControllersDeploymentSpec

    +

    + +(Appears on: +CalicoKubeControllersDeployment) + +

    +

    +CalicoKubeControllersDeploymentSpec defines configuration for the calico-kube-controllers Deployment. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +minReadySeconds
    + +int32 + + +
    + +(Optional) +

    +MinReadySeconds is the minimum number of seconds for which a newly created Deployment pod should +be ready without any of its container crashing, for it to be considered available. +If specified, this overrides any minReadySeconds value that may be set on the calico-kube-controllers Deployment. +If omitted, the calico-kube-controllers Deployment will use its default value for minReadySeconds. +

    + +
    + +template
    + + +CalicoKubeControllersDeploymentPodTemplateSpec + + + +
    + +(Optional) +

    +Template describes the calico-kube-controllers Deployment pod that will be created. +

    + +
    +

    CalicoNetworkSpec

    +

    + +(Appears on: +InstallationSpec) + +

    +

    +CalicoNetworkSpec specifies configuration options for Calico provided pod networking. +

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +linuxDataplane
    + + +LinuxDataplaneOption + + + +
    + +(Optional) +

    +LinuxDataplane is used to select the dataplane used for Linux nodes. In particular, it +causes the operator to add required mounts and environment variables for the particular dataplane. +If not specified, iptables mode is used. +Default: Iptables +

    + +
    + +windowsDataplane
    + + +WindowsDataplaneOption + + + +
    + +(Optional) +

    +WindowsDataplane is used to select the dataplane used for Windows nodes. In particular, it +causes the operator to add required mounts and environment variables for the particular dataplane. +If not specified, it is disabled and the operator will not render the Calico Windows nodes daemonset. +Default: Disabled +

    + +
    + +bgp
    + + +BGPOption + + + +
    + +(Optional) +

    +BGP configures whether or not to enable Calico’s BGP capabilities. +

    + +
    + +ipPools
    + + +[]IPPool + + + +
    + +(Optional) +

    +IPPools contains a list of IP pools to create if none exist. At most one IP pool of each +address family may be specified. If omitted, a single pool will be configured if needed. +

    + +
    + +mtu
    + +int32 + + +
    + +(Optional) +

    +MTU specifies the maximum transmission unit to use on the pod network. +If not specified, Calico will perform MTU auto-detection based on the cluster network. +

    + +
    + +nodeAddressAutodetectionV4
    + + +NodeAddressAutodetection + + + +
    + +(Optional) +

    +NodeAddressAutodetectionV4 specifies an approach to automatically detect node IPv4 addresses. If not specified, +will use default auto-detection settings to acquire an IPv4 address for each node. +

    + +
    + +nodeAddressAutodetectionV6
    + + +NodeAddressAutodetection + + + +
    + +(Optional) +

    +NodeAddressAutodetectionV6 specifies an approach to automatically detect node IPv6 addresses. If not specified, +IPv6 addresses will not be auto-detected. +

    + +
    + +hostPorts
    + + +HostPortsType + + + +
    + +(Optional) +

    +HostPorts configures whether or not Calico will support Kubernetes HostPorts. Valid only when using the Calico CNI plugin. +Default: Enabled +

    + +
    + +multiInterfaceMode
    + + +MultiInterfaceMode + + + +
    + +(Optional) +

    +MultiInterfaceMode configures what will configure multiple interface per pod. Only valid for Calico Enterprise installations +using the Calico CNI plugin. +Default: None +

    + +
    + +containerIPForwarding
    + + +ContainerIPForwardingType + + + +
    + +(Optional) +

    +ContainerIPForwarding configures whether ip forwarding will be enabled for containers in the CNI configuration. +Default: Disabled +

    + +
    + +sysctl
    + + +[]Sysctl + + + +
    + +(Optional) +

    +Sysctl configures sysctl parameters for tuning plugin +

    + +
    + +linuxPolicySetupTimeoutSeconds
    + +int32 + + +
    + +(Optional) +

    +LinuxPolicySetupTimeoutSeconds delays new pods from running containers +until their policy has been programmed in the dataplane. +The specified delay defines the maximum amount of time +that the Calico CNI plugin will wait for policy to be programmed. +

    +

    +Only applies to pods created on Linux nodes. +

    +
      +
    • A value of 0 disables pod startup delays.
    • +
    +

    +Default: 0 +

    + +
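Review bot: in linuxPolicySetupTimeoutSeconds, the consequence of the default is left for the reader to infer. The text says the setting delays containers "until their policy has been programmed in the dataplane", that 0 disables the delay, and that the default is 0; please state directly that with the default a pod's containers may start before its policy is in place, since that is the security-relevant behaviour. Separately, the multiInterfaceMode description ("configures what will configure multiple interface per pod") is circular and should name what is actually selected.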
    +

    CalicoNodeDaemonSet

    +

    + +(Appears on: +InstallationSpec) + +

    +

    +CalicoNodeDaemonSet is the configuration for the calico-node DaemonSet. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +metadata
    + + +Metadata + + + +
    + +(Optional) +

    +Metadata is a subset of a Kubernetes object’s metadata that is added to the DaemonSet. +

    + +
    + +spec
    + + +CalicoNodeDaemonSetSpec + + + +
    + +(Optional) +

    +Spec is the specification of the calico-node DaemonSet. +

    +
    +
    + +
    + +
    +

    CalicoNodeDaemonSetContainer

    +

    + +(Appears on: +CalicoNodeDaemonSetPodSpec) + +

    +

    +CalicoNodeDaemonSetContainer is a calico-node DaemonSet container. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +name
    + +string + + +
    + +

    +Name is an enum which identifies the calico-node DaemonSet container by name. +

    + +
    + +resources
    + + +Kubernetes core/v1.ResourceRequirements + + + +
    + +(Optional) +

    +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named calico-node DaemonSet container’s resources. +If omitted, the calico-node DaemonSet will use its default value for this container’s resources. +If used in conjunction with the deprecated ComponentResources, then this value takes precedence. +

    + +
    +

    CalicoNodeDaemonSetInitContainer

    +

    + +(Appears on: +CalicoNodeDaemonSetPodSpec) + +

    +

    +CalicoNodeDaemonSetInitContainer is a calico-node DaemonSet init container. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +name
    + +string + + +
    + +

    +Name is an enum which identifies the calico-node DaemonSet init container by name. +

    + +
    + +resources
    + + +Kubernetes core/v1.ResourceRequirements + + + +
    + +(Optional) +

    +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named calico-node DaemonSet init container’s resources. +If omitted, the calico-node DaemonSet will use its default value for this container’s resources. +If used in conjunction with the deprecated ComponentResources, then this value takes precedence. +

    + +
    +

    CalicoNodeDaemonSetPodSpec

    +

    + +(Appears on: +CalicoNodeDaemonSetPodTemplateSpec) + +

    +

    +CalicoNodeDaemonSetPodSpec is the calico-node DaemonSet’s PodSpec. +

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +initContainers
    + + +[]CalicoNodeDaemonSetInitContainer + + + +
    + +(Optional) +

    +InitContainers is a list of calico-node init containers. +If specified, this overrides the specified calico-node DaemonSet init containers. +If omitted, the calico-node DaemonSet will use its default values for its init containers. +

    + +
    + +containers
    + + +[]CalicoNodeDaemonSetContainer + + + +
    + +(Optional) +

    +Containers is a list of calico-node containers. +If specified, this overrides the specified calico-node DaemonSet containers. +If omitted, the calico-node DaemonSet will use its default values for its containers. +

    + +
    + +affinity
    + + +Kubernetes core/v1.Affinity + + + +
    + +(Optional) +

    +Affinity is a group of affinity scheduling rules for the calico-node pods. +If specified, this overrides any affinity that may be set on the calico-node DaemonSet. +If omitted, the calico-node DaemonSet will use its default value for affinity. +WARNING: Please note that this field will override the default calico-node DaemonSet affinity. +

    + +
    + +nodeSelector
    + +map[string]string + + +
    + +(Optional) +

    +NodeSelector is the calico-node pod’s scheduling constraints. +If specified, each of the key/value pairs are added to the calico-node DaemonSet nodeSelector provided +the key does not already exist in the object’s nodeSelector. +If omitted, the calico-node DaemonSet will use its default value for nodeSelector. +WARNING: Please note that this field will modify the default calico-node DaemonSet nodeSelector. +

    + +
    + +tolerations
    + + +[]Kubernetes core/v1.Toleration + + + +
    + +(Optional) +

    +Tolerations is the calico-node pod’s tolerations. +If specified, this overrides any tolerations that may be set on the calico-node DaemonSet. +If omitted, the calico-node DaemonSet will use its default value for tolerations. +WARNING: Please note that this field will override the default calico-node DaemonSet tolerations. +

    + +
    +

    CalicoNodeDaemonSetPodTemplateSpec

    +

    + +(Appears on: +CalicoNodeDaemonSetSpec) + +

    +

    +CalicoNodeDaemonSetPodTemplateSpec is the calico-node DaemonSet’s PodTemplateSpec +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +metadata
    + + +Metadata + + + +
    + +(Optional) +

    +Metadata is a subset of a Kubernetes object’s metadata that is added to +the pod’s metadata. +

    + +
    + +spec
    + + +CalicoNodeDaemonSetPodSpec + + + +
    + +(Optional) +

    +Spec is the calico-node DaemonSet’s PodSpec. +

    +
    +
    + +
    + +
    +

    CalicoNodeDaemonSetSpec

    +

    + +(Appears on: +CalicoNodeDaemonSet) + +

    +

    +CalicoNodeDaemonSetSpec defines configuration for the calico-node DaemonSet. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +minReadySeconds
    + +int32 + + +
    + +(Optional) +

    +MinReadySeconds is the minimum number of seconds for which a newly created DaemonSet pod should +be ready without any of its container crashing, for it to be considered available. +If specified, this overrides any minReadySeconds value that may be set on the calico-node DaemonSet. +If omitted, the calico-node DaemonSet will use its default value for minReadySeconds. +

    + +
    + +template
    + + +CalicoNodeDaemonSetPodTemplateSpec + + + +
    + +(Optional) +

    +Template describes the calico-node DaemonSet pod that will be created. +

    + +
    +

    CalicoNodeWindowsDaemonSet

    +

    + +(Appears on: +InstallationSpec) + +

    +

    +CalicoNodeWindowsDaemonSet is the configuration for the calico-node-windows DaemonSet. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +metadata
    + + +Metadata + + + +
    + +(Optional) +

    +Metadata is a subset of a Kubernetes object’s metadata that is added to the DaemonSet. +

    + +
    + +spec
    + + +CalicoNodeWindowsDaemonSetSpec + + + +
    + +(Optional) +

    +Spec is the specification of the calico-node-windows DaemonSet. +

    +
    +
    + +
    + +
    +

    CalicoNodeWindowsDaemonSetContainer

    +

    + +(Appears on: +CalicoNodeWindowsDaemonSetPodSpec) + +

    +

    +CalicoNodeWindowsDaemonSetContainer is a calico-node-windows DaemonSet container. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +name
    + +string + + +
    + +

    +Name is an enum which identifies the calico-node-windows DaemonSet container by name. +

    + +
    + +resources
    + + +Kubernetes core/v1.ResourceRequirements + + + +
    + +(Optional) +

    +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named calico-node-windows DaemonSet container’s resources. +If omitted, the calico-node-windows DaemonSet will use its default value for this container’s resources. +If used in conjunction with the deprecated ComponentResources, then this value takes precedence. +

    + +
    +

    CalicoNodeWindowsDaemonSetInitContainer

    +

    + +(Appears on: +CalicoNodeWindowsDaemonSetPodSpec) + +

    +

    +CalicoNodeWindowsDaemonSetInitContainer is a calico-node-windows DaemonSet init container. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +name
    + +string + + +
    + +

    +Name is an enum which identifies the calico-node-windows DaemonSet init container by name. +

    + +
    + +resources
    + + +Kubernetes core/v1.ResourceRequirements + + + +
    + +(Optional) +

    +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named calico-node-windows DaemonSet init container’s resources. +If omitted, the calico-node-windows DaemonSet will use its default value for this container’s resources. +If used in conjunction with the deprecated ComponentResources, then this value takes precedence. +

    + +
    +

    CalicoNodeWindowsDaemonSetPodSpec

    +

    + +(Appears on: +CalicoNodeWindowsDaemonSetPodTemplateSpec) + +

    +

    +CalicoNodeWindowsDaemonSetPodSpec is the calico-node-windows DaemonSet’s PodSpec. +

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +initContainers
    + + +[]CalicoNodeWindowsDaemonSetInitContainer + + + +
    + +(Optional) +

    +InitContainers is a list of calico-node-windows init containers. +If specified, this overrides the specified calico-node-windows DaemonSet init containers. +If omitted, the calico-node-windows DaemonSet will use its default values for its init containers. +

    + +
    + +containers
    + + +[]CalicoNodeWindowsDaemonSetContainer + + + +
    + +(Optional) +

    +Containers is a list of calico-node-windows containers. +If specified, this overrides the specified calico-node-windows DaemonSet containers. +If omitted, the calico-node-windows DaemonSet will use its default values for its containers. +

    + +
    + +affinity
    + + +Kubernetes core/v1.Affinity + + + +
    + +(Optional) +

    +Affinity is a group of affinity scheduling rules for the calico-node-windows pods. +If specified, this overrides any affinity that may be set on the calico-node-windows DaemonSet. +If omitted, the calico-node-windows DaemonSet will use its default value for affinity. +WARNING: Please note that this field will override the default calico-node-windows DaemonSet affinity. +

    + +
    + +nodeSelector
    + +map[string]string + + +
    + +(Optional) +

    +NodeSelector is the calico-node-windows pod’s scheduling constraints. +If specified, each of the key/value pairs are added to the calico-node-windows DaemonSet nodeSelector provided +the key does not already exist in the object’s nodeSelector. +If omitted, the calico-node-windows DaemonSet will use its default value for nodeSelector. +WARNING: Please note that this field will modify the default calico-node-windows DaemonSet nodeSelector. +

    + +
    + +tolerations
    + + +[]Kubernetes core/v1.Toleration + + + +
    + +(Optional) +

    +Tolerations is the calico-node-windows pod’s tolerations. +If specified, this overrides any tolerations that may be set on the calico-node-windows DaemonSet. +If omitted, the calico-node-windows DaemonSet will use its default value for tolerations. +WARNING: Please note that this field will override the default calico-node-windows DaemonSet tolerations. +

    + +
    +

    CalicoNodeWindowsDaemonSetPodTemplateSpec

    +

    + +(Appears on: +CalicoNodeWindowsDaemonSetSpec) + +

    +

    +CalicoNodeWindowsDaemonSetPodTemplateSpec is the calico-node-windows DaemonSet’s PodTemplateSpec +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +metadata
    + + +Metadata + + + +
    + +(Optional) +

    +Metadata is a subset of a Kubernetes object’s metadata that is added to +the pod’s metadata. +

    + +
    + +spec
    + + +CalicoNodeWindowsDaemonSetPodSpec + + + +
    + +(Optional) +

    +Spec is the calico-node-windows DaemonSet’s PodSpec. +

    +
    +
    + +
    + +
    +

    CalicoNodeWindowsDaemonSetSpec

    +

    + +(Appears on: +CalicoNodeWindowsDaemonSet) + +

    +

    +CalicoNodeWindowsDaemonSetSpec defines configuration for the calico-node-windows DaemonSet. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +minReadySeconds
    + +int32 + + +
    + +(Optional) +

    +MinReadySeconds is the minimum number of seconds for which a newly created DaemonSet pod should +be ready without any of its container crashing, for it to be considered available. +If specified, this overrides any minReadySeconds value that may be set on the calico-node-windows DaemonSet. +If omitted, the calico-node-windows DaemonSet will use its default value for minReadySeconds. +

    + +
    + +template
    + + +CalicoNodeWindowsDaemonSetPodTemplateSpec + + + +
    + +(Optional) +

    +Template describes the calico-node-windows DaemonSet pod that will be created. +

    + +
    +

    CalicoWindowsUpgradeDaemonSet

    +

    + +(Appears on: +InstallationSpec) + +

    +

    +Deprecated. The CalicoWindowsUpgradeDaemonSet is deprecated and will be removed from the API in the future. +CalicoWindowsUpgradeDaemonSet is the configuration for the calico-windows-upgrade DaemonSet. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +metadata
    + + +Metadata + + + +
    + +(Optional) +

    +Metadata is a subset of a Kubernetes object’s metadata that is added to the Deployment. +

    + +
    + +spec
    + + +CalicoWindowsUpgradeDaemonSetSpec + + + +
    + +(Optional) +

    +Spec is the specification of the calico-windows-upgrade DaemonSet. +

    +
    +
    + +
    + +
    +

    CalicoWindowsUpgradeDaemonSetContainer

    +

    + +(Appears on: +CalicoWindowsUpgradeDaemonSetPodSpec) + +

    +

    +CalicoWindowsUpgradeDaemonSetContainer is a calico-windows-upgrade DaemonSet container. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +name
    + +string + + +
    + +

    +Name is an enum which identifies the calico-windows-upgrade DaemonSet container by name. +

    + +
    + +resources
    + + +Kubernetes core/v1.ResourceRequirements + + + +
    + +(Optional) +

    +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named calico-windows-upgrade DaemonSet container’s resources. +If omitted, the calico-windows-upgrade DaemonSet will use its default value for this container’s resources. +

    + +
    +

    CalicoWindowsUpgradeDaemonSetPodSpec

    +

    + +(Appears on: +CalicoWindowsUpgradeDaemonSetPodTemplateSpec) + +

    +

    +CalicoWindowsUpgradeDaemonSetPodSpec is the calico-windows-upgrade DaemonSet’s PodSpec. +

    + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +containers
    + + +[]CalicoWindowsUpgradeDaemonSetContainer + + + +
    + +(Optional) +

    +Containers is a list of calico-windows-upgrade containers. +If specified, this overrides the specified calico-windows-upgrade DaemonSet containers. +If omitted, the calico-windows-upgrade DaemonSet will use its default values for its containers. +

    + +
    + +affinity
    + + +Kubernetes core/v1.Affinity + + + +
    + +(Optional) +

    +Affinity is a group of affinity scheduling rules for the calico-windows-upgrade pods. +If specified, this overrides any affinity that may be set on the calico-windows-upgrade DaemonSet. +If omitted, the calico-windows-upgrade DaemonSet will use its default value for affinity. +WARNING: Please note that this field will override the default calico-windows-upgrade DaemonSet affinity. +

    + +
    + +nodeSelector
    + +map[string]string + + +
    + +(Optional) +

    +NodeSelector is the calico-windows-upgrade pod’s scheduling constraints. +If specified, each of the key/value pairs are added to the calico-windows-upgrade DaemonSet nodeSelector provided +the key does not already exist in the object’s nodeSelector. +If omitted, the calico-windows-upgrade DaemonSet will use its default value for nodeSelector. +WARNING: Please note that this field will modify the default calico-windows-upgrade DaemonSet nodeSelector. +

    + +
    + +tolerations
    + + +[]Kubernetes core/v1.Toleration + + + +
    + +(Optional) +

    +Tolerations is the calico-windows-upgrade pod’s tolerations. +If specified, this overrides any tolerations that may be set on the calico-windows-upgrade DaemonSet. +If omitted, the calico-windows-upgrade DaemonSet will use its default value for tolerations. +WARNING: Please note that this field will override the default calico-windows-upgrade DaemonSet tolerations. +

    + +
    +

    CalicoWindowsUpgradeDaemonSetPodTemplateSpec

    +

    + +(Appears on: +CalicoWindowsUpgradeDaemonSetSpec) + +

    +

    +CalicoWindowsUpgradeDaemonSetPodTemplateSpec is the calico-windows-upgrade DaemonSet’s PodTemplateSpec +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +metadata
    + + +Metadata + + + +
    + +(Optional) +

    +Metadata is a subset of a Kubernetes object’s metadata that is added to +the pod’s metadata. +

    + +
    + +spec
    + + +CalicoWindowsUpgradeDaemonSetPodSpec + + + +
    + +(Optional) +

    +Spec is the calico-windows-upgrade DaemonSet’s PodSpec. +

    +
    +
    + +
    + +
    +

    CalicoWindowsUpgradeDaemonSetSpec

    +

    + +(Appears on: +CalicoWindowsUpgradeDaemonSet) + +

    +

    +CalicoWindowsUpgradeDaemonSetSpec defines configuration for the calico-windows-upgrade DaemonSet. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +minReadySeconds
    + +int32 + + +
    + +(Optional) +

    +MinReadySeconds is the minimum number of seconds for which a newly created Deployment pod should +be ready without any of its container crashing, for it to be considered available. +If specified, this overrides any minReadySeconds value that may be set on the calico-windows-upgrade DaemonSet. +If omitted, the calico-windows-upgrade DaemonSet will use its default value for minReadySeconds. +

    + +
    + +template
    + + +CalicoWindowsUpgradeDaemonSetPodTemplateSpec + + + +
    + +(Optional) +

    +Template describes the calico-windows-upgrade DaemonSet pod that will be created. +

    + +
    +
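
Review bot: in CalicoWindowsUpgradeDaemonSetSpec the minReadySeconds text reads "a newly created Deployment pod", and in CalicoWindowsUpgradeDaemonSet the metadata text reads "added to the Deployment", but both types configure a DaemonSet. The CalicoNodeWindowsDaemonSetSpec entry above says "DaemonSet pod"; use the same wording here. While touching that sentence, "without any of its container crashing" should read "containers" in both minReadySeconds descriptions.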

    CertificateManagement

    +

    + +(Appears on: +InstallationSpec) + +

    +

    +CertificateManagement configures pods to submit a CertificateSigningRequest to the certificates.k8s.io/v1beta1 API in order +to obtain TLS certificates. This feature requires that you bring your own CSR signing and approval process, otherwise +pods will be stuck during initialization. +

    + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +caCert
    + +[]byte + + +
    + +

    +Certificate of the authority that signs the CertificateSigningRequests in PEM format. +

    + +
    + +signerName
    + +string + + +
    + +

    +When a CSR is issued to the certificates.k8s.io API, the signerName is added to the request in order to accommodate for clusters +with multiple signers. +Must be formatted as: <my-domain>/<my-signername>. +

    + +
    + +keyAlgorithm
    + +string + + +
    + +(Optional) +

    +Specify the algorithm used by pods to generate a key pair that is associated with the X.509 certificate request. +Default: RSAWithSize2048 +

    + +
    + +signatureAlgorithm
    + +string + + +
    + +(Optional) +

    +Specify the algorithm used for the signature of the X.509 certificate request. +Default: SHA256WithRSA +

    + +
    +
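
Review bot: the CertificateManagement description pins the CSR API to "certificates.k8s.io/v1beta1", while the signerName text says only "the certificates.k8s.io API". The v1beta1 version of that API was removed in Kubernetes 1.22, so name the version the pods actually use and keep the two descriptions consistent. keyAlgorithm and signatureAlgorithm each give only a default (RSAWithSize2048, SHA256WithRSA) with no list of accepted values, so a reader cannot tell which stronger options are available; list them. caCert and signerName carry no "(Optional)" marker; if that means they are required, say so, since the description warns that pods will be stuck during initialization without a working signing and approval process.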

    CollectProcessPathOption +(string alias)

    +

    + +(Appears on: +LogCollectorSpec) + +

    +

    CommonPrometheusFields

    +

    + +(Appears on: +PrometheusSpec) + +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +containers
    + + +[]PrometheusContainer + + + +
    + +(Optional) +

    +Containers is a list of Prometheus containers. +If specified, this overrides the specified Prometheus Deployment containers. +If omitted, the Prometheus Deployment will use its default values for its containers. +

    + +
    + +resources
    + + +Kubernetes core/v1.ResourceRequirements + + + +
    + +

    +Define resources requests and limits for single Pods. +

    + +
    +
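
Review bot: CommonPrometheusFields has no type description, and its resources field ("Define resources requests and limits for single Pods.") has no "(Optional)" marker and does not say how it relates to the containers field added in the same table. State which of the two takes precedence and what the default is, in the same "If specified / If omitted" form the other resources fields in this patch use. CollectProcessPathOption just above is listed as a string alias with no description or accepted values.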

    ComplianceBenchmarkerDaemonSet

    +

    + +(Appears on: +ComplianceSpec) + +

    +

    +ComplianceBenchmarkerDaemonSet is the configuration for the Compliance Benchmarker DaemonSet. +

    + + + + + + + + + + + + + +
    FieldDescription
    + +spec
    + + +ComplianceBenchmarkerDaemonSetSpec + + + +
    + +(Optional) +

    +Spec is the specification of the Compliance Benchmarker DaemonSet. +

    +
    +
    + +
    + +
    +

    ComplianceBenchmarkerDaemonSetContainer

    +

    + +(Appears on: +ComplianceBenchmarkerDaemonSetPodSpec) + +

    +

    +ComplianceBenchmarkerDaemonSetContainer is a Compliance Benchmarker DaemonSet container. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +name
    + +string + + +
    + +

    +Name is an enum which identifies the Compliance Benchmarker DaemonSet container by name. +

    + +
    + +resources
    + + +Kubernetes core/v1.ResourceRequirements + + + +
    + +(Optional) +

    +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named Compliance Benchmarker DaemonSet container’s resources. +If omitted, the Compliance Benchmarker DaemonSet will use its default value for this container’s resources. +

    + +
    +

    ComplianceBenchmarkerDaemonSetInitContainer

    +

    + +(Appears on: +ComplianceBenchmarkerDaemonSetPodSpec) + +

    +

    +ComplianceBenchmarkerDaemonSetInitContainer is a Compliance Benchmarker DaemonSet init container. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +name
    + +string + + +
    + +

    +Name is an enum which identifies the Compliance Benchmarker DaemonSet init container by name. +

    + +
    + +resources
    + + +Kubernetes core/v1.ResourceRequirements + + + +
    + +(Optional) +

    +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named Compliance Benchmarker DaemonSet init container’s resources. +If omitted, the Compliance Benchmarker DaemonSet will use its default value for this init container’s resources. +

    + +
    +

    ComplianceBenchmarkerDaemonSetPodSpec

    +

    + +(Appears on: +ComplianceBenchmarkerDaemonSetPodTemplateSpec) + +

    +

    +ComplianceBenchmarkerDaemonSetPodSpec is the Compliance Benchmarker DaemonSet’s PodSpec. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +initContainers
    + + +[]ComplianceBenchmarkerDaemonSetInitContainer + + + +
    + +(Optional) +

    +InitContainers is a list of Compliance benchmark init containers. +If specified, this overrides the specified Compliance Benchmarker DaemonSet init containers. +If omitted, the Compliance Benchmarker DaemonSet will use its default values for its init containers. +

    + +
    + +containers
    + + +[]ComplianceBenchmarkerDaemonSetContainer + + + +
    + +(Optional) +

    +Containers is a list of Compliance benchmark containers. +If specified, this overrides the specified Compliance Benchmarker DaemonSet containers. +If omitted, the Compliance Benchmarker DaemonSet will use its default values for its containers. +

    + +
    +

    ComplianceBenchmarkerDaemonSetPodTemplateSpec

    +

    + +(Appears on: +ComplianceBenchmarkerDaemonSetSpec) + +

    +

    +ComplianceBenchmarkerDaemonSetPodTemplateSpec is the Compliance Benchmarker DaemonSet’s PodTemplateSpec +

    + + + + + + + + + + + + + +
    FieldDescription
    + +spec
    + + +ComplianceBenchmarkerDaemonSetPodSpec + + + +
    + +(Optional) +

    +Spec is the Compliance Benchmarker DaemonSet’s PodSpec. +

    +
    +
    + +
    + +
    +

    ComplianceBenchmarkerDaemonSetSpec

    +

    + +(Appears on: +ComplianceBenchmarkerDaemonSet) + +

    +

    +ComplianceBenchmarkerDaemonSetSpec defines configuration for the Compliance Benchmarker DaemonSet. +

    + + + + + + + + + + + + + +
    FieldDescription
    + +template
    + + +ComplianceBenchmarkerDaemonSetPodTemplateSpec + + + +
    + +(Optional) +

    +Template describes the Compliance Benchmarker DaemonSet pod that will be created. +

    + +
    +

    ComplianceControllerDeployment

    +

    + +(Appears on: +ComplianceSpec) + +

    +

    +ComplianceControllerDeployment is the configuration for the compliance controller Deployment. +

    + + + + + + + + + + + + + +
    FieldDescription
    + +spec
    + + +ComplianceControllerDeploymentSpec + + + +
    + +(Optional) +

    +Spec is the specification of the compliance controller Deployment. +

    +
    +
    + +
    + +
    +

    ComplianceControllerDeploymentContainer

    +

    + +(Appears on: +ComplianceControllerDeploymentPodSpec) + +

    +

    +ComplianceControllerDeploymentContainer is a compliance controller Deployment container. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +name
    + +string + + +
    + +

    +Name is an enum which identifies the compliance controller Deployment container by name. +

    + +
    + +resources
    + + +Kubernetes core/v1.ResourceRequirements + + + +
    + +(Optional) +

    +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named compliance controller Deployment container’s resources. +If omitted, the compliance controller Deployment will use its default value for this container’s resources. +

    + +
    +

    ComplianceControllerDeploymentInitContainer

    +

    + +(Appears on: +ComplianceControllerDeploymentPodSpec) + +

    +

    +ComplianceControllerDeploymentInitContainer is a compliance controller Deployment init container. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +name
    + +string + + +
    + +

    +Name is an enum which identifies the compliance controller Deployment init container by name. +

    + +
    + +resources
    + + +Kubernetes core/v1.ResourceRequirements + + + +
    + +(Optional) +

    +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named compliance controller Deployment init container’s resources. +If omitted, the compliance controller Deployment will use its default value for this init container’s resources. +

    + +
    +

    ComplianceControllerDeploymentPodSpec

    +

    + +(Appears on: +ComplianceControllerDeploymentPodTemplateSpec) + +

    +

    +ComplianceControllerDeploymentPodSpec is the compliance controller Deployment’s PodSpec. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +initContainers
    + + +[]ComplianceControllerDeploymentInitContainer + + + +
    + +(Optional) +

    +InitContainers is a list of compliance controller init containers. +If specified, this overrides the specified compliance controller Deployment init containers. +If omitted, the compliance controller Deployment will use its default values for its init containers. +

    + +
    + +containers
    + + +[]ComplianceControllerDeploymentContainer + + + +
    + +(Optional) +

    +Containers is a list of compliance controller containers. +If specified, this overrides the specified compliance controller Deployment containers. +If omitted, the compliance controller Deployment will use its default values for its containers. +

    + +
    +

    ComplianceControllerDeploymentPodTemplateSpec

    +

    + +(Appears on: +ComplianceControllerDeploymentSpec) + +

    +

    +ComplianceControllerDeploymentPodTemplateSpec is the compliance controller Deployment’s PodTemplateSpec +

    + + + + + + + + + + + + + +
    FieldDescription
    + +spec
    + + +ComplianceControllerDeploymentPodSpec + + + +
    + +(Optional) +

    +Spec is the compliance controller Deployment’s PodSpec. +

    +
    +
    + +
    + +
    +

    ComplianceControllerDeploymentSpec

    +

    + +(Appears on: +ComplianceControllerDeployment) + +

    +

    +ComplianceControllerDeploymentSpec defines configuration for the compliance controller Deployment. +

    + + + + + + + + + + + + + +
    FieldDescription
    + +template
    + + +ComplianceControllerDeploymentPodTemplateSpec + + + +
    + +(Optional) +

    +Template describes the compliance controller Deployment pod that will be created. +

    + +
    +

    ComplianceReporterPodSpec

    +

    + +(Appears on: +ComplianceReporterPodTemplateSpec) + +

    +

    +ComplianceReporterPodSpec is the ComplianceReporter PodSpec. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +initContainers
    + + +[]ComplianceReporterPodTemplateInitContainer + + + +
    + +(Optional) +

    +InitContainers is a list of ComplianceReporter PodSpec init containers. +If specified, this overrides the specified ComplianceReporter PodSpec init containers. +If omitted, the ComplianceServer Deployment will use its default values for its init containers. +

    + +
    + +containers
    + + +[]ComplianceReporterPodTemplateContainer + + + +
    + +(Optional) +

    +Containers is a list of ComplianceServer containers. +If specified, this overrides the specified ComplianceReporter PodSpec containers. +If omitted, the ComplianceServer Deployment will use its default values for its containers. +

    + +
    +

    ComplianceReporterPodTemplate

    +

    + +(Appears on: +ComplianceSpec) + +

    +

    +ComplianceReporterPodTemplate is the configuration for the ComplianceReporter PodTemplate. +

    + + + + + + + + + + + + + +
    FieldDescription
    + +template
    + + +ComplianceReporterPodTemplateSpec + + + +
    + +(Optional) +

    +Spec is the specification of the ComplianceReporter PodTemplateSpec. +

    + +
    +

    ComplianceReporterPodTemplateContainer

    +

    + +(Appears on: +ComplianceReporterPodSpec) + +

    +

    +ComplianceReporterPodTemplateContainer is a ComplianceServer Deployment container. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +name
    + +string + + +
    + +

    +Name is an enum which identifies the ComplianceServer Deployment container by name. +

    + +
    + +resources
    + + +Kubernetes core/v1.ResourceRequirements + + + +
    + +(Optional) +

    +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named ComplianceServer Deployment container’s resources. +If omitted, the ComplianceServer Deployment will use its default value for this container’s resources. +

    + +
    +

    ComplianceReporterPodTemplateInitContainer

    +

    + +(Appears on: +ComplianceReporterPodSpec) + +

    +

    +ComplianceReporterPodTemplateInitContainer is a ComplianceServer Deployment init container. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +name
    + +string + + +
    + +

    +Name is an enum which identifies the ComplianceReporter PodSpec init container by name. +

    + +
    + +resources
    + + +Kubernetes core/v1.ResourceRequirements + + + +
    + +(Optional) +

    +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named ComplianceReporter PodSpec init container’s resources. +If omitted, the ComplianceServer Deployment will use its default value for this init container’s resources. +

    + +
    +

    ComplianceReporterPodTemplateSpec

    +

    + +(Appears on: +ComplianceReporterPodTemplate) + +

    +

    +ComplianceReporterPodTemplateSpec is the ComplianceReporter PodTemplateSpec. +

    + + + + + + + + + + + + + +
    FieldDescription
    + +spec
    + + +ComplianceReporterPodSpec + + + +
    + +(Optional) +

    +Spec is the ComplianceReporter PodTemplate’s PodSpec. +

    +
    +
    + +
    + +
    +
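
Review bot: the ComplianceReporter types describe the wrong component in several places. ComplianceReporterPodSpec says "Containers is a list of ComplianceServer containers" and falls back to "the ComplianceServer Deployment" defaults, and ComplianceReporterPodTemplateContainer and ComplianceReporterPodTemplateInitContainer are each described as a "ComplianceServer Deployment" container. These read as copied from the ComplianceServerDeployment types that follow; name the ComplianceReporter PodTemplate throughout so a reader setting limits knows which workload is affected. In ComplianceReporterPodTemplate the field is named template but its description starts "Spec is the specification"; it should start "Template".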

    ComplianceServerDeployment

    +

    + +(Appears on: +ComplianceSpec) + +

    +

    +ComplianceServerDeployment is the configuration for the ComplianceServer Deployment. +

    + + + + + + + + + + + + + +
    FieldDescription
    + +spec
    + + +ComplianceServerDeploymentSpec + + + +
    + +(Optional) +

    +Spec is the specification of the ComplianceServer Deployment. +

    +
    +
    + +
    + +
    +

    ComplianceServerDeploymentContainer

    +

    + +(Appears on: +ComplianceServerDeploymentPodSpec) + +

    +

    +ComplianceServerDeploymentContainer is a ComplianceServer Deployment container. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +name
    + +string + + +
    + +

    +Name is an enum which identifies the ComplianceServer Deployment container by name. +

    + +
    + +resources
    + + +Kubernetes core/v1.ResourceRequirements + + + +
    + +(Optional) +

    +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named ComplianceServer Deployment container’s resources. +If omitted, the ComplianceServer Deployment will use its default value for this container’s resources. +

    + +
    +

    ComplianceServerDeploymentInitContainer

    +

    + +(Appears on: +ComplianceServerDeploymentPodSpec) + +

    +

    +ComplianceServerDeploymentInitContainer is a ComplianceServer Deployment init container. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +name
    + +string + + +
    + +

    +Name is an enum which identifies the ComplianceServer Deployment init container by name. +

    + +
    + +resources
    + + +Kubernetes core/v1.ResourceRequirements + + + +
    + +(Optional) +

    +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named ComplianceServer Deployment init container’s resources. +If omitted, the ComplianceServer Deployment will use its default value for this init container’s resources. +

    + +
    +

    ComplianceServerDeploymentPodSpec

    +

    + +(Appears on: +ComplianceServerDeploymentPodTemplateSpec) + +

    +

    +ComplianceServerDeploymentPodSpec is the ComplianceServer Deployment’s PodSpec. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +initContainers
    + + +[]ComplianceServerDeploymentInitContainer + + + +
    + +(Optional) +

    +InitContainers is a list of ComplianceServer init containers. +If specified, this overrides the specified ComplianceServer Deployment init containers. +If omitted, the ComplianceServer Deployment will use its default values for its init containers. +

    + +
    + +containers
    + + +[]ComplianceServerDeploymentContainer + + + +
    + +(Optional) +

    +Containers is a list of ComplianceServer containers. +If specified, this overrides the specified ComplianceServer Deployment containers. +If omitted, the ComplianceServer Deployment will use its default values for its containers. +

    + +
    +

    ComplianceServerDeploymentPodTemplateSpec

    +

    + +(Appears on: +ComplianceServerDeploymentSpec) + +

    +

    +ComplianceServerDeploymentPodTemplateSpec is the ComplianceServer Deployment’s PodTemplateSpec +

    + + + + + + + + + + + + + +
    FieldDescription
    + +spec
    + + +ComplianceServerDeploymentPodSpec + + + +
    + +(Optional) +

    +Spec is the ComplianceServer Deployment’s PodSpec. +

    +
    +
    + +
    + +
    +

    ComplianceServerDeploymentSpec

    +

    + +(Appears on: +ComplianceServerDeployment) + +

    +

    +ComplianceServerDeploymentSpec defines configuration for the ComplianceServer Deployment. +

    + + + + + + + + + + + + + +
    FieldDescription
    + +template
    + + +ComplianceServerDeploymentPodTemplateSpec + + + +
    + +(Optional) +

    +Template describes the ComplianceServer Deployment pod that will be created. +

    + +
    +

    ComplianceSnapshotterDeployment

    +

    + +(Appears on: +ComplianceSpec) + +

    +

    +ComplianceSnapshotterDeployment is the configuration for the compliance snapshotter Deployment. +

    + + + + + + + + + + + + + +
    FieldDescription
    + +spec
    + + +ComplianceSnapshotterDeploymentSpec + + + +
    + +(Optional) +

    +Spec is the specification of the compliance snapshotter Deployment. +

    +
    +
    + +
    + +
    +

    ComplianceSnapshotterDeploymentContainer

    +

    + +(Appears on: +ComplianceSnapshotterDeploymentPodSpec) + +

    +

    +ComplianceSnapshotterDeploymentContainer is a compliance snapshotter Deployment container. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +name
    + +string + + +
    + +

    +Name is an enum which identifies the compliance snapshotter Deployment container by name. +

    + +
    + +resources
    + + +Kubernetes core/v1.ResourceRequirements + + + +
    + +(Optional) +

    +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named compliance snapshotter Deployment container’s resources. +If omitted, the compliance snapshotter Deployment will use its default value for this container’s resources. +

    + +
    +

    ComplianceSnapshotterDeploymentInitContainer

    +

    + +(Appears on: +ComplianceSnapshotterDeploymentPodSpec) + +

    +

    +ComplianceSnapshotterDeploymentInitContainer is a compliance snapshotter Deployment init container. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +name
    + +string + + +
    + +

    +Name is an enum which identifies the compliance snapshotter Deployment init container by name. +

    + +
    + +resources
    + + +Kubernetes core/v1.ResourceRequirements + + + +
    + +(Optional) +

    +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named compliance snapshotter Deployment init container’s resources. +If omitted, the compliance snapshotter Deployment will use its default value for this init container’s resources. +

    + +
    +

    ComplianceSnapshotterDeploymentPodSpec

    +

    + +(Appears on: +ComplianceSnapshotterDeploymentPodTemplateSpec) + +

    +

    +ComplianceSnapshotterDeploymentPodSpec is the compliance snapshotter Deployment’s PodSpec. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +initContainers
    + + +[]ComplianceSnapshotterDeploymentInitContainer + + + +
    + +(Optional) +

    +InitContainers is a list of compliance snapshotter init containers. +If specified, this overrides the specified compliance snapshotter Deployment init containers. +If omitted, the compliance snapshotter Deployment will use its default values for its init containers. +

    + +
    + +containers
    + + +[]ComplianceSnapshotterDeploymentContainer + + + +
    + +(Optional) +

    +Containers is a list of compliance snapshotter containers. +If specified, this overrides the specified compliance snapshotter Deployment containers. +If omitted, the compliance snapshotter Deployment will use its default values for its containers. +

    + +
    +

    ComplianceSnapshotterDeploymentPodTemplateSpec

    +

    + +(Appears on: +ComplianceSnapshotterDeploymentSpec) + +

    +

    +ComplianceSnapshotterDeploymentPodTemplateSpec is the compliance snapshotter Deployment’s PodTemplateSpec +

    + + + + + + + + + + + + + +
    FieldDescription
    + +spec
    + + +ComplianceSnapshotterDeploymentPodSpec + + + +
    + +(Optional) +

    +Spec is the compliance snapshotter Deployment’s PodSpec. +

    +
    +
    + +
    + +
    +

    ComplianceSnapshotterDeploymentSpec

    +

    + +(Appears on: +ComplianceSnapshotterDeployment) + +

    +

    +ComplianceSnapshotterDeploymentSpec defines configuration for the compliance snapshotter Deployment. +

    + + + + + + + + + + + + + +
    FieldDescription
    + +template
    + + +ComplianceSnapshotterDeploymentPodTemplateSpec + + + +
    + +(Optional) +

    +Template describes the compliance snapshotter Deployment pod that will be created. +

    + +
    +

    ComplianceSpec

    +

    + +(Appears on: +Compliance) + +

    +

    +ComplianceSpec defines the desired state of Tigera compliance reporting capabilities. +

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +complianceControllerDeployment
    + + +ComplianceControllerDeployment + + + +
    + +(Optional) +

    +ComplianceControllerDeployment configures the Compliance Controller Deployment. +

    + +
    + +complianceSnapshotterDeployment
    + + +ComplianceSnapshotterDeployment + + + +
    + +(Optional) +

    +ComplianceSnapshotterDeployment configures the Compliance Snapshotter Deployment. +

    + +
    + +complianceBenchmarkerDaemonSet
    + + +ComplianceBenchmarkerDaemonSet + + + +
    + +(Optional) +

    +ComplianceBenchmarkerDaemonSet configures the Compliance Benchmarker DaemonSet. +

    + +
    + +complianceServerDeployment
    + + +ComplianceServerDeployment + + + +
    + +(Optional) +

    +ComplianceServerDeployment configures the Compliance Server Deployment. +

    + +
    + +complianceReporterPodTemplate
    + + +ComplianceReporterPodTemplate + + + +
    + +(Optional) +

    +ComplianceReporterPodTemplate configures the Compliance Reporter PodTemplate. +

    + +
    +

    ComplianceStatus

    +

    + +(Appears on: +Compliance) + +

    +

    +ComplianceStatus defines the observed state of Tigera compliance reporting capabilities. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +state
    + +string + + +
    + +

    +State provides user-readable status. +

    + +
    + +conditions
    + + +[]Kubernetes meta/v1.Condition + + + +
    + +(Optional) +

    +Conditions represents the latest observed set of conditions for the component. A component may be one or more of +Ready, Progressing, Degraded or other customer types. +

    + +
    +
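
Review bot: in ComplianceStatus the conditions description ends "Ready, Progressing, Degraded or other customer types"; "customer" looks like a typo for "custom". The state field says only "State provides user-readable status." and gives no indication of the values a reader should expect; if there is a fixed set, list it.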

    ComponentName +(string alias)

    +

    + +(Appears on: +ComponentResource) + +

    +

    +ComponentName represents a single component. +

    +

    +One of: Node, Typha, KubeControllers +

    +

    ComponentResource

    +

    + +(Appears on: +InstallationSpec) + +

    +

    +Deprecated. Please use component resource config fields in Installation.Spec instead. +The ComponentResource struct associates a ResourceRequirements with a component by name +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +componentName
    + + +ComponentName + + + +
    + +

    +ComponentName is an enum which identifies the component +

    + +
    + +resourceRequirements
    + + +Kubernetes core/v1.ResourceRequirements + + + +
    + +

    +ResourceRequirements allows customization of limits and requests for compute resources such as cpu and memory. +

    + +
    +

    ConditionStatus +(string alias)

    +

    + +(Appears on: +TigeraStatusCondition) + +

    +

    +ConditionStatus represents the status of a particular condition. A condition may be one of: True, False, Unknown. +

    +

    ContainerIPForwardingType +(string alias)

    +

    + +(Appears on: +CalicoNetworkSpec) + +

    +

    +ContainerIPForwardingType specifies whether the CNI config for container ip forwarding is enabled. +

    +

    DashboardsJob

    +

    + +(Appears on: +TenantSpec) + +

    +

    +DashboardsJob is the configuration for the Dashboards job. +

    + + + + + + + + + + + + + +
    FieldDescription
    + +spec
    + + +DashboardsJobSpec + + + +
    + +(Optional) +

    +Spec is the specification of the dashboards job. +

    +
    +
    + +
    + +
    +

    DashboardsJobContainer

    +

    + +(Appears on: +DashboardsJobPodSpec) + +

    +

    +DashboardsJobContainer is the Dashboards job container. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +name
    + +string + + +
    + +

    +Name is an enum which identifies the Dashboard Job container by name. +

    + +
    + +resources
    + + +Kubernetes core/v1.ResourceRequirements + + + +
    + +(Optional) +

    +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named Dashboard Job container’s resources. +If omitted, the Dashboard Job will use its default value for this container’s resources. +

    + +
    +

    DashboardsJobPodSpec

    +

    + +(Appears on: +DashboardsJobPodTemplateSpec) + +

    +

    +DashboardsJobPodSpec is the Dashboards job’s PodSpec. +

    + + + + + + + + + + + + + +
    FieldDescription
    + +containers
    + + +[]DashboardsJobContainer + + + +
    + +(Optional) +

    +Containers is a list of dashboards job containers. +If specified, this overrides the specified Dashboard job containers. +If omitted, the Dashboard job will use its default values for its containers. +

    + +
    +

    DashboardsJobPodTemplateSpec

    +

    + +(Appears on: +DashboardsJobSpec) + +

    +

    +DashboardsJobPodTemplateSpec is the Dashboards job’s PodTemplateSpec +

    + + + + + + + + + + + + + +
    FieldDescription
    + +spec
    + + +DashboardsJobPodSpec + + + +
    + +(Optional) +

    +Spec is the Dashboard job’s PodSpec. +

    +
    +
    + +
    + +
    +

    DashboardsJobSpec

    +

    + +(Appears on: +DashboardsJob) + +

    +

    +DashboardsJobSpec defines configuration for the Dashboards job. +

    + + + + + + + + + + + + + +
    FieldDescription
    + +template
    + + +DashboardsJobPodTemplateSpec + + + +
    + +(Optional) +

    +Template describes the Dashboards job pod that will be created. +

    + +
    +

    DataType +(string alias)

    +

    + +(Appears on: +Index) + +

    +

    +DataType represent the type of data stored +

    +

    DexDeployment

    +

    + +(Appears on: +AuthenticationSpec) + +

    +

    +DexDeployment is the configuration for the Dex Deployment. +

    + + + + + + + + + + + + + +
    FieldDescription
    + +spec
    + + +DexDeploymentSpec + + + +
    + +(Optional) +

    +Spec is the specification of the Dex Deployment. +

    +
    +
    + +
    + +
    +

    DexDeploymentContainer

    +

    + +(Appears on: +DexDeploymentPodSpec) + +

    +

    +DexDeploymentContainer is a Dex Deployment container. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +name
    + +string + + +
    + +

    +Name is an enum which identifies the Dex Deployment container by name. +

    + +
    + +resources
    + + +Kubernetes core/v1.ResourceRequirements + + + +
    + +(Optional) +

    +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named Dex Deployment container’s resources. +If omitted, the Dex Deployment will use its default value for this container’s resources. +

    + +
    +

    DexDeploymentInitContainer

    +

    + +(Appears on: +DexDeploymentPodSpec) + +

    +

    +DexDeploymentInitContainer is a Dex Deployment init container. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +name
    + +string + + +
    + +

    +Name is an enum which identifies the Dex Deployment init container by name. +

    + +
    + +resources
    + + +Kubernetes core/v1.ResourceRequirements + + + +
    + +(Optional) +

    +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named Dex Deployment init container’s resources. +If omitted, the Dex Deployment will use its default value for this init container’s resources. +

    + +
    +

    DexDeploymentPodSpec

    +

    + +(Appears on: +DexDeploymentPodTemplateSpec) + +

    +

    +DexDeploymentPodSpec is the Dex Deployment’s PodSpec. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +initContainers
    + + +[]DexDeploymentInitContainer + + + +
    + +(Optional) +

    +InitContainers is a list of Dex init containers. +If specified, this overrides the specified Dex Deployment init containers. +If omitted, the Dex Deployment will use its default values for its init containers. +

    + +
    + +containers
    + + +[]DexDeploymentContainer + + + +
    + +(Optional) +

    +Containers is a list of Dex containers. +If specified, this overrides the specified Dex Deployment containers. +If omitted, the Dex Deployment will use its default values for its containers. +

    + +
    +

    DexDeploymentPodTemplateSpec

    +

    + +(Appears on: +DexDeploymentSpec) + +

    +

    +DexDeploymentPodTemplateSpec is the Dex Deployment’s PodTemplateSpec +

    + + + + + + + + + + + + + +
    FieldDescription
    + +spec
    + + +DexDeploymentPodSpec + + + +
    + +(Optional) +

    +Spec is the Dex Deployment’s PodSpec. +

    +
    +
    + +
    + +
    +

    DexDeploymentSpec

    +

    + +(Appears on: +DexDeployment) + +

    +

    +DexDeploymentSpec defines configuration for the Dex Deployment. +

    + + + + + + + + + + + + + +
    FieldDescription
    + +template
    + + +DexDeploymentPodTemplateSpec + + + +
    + +(Optional) +

    +Template describes the Dex Deployment pod that will be created. +

    + +
    +

    ECKOperatorStatefulSet

    +

    + +(Appears on: +LogStorageSpec) + +

    +

    +ECKOperatorStatefulSet is the configuration for the ECKOperator StatefulSet. +

    + + + + + + + + + + + + + +
    FieldDescription
    + +spec
    + + +ECKOperatorStatefulSetSpec + + + +
    + +(Optional) +

    +Spec is the specification of the ECKOperator StatefulSet. +

    +
    +
    + +
    + +
    +

    ECKOperatorStatefulSetContainer

    +

    + +(Appears on: +ECKOperatorStatefulSetPodSpec) + +

    +

    +ECKOperatorStatefulSetContainer is a ECKOperator StatefulSet container. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +name
    + +string + + +
    + +

    +Name is an enum which identifies the ECKOperator StatefulSet container by name. +

    + +
    + +resources
    - -[]APIServerDeploymentInitContainer + +Kubernetes core/v1.ResourceRequirements + + + +
    + +(Optional) +

    +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named ECKOperator StatefulSet container’s resources. +If omitted, the ECKOperator StatefulSet will use its default value for this container’s resources. +

    + +
    +

    ECKOperatorStatefulSetInitContainer

    +

    + +(Appears on: +ECKOperatorStatefulSetPodSpec) + +

    +

    +ECKOperatorStatefulSetInitContainer is a ECKOperator StatefulSet init container. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +name
    + +string + + +
    + +

    +Name is an enum which identifies the ECKOperator StatefulSet init container by name. +

    + +
    + +resources
    + + +Kubernetes core/v1.ResourceRequirements + + + +
    + +(Optional) +

    +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named ECKOperator StatefulSet init container’s resources. +If omitted, the ECKOperator StatefulSet will use its default value for this init container’s resources. +

    + +
    +

    ECKOperatorStatefulSetPodSpec

    +

    + +(Appears on: +ECKOperatorStatefulSetPodTemplateSpec) + +

    +

    +ECKOperatorStatefulSetPodSpec is the ECKOperator StatefulSet’s PodSpec. +

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +initContainers
    + + +[]ECKOperatorStatefulSetInitContainer + + + +
    + +(Optional) +

    +InitContainers is a list of ECKOperator StatefulSet init containers. +If specified, this overrides the specified ECKOperator StatefulSet init containers. +If omitted, the ECKOperator StatefulSet will use its default values for its init containers. +

    + +
    + +containers
    + + +[]ECKOperatorStatefulSetContainer + + + +
    + +(Optional) +

    +Containers is a list of ECKOperator StatefulSet containers. +If specified, this overrides the specified ECKOperator StatefulSet containers. +If omitted, the ECKOperator StatefulSet will use its default values for its containers. +

    + +
    +

    ECKOperatorStatefulSetPodTemplateSpec

    +

    + +(Appears on: +ECKOperatorStatefulSetSpec) + +

    +

    +ECKOperatorStatefulSetPodTemplateSpec is the ECKOperator StatefulSet’s PodTemplateSpec +

    + + + + + + + + + + + + + +
    FieldDescription
    + +spec
    + + +ECKOperatorStatefulSetPodSpec + + + +
    + +(Optional) +

    +Spec is the ECKOperator StatefulSet’s PodSpec. +

    +
    +
    + +
    + +
    +

    ECKOperatorStatefulSetSpec

    +

    + +(Appears on: +ECKOperatorStatefulSet) + +

    +

    +ECKOperatorStatefulSetSpec defines configuration for the ECKOperator StatefulSet. +

    + + + + + + + + + + + + + +
    FieldDescription
    + +template
    + + +ECKOperatorStatefulSetPodTemplateSpec + + + +
    + +(Optional) +

    +Template describes the ECKOperator StatefulSet pod that will be created. +

    + +
    +

    EGWDeploymentContainer

    +

    + +(Appears on: +EgressGatewayDeploymentPodSpec) + +

    +

    +EGWDeploymentContainer is a Egress Gateway Deployment container. +

    + + + + + + + + + + + + + + - + + +
    FieldDescription
    + +name
    + +string + + +
    + +

    +Name is an enum which identifies the EGW Deployment container by name. +

    + +
    + +resources
    + + +Kubernetes core/v1.ResourceRequirements
    + + +(Optional) +

    +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named EGW Deployment container’s resources. +If omitted, the EGW Deployment will use its default value for this container’s resources. +If used in conjunction with the deprecated ComponentResources, then this value takes precedence. +

    + +
    +

    EGWDeploymentInitContainer

    +

    -(Optional) +(Appears on: +EgressGatewayDeploymentPodSpec) + +

    -InitContainers is a list of API server init containers. -If specified, this overrides the specified API server Deployment init containers. -If omitted, the API server Deployment will use its default values for its init containers. +EGWDeploymentInitContainer is a Egress Gateway Deployment init container.
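Review bot: The `name` field on DashboardsJobContainer, DexDeploymentContainer, DexDeploymentInitContainer, ECKOperatorStatefulSetContainer, ECKOperatorStatefulSetInitContainer and EGWDeploymentContainer is described as "an enum which identifies the ... container by name", but its type is rendered as plain `string` and none of these tables list the permitted values. Someone setting `resources` cannot tell which container names are accepted, or what happens to an entry whose name matches nothing; please list the valid names for each component or link to them. Smaller wording points in the same hunk: "a ECKOperator StatefulSet container" and "a Egress Gateway Deployment container" should use "an", "DataType represent the type of data stored" should be "represents", and the three PodTemplateSpec descriptions lack the closing period the other descriptions have.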

    - - + + + + + + + @@ -3562,10 +11215,10 @@ If omitted, the API server Deployment will use its default values for its contai + +
    FieldDescription
    -containers
    +name
    - -[]APIServerDeploymentContainer - +string
    -(Optional)

    -Containers is a list of API server containers. -If specified, this overrides the specified API server Deployment containers. -If omitted, the API server Deployment will use its default values for its containers. +Name is an enum which identifies the EGW Deployment init container by name.

    -affinity
    +resources
    - -Kubernetes core/v1.Affinity + +Kubernetes core/v1.ResourceRequirements @@ -3574,56 +11227,91 @@ Kubernetes core/v1.Affinity (Optional)

    -Affinity is a group of affinity scheduling rules for the API server pods. -If specified, this overrides any affinity that may be set on the API server Deployment. -If omitted, the API server Deployment will use its default value for affinity. -WARNING: Please note that this field will override the default API server Deployment affinity. +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named EGW Deployment init container’s resources. +If omitted, the EGW Deployment will use its default value for this init container’s resources. +If used in conjunction with the deprecated ComponentResources, then this value takes precedence.

    +

    EKSLogForwarderDeployment

    +

    + +(Appears on: +LogCollectorSpec) + +

    +

    +EKSLogForwarderDeployment is the configuration for the EKSLogForwarder Deployment. +

    + + + + + + + + + +
    FieldDescription
    -nodeSelector
    +spec
    -map[string]string + +EKSLogForwarderDeploymentSpec +
    +(Optional)

    -NodeSelector is the API server pod’s scheduling constraints. -If specified, each of the key/value pairs are added to the API server Deployment nodeSelector provided -the key does not already exist in the object’s nodeSelector. -If used in conjunction with ControlPlaneNodeSelector, that nodeSelector is set on the API server Deployment -and each of this field’s key/value pairs are added to the API server Deployment nodeSelector provided -the key does not already exist in the object’s nodeSelector. -If omitted, the API server Deployment will use its default value for nodeSelector. -WARNING: Please note that this field will modify the default API server Deployment nodeSelector. +Spec is the specification of the EKSLogForwarder Deployment.

    +
    +
    + +
    +

    EKSLogForwarderDeploymentContainer

    +

    + +(Appears on: +EKSLogForwarderDeploymentPodSpec) + +

    +

    +EKSLogForwarderDeploymentContainer is a EKSLogForwarder Deployment container. +

    + + + + + + + + @@ -3631,10 +11319,10 @@ All topologySpreadConstraints are ANDed.
    FieldDescription
    -topologySpreadConstraints
    +name
    - -[]Kubernetes core/v1.TopologySpreadConstraint - +string
    -(Optional)

    -TopologySpreadConstraints describes how a group of pods ought to spread across topology -domains. Scheduler will schedule pods in a way which abides by the constraints. -All topologySpreadConstraints are ANDed. +Name is an enum which identifies the EKSLogForwarder Deployment container by name.

    -tolerations
    +resources
    - -[]Kubernetes core/v1.Toleration + +Kubernetes core/v1.ResourceRequirements @@ -3643,25 +11331,24 @@ All topologySpreadConstraints are ANDed. (Optional)

    -Tolerations is the API server pod’s tolerations. -If specified, this overrides any tolerations that may be set on the API server Deployment. -If omitted, the API server Deployment will use its default value for tolerations. -WARNING: Please note that this field will override the default API server Deployment tolerations. +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named EKSLogForwarder Deployment container’s resources. +If omitted, the EKSLogForwarder Deployment will use its default value for this container’s resources.

    -

    APIServerDeploymentPodTemplateSpec

    +

    EKSLogForwarderDeploymentInitContainer

    (Appears on: -APIServerDeploymentSpec) +EKSLogForwarderDeploymentPodSpec)

    -APIServerDeploymentPodTemplateSpec is the API server Deployment’s PodTemplateSpec +EKSLogForwarderDeploymentInitContainer is a EKSLogForwarder Deployment init container.

    @@ -3674,20 +11361,16 @@ APIServerDeploymentPodTemplateSpec is the API server Deployment’s PodTempl @@ -3695,10 +11378,10 @@ the pod’s metadata.
    -metadata
    +name
    - -Metadata - +string
    -(Optional)

    -Metadata is a subset of a Kubernetes object’s metadata that is added to -the pod’s metadata. +Name is an enum which identifies the EKSLogForwarder Deployment init container by name.

    -spec
    +resources
    - -APIServerDeploymentPodSpec + +Kubernetes core/v1.ResourceRequirements @@ -3707,26 +11390,24 @@ APIServerDeploymentPodSpec (Optional)

    -Spec is the API server Deployment’s PodSpec. +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named EKSLogForwarder Deployment init container’s resources. +If omitted, the EKSLogForwarder Deployment will use its default value for this init container’s resources.

    -
    -
    - -
    -

    APIServerDeploymentSpec

    +

    EKSLogForwarderDeploymentPodSpec

    (Appears on: -APIServerDeployment) +EKSLogForwarderDeploymentPodTemplateSpec)

    -APIServerDeploymentSpec defines configuration for the API server Deployment. +EKSLogForwarderDeploymentPodSpec is the EKSLogForwarder Deployment’s PodSpec.

    @@ -3739,9 +11420,11 @@ APIServerDeploymentSpec defines configuration for the API server Deployment. @@ -3749,10 +11432,9 @@ int32 (Optional)

    -MinReadySeconds is the minimum number of seconds for which a newly created Deployment pod should -be ready without any of its container crashing, for it to be considered available. -If specified, this overrides any minReadySeconds value that may be set on the API server Deployment. -If omitted, the API server Deployment will use its default value for minReadySeconds. +InitContainers is a list of EKSLogForwarder init containers. +If specified, this overrides the specified EKSLogForwarder Deployment init containers. +If omitted, the EKSLogForwarder Deployment will use its default values for its init containers.

    @@ -3760,10 +11442,10 @@ If omitted, the API server Deployment will use its default value for minReadySec
    -minReadySeconds
    +initContainers
    -int32 + +[]EKSLogForwarderDeploymentInitContainer +
    -template
    +containers
    - -APIServerDeploymentPodTemplateSpec + +[]EKSLogForwarderDeploymentContainer @@ -3772,22 +11454,24 @@ APIServerDeploymentPodTemplateSpec (Optional)

    -Template describes the API server Deployment pod that will be created. +Containers is a list of EKSLogForwarder containers. +If specified, this overrides the specified EKSLogForwarder Deployment containers. +If omitted, the EKSLogForwarder Deployment will use its default values for its containers.

    -

    APIServerSpec

    +

    EKSLogForwarderDeploymentPodTemplateSpec

    (Appears on: -APIServer) +EKSLogForwarderDeploymentSpec)

    -APIServerSpec defines the desired state of Tigera API server. +EKSLogForwarderDeploymentPodTemplateSpec is the EKSLogForwarder Deployment’s PodTemplateSpec

    @@ -3800,35 +11484,38 @@ APIServerSpec defines the desired state of Tigera API server.
    -apiServerDeployment
    +spec
    - -APIServerDeployment + +EKSLogForwarderDeploymentPodSpec
    +(Optional)

    -APIServerDeployment configures the calico-apiserver (or tigera-apiserver in Enterprise) Deployment. If -used in conjunction with ControlPlaneNodeSelector or ControlPlaneTolerations, then these overrides -take precedence. +Spec is the EKSLogForwarder Deployment’s PodSpec.

    +
    +
    + +
    -

    APIServerStatus

    +

    EKSLogForwarderDeploymentSpec

    (Appears on: -APIServer) +EKSLogForwarderDeployment)

    -APIServerStatus defines the observed state of Tigera API server. +EKSLogForwarderDeploymentSpec defines configuration for the EKSLogForwarder Deployment.

    @@ -3841,27 +11528,50 @@ APIServerStatus defines the observed state of Tigera API server. + +
    -state
    +template
    -string + +EKSLogForwarderDeploymentPodTemplateSpec +
    +(Optional)

    -State provides user-readable status. +Template describes the EKSLogForwarder Deployment pod that will be created.

    +

    EgressGatewayDeploymentPodSpec

    +

    + +(Appears on: +EgressGatewayDeploymentPodTemplateSpec) + +

    +

    +EgressGatewayDeploymentPodSpec is the Egress Gateway Deployment’s PodSpec. +

    + + + + + + + + - -
    FieldDescription
    -conditions
    +initContainers
    - -[]Kubernetes meta/v1.Condition + +[]EGWDeploymentInitContainer @@ -3870,39 +11580,42 @@ State provides user-readable status. (Optional)

    -Conditions represents the latest observed set of conditions for the component. A component may be one or more of -Ready, Progressing, Degraded or other customer types. +InitContainers is a list of EGW init containers. +If specified, this overrides the specified EGW Deployment init containers. +If omitted, the EGW Deployment will use its default values for its init containers.

    -

    AWSEgressGateway

    -

    + + -(Appears on: -EgressGatewaySpec) +containers
    + + +[]EGWDeploymentContainer + + -

    + + + +(Optional)

    -AWSEgressGateway defines the configurations for deploying EgressGateway in AWS +Containers is a list of EGW containers. +If specified, this overrides the specified EGW Deployment containers. +If omitted, the EGW Deployment will use its default values for its containers.

    - - - - - + + - - @@ -3920,9 +11632,9 @@ Default: Disabled @@ -3930,37 +11642,17 @@ Default: Disabled (Optional)

    -ElasticIPs defines the set of elastic IPs that can be used for Egress Gateway pods. -NativeIP must be Enabled if elastic IPs are set. +NodeSelector gives more control over the nodes where the Egress Gateway pods will run on.

    - -
    FieldDescription
    -nativeIP
    +affinity
    - -NativeIP + +Kubernetes core/v1.Affinity @@ -3911,8 +11624,7 @@ NativeIP (Optional)

    -NativeIP defines if EgressGateway is to use an AWS backed IPPool. -Default: Disabled +Affinity is a group of affinity scheduling rules for the EGW pods.

    -elasticIPs
    +nodeSelector
    -[]string +map[string]string
    -

    AdditionalLogSourceSpec

    -

    - -(Appears on: -LogCollectorSpec) - -

    - - - - - - - - @@ -3968,36 +11660,18 @@ EksCloudwatchLogsSpec (Optional)

    -If specified with EKS Provider in Installation, enables fetching EKS -audit logs. +TerminationGracePeriodSeconds defines the termination grace period of the Egress Gateway pods in seconds.

    - -
    FieldDescription
    -eksCloudwatchLog
    +terminationGracePeriodSeconds
    - -EksCloudwatchLogsSpec - +int64
    -

    AdditionalLogStoreSpec

    -

    - -(Appears on: -LogCollectorSpec) - -

    - - - - - - - - @@ -4014,10 +11688,10 @@ If specified, enables exporting of flow, audit, and DNS logs to Amazon S3 storag @@ -4034,11 +11710,9 @@ If specified, enables exporting of flow, audit, and DNS logs to syslog. @@ -4046,22 +11720,22 @@ SplunkStoreSpec (Optional)

    -If specified, enables exporting of flow, audit, and DNS logs to splunk. +PriorityClassName allows to specify a PriorityClass resource to be used.

    FieldDescription
    -s3
    +topologySpreadConstraints
    - -S3StoreSpec + +[]Kubernetes core/v1.TopologySpreadConstraint @@ -4006,7 +11680,7 @@ S3StoreSpec (Optional)

    -If specified, enables exporting of flow, audit, and DNS logs to Amazon S3 storage. +TopologySpreadConstraints defines how the Egress Gateway pods should be spread across different AZs.

    -syslog
    +tolerations
    - -SyslogStoreSpec + +[]Kubernetes core/v1.Toleration @@ -4026,7 +11700,9 @@ SyslogStoreSpec (Optional)

    -If specified, enables exporting of flow, audit, and DNS logs to syslog. +Tolerations is the egress gateway pod’s tolerations. +If specified, this overrides any tolerations that may be set on the EGW Deployment. +If omitted, the EGW Deployment will use its default value for tolerations.

    -splunk
    +priorityClassName
    - -SplunkStoreSpec - +string
    -

    AmazonCloudIntegrationSpec

    +

    EgressGatewayDeploymentPodTemplateSpec

    (Appears on: -AmazonCloudIntegration) +EgressGatewaySpec)

    -AmazonCloudIntegrationSpec defines the desired state of AmazonCloudIntegration +EgressGatewayDeploymentPodTemplateSpec is the EGW Deployment’s PodTemplateSpec

    @@ -4074,10 +11748,10 @@ AmazonCloudIntegrationSpec defines the desired state of AmazonCloudIntegration @@ -4096,86 +11769,65 @@ Default: Denied - - -
    -defaultPodMetadataAccess
    +metadata
    - -MetadataAccessAllowedType + +EgressGatewayMetadata @@ -4086,9 +11760,8 @@ MetadataAccessAllowedType (Optional)

    -DefaultPodMetadataAccess defines what the default behavior will be for accessing -the AWS metadata service from a pod. -Default: Denied +Metadata is a subset of a Kubernetes object’s metadata that is added to +the pod’s metadata.

    -nodeSecurityGroupIDs
    +spec
    -[]string + +EgressGatewayDeploymentPodSpec +
    +(Optional)

    -NodeSecurityGroupIDs is a list of Security Group IDs that all nodes and masters -will be in. +Spec is the EGW Deployment’s PodSpec.

    +
    +
    + +
    - -podSecurityGroupID
    - -string - - -
    - + +
    +

    EgressGatewayFailureDetection

    -PodSecurityGroupID is the ID of the Security Group which all pods should be placed -in by default. -

    - - - - - - -vpcs
    - -[]string - - - +(Appears on: +EgressGatewaySpec) -

    -VPCS is a list of VPC IDs to monitor for ENIs and Security Groups, only one is supported.

    - - - - - - -sqsURL
    - -string - - - - -

    -SQSURL is the SQS URL needed to access the Simple Queue Service. +EgressGatewayFailureDetection defines the fields the needed for determining Egress Gateway +readiness.
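Review bot: The EgressGatewayFailureDetection description reads "defines the fields the needed for determining Egress Gateway readiness"; the second "the" is stray. Suggested wording: "defines the fields needed for determining Egress Gateway readiness."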

    - - + + + + + + + @@ -4183,17 +11835,21 @@ AWSRegion is the region in which your cluster is located. @@ -4201,32 +11857,33 @@ ENIs that are on a host that is also part of the Kubernetes cluster.
    FieldDescription
    -awsRegion
    +healthTimeoutDataStoreSeconds
    -string +int32
    +(Optional)

    -AWSRegion is the region in which your cluster is located. +HealthTimeoutDataStoreSeconds defines how long Egress Gateway can fail to connect +to the datastore before reporting not ready. +This value must be greater than 0. +Default: 90

    -enforcedSecurityGroupID
    +icmpProbe
    -string + +ICMPProbe +
    +(Optional)

    -EnforcedSecurityGroupID is the ID of the Security Group which will be applied to all -ENIs that are on a host that is also part of the Kubernetes cluster. +ICMPProbe define outgoing ICMP probes that Egress Gateway will use to +verify its upstream connection. Egress Gateway will report not ready if all +fail. Timeout must be greater than interval.

    -trustEnforcedSecurityGroupID
    +httpProbe
    -string + +HTTPProbe +
    +(Optional)

    -TrustEnforcedSecurityGroupID is the ID of the Security Group which will be applied -to all ENIs in the VPC. +HTTPProbe define outgoing HTTP probes that Egress Gateway will use to +verify its upsteam connection. Egress Gateway will report not ready if all +fail. Timeout must be greater than interval.

    -

    AmazonCloudIntegrationStatus

    +

    EgressGatewayIPPool

    (Appears on: -AmazonCloudIntegration) +EgressGatewaySpec) -

    -

    -AmazonCloudIntegrationStatus defines the observed state of AmazonCloudIntegration
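Review bot: In the `httpProbe` description of EgressGatewayFailureDetection, "verify its upsteam connection" is misspelled; it should read "upstream", as the `icmpProbe` description already does. Both probe descriptions also begin "ICMPProbe define" and "HTTPProbe define", which should be "defines". The stated constraints ("This value must be greater than 0" on `healthTimeoutDataStoreSeconds`, "Timeout must be greater than interval" on both probes) do not say how a violating value is handled; one sentence on whether it is rejected or replaced by the default would tell operators what to expect from a misconfigured readiness check.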

    @@ -4239,7 +11896,7 @@ AmazonCloudIntegrationStatus defines the observed state of AmazonCloudIntegratio @@ -4256,11 +11914,9 @@ State provides user-readable status. @@ -4268,20 +11924,22 @@ State provides user-readable status. (Optional)

    -Conditions represents the latest observed set of conditions for the component. A component may be one or more of -Ready, Progressing, Degraded or other customer types. +CIDR is the IPPool CIDR that the Egress Gateways can use.

    -state
    +name
    string @@ -4247,8 +11904,9 @@ string
    +(Optional)

    -State provides user-readable status. +Name is the name of the IPPool that the Egress Gateways can use.

    -conditions
    +cidr
    - -[]Kubernetes meta/v1.Condition - +string
    -

    AnomalyDetectionSpec

    +

    EgressGatewayMetadata

    (Appears on: -IntrusionDetectionSpec) +EgressGatewayDeploymentPodTemplateSpec) +

    +

    +EgressGatewayMetadata contains the standard Kubernetes labels and annotations fields.

    @@ -4294,9 +11952,31 @@ Ready, Progressing, Degraded or other customer types. + + + + @@ -4304,30 +11984,24 @@ string (Optional)

    -StorageClassName is now deprecated, and configuring it has no effect. +Annotations is a map of arbitrary non-identifying metadata. Each of these +key/value pairs are added to the object’s annotations provided the key does not +already exist in the object’s annotations.

    -storageClassName
    +labels
    -string +map[string]string + + +
    + +(Optional) +

    +Labels is a map of string keys and values that may match replica set and +service selectors. Each of these key/value pairs are added to the +object’s labels provided the key does not already exist in the object’s labels. +If not specified will default to projectcalico.org/egw:[name], where [name] is +the name of the Egress Gateway resource. +

    + +
    + +annotations
    + +map[string]string
    -

    ApplicationLayerPolicyStatusType -(string alias)

    -

    - -(Appears on: -ApplicationLayerSpec) - -

    -

    ApplicationLayerSpec

    +

    EgressGatewaySpec

    (Appears on: -ApplicationLayer) +EgressGateway)

    -ApplicationLayerSpec defines the desired state of ApplicationLayer +EgressGatewaySpec defines the desired state of EgressGateway

    @@ -4340,19 +12014,17 @@ ApplicationLayerSpec defines the desired state of ApplicationLayer @@ -4360,10 +12032,10 @@ When enabled, Services may opt-in to having ingress traffic examed by ModSecurit @@ -4379,19 +12053,19 @@ Specification for application layer (L7) log collection. @@ -4399,55 +12073,64 @@ When enabled, NetworkPolicies with HTTP Match rules may be defined to opt-in wor - -
    -webApplicationFirewall
    +replicas
    - -WAFStatusType - +int32
    +(Optional)

    -WebApplicationFirewall controls whether or not ModSecurity enforcement is enabled for the cluster. -When enabled, Services may opt-in to having ingress traffic examed by ModSecurity. +Replicas defines how many instances of the Egress Gateway pod will run.

    -logCollection
    +ipPools
    - -LogCollectionSpec + +[]EgressGatewayIPPool @@ -4371,7 +12043,9 @@ LogCollectionSpec

    -Specification for application layer (L7) log collection. +IPPools defines the IP Pools that the Egress Gateway pods should be using. +Either name or CIDR must be specified. +IPPools must match existing IPPools.

    -applicationLayerPolicy
    +externalNetworks
    - -ApplicationLayerPolicyStatusType - +[]string
    +(Optional)

    -Application Layer Policy controls whether or not ALP enforcement is enabled for the cluster. -When enabled, NetworkPolicies with HTTP Match rules may be defined to opt-in workloads for traffic enforcement on the application layer. +ExternalNetworks defines the external network names this Egress Gateway is +associated with. +ExternalNetworks must match existing external networks.

    -envoy
    +logSeverity
    - -EnvoySettings + +LogLevel
    +(Optional)

    -User-configurable settings for the Envoy proxy. +LogSeverity defines the logging level of the Egress Gateway. +Default: Info

    -

    ApplicationLayerStatus

    -

    + + -(Appears on: -ApplicationLayer) +template
    + + +EgressGatewayDeploymentPodTemplateSpec + + -

    + + + +(Optional)

    -ApplicationLayerStatus defines the observed state of ApplicationLayer +Template describes the EGW Deployment pod that will be created.

    - - - - - + + - - @@ -4455,10 +12138,10 @@ State provides user-readable status.
    FieldDescription
    -state
    +egressGatewayFailureDetection
    -string + +EgressGatewayFailureDetection +
    +(Optional)

    -State provides user-readable status. +EgressGatewayFailureDetection is used to configure how Egress Gateway +determines readiness. If both ICMP, HTTP probes are defined, one ICMP probe and one +HTTP probe should succeed for Egress Gateways to become ready. +Otherwise one of ICMP or HTTP probe should succeed for Egress gateways to become +ready if configured.
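Review bot: The `egressGatewayFailureDetection` description on EgressGatewaySpec is hard to parse: "If both ICMP, HTTP probes are defined, one ICMP probe and one HTTP probe should succeed ... Otherwise one of ICMP or HTTP probe should succeed ... if configured." Since this sentence decides when a gateway is reported ready, spell out the two cases separately, for example "If both ICMP and HTTP probes are defined, at least one probe of each type must succeed. If only one type is defined, at least one probe of that type must succeed." Also note the inconsistent capitalisation of "Egress Gateways" and "Egress gateways" within the same paragraph.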

    -conditions
    +aws
    - -[]Kubernetes meta/v1.Condition + +AWSEgressGateway @@ -4467,24 +12150,22 @@ State provides user-readable status. (Optional)

    -Conditions represents the latest observed set of conditions for the component. A component may be one or more of -Ready, Progressing, Degraded or other customer types. +AWS defines the additional configuration options for Egress Gateways on AWS.

    -

    Auth

    +

    EgressGatewayStatus

    (Appears on: -ManagerSpec, -ManagerStatus) +EgressGateway)

    -Auth defines authentication configuration. +EgressGatewayStatus defines the observed state of EgressGateway

    @@ -4497,27 +12178,7 @@ Auth defines authentication configuration. - - - - @@ -4535,9 +12195,11 @@ Authority configures the OAuth2/OIDC authority/issuer when using OAuth2 or OIDC @@ -4545,36 +12207,23 @@ string (Optional)

    -ClientId configures the OAuth2/OIDC client ID to use for OAuth2 or OIDC login. +Conditions represents the latest observed set of conditions for the component. A component may be one or more of +Ready, Progressing, Degraded or other customer types.

    -type
    - - -AuthType - - - -
    - -

    -Type configures the type of authentication used by the manager. -Default: Token -

    - -
    - -authority
    +state
    string @@ -4525,9 +12186,8 @@ string
    -(Optional)

    -Authority configures the OAuth2/OIDC authority/issuer when using OAuth2 or OIDC login. +State provides user-readable status.

    -clientID
    +conditions
    -string + +[]Kubernetes meta/v1.Condition +
    -

    AuthMethod -(string alias)

    -

    AuthType -(string alias)

    -

    - -(Appears on: -Auth) - -

    -

    -AuthType represents the type of authentication to use. Valid -options are: Token, Basic, OIDC, OAuth -

    -

    AuthenticationLDAP

    +

    EksCloudwatchLogsSpec

    (Appears on: -AuthenticationSpec) +AdditionalLogSourceSpec)

    -AuthenticationLDAP is the configuration needed to set up LDAP. +EksConfigSpec defines configuration for fetching EKS audit logs.
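Review bot: The description added under the EksCloudwatchLogsSpec heading names a different type: "EksConfigSpec defines configuration for fetching EKS audit logs." It should start with EksCloudwatchLogsSpec so the entry matches its heading and the AdditionalLogSourceSpec back-reference.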

    @@ -4587,7 +12236,7 @@ AuthenticationLDAP is the configuration needed to set up LDAP. @@ -4604,19 +12253,16 @@ The host and port of the LDAP server. Example: ad.example.com:636 @@ -4624,18 +12270,18 @@ the ldaps:// protocol. @@ -4643,11 +12289,9 @@ User entry search configuration to match the credentials with a user. @@ -4655,22 +12299,23 @@ GroupSearch (Optional)

    -Group search configuration to find the groups that a user is in. +Cloudwatch audit logs fetching interval in seconds. +Default: 60

    -host
    +region
    string @@ -4596,7 +12245,7 @@ string

    -The host and port of the LDAP server. Example: ad.example.com:636 +AWS Region EKS cluster is hosted in.

    -startTLS
    +groupName
    -bool +string
    -(Optional)

    -StartTLS whether to enable the startTLS feature for establishing TLS on an existing LDAP session. -If true, the ldap:// protocol is used and then issues a StartTLS command, otherwise, connections will use -the ldaps:// protocol. +Cloudwatch log-group name containing EKS audit logs.

    -userSearch
    +streamPrefix
    - -UserSearch - +string
    +(Optional)

    -User entry search configuration to match the credentials with a user. +Prefix of Cloudwatch log stream containing EKS audit logs in the log-group. +Default: kube-apiserver-audit-

    -groupSearch
    +fetchInterval
    - -GroupSearch - +int32
    -

    AuthenticationOIDC

    +

    ElasticsearchMetricsDeployment

    (Appears on: -AuthenticationSpec) +LogStorageSpec)

    -AuthenticationOIDC is the configuration needed to set up OIDC. +ElasticsearchMetricsDeployment is the configuration for the tigera-elasticsearch-metric Deployment.

    @@ -4683,24 +12328,51 @@ AuthenticationOIDC is the configuration needed to set up OIDC. + +
    -issuerURL
    +spec
    -string + +ElasticsearchMetricsDeploymentSpec +
    +(Optional)

    -IssuerURL is the URL to the OIDC provider. +Spec is the specification of the ElasticsearchMetrics Deployment.

    +
    +
    + +
    +

    ElasticsearchMetricsDeploymentContainer

    +

    + +(Appears on: +ElasticsearchMetricsDeploymentPodSpec) + +

    +

    +ElasticsearchMetricsDeploymentContainer is a ElasticsearchMetricsDeployment container. +

    + + + + + + + + @@ -4717,9 +12389,11 @@ UsernameClaim specifies which claim to use from the OIDC provider as the usernam @@ -4727,34 +12401,37 @@ UsernameClaim specifies which claim to use from the OIDC provider as the usernam (Optional)

    -RequestedScopes is a list of scopes to request from the OIDC provider. If not provided, the following scopes are -requested: [“openid”, “email”, “profile”, “groups”, “offline_access”]. +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named ElasticsearchMetricsDeployment container’s resources. +If omitted, the ElasticsearchMetrics Deployment will use its default value for this container’s resources.

    - - +
    FieldDescription
    -usernameClaim
    +name
    string @@ -4709,7 +12381,7 @@ string

    -UsernameClaim specifies which claim to use from the OIDC provider as the username. +Name is an enum which identifies the ElasticsearchMetricsDeployment container by name.

    -requestedScopes
    +resources
    -[]string + +Kubernetes core/v1.ResourceRequirements +
    - -usernamePrefix
    - -string - +
    +

    ElasticsearchMetricsDeploymentInitContainer

    +

    - - +(Appears on: +ElasticsearchMetricsDeploymentPodSpec) -(Optional) +

    -Deprecated. Please use Authentication.Spec.UsernamePrefix instead. +ElasticsearchMetricsDeploymentInitContainer is a ElasticsearchMetricsDeployment init container.

    - - + + + + + + + @@ -4772,9 +12448,11 @@ GroupsClaim specifies which claim to use from the OIDC provider as the group. @@ -4782,18 +12460,40 @@ string (Optional)

    -Deprecated. Please use Authentication.Spec.GroupsPrefix instead. +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named ElasticsearchMetricsDeployment init container’s resources. +If omitted, the ElasticsearchMetrics Deployment will use its default value for this init container’s resources.

    + +
    FieldDescription
    -groupsClaim
    +name
    string @@ -4762,9 +12439,8 @@ string
    -(Optional)

    -GroupsClaim specifies which claim to use from the OIDC provider as the group. +Name is an enum which identifies the ElasticsearchMetricsDeployment init container by name.

    -groupsPrefix
    +resources
    -string + +Kubernetes core/v1.ResourceRequirements +
    +

    ElasticsearchMetricsDeploymentPodSpec

    +

    + +(Appears on: +ElasticsearchMetricsDeploymentPodTemplateSpec) + +

    +

    +ElasticsearchMetricsDeploymentPodSpec is the tElasticsearchMetricsDeployment’s PodSpec. +
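Review bot: Typo in the ElasticsearchMetricsDeploymentPodSpec description: "is the tElasticsearchMetricsDeployment’s PodSpec" has a stray leading "t". It should read "the ElasticsearchMetricsDeployment’s PodSpec", in line with the wording used for the other ElasticsearchMetricsDeployment types in this patch.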

    + + + + + + + + @@ -4813,10 +12512,10 @@ Default: Verify + +
    FieldDescription
    -emailVerification
    +initContainers
    - -EmailVerificationType + +[]ElasticsearchMetricsDeploymentInitContainer @@ -4802,10 +12502,9 @@ EmailVerificationType (Optional)

    -Some providers do not include the claim “email_verified” when there is no verification in the user enrollment -process or if they are acting as a proxy for another identity provider. By default those tokens are deemed invalid. -To skip this check, set the value to “InsecureSkip”. -Default: Verify +InitContainers is a list of ElasticsearchMetricsDeployment init containers. +If specified, this overrides the specified ElasticsearchMetricsDeployment init containers. +If omitted, the ElasticsearchMetrics Deployment will use its default values for its init containers.

    -promptTypes
    +containers
    - -[]PromptType + +[]ElasticsearchMetricsDeploymentContainer @@ -4825,21 +12524,40 @@ Default: Verify (Optional)

    -PromptTypes is an optional list of string values that specifies whether the identity provider prompts the end user -for re-authentication and consent. See the RFC for more information on prompt types: -https://openid.net/specs/openid-connect-core-1_0.html. -Default: “Consent” +Containers is a list of ElasticsearchMetricsDeployment containers. +If specified, this overrides the specified ElasticsearchMetricsDeployment containers. +If omitted, the ElasticsearchMetrics Deployment will use its default values for its containers.

    +

    ElasticsearchMetricsDeploymentPodTemplateSpec

    +

    + +(Appears on: +ElasticsearchMetricsDeploymentSpec) + +

    +

    +ElasticsearchMetricsDeploymentPodTemplateSpec is the ElasticsearchMetricsDeployment’s PodTemplateSpec +

    + + + + + + + +
    FieldDescription
    -type
    +spec
    - -OIDCType + +ElasticsearchMetricsDeploymentPodSpec @@ -4848,22 +12566,26 @@ OIDCType (Optional)

    -Default: “Dex” +Spec is the ElasticsearchMetrics Deployment’s PodSpec.

    +
    +
    + +
    -

    AuthenticationOpenshift

    +

    ElasticsearchMetricsDeploymentSpec

    (Appears on: -AuthenticationSpec) +ElasticsearchMetricsDeployment)

    -AuthenticationOpenshift is the configuration needed to set up Openshift. +ElasticsearchMetricsDeploymentSpec defines configuration for the ElasticsearchMetricsDeployment Deployment.

    @@ -4876,31 +12598,70 @@ AuthenticationOpenshift is the configuration needed to set up Openshift.
    -issuerURL
    +template
    -string + +ElasticsearchMetricsDeploymentPodTemplateSpec +
    +(Optional)

    -IssuerURL is the URL to the Openshift OAuth provider. Ex.: https://api.my-ocp-domain.com:6443 +Template describes the ElasticsearchMetrics Deployment pod that will be created.

    -

    AuthenticationSpec

    +

    EmailVerificationType +(string alias)

    (Appears on: -Authentication) +AuthenticationOIDC)

    +

    EncapsulationType +(string alias)

    -AuthenticationSpec defines the desired state of Authentication + +(Appears on: +IPPool) + +

    +

    +EncapsulationType is the type of encapsulation to use on an IP pool. +

    +

    +One of: IPIP, VXLAN, IPIPCrossSubnet, VXLANCrossSubnet, None +

    +

    EncryptionOption +(string alias)

    +

    + +(Appears on: +SyslogStoreSpec) + +

    +

    +EncryptionOption specifies the traffic encryption mode when connecting to a Syslog server. +

    +

    +One of: None, TLS +

    +

    Endpoint

    +

    + +(Appears on: +ServiceMonitor) + +

    +

    +Endpoint contains a subset of relevant fields from the Prometheus Endpoint struct.
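Review bot: EmailVerificationType (string alias) is added with only its "Appears on: AuthenticationOIDC" line, while EncapsulationType and EncryptionOption directly below it each get a description and a "One of:" list. The emailVerification field text visible in this patch refers to “InsecureSkip” and "Default: Verify", so the type entry should list both values and say which is the default; a reader landing on the type should not have to find the field to learn that one value turns off the email_verified check.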

    @@ -4913,16 +12674,17 @@ AuthenticationSpec defines the desired state of Authentication @@ -4930,19 +12692,19 @@ ManagerDomain is the domain name of the Manager @@ -4950,19 +12712,17 @@ ClusterRoleBindings into Elastic. @@ -4970,19 +12730,17 @@ ClusterRoleBindings into Elastic. @@ -4990,19 +12748,16 @@ OIDC contains the configuration needed to set up OIDC authentication. @@ -5010,34 +12765,65 @@ Openshift contains the configuration needed to set up Openshift OAuth authentica + + + + + + + +
    -managerDomain
    +params
    -string +map[string][]string

    -ManagerDomain is the domain name of the Manager +Optional HTTP URL parameters +Default: scrape all metrics.

    -usernamePrefix
    +bearerTokenSecret
    -string + +Kubernetes core/v1.SecretKeySelector +
    -(Optional)

    -If specified, UsernamePrefix is prepended to each user obtained from the identity provider. Note that -Kibana does not support a user prefix, so this prefix is removed from Kubernetes User when translating log access -ClusterRoleBindings into Elastic. +Secret to mount to read bearer token for scraping targets. +Recommended: when unset, the operator will create a Secret, a ClusterRole and a ClusterRoleBinding.

    -groupsPrefix
    +interval
    -string +github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1.Duration
    -(Optional)

    -If specified, GroupsPrefix is prepended to each group obtained from the identity provider. Note that -Kibana does not support a groups prefix, so this prefix is removed from Kubernetes Groups when translating log access -ClusterRoleBindings into Elastic. +Interval at which metrics should be scraped. +If not specified Prometheus’ global scrape interval is used.

    -oidc
    +scrapeTimeout
    - -AuthenticationOIDC - +github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1.Duration
    -(Optional)

    -OIDC contains the configuration needed to set up OIDC authentication. +Timeout after which the scrape is ended. +If not specified, the Prometheus global scrape timeout is used unless it is less than Interval in which the latter is used.

    -openshift
    +honorLabels
    - -AuthenticationOpenshift - +bool
    -(Optional)

    -Openshift contains the configuration needed to set up Openshift OAuth authentication. +HonorLabels chooses the metric’s labels on collisions with target labels.

    -ldap
    +honorTimestamps
    - -AuthenticationLDAP - +bool + + +
    + +

    +HonorTimestamps controls whether Prometheus respects the timestamps present in scraped data. +

    + +
    + +metricRelabelings
    + +[]*github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1.RelabelConfig + + +
    + +

    +MetricRelabelConfigs to apply to samples before ingestion. +

    + +
    + +relabelings
    + +[]*github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1.RelabelConfig
    -(Optional)

    -LDAP contains the configuration needed to set up LDAP authentication. +RelabelConfigs to apply to samples before scraping. +Prometheus Operator automatically adds relabelings for a few standard Kubernetes fields. +The original scrape job’s name is available via the __tmp_prometheus_job_name label. +More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config

    -

    AuthenticationStatus

    +

    EnvoySettings

    (Appears on: -Authentication) +ApplicationLayerSpec) -

    -

    -AuthenticationStatus defines the observed state of Authentication

    @@ -5050,16 +12836,19 @@ AuthenticationStatus defines the observed state of Authentication @@ -5067,11 +12856,9 @@ State provides user-readable status. @@ -5079,48 +12866,92 @@ State provides user-readable status. (Optional)

    -Conditions represents the latest observed set of conditions for the component. A component may be one or more of -Ready, Progressing, Degraded or other customer types. +If set to true, the Envoy connection manager will use the real remote address +of the client connection when determining internal versus external origin and +manipulating various headers.

    -state
    +xffNumTrustedHops
    -string +int32
    +(Optional)

    -State provides user-readable status. +The number of additional ingress proxy hops from the right side of the +x-forwarded-for HTTP header to trust when determining the origin client’s +IP address. 0 is permitted, but >=1 is the typical setting.
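Review bot: Neither xffNumTrustedHops nor useRemoteAddress states a default, although other optional fields in this patch do (for example "Default: 60" on fetchInterval). Both settings decide which address Envoy treats as the origin client, so the page should say what applies when they are omitted. For xffNumTrustedHops it would also help to state that the value should match the number of proxies in front of Envoy that are actually trusted, since each extra hop is one more x-forwarded-for entry accepted as given.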

    -conditions
    +useRemoteAddress
    - -[]Kubernetes meta/v1.Condition - +bool
    -

    BGPOption -(string alias)

    +

    ExternalPrometheus

    (Appears on: -CalicoNetworkSpec) +MonitorSpec)

    + + + + + + + + + + + + + + + + + +
    FieldDescription
    + +serviceMonitor
    + + +ServiceMonitor + + + +
    + +(Optional)

    -BGPOption describes the mode of BGP to use. -

    -

    -One of: Enabled, Disabled +ServiceMonitor when specified, the operator will create a ServiceMonitor object in the namespace. It is recommended +that you configure labels if you want your prometheus instance to pick up the configuration automatically. +The operator will configure 1 endpoint by default: +- Params to scrape all metrics available in Calico Enterprise. +- BearerTokenSecret (If not overridden, the operator will also create corresponding RBAC that allows authz to the metrics.) +- TLSConfig, containing the caFile and serverName.

    -

    CAType -(string alias)

    -

    -(Appears on: -ManagementClusterTLS) +

    + +namespace
    + +string + + +
    -

    -CAType specifies which verification method the tunnel client should use to verify the tunnel server’s identity. +Namespace is the namespace where the operator will create resources for your Prometheus instance. The namespace +must be created before the operator will create Prometheus resources.

    + +
    +

    FIPSMode +(string alias)

    -One of: Tigera, Public + +(Appears on: +InstallationSpec) +

    -

    CNILogging

    +

    FluentdDaemonSet

    (Appears on: -Logging) +LogCollectorSpec) +

    +

    +FluentdDaemonSet is the configuration for the Fluentd DaemonSet.
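Review bot: FIPSMode (string alias) and ExternalPrometheus are added in this hunk without a description, and FIPSMode has no "One of:" list either, so this page does not tell a reader which values InstallationSpec accepts for it. EncapsulationType and EncryptionOption earlier in the patch show the pattern to follow: one sentence on what the type controls, then the accepted values.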

    @@ -5133,10 +12964,10 @@ One of: Tigera, Public - -
    -logSeverity
    +spec
    - -LogLevel + +FluentdDaemonSetSpec @@ -5145,43 +12976,48 @@ LogLevel (Optional)

    -Default: Info +Spec is the specification of the Fluentd DaemonSet.

    +
    +
    + +
    - -logFileMaxSize
    - -k8s.io/apimachinery/pkg/api/resource.Quantity - + +
    +

    FluentdDaemonSetContainer

    +

    - - +(Appears on: +FluentdDaemonSetPodSpec) -(Optional) +

    -Default: 100Mi +FluentdDaemonSetContainer is a Fluentd DaemonSet container.

    - - + + + + + + + @@ -5189,9 +13025,11 @@ Default: 30 (days) @@ -5199,36 +13037,24 @@ uint32 (Optional)

    -Default: 10 +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named Fluentd DaemonSet container’s resources. +If omitted, the Fluentd DaemonSet will use its default value for this container’s resources.

    FieldDescription
    -logFileMaxAgeDays
    +name
    -uint32 +string
    -(Optional)

    -Default: 30 (days) +Name is an enum which identifies the Fluentd DaemonSet container by name.

    -logFileMaxCount
    +resources
    -uint32 + +Kubernetes core/v1.ResourceRequirements +
    -

    CNIPluginType -(string alias)

    -

    - -(Appears on: -CNISpec) - -

    -

    -CNIPluginType describes the type of CNI plugin used. -

    -

    -One of: Calico, GKE, AmazonVPC, AzureVNET -

    -

    CNISpec

    +

    FluentdDaemonSetInitContainer

    (Appears on: -InstallationSpec) +FluentdDaemonSetPodSpec)

    -CNISpec contains configuration for the CNI plugin. +FluentdDaemonSetInitContainer is a Fluentd DaemonSet init container.

    @@ -5241,31 +13067,16 @@ CNISpec contains configuration for the CNI plugin. @@ -5273,10 +13084,10 @@ Default: Calico
    -type
    +name
    - -CNIPluginType - +string

    -Specifies the CNI plugin that will be used in the Calico or Calico Enterprise installation. -* For KubernetesProvider GKE, this field defaults to GKE. -* For KubernetesProvider AKS, this field defaults to AzureVNET. -* For KubernetesProvider EKS, this field defaults to AmazonVPC. -* If aws-node daemonset exists in kube-system when the Installation resource is created, this field defaults to AmazonVPC. -* For all other cases this field defaults to Calico. -

    -

    -For the value Calico, the CNI plugin binaries and CNI config will be installed as part of deployment, -for all other values the CNI plugin binaries and CNI config is a dependency that is expected -to be installed separately. -

    -

    -Default: Calico +Name is an enum which identifies the Fluentd DaemonSet init container by name.

    -ipam
    +resources
    - -IPAMSpec + +Kubernetes core/v1.ResourceRequirements @@ -5285,23 +13096,24 @@ IPAMSpec (Optional)

    -IPAM specifies the pod IP address management that will be used in the Calico or -Calico Enterprise installation. +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named Fluentd DaemonSet init container’s resources. +If omitted, the Fluentd DaemonSet will use its default value for this init container’s resources.

    -

    CSINodeDriverDaemonSet

    +

    FluentdDaemonSetPodSpec

    (Appears on: -InstallationSpec) +FluentdDaemonSetPodTemplateSpec)

    -CSINodeDriverDaemonSet is the configuration for the csi-node-driver DaemonSet. +FluentdDaemonSetPodSpec is the Fluentd DaemonSet’s PodSpec.

    @@ -5314,10 +13126,10 @@ CSINodeDriverDaemonSet is the configuration for the csi-node-driver DaemonSet. @@ -5334,10 +13148,10 @@ Metadata is a subset of a Kubernetes object’s metadata that is added to th
    -metadata
    +initContainers
    - -Metadata + +[]FluentdDaemonSetInitContainer @@ -5326,7 +13138,9 @@ Metadata (Optional)

    -Metadata is a subset of a Kubernetes object’s metadata that is added to the DaemonSet. +InitContainers is a list of Fluentd DaemonSet init containers. +If specified, this overrides the specified Fluentd DaemonSet init containers. +If omitted, the Fluentd DaemonSet will use its default values for its init containers.

    -spec
    +containers
    - -CSINodeDriverDaemonSetSpec + +[]FluentdDaemonSetContainer @@ -5346,26 +13160,24 @@ CSINodeDriverDaemonSetSpec (Optional)

    -Spec is the specification of the csi-node-driver DaemonSet. +Containers is a list of Fluentd DaemonSet containers. +If specified, this overrides the specified Fluentd DaemonSet containers. +If omitted, the Fluentd DaemonSet will use its default values for its containers.

    -
    -
    - -
    -

    CSINodeDriverDaemonSetContainer

    +

    FluentdDaemonSetPodTemplateSpec

    (Appears on: -CSINodeDriverDaemonSetPodSpec) +FluentdDaemonSetSpec)

    -CSINodeDriverDaemonSetContainer is a csi-node-driver DaemonSet container. +FluentdDaemonSetPodTemplateSpec is the Fluentd DaemonSet’s PodTemplateSpec

    @@ -5378,27 +13190,54 @@ CSINodeDriverDaemonSetContainer is a csi-node-driver DaemonSet container. + +
    -name
    +spec
    -string + +FluentdDaemonSetPodSpec +
    +(Optional)

    -Name is an enum which identifies the csi-node-driver DaemonSet container by name. +Spec is the Fluentd DaemonSet’s PodSpec.

    +
    +
    + +
    +

    FluentdDaemonSetSpec

    +

    + +(Appears on: +FluentdDaemonSet) + +

    +

    +FluentdDaemonSetSpec defines configuration for the Fluentd DaemonSet. +

    + + + + + + + +
    FieldDescription
    -resources
    +template
    - -Kubernetes core/v1.ResourceRequirements + +FluentdDaemonSetPodTemplateSpec @@ -5407,24 +13246,22 @@ Kubernetes core/v1.ResourceRequirements (Optional)

    -Resources allows customization of limits and requests for compute resources such as cpu and memory. -If specified, this overrides the named csi-node-driver DaemonSet container’s resources. -If omitted, the csi-node-driver DaemonSet will use its default value for this container’s resources. +Template describes the Fluentd DaemonSet pod that will be created.

    -

    CSINodeDriverDaemonSetPodSpec

    +

    GroupSearch

    (Appears on: -CSINodeDriverDaemonSetPodTemplateSpec) +AuthenticationLDAP)

    -CSINodeDriverDaemonSetPodSpec is the csi-node-driver DaemonSet’s PodSpec. +Group search configuration to find the groups that a user is in.

    @@ -5437,21 +13274,16 @@ CSINodeDriverDaemonSetPodSpec is the csi-node-driver DaemonSet’s PodSpec. @@ -5459,11 +13291,9 @@ If omitted, the csi-node-driver DaemonSet will use its default values for its co @@ -5471,10 +13301,8 @@ Kubernetes core/v1.Affinity (Optional)

    -Affinity is a group of affinity scheduling rules for the csi-node-driver pods. -If specified, this overrides any affinity that may be set on the csi-node-driver DaemonSet. -If omitted, the csi-node-driver DaemonSet will use its default value for affinity. -WARNING: Please note that this field will override the default csi-node-driver DaemonSet affinity. +Optional filter to apply when searching the directory. +For example “(objectClass=posixGroup)”

    @@ -5482,21 +13310,16 @@ WARNING: Please note that this field will override the default csi-node-driver D @@ -5504,37 +13327,35 @@ WARNING: Please note that this field will modify the default csi-node-driver Dae
    -containers
    +baseDN
    - -[]CSINodeDriverDaemonSetContainer - +string
    -(Optional)

    -Containers is a list of csi-node-driver containers. -If specified, this overrides the specified csi-node-driver DaemonSet containers. -If omitted, the csi-node-driver DaemonSet will use its default values for its containers. +BaseDN to start the search from. For example “cn=groups,dc=example,dc=com”

    -affinity
    +filter
    - -Kubernetes core/v1.Affinity - +string
    -nodeSelector
    +nameAttribute
    -map[string]string +string
    -(Optional)

    -NodeSelector is the csi-node-driver pod’s scheduling constraints. -If specified, each of the key/value pairs are added to the csi-node-driver DaemonSet nodeSelector provided -the key does not already exist in the object’s nodeSelector. -If omitted, the csi-node-driver DaemonSet will use its default value for nodeSelector. -WARNING: Please note that this field will modify the default csi-node-driver DaemonSet nodeSelector. +The attribute of the group that represents its name. This attribute can be used to apply RBAC to a user group.

    -tolerations
    +userMatchers
    - -[]Kubernetes core/v1.Toleration + +[]UserMatch
    -(Optional)

    -Tolerations is the csi-node-driver pod’s tolerations. -If specified, this overrides any tolerations that may be set on the csi-node-driver DaemonSet. -If omitted, the csi-node-driver DaemonSet will use its default value for tolerations. -WARNING: Please note that this field will override the default csi-node-driver DaemonSet tolerations. +Following list contains field pairs that are used to match a user to a group. It adds an additional +requirement to the filter that an attribute in the group must match the user’s +attribute value.

    -

    CSINodeDriverDaemonSetPodTemplateSpec

    +

    GuardianDeployment

    (Appears on: -CSINodeDriverDaemonSetSpec) +ManagementClusterConnectionSpec)

    -CSINodeDriverDaemonSetPodTemplateSpec is the csi-node-driver DaemonSet’s PodTemplateSpec +GuardianDeployment is the configuration for the guardian Deployment.

    @@ -5547,20 +13368,60 @@ CSINodeDriverDaemonSetPodTemplateSpec is the csi-node-driver DaemonSet’s P + + +
    -metadata
    +spec
    - -Metadata + +GuardianDeploymentSpec
    -(Optional) +(Optional) +

    +Spec is the specification of the guardian Deployment. +

    +
    +
    + +
    + +
    +

    GuardianDeploymentContainer

    +

    + +(Appears on: +GuardianDeploymentPodSpec) + +

    +

    +GuardianDeploymentContainer is a guardian Deployment container. +

    + + + + + + + + + + + @@ -5568,10 +13429,10 @@ the pod’s metadata.
    FieldDescription
    + +name
    + +string + + +
    +

    -Metadata is a subset of a Kubernetes object’s metadata that is added to -the pod’s metadata. +Name is an enum which identifies the guardian Deployment container by name.

    -spec
    +resources
    - -CSINodeDriverDaemonSetPodSpec + +Kubernetes core/v1.ResourceRequirements @@ -5580,26 +13441,24 @@ CSINodeDriverDaemonSetPodSpec (Optional)

    -Spec is the csi-node-driver DaemonSet’s PodSpec. +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named guardian Deployment container’s resources. +If omitted, the guardian Deployment will use its default value for this container’s resources.

    -
    -
    - -
    -

    CSINodeDriverDaemonSetSpec

    +

    GuardianDeploymentInitContainer

    (Appears on: -CSINodeDriverDaemonSet) +GuardianDeploymentPodSpec)

    -CSINodeDriverDaemonSetSpec defines configuration for the csi-node-driver DaemonSet. +GuardianDeploymentInitContainer is a guardian Deployment init container.

    @@ -5612,20 +13471,16 @@ CSINodeDriverDaemonSetSpec defines configuration for the csi-node-driver DaemonS @@ -5633,10 +13488,10 @@ If omitted, the csi-node-driver DaemonSet will use its default value for minRead
    -minReadySeconds
    +name
    -int32 +string
    -(Optional)

    -MinReadySeconds is the minimum number of seconds for which a newly created DaemonSet pod should -be ready without any of its container crashing, for it to be considered available. -If specified, this overrides any minReadySeconds value that may be set on the csi-node-driver DaemonSet. -If omitted, the csi-node-driver DaemonSet will use its default value for minReadySeconds. +Name is an enum which identifies the guardian Deployment init container by name.

    -template
    +resources
    - -CSINodeDriverDaemonSetPodTemplateSpec + +Kubernetes core/v1.ResourceRequirements @@ -5645,22 +13500,24 @@ CSINodeDriverDaemonSetPodTemplateSpec (Optional)

    -Template describes the csi-node-driver DaemonSet pod that will be created. +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named guardian Deployment init container’s resources. +If omitted, the guardian Deployment will use its default value for this init container’s resources.

    -

    CalicoKubeControllersDeployment

    +

    GuardianDeploymentPodSpec

    (Appears on: -InstallationSpec) +GuardianDeploymentPodTemplateSpec)

    -CalicoKubeControllersDeployment is the configuration for the calico-kube-controllers Deployment. +GuardianDeploymentPodSpec is the guardian Deployment’s PodSpec.

    @@ -5673,10 +13530,10 @@ CalicoKubeControllersDeployment is the configuration for the calico-kube-control @@ -5693,10 +13552,10 @@ Metadata is a subset of a Kubernetes object’s metadata that is added to th
    -metadata
    +initContainers
    - -Metadata + +[]GuardianDeploymentInitContainer @@ -5685,7 +13542,9 @@ Metadata (Optional)

    -Metadata is a subset of a Kubernetes object’s metadata that is added to the Deployment. +InitContainers is a list of guardian init containers. +If specified, this overrides the specified guardian Deployment init containers. +If omitted, the guardian Deployment will use its default values for its init containers.

    -spec
    +containers
    - -CalicoKubeControllersDeploymentSpec + +[]GuardianDeploymentContainer @@ -5705,26 +13564,24 @@ CalicoKubeControllersDeploymentSpec (Optional)

    -Spec is the specification of the calico-kube-controllers Deployment. +Containers is a list of guardian containers. +If specified, this overrides the specified guardian Deployment containers. +If omitted, the guardian Deployment will use its default values for its containers.

    -
    -
    - -
    -

    CalicoKubeControllersDeploymentContainer

    +

    GuardianDeploymentPodTemplateSpec

    (Appears on: -CalicoKubeControllersDeploymentPodSpec) +GuardianDeploymentSpec)

    -CalicoKubeControllersDeploymentContainer is a calico-kube-controllers Deployment container. +GuardianDeploymentPodTemplateSpec is the guardian Deployment’s PodTemplateSpec

    @@ -5737,27 +13594,10 @@ CalicoKubeControllersDeploymentContainer is a calico-kube-controllers Deployment - - - -
    -name
    - -string - - -
    - -

    -Name is an enum which identifies the calico-kube-controllers Deployment container by name. -

    - -
    - -resources
    +spec
    - -Kubernetes core/v1.ResourceRequirements + +GuardianDeploymentPodSpec @@ -5766,25 +13606,26 @@ Kubernetes core/v1.ResourceRequirements (Optional)

    -Resources allows customization of limits and requests for compute resources such as cpu and memory. -If specified, this overrides the named calico-kube-controllers Deployment container’s resources. -If omitted, the calico-kube-controllers Deployment will use its default value for this container’s resources. -If used in conjunction with the deprecated ComponentResources, then this value takes precedence. +Spec is the guardian Deployment’s PodSpec.

    +
    +
    + +
    -

    CalicoKubeControllersDeploymentPodSpec

    +

    GuardianDeploymentSpec

    (Appears on: -CalicoKubeControllersDeploymentPodTemplateSpec) +GuardianDeployment)

    -CalicoKubeControllersDeploymentPodSpec is the calico-kube-controller Deployment’s PodSpec. +GuardianDeploymentSpec defines configuration for the guardian Deployment.

    @@ -5797,10 +13638,10 @@ CalicoKubeControllersDeploymentPodSpec is the calico-kube-controller Deployment& + +
    -containers
    +template
    - -[]CalicoKubeControllersDeploymentContainer + +GuardianDeploymentPodTemplateSpec @@ -5809,32 +13650,45 @@ CalicoKubeControllersDeploymentPodSpec is the calico-kube-controller Deployment& (Optional)

    -Containers is a list of calico-kube-controllers containers. -If specified, this overrides the specified calico-kube-controllers Deployment containers. -If omitted, the calico-kube-controllers Deployment will use its default values for its containers. +Template describes the guardian Deployment pod that will be created.

    +

    HTTPProbe

    +

    + +(Appears on: +EgressGatewayFailureDetection) + +

    +

    +HTTPProbe defines the HTTP probe configuration for Egress Gateway. +

    + + + + + + + + @@ -5842,23 +13696,18 @@ WARNING: Please note that this field will override the default calico-kube-contr @@ -5866,11 +13715,9 @@ WARNING: Please note that this field will modify the default calico-kube-control @@ -5878,25 +13725,37 @@ WARNING: Please note that this field will modify the default calico-kube-control (Optional)

    -Tolerations is the calico-kube-controllers pod’s tolerations. -If specified, this overrides any tolerations that may be set on the calico-kube-controllers Deployment. -If omitted, the calico-kube-controllers Deployment will use its default value for tolerations. -WARNING: Please note that this field will override the default calico-kube-controllers Deployment tolerations. +TimeoutSeconds defines the timeout value of HTTP probes. Used when URLs is non-empty. +Default: 30

    FieldDescription
    -affinity
    +urls
    - -Kubernetes core/v1.Affinity - +[]string
    -(Optional)

    -Affinity is a group of affinity scheduling rules for the calico-kube-controllers pods. -If specified, this overrides any affinity that may be set on the calico-kube-controllers Deployment. -If omitted, the calico-kube-controllers Deployment will use its default value for affinity. -WARNING: Please note that this field will override the default calico-kube-controllers Deployment affinity. +URLs define the list of HTTP probe URLs. Egress Gateway will probe each URL +periodically.If all probes fail, Egress Gateway will report non-ready.
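Review bot: Missing space after the full stop in the urls description: "periodically.If all probes fail". While touching that sentence, state whether "all probes" means every URL in the list must fail before the gateway reports non-ready, so that it lines up with the EgressGatewayFailureDetection text, which speaks of one HTTP probe succeeding.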

    -nodeSelector
    +intervalSeconds
    -map[string]string +int32
    +(Optional)

    -NodeSelector is the calico-kube-controllers pod’s scheduling constraints. -If specified, each of the key/value pairs are added to the calico-kube-controllers Deployment nodeSelector provided -the key does not already exist in the object’s nodeSelector. -If used in conjunction with ControlPlaneNodeSelector, that nodeSelector is set on the calico-kube-controllers Deployment -and each of this field’s key/value pairs are added to the calico-kube-controllers Deployment nodeSelector provided -the key does not already exist in the object’s nodeSelector. -If omitted, the calico-kube-controllers Deployment will use its default value for nodeSelector. -WARNING: Please note that this field will modify the default calico-kube-controllers Deployment nodeSelector. +IntervalSeconds defines the interval of HTTP probes. Used when URLs is non-empty. +Default: 10
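Review bot: The HTTPProbe `urls` description is missing a space after the full stop ("periodically.If all probes fail"); the ICMPProbe `ips` description has it, so match that. The listed defaults also put `timeoutSeconds` (30) above `intervalSeconds` (10), and ICMPProbe does the same (15 against 5). The field text should say whether a probe still outstanding at the next interval overlaps with the new one or delays it, because that decides how long an unreachable endpoint goes unnoticed before Egress Gateway reports non-ready.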

    -tolerations
    +timeoutSeconds
    - -[]Kubernetes core/v1.Toleration - +int32
    -

    CalicoKubeControllersDeploymentPodTemplateSpec

    +

    HostPortsType +(string alias)

    (Appears on: -CalicoKubeControllersDeploymentSpec) +CalicoNetworkSpec)

    -CalicoKubeControllersDeploymentPodTemplateSpec is the calico-kube-controllers Deployment’s PodTemplateSpec +HostPortsType specifies host port support. +

    +

    +One of: Enabled, Disabled +

    +

    ICMPProbe

    +

    + +(Appears on: +EgressGatewayFailureDetection) + +

    +

    +ICMPProbe defines the ICMP probe configuration for Egress Gateway.

    @@ -5909,11 +13768,27 @@ CalicoKubeControllersDeploymentPodTemplateSpec is the calico-kube-controllers De + + + + @@ -5921,8 +13796,8 @@ Metadata (Optional)

    -Metadata is a subset of a Kubernetes object’s metadata that is added to -the pod’s metadata. +IntervalSeconds defines the interval of ICMP probes. Used when IPs is non-empty. +Default: 5

    @@ -5930,11 +13805,9 @@ the pod’s metadata. @@ -5942,26 +13815,31 @@ CalicoKubeControllersDeploymentPodSpec (Optional)

    -Spec is the calico-kube-controllers Deployment’s PodSpec. +TimeoutSeconds defines the timeout value of ICMP probes. Used when IPs is non-empty. +Default: 15

    -
    -
    -
    -metadata
    +ips
    - -Metadata - +[]string + + +
    + +

    +IPs define the list of ICMP probe IPs. Egress Gateway will probe each IP +periodically. If all probes fail, Egress Gateway will report non-ready. +

    + +
    + +intervalSeconds
    + +int32
    -spec
    +timeoutSeconds
    - -CalicoKubeControllersDeploymentPodSpec - +int32
    -
    -

    CalicoKubeControllersDeploymentSpec

    +

    IPAMPluginType +(string alias)

    (Appears on: -CalicoKubeControllersDeployment) +IPAMSpec)

    +

    IPAMSpec

    -CalicoKubeControllersDeploymentSpec defines configuration for the calico-kube-controllers Deployment. + +(Appears on: +CNISpec) + +

    +

    +IPAMSpec contains configuration for pod IP address management.

    @@ -5974,55 +13852,42 @@ CalicoKubeControllersDeploymentSpec defines configuration for the calico-kube-co - - - -
    -minReadySeconds
    - -int32 - - -
    - -(Optional) -

    -MinReadySeconds is the minimum number of seconds for which a newly created Deployment pod should -be ready without any of its container crashing, for it to be considered available. -If specified, this overrides any minReadySeconds value that may be set on the calico-kube-controllers Deployment. -If omitted, the calico-kube-controllers Deployment will use its default value for minReadySeconds. -

    - -
    - -template
    +type
    - -CalicoKubeControllersDeploymentPodTemplateSpec + +IPAMPluginType
    -(Optional)

    -Template describes the calico-kube-controllers Deployment pod that will be created. +Specifies the IPAM plugin that will be used in the Calico or Calico Enterprise installation. +* For CNI Plugin Calico, this field defaults to Calico. +* For CNI Plugin GKE, this field defaults to HostLocal. +* For CNI Plugin AzureVNET, this field defaults to AzureVNET. +* For CNI Plugin AmazonVPC, this field defaults to AmazonVPC. +

    +

    +The IPAM plugin is installed and configured only if the CNI plugin is set to Calico, +for all other values of the CNI plugin the plugin binaries and CNI config is a dependency +that is expected to be installed separately. +

    +

    +Default: Calico

    -

    CalicoNetworkSpec

    +

    IPPool

    (Appears on: -InstallationSpec) +CalicoNetworkSpec) -

    -

    -CalicoNetworkSpec specifies configuration options for Calico provided pod networking.

    @@ -6035,22 +13900,16 @@ CalicoNetworkSpec specifies configuration options for Calico provided pod networ @@ -6058,10 +13917,10 @@ Default: Iptables @@ -6081,10 +13939,10 @@ Default: Disabled @@ -6101,11 +13960,9 @@ BGP configures whether or not to enable Calico’s BGP capabilities. @@ -6113,8 +13970,8 @@ BGP configures whether or not to enable Calico’s BGP capabilities. (Optional)

    -IPPools contains a list of IP pools to create if none exist. At most one IP pool of each -address family may be specified. If omitted, a single pool will be configured if needed. +NodeSelector specifies the node selector that will be set for the IP Pool. +Default: ‘all()’

    @@ -6122,7 +13979,7 @@ address family may be specified. If omitted, a single pool will be configured if @@ -6141,11 +13999,9 @@ If not specified, Calico will perform MTU auto-detection based on the cluster ne @@ -6153,72 +14009,45 @@ NodeAddressAutodetection (Optional)

    -NodeAddressAutodetectionV4 specifies an approach to automatically detect node IPv4 addresses. If not specified, -will use default auto-detection settings to acquire an IPv4 address for each node. +DisableBGPExport specifies whether routes from this IP pool’s CIDR are exported over BGP. +Default: false

    - - -
    -linuxDataplane
    +cidr
    - -LinuxDataplaneOption - +string
    -(Optional)

    -LinuxDataplane is used to select the dataplane used for Linux nodes. In particular, it -causes the operator to add required mounts and environment variables for the particular dataplane. -If not specified, iptables mode is used. -Default: Iptables +CIDR contains the address range for the IP Pool in classless inter-domain routing format.

    -windowsDataplane
    +encapsulation
    - -WindowsDataplaneOption + +EncapsulationType @@ -6070,10 +13929,9 @@ WindowsDataplaneOption (Optional)

    -WindowsDataplane is used to select the dataplane used for Windows nodes. In particular, it -causes the operator to add required mounts and environment variables for the particular dataplane. -If not specified, it is disabled and the operator will not render the Calico Windows nodes daemonset. -Default: Disabled +Encapsulation specifies the encapsulation type that will be used with +the IP Pool. +Default: IPIP

    -bgp
    +natOutgoing
    - -BGPOption + +NATOutgoingType @@ -6093,7 +13951,8 @@ BGPOption (Optional)

    -BGP configures whether or not to enable Calico’s BGP capabilities. +NATOutgoing specifies if NAT will be enabled or disabled for outgoing traffic. +Default: Enabled

    -ipPools
    +nodeSelector
    - -[]IPPool - +string
    -mtu
    +blockSize
    int32 @@ -6132,8 +13989,9 @@ int32 (Optional)

    -MTU specifies the maximum transmission unit to use on the pod network. -If not specified, Calico will perform MTU auto-detection based on the cluster network. +BlockSize specifies the CIDR prefex length to use when allocating per-node IP blocks from +the main IP pool CIDR. +Default: 26 (IPv4), 122 (IPv6)
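Review bot: Typo in the added `blockSize` description: "CIDR prefex length" should read "CIDR prefix length".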

    -nodeAddressAutodetectionV4
    +disableBGPExport
    - -NodeAddressAutodetection - +bool
    - -nodeAddressAutodetectionV6
    - - -NodeAddressAutodetection - - - -
    - -(Optional) + +
    +

    Image

    -NodeAddressAutodetectionV6 specifies an approach to automatically detect node IPv6 addresses. If not specified, -IPv6 addresses will not be auto-detected. -

    - - - - - - -hostPorts
    - - -HostPortsType - - - - +(Appears on: +ImageSetSpec) -(Optional) -

    -HostPorts configures whether or not Calico will support Kubernetes HostPorts. Valid only when using the Calico CNI plugin. -Default: Enabled

    - - + + + + + + + @@ -6226,35 +14055,32 @@ Default: None
    FieldDescription
    -multiInterfaceMode
    +image
    - -MultiInterfaceMode - +string
    -(Optional)

    -MultiInterfaceMode configures what will configure multiple interface per pod. Only valid for Calico Enterprise installations -using the Calico CNI plugin. -Default: None +Image is an image that the operator deploys and instead of using the built in tag +the operator will use the Digest for the image identifier. +The value should be the image name without registry or tag or digest. +For the image docker.io/calico/node:v3.17.1 it should be represented as calico/node

    -containerIPForwarding
    +digest
    - -ContainerIPForwardingType - +string
    -(Optional)

    -ContainerIPForwarding configures whether ip forwarding will be enabled for containers in the CNI configuration. -Default: Disabled +Digest is the image identifier that will be used for the Image. +The field should not include a leading @ and must be prefixed with sha256:.
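Review bot: The `image` description in the Image type is hard to parse ("an image that the operator deploys and instead of using the built in tag the operator will use the Digest"). Suggest two sentences: one saying the entry names an image the operator deploys, one saying the operator identifies it by `digest` rather than by its built-in tag. The `digest` text states the required `sha256:` prefix and the ban on a leading @ but gives no example, while `image` does (calico/node); an example value with a placeholder digest would help prevent malformed entries.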

    -

    CalicoNodeDaemonSet

    +

    ImageSetSpec

    (Appears on: -InstallationSpec) +ImageSet)

    -CalicoNodeDaemonSet is the configuration for the calico-node DaemonSet. +ImageSetSpec defines the desired state of ImageSet.

    @@ -6267,58 +14093,34 @@ CalicoNodeDaemonSet is the configuration for the calico-node DaemonSet. - - - -
    -metadata
    - - -Metadata - - - -
    - -(Optional) -

    -Metadata is a subset of a Kubernetes object’s metadata that is added to the DaemonSet. -

    - -
    - -spec
    +images
    - -CalicoNodeDaemonSetSpec + +[]Image
    -(Optional)

    -Spec is the specification of the calico-node DaemonSet. +Images is the list of images to use digests. All images that the operator will deploy +must be specified.

    -
    -
    - -
    -

    CalicoNodeDaemonSetContainer

    +

    Index

    (Appears on: -CalicoNodeDaemonSetPodSpec) +TenantSpec)

    -CalicoNodeDaemonSetContainer is a calico-node DaemonSet container. +Index defines how to store a tenant’s data

    @@ -6331,7 +14133,7 @@ CalicoNodeDaemonSetContainer is a calico-node DaemonSet container. @@ -6348,37 +14152,33 @@ Name is an enum which identifies the calico-node DaemonSet container by name.
    -name
    +baseIndexName
    string @@ -6340,7 +14142,9 @@ string

    -Name is an enum which identifies the calico-node DaemonSet container by name. +BaseIndexName defines the name of the index +that will be used to store data (this name +excludes the numerical identifier suffix)

    -resources
    +dataType
    - -Kubernetes core/v1.ResourceRequirements + +DataType
    -(Optional)

    -Resources allows customization of limits and requests for compute resources such as cpu and memory. -If specified, this overrides the named calico-node DaemonSet container’s resources. -If omitted, the calico-node DaemonSet will use its default value for this container’s resources. -If used in conjunction with the deprecated ComponentResources, then this value takes precedence. +DataType represents the type of data stored in the defined index

    -

    CalicoNodeDaemonSetInitContainer

    +

    Indices

    (Appears on: -CalicoNodeDaemonSetPodSpec) +LogStorageSpec)

    -CalicoNodeDaemonSetInitContainer is a calico-node DaemonSet init container. +Indices defines the configuration for the indices in an Elasticsearch cluster.

    @@ -6391,28 +14191,9 @@ CalicoNodeDaemonSetInitContainer is a calico-node DaemonSet init container. - - - - @@ -6420,25 +14201,23 @@ Kubernetes core/v1.ResourceRequirements (Optional)

    -Resources allows customization of limits and requests for compute resources such as cpu and memory. -If specified, this overrides the named calico-node DaemonSet init container’s resources. -If omitted, the calico-node DaemonSet will use its default value for this container’s resources. -If used in conjunction with the deprecated ComponentResources, then this value takes precedence. +Replicas defines how many replicas each index will have. See https://www.elastic.co/guide/en/elasticsearch/reference/current/scalability.html

    -name
    - -string - - -
    - -

    -Name is an enum which identifies the calico-node DaemonSet init container by name. -

    - -
    - -resources
    +replicas
    - -Kubernetes core/v1.ResourceRequirements - +int32
    -

    CalicoNodeDaemonSetPodSpec

    +

    InstallationSpec

    (Appears on: -CalicoNodeDaemonSetPodTemplateSpec) +Installation, +InstallationStatus)

    -CalicoNodeDaemonSetPodSpec is the calico-node DaemonSet’s PodSpec. +InstallationSpec defines configuration for a Calico or Calico Enterprise installation.

    @@ -6451,10 +14230,10 @@ CalicoNodeDaemonSetPodSpec is the calico-node DaemonSet’s PodSpec. @@ -6473,11 +14251,9 @@ If omitted, the calico-node DaemonSet will use its default values for its init c @@ -6485,9 +14261,17 @@ If omitted, the calico-node DaemonSet will use its default values for its init c (Optional)

    -Containers is a list of calico-node containers. -If specified, this overrides the specified calico-node DaemonSet containers. -If omitted, the calico-node DaemonSet will use its default values for its containers. +Registry is the default Docker registry used for component Docker images. +If specified then the given value must end with a slash character (/) and all images will be pulled from this registry. +If not specified then the default registries will be used. A special case value, UseDefault, is +supported to explicitly specify the default registries will be used. +

    +

    +Image format: +<registry><imagePath>/<imagePrefix><imageName>:<image-tag> +

    +

    +This option allows configuring the <registry> portion of the above format.

    @@ -6495,11 +14279,9 @@ If omitted, the calico-node DaemonSet will use its default values for its contai @@ -6507,10 +14289,18 @@ Kubernetes core/v1.Affinity (Optional)

    -Affinity is a group of affinity scheduling rules for the calico-node pods. -If specified, this overrides any affinity that may be set on the calico-node DaemonSet. -If omitted, the calico-node DaemonSet will use its default value for affinity. -WARNING: Please note that this field will override the default calico-node DaemonSet affinity. +ImagePath allows for the path part of an image to be specified. If specified +then the specified value will be used as the image path for each image. If not specified +or empty, the default for each image will be used. +A special case value, UseDefault, is supported to explicitly specify the default +image path will be used for each image. +

    +

    +Image format: +<registry><imagePath>/<imagePrefix><imageName>:<image-tag> +

    +

    +This option allows configuring the <imagePath> portion of the above format.

    @@ -6518,9 +14308,9 @@ WARNING: Please note that this field will override the default calico-node Daemo @@ -6528,11 +14318,18 @@ map[string]string (Optional)

    -NodeSelector is the calico-node pod’s scheduling constraints. -If specified, each of the key/value pairs are added to the calico-node DaemonSet nodeSelector provided -the key does not already exist in the object’s nodeSelector. -If omitted, the calico-node DaemonSet will use its default value for nodeSelector. -WARNING: Please note that this field will modify the default calico-node DaemonSet nodeSelector. +ImagePrefix allows for the prefix part of an image to be specified. If specified +then the given value will be used as a prefix on each image. If not specified +or empty, no prefix will be used. +A special case value, UseDefault, is supported to explicitly specify the default +image prefix will be used for each image. +

    +

    +Image format: +<registry><imagePath>/<imagePrefix><imageName>:<image-tag> +

    +

    +This option allows configuring the <imagePrefix> portion of the above format.

    @@ -6540,10 +14337,10 @@ WARNING: Please note that this field will modify the default calico-node DaemonS - -
    -initContainers
    +variant
    - -[]CalicoNodeDaemonSetInitContainer + +ProductVariant @@ -6463,9 +14242,8 @@ CalicoNodeDaemonSetPodSpec is the calico-node DaemonSet’s PodSpec. (Optional)

    -InitContainers is a list of calico-node init containers. -If specified, this overrides the specified calico-node DaemonSet init containers. -If omitted, the calico-node DaemonSet will use its default values for its init containers. +Variant is the product to install - one of Calico or TigeraSecureEnterprise +Default: Calico

    -containers
    +registry
    - -[]CalicoNodeDaemonSetContainer - +string
    -affinity
    +imagePath
    - -Kubernetes core/v1.Affinity - +string
    -nodeSelector
    +imagePrefix
    -map[string]string +string
    -tolerations
    +imagePullSecrets
    - -[]Kubernetes core/v1.Toleration + +[]Kubernetes core/v1.LocalObjectReference @@ -6552,41 +14349,19 @@ WARNING: Please note that this field will modify the default calico-node DaemonS (Optional)

    -Tolerations is the calico-node pod’s tolerations. -If specified, this overrides any tolerations that may be set on the calico-node DaemonSet. -If omitted, the calico-node DaemonSet will use its default value for tolerations. -WARNING: Please note that this field will override the default calico-node DaemonSet tolerations. +ImagePullSecrets is an array of references to container registry pull secrets to use. These are +applied to all images to be pulled.

    -

    CalicoNodeDaemonSetPodTemplateSpec

    -

    - -(Appears on: -CalicoNodeDaemonSetSpec) - -

    -

    -CalicoNodeDaemonSetPodTemplateSpec is the calico-node DaemonSet’s PodTemplateSpec -

    - - - - - - - - @@ -6604,10 +14381,10 @@ the pod’s metadata. - -
    FieldDescription
    -metadata
    +kubernetesProvider
    - -Metadata + +Provider @@ -6595,8 +14370,10 @@ Metadata (Optional)

    -Metadata is a subset of a Kubernetes object’s metadata that is added to -the pod’s metadata. +KubernetesProvider specifies a particular provider of the Kubernetes platform and enables provider-specific configuration. +If the specified value is empty, the Operator will attempt to automatically determine the current provider. +If the specified value is not empty, the Operator will still attempt auto-detection, but +will additionally compare the auto-detected value to the specified value to confirm they match.

    -spec
    +cni
    - -CalicoNodeDaemonSetPodSpec + +CNISpec @@ -6616,41 +14393,19 @@ CalicoNodeDaemonSetPodSpec (Optional)

    -Spec is the calico-node DaemonSet’s PodSpec. +CNI specifies the CNI that will be used by this installation.

    -
    -
    - -
    -

    CalicoNodeDaemonSetSpec

    -

    - -(Appears on: -CalicoNodeDaemonSet) - -

    -

    -CalicoNodeDaemonSetSpec defines configuration for the calico-node DaemonSet. -

    - - - - - - - - @@ -6658,10 +14413,7 @@ int32 (Optional)

    -MinReadySeconds is the minimum number of seconds for which a newly created DaemonSet pod should -be ready without any of its container crashing, for it to be considered available. -If specified, this overrides any minReadySeconds value that may be set on the calico-node DaemonSet. -If omitted, the calico-node DaemonSet will use its default value for minReadySeconds. +CalicoNetwork specifies networking configuration options for Calico.

    @@ -6669,10 +14421,10 @@ If omitted, the calico-node DaemonSet will use its default value for minReadySec - -
    FieldDescription
    -minReadySeconds
    +calicoNetwork
    -int32 + +CalicoNetworkSpec +
    -template
    +typhaAffinity
    - -CalicoNodeDaemonSetPodTemplateSpec + +TyphaAffinity @@ -6681,38 +14433,38 @@ CalicoNodeDaemonSetPodTemplateSpec (Optional)

    -Template describes the calico-node DaemonSet pod that will be created. +Deprecated. Please use Installation.Spec.TyphaDeployment instead. +TyphaAffinity allows configuration of node affinity characteristics for Typha pods.

    -

    CalicoNodeWindowsDaemonSet

    -

    + + -(Appears on: -InstallationSpec) +controlPlaneNodeSelector
    + +map[string]string + -

    + + + +(Optional)

    -CalicoNodeWindowsDaemonSet is the configuration for the calico-node-windows DaemonSet. +ControlPlaneNodeSelector is used to select control plane nodes on which to run Calico +components. This is globally applied to all resources created by the operator excluding daemonsets.

    - - - - - + + - - @@ -6729,11 +14482,9 @@ Metadata is a subset of a Kubernetes object’s metadata that is added to th @@ -6741,48 +14492,46 @@ CalicoNodeWindowsDaemonSetSpec (Optional)

    -Spec is the specification of the calico-node-windows DaemonSet. +ControlPlaneReplicas defines how many replicas of the control plane core components will be deployed. +This field applies to all control plane components that support High Availability. Defaults to 2.

    -
    -
    -
    FieldDescription
    -metadata
    +controlPlaneTolerations
    - -Metadata + +[]Kubernetes core/v1.Toleration @@ -6721,7 +14473,8 @@ Metadata (Optional)

    -Metadata is a subset of a Kubernetes object’s metadata that is added to the DaemonSet. +ControlPlaneTolerations specify tolerations which are then globally applied to all resources +created by the operator.

    -spec
    +controlPlaneReplicas
    - -CalicoNodeWindowsDaemonSetSpec - +int32
    -
    - - -

    CalicoNodeWindowsDaemonSetContainer

    -

    + + -(Appears on: -CalicoNodeWindowsDaemonSetPodSpec) +nodeMetricsPort
    + +int32 + -

    + + + +(Optional)

    -CalicoNodeWindowsDaemonSetContainer is a calico-node-windows DaemonSet container. +NodeMetricsPort specifies which port calico/node serves prometheus metrics on. By default, metrics are not enabled. +If specified, this overrides any FelixConfiguration resources which may exist. If omitted, then +prometheus metrics may still be configured through FelixConfiguration.

    - - - - - + + - - @@ -6790,11 +14539,9 @@ Name is an enum which identifies the calico-node-windows DaemonSet container by @@ -6802,38 +14549,17 @@ Kubernetes core/v1.ResourceRequirements (Optional)

    -Resources allows customization of limits and requests for compute resources such as cpu and memory. -If specified, this overrides the named calico-node-windows DaemonSet container’s resources. -If omitted, the calico-node-windows DaemonSet will use its default value for this container’s resources. -If used in conjunction with the deprecated ComponentResources, then this value takes precedence. +FlexVolumePath optionally specifies a custom path for FlexVolume. If not specified, FlexVolume will be +enabled by default. If set to ‘None’, FlexVolume will be disabled. The default is based on the +kubernetesProvider.

    - -
    FieldDescription
    -name
    +typhaMetricsPort
    -string +int32
    +(Optional)

    -Name is an enum which identifies the calico-node-windows DaemonSet container by name. +TyphaMetricsPort specifies which port calico/typha serves prometheus metrics on. By default, metrics are not enabled.

    -resources
    +flexVolumePath
    - -Kubernetes core/v1.ResourceRequirements - +string
    -

    CalicoNodeWindowsDaemonSetInitContainer

    -

    - -(Appears on: -CalicoNodeWindowsDaemonSetPodSpec) - -

    -

    -CalicoNodeWindowsDaemonSetInitContainer is a calico-node-windows DaemonSet init container. -

    - - - - - - - - @@ -6850,10 +14579,10 @@ Name is an enum which identifies the calico-node-windows DaemonSet init containe - -
    FieldDescription
    -name
    +kubeletVolumePluginPath
    string @@ -6841,8 +14567,11 @@ string
    +(Optional)

    -Name is an enum which identifies the calico-node-windows DaemonSet init container by name. +KubeletVolumePluginPath optionally specifies enablement of Calico CSI plugin. If not specified, +CSI will be enabled by default. If set to ‘None’, CSI will be disabled. +Default: /var/lib/kubelet
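Review bot: The `kubeletVolumePluginPath` description says the field "optionally specifies enablement of Calico CSI plugin" but then lists a path, /var/lib/kubelet, as the default. State up front that the value is the kubelet volume plugin path used by the CSI plugin and that the special value `None` disables CSI, so the field name, description and default agree.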

    -resources
    +nodeUpdateStrategy
    - -Kubernetes core/v1.ResourceRequirements + +Kubernetes apps/v1.DaemonSetUpdateStrategy @@ -6862,41 +14591,19 @@ Kubernetes core/v1.ResourceRequirements (Optional)

    -Resources allows customization of limits and requests for compute resources such as cpu and memory. -If specified, this overrides the named calico-node-windows DaemonSet init container’s resources. -If omitted, the calico-node-windows DaemonSet will use its default value for this container’s resources. -If used in conjunction with the deprecated ComponentResources, then this value takes precedence. +NodeUpdateStrategy can be used to customize the desired update strategy, such as the MaxUnavailable +field.

    -

    CalicoNodeWindowsDaemonSetPodSpec

    -

    - -(Appears on: -CalicoNodeWindowsDaemonSetPodTemplateSpec) - -

    -

    -CalicoNodeWindowsDaemonSetPodSpec is the calico-node-windows DaemonSet’s PodSpec. -

    - - - - - - - - @@ -6915,10 +14622,10 @@ If omitted, the calico-node-windows DaemonSet will use its default values for it @@ -6937,10 +14644,10 @@ If omitted, the calico-node-windows DaemonSet will use its default values for it @@ -6960,21 +14664,19 @@ WARNING: Please note that this field will override the default calico-node-windo @@ -6982,63 +14684,38 @@ WARNING: Please note that this field will modify the default calico-node-windows - -
    FieldDescription
    -initContainers
    +componentResources
    - -[]CalicoNodeWindowsDaemonSetInitContainer + +[]ComponentResource @@ -6905,9 +14612,9 @@ CalicoNodeWindowsDaemonSetPodSpec is the calico-node-windows DaemonSet’s P (Optional)

    -InitContainers is a list of calico-node-windows init containers. -If specified, this overrides the specified calico-node-windows DaemonSet init containers. -If omitted, the calico-node-windows DaemonSet will use its default values for its init containers. +Deprecated. Please use CalicoNodeDaemonSet, TyphaDeployment, and KubeControllersDeployment. +ComponentResources can be used to customize the resource requirements for each component. +Node, Typha, and KubeControllers are supported for installations.

    -containers
    +certificateManagement
    - -[]CalicoNodeWindowsDaemonSetContainer + +CertificateManagement @@ -6927,9 +14634,9 @@ If omitted, the calico-node-windows DaemonSet will use its default values for it (Optional)

    -Containers is a list of calico-node-windows containers. -If specified, this overrides the specified calico-node-windows DaemonSet containers. -If omitted, the calico-node-windows DaemonSet will use its default values for its containers. +CertificateManagement configures pods to submit a CertificateSigningRequest to the certificates.k8s.io/v1beta1 API in order +to obtain TLS certificates. This feature requires that you bring your own CSR signing and approval process, otherwise +pods will be stuck during initialization.
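Review bot: The `certificateManagement` description names the certificates.k8s.io/v1beta1 API, which Kubernetes stopped serving in v1.22 in favour of certificates.k8s.io/v1. If the operator now submits v1 CertificateSigningRequests, the text should say so; if this wording is generated from the type's source comment, fix it there. The statement that pods stay stuck during initialization without a CSR signing and approval process is worth keeping as written.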

    -affinity
    +nonPrivileged
    - -Kubernetes core/v1.Affinity + +NonPrivilegedType @@ -6949,10 +14656,7 @@ Kubernetes core/v1.Affinity (Optional)

    -Affinity is a group of affinity scheduling rules for the calico-node-windows pods. -If specified, this overrides any affinity that may be set on the calico-node-windows DaemonSet. -If omitted, the calico-node-windows DaemonSet will use its default value for affinity. -WARNING: Please note that this field will override the default calico-node-windows DaemonSet affinity. +NonPrivileged configures Calico to be run in non-privileged containers as non-root users where possible.

    -nodeSelector
    +calicoNodeDaemonSet
    -map[string]string + +CalicoNodeDaemonSet +
    -(Optional)

    -NodeSelector is the calico-node-windows pod’s scheduling constraints. -If specified, each of the key/value pairs are added to the calico-node-windows DaemonSet nodeSelector provided -the key does not already exist in the object’s nodeSelector. -If omitted, the calico-node-windows DaemonSet will use its default value for nodeSelector. -WARNING: Please note that this field will modify the default calico-node-windows DaemonSet nodeSelector. +CalicoNodeDaemonSet configures the calico-node DaemonSet. If used in +conjunction with the deprecated ComponentResources, then these overrides take precedence.

    -tolerations
    +csiNodeDriverDaemonSet
    - -[]Kubernetes core/v1.Toleration + +CSINodeDriverDaemonSet
    -(Optional)

    -Tolerations is the calico-node-windows pod’s tolerations. -If specified, this overrides any tolerations that may be set on the calico-node-windows DaemonSet. -If omitted, the calico-node-windows DaemonSet will use its default value for tolerations. -WARNING: Please note that this field will override the default calico-node-windows DaemonSet tolerations. +CSINodeDriverDaemonSet configures the csi-node-driver DaemonSet.

    -

    CalicoNodeWindowsDaemonSetPodTemplateSpec

    -

    - -(Appears on: -CalicoNodeWindowsDaemonSetSpec) - -

    -

    -CalicoNodeWindowsDaemonSetPodTemplateSpec is the calico-node-windows DaemonSet’s PodTemplateSpec -

    - - - - - - - - @@ -7046,64 +14723,39 @@ the pod’s metadata. - -
    FieldDescription
    -metadata
    +calicoKubeControllersDeployment
    - -Metadata + +CalicoKubeControllersDeployment
    -(Optional)

    -Metadata is a subset of a Kubernetes object’s metadata that is added to -the pod’s metadata. +CalicoKubeControllersDeployment configures the calico-kube-controllers Deployment. If used in +conjunction with the deprecated ComponentResources, then these overrides take precedence.

    -spec
    +typhaDeployment
    - -CalicoNodeWindowsDaemonSetPodSpec + +TyphaDeployment
    -(Optional)

    -Spec is the calico-node-windows DaemonSet’s PodSpec. +TyphaDeployment configures the typha Deployment. If used in conjunction with the deprecated +ComponentResources or TyphaAffinity, then these overrides take precedence.

    -
    -
    - -
    -

    CalicoNodeWindowsDaemonSetSpec

    -

    - -(Appears on: -CalicoNodeWindowsDaemonSet) - -

    -

    -CalicoNodeWindowsDaemonSetSpec defines configuration for the calico-node-windows DaemonSet. -

    - - - - - - - - @@ -7111,51 +14763,29 @@ If omitted, the calico-node-windows DaemonSet will use its default value for min - -
    FieldDescription
    -minReadySeconds
    +calicoWindowsUpgradeDaemonSet
    -int32 + +CalicoWindowsUpgradeDaemonSet +
    -(Optional)

    -MinReadySeconds is the minimum number of seconds for which a newly created DaemonSet pod should -be ready without any of its container crashing, for it to be considered available. -If specified, this overrides any minReadySeconds value that may be set on the calico-node-windows DaemonSet. -If omitted, the calico-node-windows DaemonSet will use its default value for minReadySeconds. +Deprecated. The CalicoWindowsUpgradeDaemonSet is deprecated and will be removed from the API in the future. +CalicoWindowsUpgradeDaemonSet configures the calico-windows-upgrade DaemonSet.

    -template
    +calicoNodeWindowsDaemonSet
    - -CalicoNodeWindowsDaemonSetPodTemplateSpec + +CalicoNodeWindowsDaemonSet
    -(Optional)

    -Template describes the calico-node-windows DaemonSet pod that will be created. +CalicoNodeWindowsDaemonSet configures the calico-node-windows DaemonSet.

    -

    CalicoWindowsUpgradeDaemonSet

    -

    - -(Appears on: -InstallationSpec) - -

    -

    -Deprecated. The CalicoWindowsUpgradeDaemonSet is deprecated and will be removed from the API in the future. -CalicoWindowsUpgradeDaemonSet is the configuration for the calico-windows-upgrade DaemonSet. -

    - - - - - - - - @@ -7172,10 +14803,10 @@ Metadata is a subset of a Kubernetes object’s metadata that is added to th - -
    FieldDescription
    -metadata
    - - -Metadata +fipsMode
    + +
    +FIPSMode @@ -7164,7 +14794,8 @@ Metadata (Optional)

    -Metadata is a subset of a Kubernetes object’s metadata that is added to the Deployment. +FIPSMode uses images and features only that are using FIPS 140-2 validated cryptographic modules and standards. +Default: Disabled
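Review bot: Word order in the `fipsMode` description: "uses images and features only that are using FIPS 140-2 validated cryptographic modules" reads better as "uses only images and features that use FIPS 140-2 validated cryptographic modules". The text should also list the accepted values next to "Default: Disabled", the way HostPortsType does with "One of: Enabled, Disabled".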

    -spec
    +logging
    - -CalicoWindowsUpgradeDaemonSetSpec + +Logging @@ -7184,48 +14815,27 @@ CalicoWindowsUpgradeDaemonSetSpec (Optional)

    -Spec is the specification of the calico-windows-upgrade DaemonSet. +Logging Configuration for Components

    -
    -
    - -
    -

    CalicoWindowsUpgradeDaemonSetContainer

    -

    - -(Appears on: -CalicoWindowsUpgradeDaemonSetPodSpec) - -

    -

    -CalicoWindowsUpgradeDaemonSetContainer is a calico-windows-upgrade DaemonSet container. -

    - - - - - - - - @@ -7233,11 +14843,9 @@ Name is an enum which identifies the calico-windows-upgrade DaemonSet container @@ -7245,24 +14853,22 @@ Kubernetes core/v1.ResourceRequirements (Optional)

    -Resources allows customization of limits and requests for compute resources such as cpu and memory. -If specified, this overrides the named calico-windows-upgrade DaemonSet container’s resources. -If omitted, the calico-windows-upgrade DaemonSet will use its default value for this container’s resources. +Kubernetes Service CIDRs. Specifying this is required when using Calico for Windows.

    FieldDescription
    -name
    +windowsNodes
    -string + +WindowsNodeSpec +
    +(Optional)

    -Name is an enum which identifies the calico-windows-upgrade DaemonSet container by name. +Windows Configuration

    -resources
    +serviceCIDRs
    - -Kubernetes core/v1.ResourceRequirements - +[]string
    -

    CalicoWindowsUpgradeDaemonSetPodSpec

    +

    InstallationStatus

    (Appears on: -CalicoWindowsUpgradeDaemonSetPodTemplateSpec) +Installation)

    -CalicoWindowsUpgradeDaemonSetPodSpec is the calico-windows-upgrade DaemonSet’s PodSpec. +InstallationStatus defines the observed state of the Calico or Calico Enterprise installation.
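Review bot: the serviceCIDRs description says "Specifying this is required when using Calico for Windows", yet it follows an unchanged "(Optional)" marker in this hunk, so the reference should state what the requirement is tied to (for example, whether it applies once windowsNodes is set) and what happens when the field is omitted. The windowsNodes description, "Windows Configuration", only restates the field name; one sentence on what it configures would bring it in line with the other entries.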

    @@ -7275,21 +14881,18 @@ CalicoWindowsUpgradeDaemonSetPodSpec is the calico-windows-upgrade DaemonSet&rsq @@ -7297,22 +14900,17 @@ If omitted, the calico-windows-upgrade DaemonSet will use its default values for @@ -7320,9 +14918,9 @@ WARNING: Please note that this field will override the default calico-windows-up @@ -7330,11 +14928,8 @@ map[string]string (Optional)

    -NodeSelector is the calico-windows-upgrade pod’s scheduling constraints. -If specified, each of the key/value pairs are added to the calico-windows-upgrade DaemonSet nodeSelector provided -the key does not already exist in the object’s nodeSelector. -If omitted, the calico-windows-upgrade DaemonSet will use its default value for nodeSelector. -WARNING: Please note that this field will modify the default calico-windows-upgrade DaemonSet nodeSelector. +ImageSet is the name of the ImageSet being used, if there is an ImageSet +that is being used. If an ImageSet is not being used then this will not be set.

    @@ -7342,10 +14937,10 @@ WARNING: Please note that this field will modify the default calico-windows-upgr - -
    -containers
    +variant
    - -[]CalicoWindowsUpgradeDaemonSetContainer + +ProductVariant
    -(Optional)

    -Containers is a list of calico-windows-upgrade containers. -If specified, this overrides the specified calico-windows-upgrade DaemonSet containers. -If omitted, the calico-windows-upgrade DaemonSet will use its default values for its containers. +Variant is the most recently observed installed variant - one of Calico or TigeraSecureEnterprise

    -affinity
    +mtu
    - -Kubernetes core/v1.Affinity - +int32
    -(Optional)

    -Affinity is a group of affinity scheduling rules for the calico-windows-upgrade pods. -If specified, this overrides any affinity that may be set on the calico-windows-upgrade DaemonSet. -If omitted, the calico-windows-upgrade DaemonSet will use its default value for affinity. -WARNING: Please note that this field will override the default calico-windows-upgrade DaemonSet affinity. +MTU is the most recently observed value for pod network MTU. This may be an explicitly +configured value, or based on Calico’s native auto-detetion.
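Review bot: typo in the added mtu description: "auto-detetion" should be "auto-detection" in the line "configured value, or based on Calico’s native auto-detetion."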

    -nodeSelector
    +imageSet
    -map[string]string +string
    -tolerations
    +computed
    - -[]Kubernetes core/v1.Toleration + +InstallationSpec @@ -7354,51 +14949,26 @@ WARNING: Please note that this field will modify the default calico-windows-upgr (Optional)

    -Tolerations is the calico-windows-upgrade pod’s tolerations. -If specified, this overrides any tolerations that may be set on the calico-windows-upgrade DaemonSet. -If omitted, the calico-windows-upgrade DaemonSet will use its default value for tolerations. -WARNING: Please note that this field will override the default calico-windows-upgrade DaemonSet tolerations. +Computed is the final installation including overlaid resources.

    -

    CalicoWindowsUpgradeDaemonSetPodTemplateSpec

    -

    - -(Appears on: -CalicoWindowsUpgradeDaemonSetSpec) - -

    -

    -CalicoWindowsUpgradeDaemonSetPodTemplateSpec is the calico-windows-upgrade DaemonSet’s PodTemplateSpec -

    - - - - - - - - @@ -7406,10 +14976,10 @@ the pod’s metadata.
    FieldDescription
    -metadata
    +calicoVersion
    - -Metadata - +string
    -(Optional)

    -Metadata is a subset of a Kubernetes object’s metadata that is added to -the pod’s metadata. +CalicoVersion shows the current running version of calico. +CalicoVersion along with Variant is needed to know the exact +version deployed.

    -spec
    +conditions
    - -CalicoWindowsUpgradeDaemonSetPodSpec + +[]Kubernetes meta/v1.Condition @@ -7418,26 +14988,31 @@ CalicoWindowsUpgradeDaemonSetPodSpec (Optional)

    -Spec is the calico-windows-upgrade DaemonSet’s PodSpec. +Conditions represents the latest observed set of conditions for the component. A component may be one or more of +Ready, Progressing, Degraded or other customer types.

    -
    -
    - -
    -

    CalicoWindowsUpgradeDaemonSetSpec

    +

    IntrusionDetectionComponentName +(string alias)

    (Appears on: -CalicoWindowsUpgradeDaemonSet) +IntrusionDetectionComponentResource) + +

    +

    IntrusionDetectionComponentResource

    +

    + +(Appears on: +IntrusionDetectionSpec)

    -CalicoWindowsUpgradeDaemonSetSpec defines configuration for the calico-windows-upgrade DaemonSet. +The ComponentResource struct associates a ResourceRequirements with a component by name
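Review bot: the description added under IntrusionDetectionComponentResource reads "The ComponentResource struct associates a ResourceRequirements with a component by name", which names a different type from the heading it sits under. Suggest starting it with "IntrusionDetectionComponentResource associates ...". The IntrusionDetectionComponentName heading added in the same hunk has only an "Appears on" line; the removed ComponentName entry carried a "One of:" list, and the new alias should list its allowed values the same way.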

    @@ -7450,20 +15025,18 @@ CalicoWindowsUpgradeDaemonSetSpec defines configuration for the calico-windows-u @@ -7471,36 +15044,33 @@ If omitted, the calico-windows-upgrade DaemonSet will use its default value for
    -minReadySeconds
    +componentName
    -int32 + +IntrusionDetectionComponentName +
    -(Optional)

    -MinReadySeconds is the minimum number of seconds for which a newly created Deployment pod should -be ready without any of its container crashing, for it to be considered available. -If specified, this overrides any minReadySeconds value that may be set on the calico-windows-upgrade DaemonSet. -If omitted, the calico-windows-upgrade DaemonSet will use its default value for minReadySeconds. +ComponentName is an enum which identifies the component

    -template
    +resourceRequirements
    - -CalicoWindowsUpgradeDaemonSetPodTemplateSpec + +Kubernetes core/v1.ResourceRequirements
    -(Optional)

    -Template describes the calico-windows-upgrade DaemonSet pod that will be created. +ResourceRequirements allows customization of limits and requests for compute resources such as cpu and memory.

    -

    CertificateManagement

    +

    IntrusionDetectionControllerDeployment

    (Appears on: -InstallationSpec) +IntrusionDetectionSpec)

    -CertificateManagement configures pods to submit a CertificateSigningRequest to the certificates.k8s.io/v1beta1 API in order -to obtain TLS certificates. This feature requires that you bring your own CSR signing and approval process, otherwise -pods will be stuck during initialization. +IntrusionDetectionControllerDeployment is the configuration for the IntrusionDetectionController Deployment.

    @@ -7513,106 +15083,38 @@ pods will be stuck during initialization. - - - - - - - - - - - -
    -caCert
    - -[]byte - - -
    - -

    -Certificate of the authority that signs the CertificateSigningRequests in PEM format. -

    - -
    - -signerName
    - -string - - -
    - -

    -When a CSR is issued to the certificates.k8s.io API, the signerName is added to the request to accommodate for clusters -with multiple signers. -Must be formatted as: <my-domain>/<my-signername>. -

    - -
    - -keyAlgorithm
    - -string - - -
    - -(Optional) -

    -Specify the algorithm used by pods to generate a key pair that is associated with the X.509 certificate request. -Default: RSAWithSize2048 -

    - -
    - -signatureAlgorithm
    +spec
    -string + +IntrusionDetectionControllerDeploymentSpec +
    (Optional) -

    -Specify the algorithm used for the signature of the X.509 certificate request. -Default: SHA256WithRSA +

    +Spec is the specification of the IntrusionDetectionController Deployment.

    +
    +
    + +
    -

    CollectProcessPathOption -(string alias)

    -

    - -(Appears on: -LogCollectorSpec) - -

    -

    ComplianceSpec

    -

    - -(Appears on: -Compliance) - -

    -

    -ComplianceSpec defines the desired state of Tigera compliance reporting capabilities. -

    -

    ComplianceStatus

    +

    IntrusionDetectionControllerDeploymentContainer

    (Appears on: -Compliance) +IntrusionDetectionControllerDeploymentPodSpec)

    -ComplianceStatus defines the observed state of Tigera compliance reporting capabilities. +IntrusionDetectionControllerDeploymentContainer is a IntrusionDetectionController Deployment container.

    @@ -7625,7 +15127,7 @@ ComplianceStatus defines the observed state of Tigera compliance reporting capab @@ -7642,10 +15144,10 @@ State provides user-readable status.
    -state
    +name
    string @@ -7634,7 +15136,7 @@ string

    -State provides user-readable status. +Name is an enum which identifies the IntrusionDetectionController Deployment container by name.

    -conditions
    +resources
    - -[]Kubernetes meta/v1.Condition + +Kubernetes core/v1.ResourceRequirements @@ -7654,38 +15156,24 @@ State provides user-readable status. (Optional)

    -Conditions represents the latest observed set of conditions for the component. A component may be one or more of -Ready, Progressing, Degraded or other customer types. +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named IntrusionDetectionController Deployment container’s resources. +If omitted, the IntrusionDetection Deployment will use its default value for this container’s resources.

    -

    ComponentName -(string alias)

    -

    - -(Appears on: -ComponentResource) - -

    -

    -ComponentName represents a single component. -

    -

    -One of: Node, Typha, KubeControllers -

    -

    ComponentResource

    +

    IntrusionDetectionControllerDeploymentInitContainer

    (Appears on: -InstallationSpec) +IntrusionDetectionControllerDeploymentPodSpec)

    -Deprecated. Please use component resource config fields in Installation.Spec instead. -The ComponentResource struct associates a ResourceRequirements with a component by name +IntrusionDetectionControllerDeploymentInitContainer is a IntrusionDetectionController Deployment init container.

    @@ -7698,18 +15186,16 @@ The ComponentResource struct associates a ResourceRequirements with a component @@ -7717,7 +15203,7 @@ ComponentName is an enum which identifies the component
    -componentName
    +name
    - -ComponentName - +string

    -ComponentName is an enum which identifies the component +Name is an enum which identifies the IntrusionDetectionController Deployment init container by name.

    -resourceRequirements
    +resources
    Kubernetes core/v1.ResourceRequirements @@ -7727,56 +15213,26 @@ Kubernetes core/v1.ResourceRequirements
    +(Optional)

    -ResourceRequirements allows customization of limits and requests for compute resources such as cpu and memory. +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named IntrusionDetectionController Deployment init container’s resources. +If omitted, the IntrusionDetectionController Deployment will use its default value for this init container’s resources.

    -

    ConditionStatus -(string alias)

    -

    - -(Appears on: -TigeraStatusCondition) - -

    -

    -ConditionStatus represents the status of a particular condition. A condition may be one of: True, False, Unknown. -

    -

    ContainerIPForwardingType -(string alias)

    -

    - -(Appears on: -CalicoNetworkSpec) - -

    -

    -ContainerIPForwardingType specifies whether the CNI config for container ip forwarding is enabled. -

    -

    DataType -(string alias)

    -

    - -(Appears on: -Index) - -

    -

    -DataType represent the type of data stored -

    -

    EGWDeploymentContainer

    +

    IntrusionDetectionControllerDeploymentPodSpec

    (Appears on: -EgressGatewayDeploymentPodSpec) +IntrusionDetectionControllerDeploymentPodTemplateSpec)

    -EGWDeploymentContainer is a Egress Gateway Deployment container. +IntrusionDetectionControllerDeploymentPodSpec is the IntrusionDetectionController Deployment’s PodSpec.

    @@ -7789,16 +15245,21 @@ EGWDeploymentContainer is a Egress Gateway Deployment container. @@ -7806,10 +15267,10 @@ Name is an enum which identifies the EGW Deployment container by name.
    -name
    +initContainers
    -string + +[]IntrusionDetectionControllerDeploymentInitContainer +
    +(Optional)

    -Name is an enum which identifies the EGW Deployment container by name. +InitContainers is a list of IntrusionDetectionController init containers. +If specified, this overrides the specified IntrusionDetectionController Deployment init containers. +If omitted, the IntrusionDetectionController Deployment will use its default values for its init containers.

    -resources
    +containers
    - -Kubernetes core/v1.ResourceRequirements + +[]IntrusionDetectionControllerDeploymentContainer @@ -7818,25 +15279,24 @@ Kubernetes core/v1.ResourceRequirements (Optional)

    -Resources allows customization of limits and requests for compute resources such as cpu and memory. -If specified, this overrides the named EGW Deployment container’s resources. -If omitted, the EGW Deployment will use its default value for this container’s resources. -If used in conjunction with the deprecated ComponentResources, then this value takes precedence. +Containers is a list of IntrusionDetectionController containers. +If specified, this overrides the specified IntrusionDetectionController Deployment containers. +If omitted, the IntrusionDetectionController Deployment will use its default values for its containers.

    -

    EGWDeploymentInitContainer

    +

    IntrusionDetectionControllerDeploymentPodTemplateSpec

    (Appears on: -EgressGatewayDeploymentPodSpec) +IntrusionDetectionControllerDeploymentSpec)

    -EGWDeploymentInitContainer is a Egress Gateway Deployment init container. +IntrusionDetectionControllerDeploymentPodTemplateSpec is the IntrusionDetectionController Deployment’s PodTemplateSpec

    @@ -7849,27 +15309,54 @@ EGWDeploymentInitContainer is a Egress Gateway Deployment init container. + +
    -name
    +spec
    -string + +IntrusionDetectionControllerDeploymentPodSpec +
    +(Optional)

    -Name is an enum which identifies the EGW Deployment init container by name. +Spec is the IntrusionDetectionController Deployment’s PodSpec.

    +
    +
    + +
    +

    IntrusionDetectionControllerDeploymentSpec

    +

    + +(Appears on: +IntrusionDetectionControllerDeployment) + +

    +

    +IntrusionDetectionControllerDeploymentSpec defines configuration for the IntrusionDetectionController Deployment. +

    + + + + + + + +
    FieldDescription
    -resources
    +template
    - -Kubernetes core/v1.ResourceRequirements + +IntrusionDetectionControllerDeploymentPodTemplateSpec @@ -7878,25 +15365,22 @@ Kubernetes core/v1.ResourceRequirements (Optional)

    -Resources allows customization of limits and requests for compute resources such as cpu and memory. -If specified, this overrides the named EGW Deployment init container’s resources. -If omitted, the EGW Deployment will use its default value for this init container’s resources. -If used in conjunction with the deprecated ComponentResources, then this value takes precedence. +Template describes the IntrusionDetectionController Deployment pod that will be created.

    -

    EgressGatewayDeploymentPodSpec

    +

    IntrusionDetectionSpec

    (Appears on: -EgressGatewayDeploymentPodTemplateSpec) +IntrusionDetection)

    -EgressGatewayDeploymentPodSpec is the Egress Gateway Deployment’s PodSpec. +IntrusionDetectionSpec defines the desired state of Tigera intrusion detection capabilities.

    @@ -7909,10 +15393,10 @@ EgressGatewayDeploymentPodSpec is the Egress Gateway Deployment’s PodSpec. @@ -7931,10 +15414,10 @@ If omitted, the EGW Deployment will use its default values for its init containe @@ -7953,10 +15434,10 @@ If omitted, the EGW Deployment will use its default values for its containers. - -
    -initContainers
    +componentResources
    - -[]EGWDeploymentInitContainer + +[]IntrusionDetectionComponentResource @@ -7921,9 +15405,8 @@ EgressGatewayDeploymentPodSpec is the Egress Gateway Deployment’s PodSpec. (Optional)

    -InitContainers is a list of EGW init containers. -If specified, this overrides the specified EGW Deployment init containers. -If omitted, the EGW Deployment will use its default values for its init containers. +ComponentResources can be used to customize the resource requirements for each component. +Only DeepPacketInspection is supported for this spec.

    -containers
    +anomalyDetection
    - -[]EGWDeploymentContainer + +AnomalyDetectionSpec @@ -7943,9 +15426,7 @@ If omitted, the EGW Deployment will use its default values for its init containe (Optional)

    -Containers is a list of EGW containers. -If specified, this overrides the specified EGW Deployment containers. -If omitted, the EGW Deployment will use its default values for its containers. +AnomalyDetection is now deprecated, and configuring it has no effect.

    -affinity
    +intrusionDetectionControllerDeployment
    - -Kubernetes core/v1.Affinity + +IntrusionDetectionControllerDeployment @@ -7965,43 +15446,44 @@ Kubernetes core/v1.Affinity (Optional)

    -Affinity is a group of affinity scheduling rules for the EGW pods. +IntrusionDetectionControllerDeployment configures the IntrusionDetection Controller Deployment.

    - -nodeSelector
    - -map[string]string - + +
    +

    IntrusionDetectionStatus

    +

    - - +(Appears on: +IntrusionDetection) -(Optional) +

    -NodeSelector gives more control over the nodes where the Egress Gateway pods will run on. +IntrusionDetectionStatus defines the observed state of Tigera intrusion detection capabilities.

    - - + + + + + + + @@ -8009,10 +15491,10 @@ TerminationGracePeriodSeconds defines the termination grace period of the Egress + +
    FieldDescription
    -terminationGracePeriodSeconds
    +state
    -int64 +string
    -(Optional)

    -TerminationGracePeriodSeconds defines the termination grace period of the Egress Gateway pods in seconds. +State provides user-readable status.

    -topologySpreadConstraints
    +conditions
    - -[]Kubernetes core/v1.TopologySpreadConstraint + +[]Kubernetes meta/v1.Condition @@ -8021,18 +15503,39 @@ TerminationGracePeriodSeconds defines the termination grace period of the Egress (Optional)

    -TopologySpreadConstraints defines how the Egress Gateway pods should be spread across different AZs. +Conditions represents the latest observed set of conditions for the component. A component may be one or more of +Ready, Progressing, Degraded or other customer types.

    +

    Kibana

    +

    + +(Appears on: +LogStorageSpec) + +

    +

    +Kibana is the configuration for the Kibana. +

    + + + + + + + +
    FieldDescription
    -tolerations
    +spec
    - -[]Kubernetes core/v1.Toleration + +KibanaSpec @@ -8041,24 +15544,26 @@ TopologySpreadConstraints defines how the Egress Gateway pods should be spread a (Optional)

    -Tolerations is the egress gateway pod’s tolerations. -If specified, this overrides any tolerations that may be set on the EGW Deployment. -If omitted, the EGW Deployment will use its default value for tolerations. +Spec is the specification of the Kibana.

    +
    +
    + +
    -

    EgressGatewayDeploymentPodTemplateSpec

    +

    KibanaContainer

    (Appears on: -EgressGatewaySpec) +KibanaPodSpec)

    -EgressGatewayDeploymentPodTemplateSpec is the EGW Deployment’s PodTemplateSpec +KibanaContainer is a Kibana container.

    @@ -8071,20 +15576,16 @@ EgressGatewayDeploymentPodTemplateSpec is the EGW Deployment’s PodTemplate @@ -8092,10 +15593,10 @@ the pod’s metadata.
    -metadata
    +name
    - -EgressGatewayMetadata - +string
    -(Optional)

    -Metadata is a subset of a Kubernetes object’s metadata that is added to -the pod’s metadata. +Name is an enum which identifies the Kibana Deployment container by name.

    -spec
    +resources
    - -EgressGatewayDeploymentPodSpec + +Kubernetes core/v1.ResourceRequirements @@ -8104,27 +15605,24 @@ EgressGatewayDeploymentPodSpec (Optional)

    -Spec is the EGW Deployment’s PodSpec. +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named Kibana container’s resources. +If omitted, the Kibana will use its default value for this container’s resources.

    -
    -
    - -
    -

    EgressGatewayFailureDetection

    +

    KibanaInitContainer

    (Appears on: -EgressGatewaySpec) +KibanaPodSpec)

    -EgressGatewayFailureDetection defines the fields the needed for determining Egress Gateway -readiness. +KibanaInitContainer is a Kibana init container.

    @@ -8137,42 +15635,16 @@ readiness. - - - - @@ -8180,10 +15652,10 @@ fail. Timeout must be greater than interval.
    -healthTimeoutDataStoreSeconds
    - -int32 - - -
    - -(Optional) -

    -HealthTimeoutDataStoreSeconds defines how long Egress Gateway can fail to connect -to the datastore before reporting not ready. -This value must be greater than 0. -Default: 90 -

    - -
    - -icmpProbe
    +name
    - -ICMPProbe - +string
    -(Optional)

    -ICMPProbe define outgoing ICMP probes that Egress Gateway will use to -verify its upstream connection. Egress Gateway will report not ready if all -fail. Timeout must be greater than interval. +Name is an enum which identifies the Kibana init container by name.

    -httpProbe
    +resources
    - -HTTPProbe + +Kubernetes core/v1.ResourceRequirements @@ -8192,21 +15664,25 @@ HTTPProbe (Optional)

    -HTTPProbe define outgoing HTTP probes that Egress Gateway will use to -verify its upsteam connection. Egress Gateway will report not ready if all -fail. Timeout must be greater than interval. +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named Kibana Deployment init container’s resources. +If omitted, the Kibana Deployment will use its default value for this init container’s resources. +If used in conjunction with the deprecated ComponentResources, then this value takes precedence.

    -

    EgressGatewayIPPool

    +

    KibanaPodSpec

    (Appears on: -EgressGatewaySpec) +KibanaPodTemplateSpec) +

    +

    +KibanaPodSpec is the Kibana Deployment’s PodSpec.
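Review bot: the KibanaInitContainer resources description ends with "If used in conjunction with the deprecated ComponentResources, then this value takes precedence", but nothing here says which ComponentResources field applies to Kibana, and the matching KibanaContainer description carries no such sentence. Either name the field this override interacts with and state the same precedence for KibanaContainer, or drop the sentence. The Kibana descriptions also alternate between "the Kibana" and "the Kibana Deployment"; pick one and use it throughout.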

    @@ -8219,9 +15695,11 @@ fail. Timeout must be greater than interval. @@ -8229,7 +15707,9 @@ string (Optional)

    -Name is the name of the IPPool that the Egress Gateways can use. +InitContainers is a list of Kibana init containers. +If specified, this overrides the specified Kibana Deployment init containers. +If omitted, the Kibana Deployment will use its default values for its init containers.

    @@ -8237,9 +15717,11 @@ Name is the name of the IPPool that the Egress Gateways can use. @@ -8247,22 +15729,24 @@ string (Optional)

    -CIDR is the IPPool CIDR that the Egress Gateways can use. +Containers is a list of Kibana containers. +If specified, this overrides the specified Kibana Deployment containers. +If omitted, the Kibana Deployment will use its default values for its containers.

    -name
    +initContainers
    -string + +[]KibanaInitContainer +
    -cidr
    +containers
    -string + +[]KibanaContainer +
    -

    EgressGatewayMetadata

    +

    KibanaPodTemplateSpec

    (Appears on: -EgressGatewayDeploymentPodTemplateSpec) +KibanaSpec)

    -EgressGatewayMetadata contains the standard Kubernetes labels and annotations fields. +KibanaPodTemplateSpec is the Kibana’s PodTemplateSpec

    @@ -8275,9 +15759,11 @@ EgressGatewayMetadata contains the standard Kubernetes labels and annotations fi @@ -8285,21 +15771,40 @@ map[string]string (Optional)

    -Labels is a map of string keys and values that may match replica set and -service selectors. Each of these key/value pairs are added to the -object’s labels provided the key does not already exist in the object’s labels. -If not specified will default to projectcalico.org/egw:[name], where [name] is -the name of the Egress Gateway resource. +Spec is the Kibana’s PodSpec.

    +
    +
    +
    -labels
    +spec
    -map[string]string + +KibanaPodSpec +
    +
    + + +

    KibanaSpec

    +

    + +(Appears on: +Kibana) + +

    + + + + + + + + @@ -8307,24 +15812,36 @@ map[string]string (Optional)

    -Annotations is a map of arbitrary non-identifying metadata. Each of these -key/value pairs are added to the object’s annotations provided the key does not -already exist in the object’s annotations. +Template describes the Kibana pod that will be created.

    FieldDescription
    -annotations
    +template
    -map[string]string + +KibanaPodTemplateSpec +
    -

    EgressGatewaySpec

    +

    KubernetesAutodetectionMethod +(string alias)

    (Appears on: -EgressGateway) +NodeAddressAutodetection)

    -EgressGatewaySpec defines the desired state of EgressGateway +KubernetesAutodetectionMethod is a method of detecting an IP address based on the Kubernetes API. +

    +

    +One of: NodeInternalIP +

    +

    L7LogCollectorDaemonSet

    +

    + +(Appears on: +ApplicationLayerSpec) + +

    +

    +L7LogCollectorDaemonSet is the configuration for the L7LogCollector DaemonSet.

    @@ -8337,9 +15854,11 @@ EgressGatewaySpec defines the desired state of EgressGateway @@ -8347,48 +15866,48 @@ int32 (Optional)

    -Replicas defines how many instances of the Egress Gateway pod will run. +Spec is the specification of the L7LogCollector DaemonSet.

    +
    +
    +
    -replicas
    +spec
    -int32 + +L7LogCollectorDaemonSetSpec +
    +
    - - - -ipPools
    - - -[]EgressGatewayIPPool - - + + +

    L7LogCollectorDaemonSetContainer

    +

    - - +(Appears on: +L7LogCollectorDaemonSetPodSpec) +

    -IPPools defines the IP Pools that the Egress Gateway pods should be using. -Either name or CIDR must be specified. -IPPools must match existing IPPools. +L7LogCollectorDaemonSetContainer is a L7LogCollector DaemonSet container.

    - - + + + + + + + @@ -8396,10 +15915,10 @@ ExternalNetworks must match existing external networks. - - +
    FieldDescription
    -externalNetworks
    +name
    -[]string +string
    -(Optional)

    -ExternalNetworks defines the external network names this Egress Gateway is -associated with. -ExternalNetworks must match existing external networks. +Name is an enum which identifies the L7LogCollector DaemonSet container by name.

    -logSeverity
    +resources
    - -LogLevel + +Kubernetes core/v1.ResourceRequirements @@ -8408,52 +15927,46 @@ LogLevel (Optional)

    -LogSeverity defines the logging level of the Egress Gateway. -Default: Info +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named L7LogCollector DaemonSet container’s resources. +If omitted, the L7LogCollector DaemonSet will use its default value for this container’s resources.

    - -template
    - - -EgressGatewayDeploymentPodTemplateSpec - - +
    +

    L7LogCollectorDaemonSetInitContainer

    +

    - - +(Appears on: +L7LogCollectorDaemonSetPodSpec) -(Optional) +

    -Template describes the EGW Deployment pod that will be created. +L7LogCollectorDaemonSetInitContainer is a L7LogCollector DaemonSet init container.

    - - + + + + + + + @@ -8461,10 +15974,10 @@ ready if configured.
    FieldDescription
    -egressGatewayFailureDetection
    +name
    - -EgressGatewayFailureDetection - +string
    -(Optional)

    -EgressGatewayFailureDetection is used to configure how Egress Gateway -determines readiness. If both ICMP, HTTP probes are defined, one ICMP probe and one -HTTP probe should succeed for Egress Gateways to become ready. -Otherwise one of ICMP or HTTP probe should succeed for Egress gateways to become -ready if configured. +Name is an enum which identifies the L7LogCollector DaemonSet init container by name.

    -aws
    +resources
    - -AWSEgressGateway + +Kubernetes core/v1.ResourceRequirements @@ -8473,22 +15986,24 @@ AWSEgressGateway (Optional)

    -AWS defines the additional configuration options for Egress Gateways on AWS. +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named L7LogCollector DaemonSet init container’s resources. +If omitted, the L7LogCollector DaemonSet will use its default value for this init container’s resources.

    -

    EgressGatewayStatus

    +

    L7LogCollectorDaemonSetPodSpec

    (Appears on: -EgressGateway) +L7LogCollectorDaemonSetPodTemplateSpec)

    -EgressGatewayStatus defines the observed state of EgressGateway +L7LogCollectorDaemonSetPodSpec is the L7LogCollector DaemonSet’s PodSpec.

    @@ -8501,16 +16016,21 @@ EgressGatewayStatus defines the observed state of EgressGateway @@ -8518,10 +16038,10 @@ State provides user-readable status.
    -state
    +initContainers
    -string + +[]L7LogCollectorDaemonSetInitContainer +
    +(Optional)

    -State provides user-readable status. +InitContainers is a list of L7LogCollector DaemonSet init containers. +If specified, this overrides the specified L7LogCollector DaemonSet init containers. +If omitted, the L7LogCollector DaemonSet will use its default values for its init containers.

    -conditions
    +containers
    - -[]Kubernetes meta/v1.Condition + +[]L7LogCollectorDaemonSetContainer @@ -8530,23 +16050,24 @@ State provides user-readable status. (Optional)

    -Conditions represents the latest observed set of conditions for the component. A component may be one or more of -Ready, Progressing, Degraded or other customer types. +Containers is a list of L7LogCollector DaemonSet containers. +If specified, this overrides the specified L7LogCollector DaemonSet containers. +If omitted, the L7LogCollector DaemonSet will use its default values for its containers.

    -

    EksCloudwatchLogsSpec

    +

    L7LogCollectorDaemonSetPodTemplateSpec

    (Appears on: -AdditionalLogSourceSpec) +L7LogCollectorDaemonSetSpec)

    -EksConfigSpec defines configuration for fetching EKS audit logs. +L7LogCollectorDaemonSetPodTemplateSpec is the L7LogCollector DaemonSet’s PodTemplateSpec

    @@ -8559,43 +16080,55 @@ EksConfigSpec defines configuration for fetching EKS audit logs. - -
    -region
    +spec
    -string + +L7LogCollectorDaemonSetPodSpec +
    +(Optional)

    -AWS Region EKS cluster is hosted in. +Spec is the L7LogCollector DaemonSet’s PodSpec.

    +
    +
    + +
    - -groupName
    - -string - + +
    +

    L7LogCollectorDaemonSetSpec

    +

    - - +(Appears on: +L7LogCollectorDaemonSet) +

    -Cloudwatch log-group name containing EKS audit logs. +L7LogCollectorDaemonSetSpec defines configuration for the L7LogCollector DaemonSet.

    - - + + + + + + + @@ -8603,18 +16136,40 @@ string (Optional)

    -Prefix of Cloudwatch log stream containing EKS audit logs in the log-group. -Default: kube-apiserver-audit- +Template describes the L7LogCollector DaemonSet pod that will be created.

    + +
    FieldDescription
    -streamPrefix
    +template
    -string + +L7LogCollectorDaemonSetPodTemplateSpec +
    +

    LinseedDeployment

    +

    + +(Appears on: +LogStorageSpec, +TenantSpec) + +

    +

    +LinseedDeployment is the configuration for the linseed Deployment. +

    + + + + + + + + @@ -8622,56 +16177,26 @@ int32 (Optional)

    -Cloudwatch audit logs fetching interval in seconds. -Default: 60 +Spec is the specification of the linseed Deployment.

    +
    +
    +
    FieldDescription
    -fetchInterval
    +spec
    -int32 + +LinseedDeploymentSpec +
    +
    -

    EmailVerificationType -(string alias)

    -

    - -(Appears on: -AuthenticationOIDC) - -

    -

    EncapsulationType -(string alias)

    -

    - -(Appears on: -IPPool) - -

    -

    -EncapsulationType is the type of encapsulation to use on an IP pool. -

    -

    -One of: IPIP, VXLAN, IPIPCrossSubnet, VXLANCrossSubnet, None -

    -

    EncryptionOption -(string alias)

    +

    LinseedDeploymentContainer

    (Appears on: -SyslogStoreSpec) +LinseedDeploymentPodSpec)

    -EncryptionOption specifies the traffic encryption mode when connecting to a Syslog server. -

    -

    -One of: None, TLS -

    -

    EnvoySettings

    -

    - -(Appears on: -ApplicationLayerSpec) - +LinseedDeploymentContainer is a linseed Deployment container.

    @@ -8684,19 +16209,16 @@ One of: None, TLS @@ -8704,9 +16226,11 @@ IP address. 0 is permitted, but >=1 is the typical setting. @@ -8714,32 +16238,24 @@ bool (Optional)

    -If set to true, the Envoy connection manager will use the real remote address -of the client connection when determining internal versus external origin and -manipulating various headers. +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named linseed Deployment container’s resources. +If omitted, the linseed Deployment will use its default value for this container’s resources.

    -xffNumTrustedHops
    +name
    -int32 +string
    -(Optional)

    -The number of additional ingress proxy hops from the right side of the -x-forwarded-for HTTP header to trust when determining the origin client’s -IP address. 0 is permitted, but >=1 is the typical setting. +Name is an enum which identifies the linseed Deployment container by name.

    -useRemoteAddress
    +resources
    -bool + +Kubernetes core/v1.ResourceRequirements +
    -

    FIPSMode -(string alias)

    -

    - -(Appears on: -InstallationSpec) - -

    -

    GroupSearch

    +

    LinseedDeploymentInitContainer

    (Appears on: -AuthenticationLDAP) +LinseedDeploymentPodSpec)

    -Group search configuration to find the groups that a user is in. +LinseedDeploymentInitContainer is a linseed Deployment init container.

    @@ -8752,7 +16268,7 @@ Group search configuration to find the groups that a user is in. @@ -8769,9 +16285,11 @@ BaseDN to start the search from. For example “cn=groups,dc=example,dc=com& @@ -8779,25 +16297,51 @@ string (Optional)

    -Optional filter to apply when searching the directory. -For example “(objectClass=posixGroup)” +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named linseed Deployment init container’s resources. +If omitted, the linseed Deployment will use its default value for this init container’s resources.

    + +
    -baseDN
    +name
    string @@ -8761,7 +16277,7 @@ string

    -BaseDN to start the search from. For example “cn=groups,dc=example,dc=com” +Name is an enum which identifies the linseed Deployment init container by name.

    -filter
    +resources
    -string + +Kubernetes core/v1.ResourceRequirements +
    +

    LinseedDeploymentPodSpec

    +

    + +(Appears on: +LinseedDeploymentPodTemplateSpec) + +

    +

    +LinseedDeploymentPodSpec is the linseed Deployment’s PodSpec. +

    + + + + + + + + @@ -8805,35 +16349,36 @@ The attribute of the group that represents its name. This attribute can be used
    FieldDescription
    -nameAttribute
    +initContainers
    -string + +[]LinseedDeploymentInitContainer +
    +(Optional)

    -The attribute of the group that represents its name. This attribute can be used to apply RBAC to a user group. +InitContainers is a list of linseed init containers. +If specified, this overrides the specified linseed Deployment init containers. +If omitted, the linseed Deployment will use its default values for its init containers.

    -userMatchers
    +containers
    - -[]UserMatch + +[]LinseedDeploymentContainer
    +(Optional)

    -Following list contains field pairs that are used to match a user to a group. It adds an additional -requirement to the filter that an attribute in the group must match the user’s -attribute value. +Containers is a list of linseed containers. +If specified, this overrides the specified linseed Deployment containers. +If omitted, the linseed Deployment will use its default values for its containers.

    -

    HTTPProbe

    +

    LinseedDeploymentPodTemplateSpec

    (Appears on: -EgressGatewayFailureDetection) +LinseedDeploymentSpec)

    -HTTPProbe defines the HTTP probe configuration for Egress Gateway. +LinseedDeploymentPodTemplateSpec is the linseed Deployment’s PodTemplateSpec
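Review bot: The added LinseedDeploymentPodTemplateSpec description ends without a period ("is the linseed Deployment's PodTemplateSpec"), while the neighbouring descriptions, for example "LinseedDeploymentPodSpec is the linseed Deployment's PodSpec.", are punctuated. Add the period here; the L7LogCollectorDaemonSetPodTemplateSpec and ManagerDeploymentPodTemplateSpec descriptions have the same omission.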

    @@ -8846,46 +16391,55 @@ HTTPProbe defines the HTTP probe configuration for Egress Gateway. - -
    -urls
    +spec
    -[]string + +LinseedDeploymentPodSpec +
    +(Optional)

    -URLs define the list of HTTP probe URLs. Egress Gateway will probe each URL -periodically.If all probes fail, Egress Gateway will report non-ready. +Spec is the linseed Deployment’s PodSpec.

    +
    +
    + +
    - -intervalSeconds
    - -int32 - + +
    +

    LinseedDeploymentSpec

    +

    - - +(Appears on: +LinseedDeployment) -(Optional) +

    -IntervalSeconds defines the interval of HTTP probes. Used when URLs is non-empty. -Default: 10 +LinseedDeploymentSpec defines configuration for the linseed Deployment.

    - - + + + + + + + @@ -8893,15 +16447,14 @@ int32 (Optional)

    -TimeoutSeconds defines the timeout value of HTTP probes. Used when URLs is non-empty. -Default: 30 +Template describes the linseed Deployment pod that will be created.

    FieldDescription
    -timeoutSeconds
    +template
    -int32 + +LinseedDeploymentPodTemplateSpec +
    -

    HostPortsType +

    LinuxDataplaneOption (string alias)

    @@ -8910,20 +16463,17 @@ Default: 30

    -HostPortsType specifies host port support. +LinuxDataplaneOption controls which dataplane is to be used on Linux nodes.

    -One of: Enabled, Disabled +One of: Iptables, BPF

    -

    ICMPProbe

    +

    LogCollectionSpec

    (Appears on: -EgressGatewayFailureDetection) +ApplicationLayerSpec) -

    -

    -ICMPProbe defines the ICMP probe configuration for Egress Gateway.

    @@ -8936,17 +16486,20 @@ ICMPProbe defines the ICMP probe configuration for Egress Gateway. @@ -8954,9 +16507,9 @@ periodically. If all probes fail, Egress Gateway will report non-ready. @@ -8964,8 +16517,8 @@ int32 (Optional)

    -IntervalSeconds defines the interval of ICMP probes. Used when IPs is non-empty. -Default: 5 +Interval in seconds for sending L7 log information for processing. +Default: 5 sec
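Review bot: "Default: 5 sec" in the added interval description puts a unit into the default value, while the other defaults in this file are bare values ("Default: -1", "Default: 60"). The sentence above it already says the interval is in seconds, so "Default: 5" is enough and keeps the field copy-pasteable.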

    @@ -8973,9 +16526,9 @@ Default: 5 @@ -8983,31 +16536,33 @@ int32 (Optional)

    -TimeoutSeconds defines the timeout value of ICMP probes. Used when IPs is non-empty. -Default: 15 +Maximum number of unique L7 logs that are sent LogIntervalSeconds. +Adjust this to limit the number of L7 logs sent per LogIntervalSeconds +to felix for further processing, use negative number to ignore limits. +Default: -1

    -ips
    +collectLogs
    -[]string + +LogCollectionStatusType +
    +(Optional)

    -IPs define the list of ICMP probe IPs. Egress Gateway will probe each IP -periodically. If all probes fail, Egress Gateway will report non-ready. +This setting enables or disable log collection. +Allowed values are Enabled or Disabled.

    -intervalSeconds
    +logIntervalSeconds
    -int32 +int64
    -timeoutSeconds
    +logRequestsPerInterval
    -int32 +int64
    -

    IPAMPluginType +

    LogCollectionStatusType (string alias)

    (Appears on: -IPAMSpec) +LogCollectionSpec)

    -

    IPAMSpec

    +

    LogCollectorSpec

    (Appears on: -CNISpec) +LogCollector)

    -IPAMSpec contains configuration for pod IP address management. +LogCollectorSpec defines the desired state of Tigera flow, audit, and DNS log collection.
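Review bot: Two of the LogCollectionSpec descriptions added above do not parse. "Maximum number of unique L7 logs that are sent LogIntervalSeconds." is missing a word (presumably "sent per LogIntervalSeconds"), and the sentence after it joins two statements with a comma ("...for further processing, use negative number to ignore limits"); splitting it and saying "use a negative number to disable the limit" would read cleanly. In the collectLogs description, "This setting enables or disable log collection" should be "enables or disables".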

    @@ -9020,64 +16575,19 @@ IPAMSpec contains configuration for pod IP address management. - - -
    -type
    +additionalStores
    - -IPAMPluginType + +AdditionalLogStoreSpec
    +(Optional)

    -Specifies the IPAM plugin that will be used in the Calico or Calico Enterprise installation. -* For CNI Plugin Calico, this field defaults to Calico. -* For CNI Plugin GKE, this field defaults to HostLocal. -* For CNI Plugin AzureVNET, this field defaults to AzureVNET. -* For CNI Plugin AmazonVPC, this field defaults to AmazonVPC. -

    -

    -The IPAM plugin is installed and configured only if the CNI plugin is set to Calico, -for all other values of the CNI plugin the plugin binaries and CNI config is a dependency -that is expected to be installed separately. -

    -

    -Default: Calico -

    - -
    -

    IPPool

    -

    - -(Appears on: -CalicoNetworkSpec) - -

    - - - - - - - - - - - @@ -9085,10 +16595,10 @@ CIDR contains the address range for the IP Pool in classless inter-domain routin @@ -9107,10 +16615,10 @@ Default: IPIP @@ -9147,19 +16656,18 @@ Default: ‘all()’ @@ -9167,9 +16675,11 @@ Default: 26 (IPv4), 122 (IPv6) @@ -9177,20 +16687,22 @@ bool (Optional)

    -DisableBGPExport specifies whether routes from this IP pool’s CIDR are exported over BGP. -Default: false +EKSLogForwarderDeployment configures the EKSLogForwarderDeployment Deployment.

    FieldDescription
    - -cidr
    - -string - - -
    - -

    -CIDR contains the address range for the IP Pool in classless inter-domain routing format. +Configuration for exporting flow, audit, and DNS logs to external storage.

    -encapsulation
    +additionalSources
    - -EncapsulationType + +AdditionalLogSourceSpec @@ -9097,9 +16607,7 @@ EncapsulationType (Optional)

    -Encapsulation specifies the encapsulation type that will be used with -the IP Pool. -Default: IPIP +Configuration for importing audit logs from managed kubernetes cluster log sources.

    -natOutgoing
    +collectProcessPath
    - -NATOutgoingType + +CollectProcessPathOption @@ -9119,7 +16627,8 @@ NATOutgoingType (Optional)

    -NATOutgoing specifies if NAT will be enabled or disabled for outgoing traffic. +Configuration for enabling/disabling process path collection in flowlogs. +If Enabled, this feature sets hostPID to true in order to read process cmdline. Default: Enabled
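Review bot: The collectProcessPath description states that Enabled "sets hostPID to true in order to read process cmdline" and that the default is Enabled, but it does not say which workload's pod spec receives hostPID. Since hostPID places the pod in the host's PID namespace, which is a change operators will want to account for in pod security policy and admission review, the description should name the affected DaemonSet or Deployment and state that setting the field to Disabled leaves hostPID unset.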

    @@ -9128,7 +16637,7 @@ Default: Enabled
    -nodeSelector
    +multiTenantManagementClusterNamespace
    string @@ -9138,8 +16647,8 @@ string (Optional)

    -NodeSelector specifies the node selector that will be set for the IP Pool. -Default: ‘all()’ +If running as a multi-tenant management cluster, the namespace in which +the management cluster’s tenant services are running.

    -blockSize
    +fluentdDaemonSet
    -int32 + +FluentdDaemonSet +
    -(Optional)

    -BlockSize specifies the CIDR prefex length to use when allocating per-node IP blocks from -the main IP pool CIDR. -Default: 26 (IPv4), 122 (IPv6) +FluentdDaemonSet configures the Fluentd DaemonSet.

    -disableBGPExport
    +eksLogForwarderDeployment
    -bool + +EKSLogForwarderDeployment +
    -

    Image

    +

    LogCollectorStatus

    (Appears on: -ImageSetSpec) +LogCollector) +

    +

    +LogCollectorStatus defines the observed state of Tigera flow and DNS log collection

    @@ -9203,7 +16715,7 @@ Default: false @@ -9223,72 +16732,55 @@ For the image docker.io/calico/node:v3.17.1 it should be represente
    -image
    +state
    string @@ -9212,10 +16724,7 @@ string

    -Image is an image that the operator deploys and instead of using the built in tag -the operator will use the Digest for the image identifier. -The value should be the image name without registry or tag or digest. -For the image docker.io/calico/node:v3.17.1 it should be represented as calico/node +State provides user-readable status.

    -digest
    +conditions
    -string + +[]Kubernetes meta/v1.Condition +
    +(Optional)

    -Digest is the image identifier that will be used for the Image. -The field should not include a leading @ and must be prefixed with sha256:. +Conditions represents the latest observed set of conditions for the component. A component may be one or more of +Ready, Progressing, Degraded or other customer types.

    -

    ImageSetSpec

    +

    LogLevel +(string alias)

    (Appears on: -ImageSet) +CNILogging, +EgressGatewaySpec)

    +

    LogStorageComponentName +(string alias)

    -ImageSetSpec defines the desired state of ImageSet. -

    - - - - - - - - - - - - - -
    FieldDescription
    - -images
    - - -[]Image - - -
    +(Appears on: +LogStorageComponentResource) +

    -Images is the list of images to use digests. All images that the operator will deploy -must be specified. +LogStorageComponentName CRD enum

    - -
    -

    Index

    +

    LogStorageComponentResource

    (Appears on: -TenantSpec) +LogStorageSpec)

    -Index defines how to store a tenant’s data +The ComponentResource struct associates a ResourceRequirements with a component by name
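Review bot: In the conditions description for LogCollectorStatus, "Ready, Progressing, Degraded or other customer types" reads like a typo for "custom types". The same sentence appears in the other status types touched by this patch, so it is worth correcting once wherever this text originates. The LogCollectorStatus summary line ("defines the observed state of Tigera flow and DNS log collection") is also missing its final period.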

    @@ -9301,29 +16793,10 @@ Index defines how to store a tenant’s data - - - - - -
    -baseIndexName
    - -string - - -
    - -

    -BaseIndexName defines the name of the index -that will be used to store data (this name -excludes the numerical identifier suffix) -

    - -
    - -dataType
    +componentName
    - -DataType + +LogStorageComponentName @@ -9331,61 +16804,42 @@ DataType

    -DataType represents the type of data stored in the defined index +Deprecated. Please use ECKOperatorStatefulSet. +ComponentName is an enum which identifies the component

    -

    Indices

    -

    - -(Appears on: -LogStorageSpec) - -

    -

    -Indices defines the configuration for the indices in an Elasticsearch cluster. -

    - - - - - - - -
    FieldDescription
    -replicas
    +resourceRequirements
    -int32 + +Kubernetes core/v1.ResourceRequirements +
    -(Optional)

    -Replicas defines how many replicas each index will have. See https://www.elastic.co/guide/en/elasticsearch/reference/current/scalability.html +ResourceRequirements allows customization of limits and requests for compute resources such as cpu and memory.

    -

    InstallationSpec

    +

    LogStorageSpec

    (Appears on: -Installation, -InstallationStatus) +LogStorage)

    -InstallationSpec defines configuration for a Calico or Calico Enterprise installation. +LogStorageSpec defines the desired state of Tigera flow and DNS log storage.
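Review bot: The deprecation notice in LogStorageComponentResource is attached to the componentName field ("Deprecated. Please use ECKOperatorStatefulSet."), but what is being replaced is the whole componentResources mechanism, not one field of the struct. The LogStorageSpec.componentResources description later in this file carries no "Deprecated" marker at all, even though the eckOperatorStatefulSet description refers to "the deprecated ComponentResources". Move the notice to the componentResources field description so a reader looking at LogStorageSpec sees it.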

    @@ -9398,20 +16852,18 @@ InstallationSpec defines configuration for a Calico or Calico Enterprise install @@ -9419,9 +16871,11 @@ Default: Calico @@ -9429,17 +16883,7 @@ string (Optional)

    -Registry is the default Docker registry used for component Docker images. -If specified then the given value must end with a slash character (/) and all images will be pulled from this registry. -If not specified then the default registries will be used. A special case value, UseDefault, is -supported to explicitly specify the default registries will be used. -

    -

    -Image format: -<registry><imagePath>/<imagePrefix><imageName>:<image-tag> -

    -

    -This option allows configuring the <registry> portion of the above format. +Index defines the configuration for the indices in the Elasticsearch cluster.

    @@ -9447,9 +16891,11 @@ This option allows configuring the <registry> portion of the @@ -9457,18 +16903,7 @@ string (Optional)

    -ImagePath allows for the path part of an image to be specified. If specified -then the specified value will be used as the image path for each image. If not specified -or empty, the default for each image will be used. -A special case value, UseDefault, is supported to explicitly specify the default -image path will be used for each image. -

    -

    -Image format: -<registry><imagePath>/<imagePrefix><imageName>:<image-tag> -

    -

    -This option allows configuring the <imagePath> portion of the above format. +Retention defines how long data is retained in the Elasticsearch cluster before it is cleared.

    @@ -9476,7 +16911,7 @@ This option allows configuring the <imagePath> portion of the @@ -9505,11 +16933,9 @@ This option allows configuring the <imagePrefix> portion of t @@ -9517,8 +16943,9 @@ This option allows configuring the <imagePrefix> portion of t (Optional)

    -ImagePullSecrets is an array of references to container registry pull secrets to use. These are -applied to all images to be pulled. +DataNodeSelector gives you more control over the node that Elasticsearch will run on. The contents of DataNodeSelector will +be added to the PodSpec of the Elasticsearch nodes. For the pod to be eligible to run on a node, the node must have +each of the indicated key-value pairs as labels as well as access to the specified StorageClassName.

    @@ -9526,10 +16953,10 @@ applied to all images to be pulled. @@ -9549,10 +16974,10 @@ will additionally compare the auto-detected value to the specified value to conf @@ -9569,10 +16995,10 @@ CNI specifies the CNI that will be used by this installation. @@ -9589,20 +17015,18 @@ CalicoNetwork specifies networking configuration options for Calico. @@ -9610,39 +17034,55 @@ TyphaAffinity allows configuration of node affinity characteristics for Typha po + +
    -variant
    +nodes
    - -ProductVariant + +Nodes
    -(Optional)

    -Variant is the product to install - one of Calico or TigeraSecureEnterprise -Default: Calico +Nodes defines the configuration for a set of identical Elasticsearch cluster nodes, each of type master, data, and ingest.

    -registry
    +indices
    -string + +Indices +
    -imagePath
    +retention
    -string + +Retention +
    -imagePrefix
    +storageClassName
    string @@ -9486,18 +16921,11 @@ string (Optional)

    -ImagePrefix allows for the prefix part of an image to be specified. If specified -then the given value will be used as a prefix on each image. If not specified -or empty, no prefix will be used. -A special case value, UseDefault, is supported to explicitly specify the default -image prefix will be used for each image. -

    -

    -Image format: -<registry><imagePath>/<imagePrefix><imageName>:<image-tag> -

    -

    -This option allows configuring the <imagePrefix> portion of the above format. +StorageClassName will populate the PersistentVolumeClaim.StorageClassName that is used to provision disks to the +Tigera Elasticsearch cluster. The StorageClassName should only be modified when no LogStorage is currently +active. We recommend choosing a storage class dedicated to Tigera LogStorage only. Otherwise, data retention +cannot be guaranteed during upgrades. See https://docs.tigera.io/maintenance/upgrading for up-to-date instructions. +Default: tigera-elasticsearch

    -imagePullSecrets
    +dataNodeSelector
    - -[]Kubernetes core/v1.LocalObjectReference - +map[string]string
    -kubernetesProvider
    +componentResources
    - -Provider + +[]LogStorageComponentResource @@ -9538,10 +16965,8 @@ Provider (Optional)

    -KubernetesProvider specifies a particular provider of the Kubernetes platform and enables provider-specific configuration. -If the specified value is empty, the Operator will attempt to automatically determine the current provider. -If the specified value is not empty, the Operator will still attempt auto-detection, but -will additionally compare the auto-detected value to the specified value to confirm they match. +ComponentResources can be used to customize the resource requirements for each component. +Only ECKOperator is supported for this spec.

    -cni
    +eckOperatorStatefulSet
    - -CNISpec + +ECKOperatorStatefulSet @@ -9561,7 +16986,8 @@ CNISpec (Optional)

    -CNI specifies the CNI that will be used by this installation. +ECKOperatorStatefulSet configures the ECKOperator StatefulSet. If used in conjunction with the deprecated +ComponentResources, then these overrides take precedence.

    -calicoNetwork
    +kibana
    - -CalicoNetworkSpec + +Kibana @@ -9581,7 +17007,7 @@ CalicoNetworkSpec (Optional)

    -CalicoNetwork specifies networking configuration options for Calico. +Kibana configures the Kibana Spec.

    -typhaAffinity
    +linseedDeployment
    - -TyphaAffinity + +LinseedDeployment
    -(Optional)

    -Deprecated. Please use Installation.Spec.TyphaDeployment instead. -TyphaAffinity allows configuration of node affinity characteristics for Typha pods. +LinseedDeployment configures the linseed Deployment.

    -controlPlaneNodeSelector
    +elasticsearchMetricsDeployment
    -map[string]string + +ElasticsearchMetricsDeployment +
    -(Optional)

    -ControlPlaneNodeSelector is used to select control plane nodes on which to run Calico -components. This is globally applied to all resources created by the operator excluding daemonsets. +ElasticsearchMetricsDeployment configures the tigera-elasticsearch-metric Deployment.

    +

    LogStorageStatus

    +

    + +(Appears on: +LogStorage) + +

    +

    +LogStorageStatus defines the observed state of Tigera flow and DNS log storage. +

    + + + + + + + + @@ -9650,18 +17090,17 @@ created by the operator. @@ -9669,19 +17108,17 @@ This field applies to all control plane components that support High Availabilit @@ -9689,9 +17126,11 @@ prometheus metrics may still be configured through FelixConfiguration. @@ -9699,17 +17138,37 @@ int32 (Optional)

    -TyphaMetricsPort specifies which port calico/typha serves prometheus metrics on. By default, metrics are not enabled. +Conditions represents the latest observed set of conditions for the component. A component may be one or more of +Ready, Progressing, Degraded or other customer types.

    + +
    FieldDescription
    -controlPlaneTolerations
    +state
    - -[]Kubernetes core/v1.Toleration - +string
    -(Optional)

    -ControlPlaneTolerations specify tolerations which are then globally applied to all resources -created by the operator. +State provides user-readable status.

    -controlPlaneReplicas
    +elasticsearchHash
    -int32 +string
    -(Optional)

    -ControlPlaneReplicas defines how many replicas of the control plane core components will be deployed. -This field applies to all control plane components that support High Availability. Defaults to 2. +ElasticsearchHash represents the current revision and configuration of the installed Elasticsearch cluster. This +is an opaque string which can be monitored for changes to perform actions when Elasticsearch is modified.

    -nodeMetricsPort
    +kibanaHash
    -int32 +string
    -(Optional)

    -NodeMetricsPort specifies which port calico/node serves prometheus metrics on. By default, metrics are not enabled. -If specified, this overrides any FelixConfiguration resources which may exist. If omitted, then -prometheus metrics may still be configured through FelixConfiguration. +KibanaHash represents the current revision and configuration of the installed Kibana dashboard. This +is an opaque string which can be monitored for changes to perform actions when Kibana is modified.

    -typhaMetricsPort
    +conditions
    -int32 + +[]Kubernetes meta/v1.Condition +
    +

    Logging

    +

    + +(Appears on: +InstallationSpec) + +

    + + + + + + + + @@ -9717,17 +17176,35 @@ string (Optional)

    -FlexVolumePath optionally specifies a custom path for FlexVolume. If not specified, FlexVolume will be -enabled by default. If set to ‘None’, FlexVolume will be disabled. The default is based on the -kubernetesProvider. +Customized logging specification for calico-cni plugin

    + +
    FieldDescription
    -flexVolumePath
    +cni
    -string + +CNILogging +
    +

    ManagementClusterConnectionSpec

    +

    + +(Appears on: +ManagementClusterConnection) + +

    +

    +ManagementClusterConnectionSpec defines the desired state of ManagementClusterConnection +

    + + + + + + + + @@ -9747,10 +17223,10 @@ Default: /var/lib/kubelet @@ -9768,32 +17243,49 @@ field. + +
    FieldDescription
    -kubeletVolumePluginPath
    +managementClusterAddr
    string @@ -9737,9 +17214,8 @@ string (Optional)

    -KubeletVolumePluginPath optionally specifies enablement of Calico CSI plugin. If not specified, -CSI will be enabled by default. If set to ‘None’, CSI will be disabled. -Default: /var/lib/kubelet +Specify where the managed cluster can reach the management cluster. Ex.: “10.128.0.10:30449”. A managed cluster +should be able to access this address. This field is used by managed clusters only.

    -nodeUpdateStrategy
    +tls
    - -Kubernetes apps/v1.DaemonSetUpdateStrategy + +ManagementClusterTLS @@ -9759,8 +17235,7 @@ Kubernetes apps/v1.DaemonSetUpdateStrategy (Optional)

    -NodeUpdateStrategy can be used to customize the desired update strategy, such as the MaxUnavailable -field. +TLS provides options for configuring how Managed Clusters can establish an mTLS connection with the Management Cluster.

    -componentResources
    +guardianDeployment
    - -[]ComponentResource + +GuardianDeployment
    -(Optional)

    -Deprecated. Please use CalicoNodeDaemonSet, TyphaDeployment, and KubeControllersDeployment. -ComponentResources can be used to customize the resource requirements for each component. -Node, Typha, and KubeControllers are supported for installations. +GuardianDeployment configures the guardian Deployment.

    +

    ManagementClusterConnectionStatus

    +

    + +(Appears on: +ManagementClusterConnection) + +

    +

    +ManagementClusterConnectionStatus defines the observed state of ManagementClusterConnection +

    + + + + + + + + + +
    FieldDescription
    -certificateManagement
    +conditions
    - -CertificateManagement + +[]Kubernetes meta/v1.Condition @@ -9802,21 +17294,38 @@ CertificateManagement (Optional)

    -CertificateManagement configures pods to submit a CertificateSigningRequest to the certificates.k8s.io/v1beta1 API in order -to obtain TLS certificates. This feature requires that you bring your own CSR signing and approval process, otherwise -pods will be stuck during initialization. +Conditions represents the latest observed set of conditions for the component. A component may be one or more of +Ready, Progressing, Degraded or other customer types.

    +

    ManagementClusterSpec

    +

    + +(Appears on: +ManagementCluster) + +

    +

    +ManagementClusterSpec defines the desired state of a ManagementCluster +

    + + + + + + + + @@ -9824,7 +17333,9 @@ NonPrivilegedType (Optional)

    -NonPrivileged configures Calico to be run in non-privileged containers as non-root users where possible. +This field specifies the externally reachable address to which your managed cluster will connect. When a managed +cluster is added, this field is used to populate an easy-to-apply manifest that will connect both clusters. +Valid examples are: “0.0.0.0:31000”, “example.com:32000”, “[::1]:32500”
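Review bot: The address description for ManagementClusterSpec calls the field "the externally reachable address to which your managed cluster will connect" and then lists "0.0.0.0:31000" and "[::1]:32500" as valid examples. The first is the unspecified address and the second is loopback, so neither is something a managed cluster in another network can reach. If these are only meant to show accepted syntax, say so; otherwise replace them with examples that match the "externally reachable" requirement, as "example.com:32000" already does.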

    @@ -9832,30 +17343,47 @@ NonPrivileged configures Calico to be run in non-privileged containers as non-ro + +
    FieldDescription
    -nonPrivileged
    +address
    - -NonPrivilegedType - +string
    -calicoNodeDaemonSet
    +tls
    - -CalicoNodeDaemonSet + +TLS
    +(Optional)

    -CalicoNodeDaemonSet configures the calico-node DaemonSet. If used in -conjunction with the deprecated ComponentResources, then these overrides take precedence. +TLS provides options for configuring how Managed Clusters can establish an mTLS connection with the Management Cluster.

    +

    ManagementClusterTLS

    +

    + +(Appears on: +ManagementClusterConnectionSpec) + +

    + + + + + + + + - - +
    FieldDescription
    -csiNodeDriverDaemonSet
    +ca
    - -CSINodeDriverDaemonSet + +CAType @@ -9863,67 +17391,98 @@ CSINodeDriverDaemonSet

    -CSINodeDriverDaemonSet configures the csi-node-driver DaemonSet. +CA indicates which verification method the tunnel client should use to verify the tunnel server’s identity. +

    +

    +When left blank or set to ‘Tigera’, the tunnel client will expect a self-signed cert to be included in the certificate bundle +and will expect the cert to have a Common Name (CN) of ‘voltron’. +

    +

    +When set to ‘Public’, the tunnel client will use its installed system certs and will use the managementClusterAddr to verify the tunnel server’s identity. +

    +

    +Default: Tigera

    - -calicoKubeControllersDeployment
    - - -CalicoKubeControllersDeployment - - +
    +

    ManagerDeployment

    +

    - - +(Appears on: +ManagerSpec) +

    -CalicoKubeControllersDeployment configures the calico-kube-controllers Deployment. If used in -conjunction with the deprecated ComponentResources, then these overrides take precedence. +ManagerDeployment is the configuration for the Manager Deployment.

    - - + + + + + + + + +
    FieldDescription
    -typhaDeployment
    +spec
    - -TyphaDeployment + +ManagerDeploymentSpec
    +(Optional)

    -TyphaDeployment configures the typha Deployment. If used in conjunction with the deprecated -ComponentResources or TyphaAffinity, then these overrides take precedence. +Spec is the specification of the Manager Deployment.

    +
    +
    + +
    +

    ManagerDeploymentContainer

    +

    + +(Appears on: +ManagerDeploymentPodSpec) + +

    +

    +ManagerDeploymentContainer is a Manager Deployment container. +

    + + + + + + + + @@ -9931,39 +17490,58 @@ CalicoWindowsUpgradeDaemonSet configures the calico-windows-upgrade DaemonSet. + +
    FieldDescription
    -calicoWindowsUpgradeDaemonSet
    +name
    - -CalicoWindowsUpgradeDaemonSet - +string

    -Deprecated. The CalicoWindowsUpgradeDaemonSet is deprecated and will be removed from the API in the future. -CalicoWindowsUpgradeDaemonSet configures the calico-windows-upgrade DaemonSet. +Name is an enum which identifies the Manager Deployment container by name.

    -calicoNodeWindowsDaemonSet
    +resources
    - -CalicoNodeWindowsDaemonSet + +Kubernetes core/v1.ResourceRequirements
    +(Optional)

    -CalicoNodeWindowsDaemonSet configures the calico-node-windows DaemonSet. +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named Manager Deployment container’s resources. +If omitted, the Manager Deployment will use its default value for this container’s resources.

    +

    ManagerDeploymentInitContainer

    +

    + +(Appears on: +ManagerDeploymentPodSpec) + +

    +

    +ManagerDeploymentInitContainer is a Manager Deployment init container. +

    + + + + + + + + @@ -9971,10 +17549,10 @@ Default: Disabled + +
    FieldDescription
    -fipsMode
    +name
    - -FIPSMode - +string
    -(Optional)

    -FIPSMode uses images and features only that are using FIPS 140-2 validated cryptographic modules and standards. -Default: Disabled +Name is an enum which identifies the Manager Deployment init container by name.

    -logging
    +resources
    - -Logging + +Kubernetes core/v1.ResourceRequirements @@ -9983,18 +17561,41 @@ Logging (Optional)

    -Logging Configuration for Components +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named Manager Deployment init container’s resources. +If omitted, the Manager Deployment will use its default value for this init container’s resources. +If used in conjunction with the deprecated ComponentResources, then this value takes precedence.

    +

    ManagerDeploymentPodSpec

    +

    + +(Appears on: +ManagerDeploymentPodTemplateSpec) + +

    +

    +ManagerDeploymentPodSpec is the Manager Deployment’s PodSpec. +
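Review bot: the init container `resources` description ends with "If used in conjunction with the deprecated ComponentResources, then this value takes precedence", but the `resources` description for ManagerDeploymentContainer just above has no such sentence. If the precedence rule holds for both, state it in both places; if it applies only to init containers, say so explicitly, since anyone still setting ComponentResources needs to know which value wins.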

    + + + + + + + + @@ -10011,9 +17614,11 @@ Windows Configuration @@ -10021,22 +17626,24 @@ Windows Configuration (Optional)

    -Kubernetes Service CIDRs. Specifying this is required when using Calico for Windows. +Containers is a list of Manager containers. +If specified, this overrides the specified Manager Deployment containers. +If omitted, the Manager Deployment will use its default values for its containers.

    FieldDescription
    -windowsNodes
    +initContainers
    - -WindowsNodeSpec + +[]ManagerDeploymentInitContainer @@ -10003,7 +17604,9 @@ WindowsNodeSpec (Optional)

    -Windows Configuration +InitContainers is a list of Manager init containers. +If specified, this overrides the specified Manager Deployment init containers. +If omitted, the Manager Deployment will use its default values for its init containers.

    -serviceCIDRs
    +containers
    -[]string + +[]ManagerDeploymentContainer +
    -

    InstallationStatus

    +

    ManagerDeploymentPodTemplateSpec

    (Appears on: -Installation) +ManagerDeploymentSpec)

    -InstallationStatus defines the observed state of the Calico or Calico Enterprise installation. +ManagerDeploymentPodTemplateSpec is the Manager Deployment’s PodTemplateSpec
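Review bot: in the `initContainers` and `containers` rows, "If specified, this overrides the specified Manager Deployment init containers" does not say whether entries are matched to existing containers by name or whether the list replaces the defaults wholesale, and "overrides the specified" is circular. Since each entry carries only `name` and `resources`, wording such as "each entry overrides the resources of the container with the same name; containers not listed keep their defaults" would remove the ambiguity, if that is the behaviour. Minor: the ManagerDeploymentPodTemplateSpec description is missing its closing period, unlike ManagerDeploymentPodSpec.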

    @@ -10049,46 +17656,55 @@ InstallationStatus defines the observed state of the Calico or Calico Enterprise - -
    -variant
    +spec
    - -ProductVariant + +ManagerDeploymentPodSpec
    +(Optional)

    -Variant is the most recently observed installed variant - one of Calico or TigeraSecureEnterprise +Spec is the Manager Deployment’s PodSpec.

    +
    +
    + +
    - -mtu
    - -int32 - + +
    +

    ManagerDeploymentSpec

    +

    - - +(Appears on: +ManagerDeployment) +

    -MTU is the most recently observed value for pod network MTU. This may be an explicitly -configured value, or based on Calico’s native auto-detetion. +ManagerDeploymentSpec defines configuration for the Manager Deployment.

    - - + + + + + + + @@ -10096,19 +17712,38 @@ string (Optional)

    -ImageSet is the name of the ImageSet being used, if there is an ImageSet -that is being used. If an ImageSet is not being used then this will not be set. +Template describes the Manager Deployment pod that will be created.

    + +
    FieldDescription
    -imageSet
    +template
    -string + +ManagerDeploymentPodTemplateSpec +
    +

    ManagerSpec

    +

    + +(Appears on: +Manager) + +

    +

    +ManagerSpec defines configuration for the Calico Enterprise manager GUI. +

    + + + + + + + + + +
    FieldDescription
    -computed
    +managerDeployment
    - -InstallationSpec + +ManagerDeployment @@ -10117,15 +17752,35 @@ InstallationSpec (Optional)

    -Computed is the final installation including overlaid resources. +ManagerDeployment configures the Manager Deployment.

    +

    ManagerStatus

    +

    + +(Appears on: +Manager) + +

    +

    +ManagerStatus defines the observed state of the Calico Enterprise manager GUI. +

    + + + + + + + + @@ -10164,23 +17817,28 @@ Ready, Progressing, Degraded or other customer types.
    FieldDescription
    -calicoVersion
    +state
    string @@ -10134,9 +17789,7 @@ string

    -CalicoVersion shows the current running version of calico. -CalicoVersion along with Variant is needed to know the exact -version deployed. +State provides user-readable status.

    -

    IntrusionDetectionComponentName -(string alias)

    -

    - -(Appears on: -IntrusionDetectionComponentResource) - -

    -

    IntrusionDetectionComponentResource

    +

    Metadata

    (Appears on: -IntrusionDetectionSpec) +APIServerDeployment, +APIServerDeploymentPodTemplateSpec, +CSINodeDriverDaemonSet, +CSINodeDriverDaemonSetPodTemplateSpec, +CalicoKubeControllersDeployment, +CalicoKubeControllersDeploymentPodTemplateSpec, +CalicoNodeDaemonSet, +CalicoNodeDaemonSetPodTemplateSpec, +CalicoNodeWindowsDaemonSet, +CalicoNodeWindowsDaemonSetPodTemplateSpec, +CalicoWindowsUpgradeDaemonSet, +CalicoWindowsUpgradeDaemonSetPodTemplateSpec, +TyphaDeployment, +TyphaDeploymentPodTemplateSpec)

    -The ComponentResource struct associates a ResourceRequirements with a component by name +Metadata contains the standard Kubernetes labels and annotations fields.

    @@ -10193,18 +17851,19 @@ The ComponentResource struct associates a ResourceRequirements with a component @@ -10212,33 +17871,45 @@ ComponentName is an enum which identifies the component
    -componentName
    +labels
    - -IntrusionDetectionComponentName - +map[string]string
    +(Optional)

    -ComponentName is an enum which identifies the component +Labels is a map of string keys and values that may match replicaset and +service selectors. Each of these key/value pairs are added to the +object’s labels provided the key does not already exist in the object’s labels.

    -resourceRequirements
    +annotations
    - -Kubernetes core/v1.ResourceRequirements - +map[string]string
    +(Optional)

    -ResourceRequirements allows customization of limits and requests for compute resources such as cpu and memory. +Annotations is a map of arbitrary non-identifying metadata. Each of these +key/value pairs are added to the object’s annotations provided the key does not +already exist in the object’s annotations.

    -

    IntrusionDetectionSpec

    +

    MetadataAccessAllowedType +(string alias)

    (Appears on: -IntrusionDetection) +AmazonCloudIntegrationSpec)

    -IntrusionDetectionSpec defines the desired state of Tigera intrusion detection capabilities. +MetadataAccessAllowedType +

    +

    MonitorSpec

    +

    + +(Appears on: +Monitor) + +

    +

    +MonitorSpec defines the desired state of Tigera monitor.
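Review bot: MetadataAccessAllowedType lands here with a description that only repeats the type name, and unlike the other string aliases in this file it has no "One of: ..." line. It is referenced from AmazonCloudIntegrationSpec and, going by its name, controls whether metadata access is allowed, so the accepted values and what each one permits should be documented. The block is re-emitted by this patch anyway, which makes this a cheap place to fix the source comment.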

    @@ -10251,10 +17922,31 @@ IntrusionDetectionSpec defines the desired state of Tigera intrusion detection c + + + + @@ -10272,10 +17963,10 @@ Only DeepPacketInspection is supported for this spec.
    -componentResources
    +externalPrometheus
    - -[]IntrusionDetectionComponentResource + +ExternalPrometheus + + + +
    + +

    +ExternalPrometheus optionally configures integration with an external Prometheus for scraping Calico metrics. When +specified, the operator will render resources in the defined namespace. This option can be useful for configuring +scraping from git-ops tools without the need of post-installation steps. +

    + +
    + +prometheus
    + + +Prometheus @@ -10263,8 +17955,7 @@ IntrusionDetectionSpec defines the desired state of Tigera intrusion detection c (Optional)

    -ComponentResources can be used to customize the resource requirements for each component. -Only DeepPacketInspection is supported for this spec. +Prometheus is the configuration for the Prometheus.

    -anomalyDetection
    +alertManager
    - -AnomalyDetectionSpec + +AlertManager @@ -10284,22 +17975,22 @@ AnomalyDetectionSpec (Optional)

    -AnomalyDetection is now deprecated, and configuring it has no effect. +AlertManager is the configuration for the AlertManager.

    -

    IntrusionDetectionStatus

    +

    MonitorStatus

    (Appears on: -IntrusionDetection) +Monitor)

    -IntrusionDetectionStatus defines the observed state of Tigera intrusion detection capabilities. +MonitorStatus defines the observed state of Tigera monitor.

    @@ -10349,129 +18040,57 @@ Ready, Progressing, Degraded or other customer types.
    -

    KubernetesAutodetectionMethod +

    MultiInterfaceMode (string alias)

    (Appears on: -NodeAddressAutodetection) +CalicoNetworkSpec)

    -KubernetesAutodetectionMethod is a method of detecting an IP address based on the Kubernetes API. +MultiInterfaceMode describes the method of providing multiple pod interfaces.

    -One of: NodeInternalIP +One of: None, Multus

    -

    LinuxDataplaneOption +

    NATOutgoingType (string alias)

    (Appears on: -CalicoNetworkSpec) +IPPool)

    -LinuxDataplaneOption controls which dataplane is to be used on Linux nodes. +NATOutgoingType describe the type of outgoing NAT to use.

    -One of: Iptables, BPF +One of: Enabled, Disabled

    -

    LogCollectionSpec

    +

    NativeIP +(string alias)

    (Appears on: -ApplicationLayerSpec) - -

    - - - - - - - - - - - - - - - - - - - - - -
    FieldDescription
    - -collectLogs
    - - -LogCollectionStatusType - - - -
    - -(Optional) -

    -This setting enables or disable log collection. -Allowed values are Enabled or Disabled. -

    - -
    - -logIntervalSeconds
    - -int64 - - -
    - -(Optional) -

    -Interval in seconds for sending L7 log information for processing. -Default: 5 sec -

    - -
    - -logRequestsPerInterval
    - -int64 - - -
    +AWSEgressGateway) -(Optional) -

    -Maximum number of unique L7 logs that are sent LogIntervalSeconds. -Adjust this to limit the number of L7 logs sent per LogIntervalSeconds -to felix for further processing, use negative number to ignore limits. -Default: -1

    - -
    -

    LogCollectionStatusType -(string alias)

    - -(Appears on: -LogCollectionSpec) - +NativeIP defines if Egress Gateway pods should have AWS IPs. +When NativeIP is enabled, the IPPools should be backed by AWS subnet.

    -

    LogCollectorSpec

    +

    NodeAddressAutodetection

    (Appears on: -LogCollector) +CalicoNetworkSpec)

    -LogCollectorSpec defines the desired state of Tigera flow, audit, and DNS log collection. +NodeAddressAutodetection provides configuration options for auto-detecting node addresses. At most one option +can be used. If no detection option is specified, then IP auto detection will be disabled for this address family and IPs +must be specified directly on the Node resource.

    @@ -10484,11 +18103,9 @@ LogCollectorSpec defines the desired state of Tigera flow, audit, and DNS log co @@ -10496,7 +18113,8 @@ AdditionalLogStoreSpec (Optional)

    -Configuration for exporting flow, audit, and DNS logs to external storage. +FirstFound uses default interface matching parameters to select an interface, performing best-effort +filtering based on well-known interface names.

    @@ -10504,10 +18122,10 @@ Configuration for exporting flow, audit, and DNS logs to external storage. @@ -10524,11 +18142,9 @@ Configuration for importing audit logs from managed kubernetes cluster log sourc @@ -10536,9 +18152,7 @@ CollectProcessPathOption (Optional)

    -Configuration for enabling/disabling process path collection in flowlogs. -If Enabled, this feature sets hostPID to true to read process cmdline. -Default: Enabled +Interface enables IP auto-detection based on interfaces that match the given regex.

    @@ -10546,7 +18160,7 @@ Default: Enabled - -
    -additionalStores
    +firstFound
    - -AdditionalLogStoreSpec - +bool
    -additionalSources
    +kubernetes
    - -AdditionalLogSourceSpec + +KubernetesAutodetectionMethod @@ -10516,7 +18134,7 @@ AdditionalLogSourceSpec (Optional)

    -Configuration for importing audit logs from managed kubernetes cluster log sources. +Kubernetes configures Calico to detect node addresses based on the Kubernetes API.

    -collectProcessPath
    +interface
    - -CollectProcessPathOption - +string
    -multiTenantManagementClusterNamespace
    +skipInterface
    string @@ -10556,36 +18170,16 @@ string (Optional)

    -If running as a multi-tenant management cluster, the namespace in which -the management cluster’s tenant services are running. +SkipInterface enables IP auto-detection based on interfaces that do not match +the given regex.

    -

    LogCollectorStatus

    -

    - -(Appears on: -LogCollector) - -

    -

    -LogCollectorStatus defines the observed state of Tigera flow and DNS log collection -

    - - - - - - - - @@ -10602,55 +18198,32 @@ State provides user-readable status.
    FieldDescription
    -state
    +canReach
    string @@ -10593,8 +18187,10 @@ string
    +(Optional)

    -State provides user-readable status. +CanReach enables IP auto-detection based on which source address on the node is used to reach the +specified IP or domain.

    -conditions
    +cidrs
    - -[]Kubernetes meta/v1.Condition - +[]string
    -(Optional)

    -Conditions represents the latest observed set of conditions for the component. A component may be one or more of -Ready, Progressing, Degraded or other customer types. +CIDRS enables IP auto-detection based on which addresses on the nodes are within +one of the provided CIDRs.

    -

    LogLevel -(string alias)

    -

    - -(Appears on: -CNILogging, -EgressGatewaySpec) - -

    -

    LogStorageComponentName -(string alias)

    -

    - -(Appears on: -LogStorageComponentResource) - -

    -

    -LogStorageComponentName CRD enum -

    -

    LogStorageComponentResource

    +

    NodeAffinity

    (Appears on: -LogStorageSpec) +TyphaAffinity)

    -The ComponentResource struct associates a ResourceRequirements with a component by name +NodeAffinity is similar to *v1.NodeAffinity, but allows us to limit available schedulers.

    @@ -10663,18 +18236,21 @@ The ComponentResource struct associates a ResourceRequirements with a component @@ -10682,33 +18258,45 @@ ComponentName is an enum which identifies the component
    -componentName
    +preferredDuringSchedulingIgnoredDuringExecution
    - -LogStorageComponentName + +[]Kubernetes core/v1.PreferredSchedulingTerm
    +(Optional)

    -ComponentName is an enum which identifies the component +The scheduler will prefer to schedule pods to nodes that satisfy +the affinity expressions specified by this field, but it may choose +a node that violates one or more of the expressions.

    -resourceRequirements
    +requiredDuringSchedulingIgnoredDuringExecution
    - -Kubernetes core/v1.ResourceRequirements + +Kubernetes core/v1.NodeSelector
    +(Optional)

    -ResourceRequirements allows customization of limits and requests for compute resources such as cpu and memory. +WARNING: Please note that if the affinity requirements specified by this field are not met at +scheduling time, the pod will NOT be scheduled onto the node. +There is no fallback to another affinity rules with this setting. +This may cause networking disruption or even catastrophic failure! +PreferredDuringSchedulingIgnoredDuringExecution should be used for affinity +unless there is a specific well understood reason to use RequiredDuringSchedulingIgnoredDuringExecution and +you can guarantee that the RequiredDuringSchedulingIgnoredDuringExecution will always have sufficient nodes to satisfy the requirement. +NOTE: RequiredDuringSchedulingIgnoredDuringExecution is set by default for AKS nodes, +to avoid scheduling Typhas on virtual-nodes. +If the affinity requirements specified by this field cease to be met +at some point during pod execution (e.g. due to an update), the system +may or may not try to eventually evict the pod from its node.

    -

    LogStorageSpec

    +

    NodeSet

    (Appears on: -LogStorage) +Nodes)

    -LogStorageSpec defines the desired state of Tigera flow and DNS log storage. +NodeSets defines configuration specific to each Elasticsearch Node Set
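Review bot: the NodeSet description reads "NodeSets defines configuration specific to each Elasticsearch Node Set", which names the plural field rather than the NodeSet type and lacks a closing period. Suggest "NodeSet defines configuration specific to an Elasticsearch Node Set." In the same hunk, the NodeAffinity warning has "There is no fallback to another affinity rules with this setting", which should read "to other affinity rules"; it is worth getting right because this is the text operators read before choosing RequiredDuringSchedulingIgnoredDuringExecution.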

    @@ -10721,10 +18309,10 @@ LogStorageSpec defines the desired state of Tigera flow and DNS log storage. - - -
    -nodes
    +selectionAttributes
    - -Nodes + +[]NodeSetSelectionAttribute @@ -10732,55 +18320,39 @@ Nodes

    -Nodes defines the configuration for a set of identical Elasticsearch cluster nodes, each of type master, data, and ingest. +SelectionAttributes defines K8s node attributes a NodeSet should use when setting the Node Affinity selectors and +Elasticsearch cluster awareness attributes for the Elasticsearch nodes. The list of SelectionAttributes are used +to define Node Affinities and set the node awareness configuration in the running Elasticsearch instance.

    - -indices
    - - -Indices - - - -
    - -(Optional) + +
    +

    NodeSetSelectionAttribute

    -Index defines the configuration for the indices in the Elasticsearch cluster. -

    - - - - - - -retention
    - - -Retention - - - - +(Appears on: +NodeSet) -(Optional) +

    -Retention defines how long data is retained in the Elasticsearch cluster before it is cleared. +NodeSetSelectionAttribute defines a K8s node “attribute” the Elasticsearch nodes should be aware of. The “Name” and “Value” +are used together to set the “awareness” attributes in Elasticsearch, while the “NodeLabel” and “Value” are used together +to define Node Affinity for the Pods created for the Elasticsearch nodes.

    - - + + + + + + +
    FieldDescription
    -storageClassName
    +name
    string @@ -10788,69 +18360,48 @@ string
    -(Optional) -

    -StorageClassName will populate the PersistentVolumeClaim.StorageClassName that is used to provision disks to the -Tigera Elasticsearch cluster. The StorageClassName should only be modified when no LogStorage is currently -active. We recommend choosing a storage class dedicated to Tigera LogStorage only. Otherwise, data retention -cannot be guaranteed during upgrades. See https://docs.tigera.io/maintenance/upgrading for up-to-date instructions. -Default: tigera-elasticsearch -

    -dataNodeSelector
    +nodeLabel
    -map[string]string +string
    -(Optional) -

    -DataNodeSelector gives you more control over the node that Elasticsearch will run on. The contents of DataNodeSelector will -be added to the PodSpec of the Elasticsearch nodes. For the pod to be eligible to run on a node, the node must have -each of the indicated key-value pairs as labels as well as access to the specified StorageClassName. -

    -componentResources
    +value
    - -[]LogStorageComponentResource - +string
    -(Optional) -

    -ComponentResources can be used to customize the resource requirements for each component. -Only ECKOperator is supported for this spec. -

    -

    LogStorageStatus

    +

    Nodes

    (Appears on: -LogStorage) +LogStorageSpec)

    -LogStorageStatus defines the observed state of Tigera flow and DNS log storage. +Nodes defines the configuration for a set of identical Elasticsearch cluster nodes, each of type master, data, and ingest.

    @@ -10863,34 +18414,16 @@ LogStorageStatus defines the observed state of Tigera flow and DNS log storage. - - - - @@ -10898,17 +18431,19 @@ is an opaque string which can be monitored for changes to perform actions when E @@ -10916,10 +18451,10 @@ is an opaque string which can be monitored for changes to perform actions when K
    -state
    - -string - - -
    - -

    -State provides user-readable status. -

    - -
    - -elasticsearchHash
    +count
    -string +int64

    -ElasticsearchHash represents the current revision and configuration of the installed Elasticsearch cluster. This -is an opaque string which can be monitored for changes to perform actions when Elasticsearch is modified. +Count defines the number of nodes in the Elasticsearch cluster.

    -kibanaHash
    +nodeSets
    -string + +[]NodeSet +
    +(Optional)

    -KibanaHash represents the current revision and configuration of the installed Kibana dashboard. This -is an opaque string which can be monitored for changes to perform actions when Kibana is modified. +NodeSets defines configuration specific to each Elasticsearch Node Set

    -conditions
    +resourceRequirements
    - -[]Kubernetes meta/v1.Condition + +Kubernetes core/v1.ResourceRequirements @@ -10928,20 +18463,46 @@ is an opaque string which can be monitored for changes to perform actions when K (Optional)

    -Conditions represents the latest observed set of conditions for the component. A component may be one or more of -Ready, Progressing, Degraded or other customer types. +ResourceRequirements defines the resource limits and requirements for the Elasticsearch cluster.

    -

    Logging

    +

    NonPrivilegedType +(string alias)

    (Appears on: InstallationSpec) +

    +

    +NonPrivilegedType specifies whether Calico runs as permissioned or not +

    +

    +One of: Enabled, Disabled +

    +

    OIDCType +(string alias)

    +

    + +(Appears on: +AuthenticationOIDC) + +

    +

    +OIDCType defines how OIDC is configured for Tigera Enterprise. Dex should be the best option for most use-cases. +The Tigera option can help in specific use-cases, for instance, when you are unable to configure a client secret. +One of: Dex, Tigera +

    +

    PathMatch

    +

    + +(Appears on: +TLSTerminatedRouteSpec) +
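Review bot: PathMatch is added with an "Appears on" line but no type description, so the reference never says what a PathMatch is for or how its `path`, `pathRegexp` and `pathReplace` fields combine. Add a one-sentence summary on the type. Also in this hunk, "NonPrivilegedType specifies whether Calico runs as permissioned or not" is hard to parse; say what Enabled and Disabled each mean for the privileges Calico runs with.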

    @@ -10954,47 +18515,24 @@ Ready, Progressing, Degraded or other customer types. - -
    -cni
    +path
    - -CNILogging - +string
    -(Optional)

    -Customized logging specification for calico-cni plugin +Path is the path portion of the URL based on which we proxy.

    -

    ManagementClusterConnectionSpec

    -

    - -(Appears on: -ManagementClusterConnection) - -

    -

    -ManagementClusterConnectionSpec defines the desired state of ManagementClusterConnection -

    - - - - - - - - @@ -11013,11 +18550,9 @@ should be able to access this address. This field is used by managed clusters on @@ -11025,22 +18560,22 @@ ManagementClusterTLS (Optional)

    -TLS provides options for configuring how Managed Clusters can establish an mTLS connection with the Management Cluster. +PathReplace if not nil will be used to replace PathRegexp matches.

    FieldDescription
    -managementClusterAddr
    +pathRegexp
    string @@ -11004,8 +18542,7 @@ string (Optional)

    -Specify where the managed cluster can reach the management cluster. Ex.: “10.128.0.10:30449”. A managed cluster -should be able to access this address. This field is used by managed clusters only. +PathRegexp, if not nil, checks if Regexp matches the path.

    -tls
    +pathReplace
    - -ManagementClusterTLS - +string
    -

    ManagementClusterConnectionStatus

    +

    PolicyRecommendationDeployment

    (Appears on: -ManagementClusterConnection) +PolicyRecommendationSpec)

    -ManagementClusterConnectionStatus defines the observed state of ManagementClusterConnection +PolicyRecommendationDeployment is the configuration for the PolicyRecommendation Deployment.
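Review bot: in the PathMatch rows above, "PathRegexp, if not nil, checks if Regexp matches the path" and "PathReplace if not nil will be used to replace PathRegexp matches" leave the matching rules unspecified: which regular-expression syntax is accepted, whether the pattern is anchored or may match anywhere in the path, and whether `path` is compared exactly or as a prefix. For a route that decides what gets proxied, those details determine which requests match, so they belong in the field descriptions. "if not nil" also reads oddly next to a type rendered as `string`; "if set" would be clearer.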

    @@ -11053,10 +18588,10 @@ ManagementClusterConnectionStatus defines the observed state of ManagementCluste
    -conditions
    +spec
    - -[]Kubernetes meta/v1.Condition + +PolicyRecommendationDeploymentSpec @@ -11065,23 +18600,26 @@ ManagementClusterConnectionStatus defines the observed state of ManagementCluste (Optional)

    -Conditions represents the latest observed set of conditions for the component. A component may be one or more of -Ready, Progressing, Degraded or other customer types. +Spec is the specification of the PolicyRecommendation Deployment.

    +
    +
    + +
    -

    ManagementClusterSpec

    +

    PolicyRecommendationDeploymentContainer

    (Appears on: -ManagementCluster) +PolicyRecommendationDeploymentPodSpec)

    -ManagementClusterSpec defines the desired state of a ManagementCluster +PolicyRecommendationDeploymentContainer is a PolicyRecommendation Deployment container.

    @@ -11094,7 +18632,7 @@ ManagementClusterSpec defines the desired state of a ManagementCluster @@ -11114,10 +18649,10 @@ Valid examples are: “0.0.0.0:31000”, “example.com:32000”
    -address
    +name
    string @@ -11102,11 +18640,8 @@ string
    -(Optional)

    -This field specifies the externally reachable address to which your managed cluster will connect. When a managed -cluster is added, this field is used to populate an easy-to-apply manifest that will connect both clusters. -Valid examples are: “0.0.0.0:31000”, “example.com:32000”, “[::1]:32500” +Name is an enum which identifies the PolicyRecommendation Deployment container by name.

    -tls
    +resources
    - -TLS + +Kubernetes core/v1.ResourceRequirements @@ -11126,19 +18661,24 @@ TLS (Optional)

    -TLS provides options for configuring how Managed Clusters can establish an mTLS connection with the Management Cluster. +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named PolicyRecommendation Deployment container’s resources. +If omitted, the PolicyRecommendation Deployment will use its default value for this container’s resources.

    -

    ManagementClusterTLS

    +

    PolicyRecommendationDeploymentInitContainer

    (Appears on: -ManagementClusterConnectionSpec) +PolicyRecommendationDeploymentPodSpec) +

    +

    +PolicyRecommendationDeploymentInitContainer is a PolicyRecommendation Deployment init container.

    @@ -11151,59 +18691,27 @@ TLS provides options for configuring how Managed Clusters can establish an mTLS - -
    -ca
    +name
    - -CAType - +string

    -CA indicates which verification method the tunnel client should use to verify the tunnel server’s identity. -

    -

    -When left blank or set to ‘Tigera’, the tunnel client will expect a self-signed cert to be included in the certificate bundle -and will expect the cert to have a Common Name (CN) of ‘voltron’. -

    -

    -When set to ‘Public’, the tunnel client will use its installed system certs and will use the managementClusterAddr to verify the tunnel server’s identity. -

    -

    -Default: Tigera +Name is an enum which identifies the PolicyRecommendation Deployment init container by name.

    -

    ManagerSpec

    -

    - -(Appears on: -Manager) - -

    -

    -ManagerSpec defines configuration for the Calico Enterprise manager GUI. -

    - - - - - - - -
    FieldDescription
    -auth
    +resources
    - -Auth + +Kubernetes core/v1.ResourceRequirements @@ -11212,22 +18720,24 @@ Auth (Optional)

    -Deprecated. Please use the Authentication CR for configuring authentication. +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named PolicyRecommendation Deployment init container’s resources. +If omitted, the PolicyRecommendation Deployment will use its default value for this init container’s resources.

    -

    ManagerStatus

    +

    PolicyRecommendationDeploymentPodSpec

    (Appears on: -Manager) +PolicyRecommendationDeploymentPodTemplateSpec)

    -ManagerStatus defines the observed state of the Calico Enterprise manager GUI. +PolicyRecommendationDeploymentPodSpec is the PolicyRecommendation Deployment’s PodSpec.

    @@ -11240,10 +18750,10 @@ ManagerStatus defines the observed state of the Calico Enterprise manager GUI. - - - - @@ -11277,10 +18772,10 @@ State provides user-readable status.
    -auth
    +initContainers
    - -Auth + +[]PolicyRecommendationDeploymentInitContainer @@ -11252,24 +18762,9 @@ Auth (Optional)

    -Deprecated. Please use the Authentication CR for configuring authentication. -

    - -
    - -state
    - -string - - -
    - -

    -State provides user-readable status. +InitContainers is a list of PolicyRecommendation init containers. +If specified, this overrides the specified PolicyRecommendation Deployment init containers. +If omitted, the PolicyRecommendation Deployment will use its default values for its init containers.

    -conditions
    +containers
    - -[]Kubernetes meta/v1.Condition + +[]PolicyRecommendationDeploymentContainer @@ -11289,36 +18784,24 @@ State provides user-readable status. (Optional)

    -Conditions represents the latest observed set of conditions for the component. A component may be one or more of -Ready, Progressing, Degraded or other customer types. +Containers is a list of PolicyRecommendation containers. +If specified, this overrides the specified PolicyRecommendation Deployment containers. +If omitted, the PolicyRecommendation Deployment will use its default values for its containers.

    -

    Metadata

    +

    PolicyRecommendationDeploymentPodTemplateSpec

    (Appears on: -APIServerDeployment, -APIServerDeploymentPodTemplateSpec, -CSINodeDriverDaemonSet, -CSINodeDriverDaemonSetPodTemplateSpec, -CalicoKubeControllersDeployment, -CalicoKubeControllersDeploymentPodTemplateSpec, -CalicoNodeDaemonSet, -CalicoNodeDaemonSetPodTemplateSpec, -CalicoNodeWindowsDaemonSet, -CalicoNodeWindowsDaemonSetPodTemplateSpec, -CalicoWindowsUpgradeDaemonSet, -CalicoWindowsUpgradeDaemonSetPodTemplateSpec, -TyphaDeployment, -TyphaDeploymentPodTemplateSpec) +PolicyRecommendationDeploymentSpec)

    -Metadata contains the standard Kubernetes labels and annotations fields. +PolicyRecommendationDeploymentPodTemplateSpec is the PolicyRecommendation Deployment’s PodTemplateSpec

    @@ -11331,29 +18814,11 @@ Metadata contains the standard Kubernetes labels and annotations fields. - - - - @@ -11361,45 +18826,67 @@ map[string]string (Optional)

    -Annotations is a map of arbitrary non-identifying metadata. Each of these -key/value pairs are added to the object’s annotations provided the key does not -already exist in the object’s annotations. +Spec is the PolicyRecommendation Deployment’s PodSpec.

    +
    +
    +
    -labels
    - -map[string]string - - -
    - -(Optional) -

    -Labels is a map of string keys and values that may match replicaset and -service selectors. Each of these key/value pairs are added to the -object’s labels provided the key does not already exist in the object’s labels. -

    - -
    - -annotations
    +spec
    -map[string]string + +PolicyRecommendationDeploymentPodSpec +
    +
    -

    MetadataAccessAllowedType -(string alias)

    +

    PolicyRecommendationDeploymentSpec

    (Appears on: -AmazonCloudIntegrationSpec) +PolicyRecommendationDeployment)

    -MetadataAccessAllowedType +PolicyRecommendationDeploymentSpec defines configuration for the PolicyRecommendation Deployment.

    -

    MonitorSpec

    -

    + + + + + + + + + + + + + +
    FieldDescription
    -(Appears on: -Monitor) +template
    + + +PolicyRecommendationDeploymentPodTemplateSpec + + -

    +
    + +(Optional)

    -MonitorSpec defines the desired state of Tigera monitor. +Template describes the PolicyRecommendation Deployment pod that will be created.

    -

    MonitorStatus

    + +
    +

    PolicyRecommendationSpec

    (Appears on: -Monitor) +PolicyRecommendation)

    -MonitorStatus defines the observed state of Tigera monitor. +PolicyRecommendationSpec defines configuration for the Calico Enterprise Policy Recommendation +service.

    @@ -11412,94 +18899,127 @@ MonitorStatus defines the observed state of Tigera monitor. + +
    -state
    +policyRecommendationDeployment
    -string + +PolicyRecommendationDeployment +
    +(Optional)

    -State provides user-readable status. +PolicyRecommendation configures the PolicyRecommendation Deployment.

    +

    PolicyRecommendationStatus

    +

    + +(Appears on: +PolicyRecommendation) + +

    +

    +PolicyRecommendationStatus defines the observed state of Tigera policy recommendation. +

    + + + + + + + +
    FieldDescription
    -conditions
    +state
    - -[]Kubernetes meta/v1.Condition - +string
    -(Optional)

    -Conditions represents the latest observed set of conditions for the component. A component may be one or more of -Ready, Progressing, Degraded or other customer types. +State provides user-readable status.

    -

    MultiInterfaceMode +

    ProductVariant (string alias)

    (Appears on: -CalicoNetworkSpec) +InstallationSpec, +InstallationStatus)

    -MultiInterfaceMode describes the method of providing multiple pod interfaces. +ProductVariant represents the variant of the product.

    -One of: None, Multus +One of: Calico, TigeraSecureEnterprise

    -

    NATOutgoingType -(string alias)

    +

    Prometheus

    (Appears on: -IPPool) +MonitorSpec)

    -

    -NATOutgoingType describe the type of outgoing NAT to use. -

    -

    -One of: Enabled, Disabled -

    -

    NativeIP -(string alias)

    -

    + + + + + + + + + + + + + +
    FieldDescription
    -(Appears on: -AWSEgressGateway) +spec
    + + +PrometheusSpec + + -

    +
    + +(Optional)

    -NativeIP defines if Egress Gateway pods should have AWS IPs. -When NativeIP is enabled, the IPPools should be backed by AWS subnet. +Spec is the specification of the Prometheus.

    -

    NodeAddressAutodetection

    +
    +
    + +
    + +
    +

    PrometheusContainer

    (Appears on: -CalicoNetworkSpec) +CommonPrometheusFields)

    -NodeAddressAutodetection provides configuration options for auto-detecting node addresses. At most one option -can be used. If no detection option is specified, then IP auto detection will be disabled for this address family and IPs -must be specified directly on the Node resource. +PrometheusContainer is a Prometheus container.
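Review bot: The description added for `policyRecommendationDeployment` in PolicyRecommendationSpec reads "PolicyRecommendation configures the PolicyRecommendation Deployment.", so it names the resource rather than the field it documents. If this page is generated from the Go type comments, fix the comment at the source so the sentence starts with `PolicyRecommendationDeployment`. The new type description "PrometheusContainer is a Prometheus container." in the same hunk would also be more useful if it said which Deployment the container belongs to.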

    @@ -11512,18 +19032,16 @@ must be specified directly on the Node resource. @@ -11531,10 +19049,10 @@ filtering based on well-known interface names. + +
    -firstFound
    +name
    -bool +string
    -(Optional)

    -FirstFound uses default interface matching parameters to select an interface, performing best-effort -filtering based on well-known interface names. +Name is an enum which identifies the Prometheus Deployment container by name.

    -kubernetes
    +resources
    - -KubernetesAutodetectionMethod + +Kubernetes core/v1.ResourceRequirements @@ -11543,35 +19061,100 @@ KubernetesAutodetectionMethod (Optional)

    -Kubernetes configures Calico to detect node addresses based on the Kubernetes API. +Resources allows customization of limits and requests for compute resources such as cpu and memory. +If specified, this overrides the named Prometheus container’s resources. +If omitted, the Prometheus will use its default value for this container’s resources.

    +

    PrometheusSpec

    +

    + +(Appears on: +Prometheus) + +

    + + + + + + + + + +
    FieldDescription
    -interface
    +commonPrometheusFields
    -string + +CommonPrometheusFields +
    -(Optional)

    -Interface enables IP auto-detection based on interfaces that match the given regex. +CommonPrometheusFields are the options available to both the Prometheus server and agent.

    +

    PromptType +(string alias)

    +

    + +(Appears on: +AuthenticationOIDC) + +

    +

    +PromptType is a value that specifies whether the identity provider prompts the end user for re-authentication and +consent. +One of: None, Login, Consent, SelectAccount. +

    +

    Provider +(string alias)

    +

    + +(Appears on: +InstallationSpec) + +

    +

    +Provider represents a particular provider or flavor of Kubernetes. Valid options +are: EKS, GKE, AKS, RKE2, OpenShift, DockerEnterprise, TKG. +

    +

    Retention

    +

    + +(Appears on: +LogStorageSpec) + +

    +

    +Retention defines how long data is retained in an Elasticsearch cluster before it is cleared. +

    + + + + + + + + @@ -11579,8 +19162,9 @@ string (Optional)

    -SkipInterface enables IP auto-detection based on interfaces that do not match -the given regex. +Flows configures the retention period for flow logs, in days. Logs written on a day that started at least this long ago +are removed. To keep logs for at least x days, use a retention period of x+1. +Default: 8

    @@ -11588,9 +19172,9 @@ the given regex. @@ -11598,8 +19182,9 @@ string (Optional)

    -CanReach enables IP auto-detection based on which source address on the node is used to reach the -specified IP or domain. +AuditReports configures the retention period for audit logs, in days. Logs written on a day that started at least this long ago are +removed. To keep logs for at least x days, use a retention period of x+1. +Default: 91

    @@ -11607,49 +19192,32 @@ specified IP or domain. - -
    FieldDescription
    -skipInterface
    +flows
    -string +int32
    -canReach
    +auditReports
    -string +int32
    -cidrs
    +snapshots
    -[]string +int32
    +(Optional)

    -CIDRS enables IP auto-detection based on which addresses on the nodes are within -one of the provided CIDRs. +Snapshots configures the retention period for snapshots, in days. Snapshots are periodic captures +of resources which along with audit events are used to generate reports. +Consult the Compliance Reporting documentation for more details on snapshots. +Logs written on a day that started at least this long ago are +removed. To keep logs for at least x days, use a retention period of x+1. +Default: 91

    -

    NodeAffinity

    -

    - -(Appears on: -TyphaAffinity) - -

    -

    -NodeAffinity is similar to *v1.NodeAffinity, but allows us to limit available schedulers. -

    - - - - - - - - @@ -11657,9 +19225,12 @@ NodeAffinity is similar to *v1.NodeAffinity, but allows us to limit available sc (Optional)

    -The scheduler will prefer to schedule pods to nodes that satisfy -the affinity expressions specified by this field, but it may choose -a node that violates one or more of the expressions. +ComplianceReports configures the retention period for compliance reports, in days. Reports are output +from the analysis of the system state and audit events for compliance reporting. +Consult the Compliance Reporting documentation for more details on reports. +Logs written on a day that started at least this long ago are +removed. To keep logs for at least x days, use a retention period of x+1. +Default: 91

    @@ -11667,11 +19238,9 @@ a node that violates one or more of the expressions. @@ -11679,76 +19248,44 @@ Kubernetes core/v1.NodeSelector (Optional)

    -WARNING: Please note that if the affinity requirements specified by this field are not met at -scheduling time, the pod will NOT be scheduled onto the node. -There is no fallback to another affinity rules with this setting. -This may cause networking disruption or even catastrophic failure! -PreferredDuringSchedulingIgnoredDuringExecution should be used for affinity -unless there is a specific well understood reason to use RequiredDuringSchedulingIgnoredDuringExecution and -you can guarantee that the RequiredDuringSchedulingIgnoredDuringExecution will always have sufficient nodes to satisfy the requirement. -NOTE: RequiredDuringSchedulingIgnoredDuringExecution is set by default for AKS nodes, -to avoid scheduling Typhas on virtual-nodes. -If the affinity requirements specified by this field cease to be met -at some point during pod execution (e.g. due to an update), the system -may or may not try to eventually evict the pod from its node. +DNSLogs configures the retention period for DNS logs, in days. Logs written on a day that started at least this long ago +are removed. To keep logs for at least x days, use a retention period of x+1. +Default: 8

    - -
    FieldDescription
    -preferredDuringSchedulingIgnoredDuringExecution
    +complianceReports
    - -[]Kubernetes core/v1.PreferredSchedulingTerm - +int32
    -requiredDuringSchedulingIgnoredDuringExecution
    - - -Kubernetes core/v1.NodeSelector - +dnsLogs
    + +int32
    -

    NodeSet

    -

    - -(Appears on: -Nodes) - -

    -

    -NodeSets defines configuration specific to each Elasticsearch Node Set -

    - - - - - - - -
    FieldDescription
    -selectionAttributes
    +bgpLogs
    - -[]NodeSetSelectionAttribute - +int32
    +(Optional)

    -SelectionAttributes defines K8s node attributes a NodeSet should use when setting the Node Affinity selectors and -Elasticsearch cluster awareness attributes for the Elasticsearch nodes. The list of SelectionAttributes are used -to define Node Affinities and set the node awareness configuration in the running Elasticsearch instance. +BGPLogs configures the retention period for BGP logs, in days. Logs written on a day that started at least this long ago +are removed. To keep logs for at least x days, use a retention period of x+1. +Default: 8

    -

    NodeSetSelectionAttribute

    +

    S3StoreSpec

    (Appears on: -NodeSet) +AdditionalLogStoreSpec)

    -NodeSetSelectionAttribute defines a K8s node “attribute” the Elasticsearch nodes should be aware of. The “Name” and “Value” -are used together to set the “awareness” attributes in Elasticsearch, while the “NodeLabel” and “Value” are used together -to define Node Affinity for the Pods created for the Elasticsearch nodes. +S3StoreSpec defines configuration for exporting logs to Amazon S3.

    @@ -11761,7 +19298,7 @@ to define Node Affinity for the Pods created for the Elasticsearch nodes.
    -name
    +region
    string @@ -11769,13 +19306,16 @@ string
    +

    +AWS Region of the S3 bucket +

    -nodeLabel
    +bucketName
    string @@ -11783,13 +19323,16 @@ string
    +

    +Name of the S3 bucket to send logs +

    -value
    +bucketPath
    string @@ -11797,20 +19340,20 @@ string
    +

    +Path in the S3 bucket where to send logs +

    -

    Nodes

    +

    SNIMatch

    (Appears on: -LogStorageSpec) +TLSPassThroughRouteSpec) -

    -

    -Nodes defines the configuration for a set of identical Elasticsearch cluster nodes, each of type master, data, and ingest.
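Review bot: SNIMatch is introduced in this hunk with only its "Appears on: TLSPassThroughRouteSpec" line; the removed Nodes description is not replaced by a description of the new type. Add one sentence saying what the match is evaluated against and whether `serverName` is compared exactly or as a pattern, since that determines which connections a pass-through route will proxy.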

    @@ -11823,36 +19366,52 @@ Nodes defines the configuration for a set of identical Elasticsearch cluster nod + +
    -count
    +serverName
    -int64 +string

    -Count defines the number of nodes in the Elasticsearch cluster. +ServerName is used to match the server name for the request.

    +

    ServiceMonitor

    +

    + +(Appears on: +ExternalPrometheus) + +

    + + + + + + + + @@ -11860,72 +19419,79 @@ NodeSets defines configuration specific to each Elasticsearch Node Set
    FieldDescription
    -nodeSets
    +labels
    - -[]NodeSet - +map[string]string
    -(Optional)

    -NodeSets defines configuration specific to each Elasticsearch Node Set +Labels are the metadata.labels of the ServiceMonitor. When combined with spec.serviceMonitorSelector.matchLabels +on your prometheus instance, the service monitor will automatically be picked up. +Default: k8s-app=tigera-prometheus

    -resourceRequirements
    +endpoints
    - -Kubernetes core/v1.ResourceRequirements + +[]Endpoint
    -(Optional)

    -ResourceRequirements defines the resource limits and requirements for the Elasticsearch cluster. +The endpoints to scrape. This struct contains a subset of the Endpoint as defined in the prometheus docs. Fields +related to connecting to our Prometheus server are automatically set by the operator.

    -

    NonPrivilegedType -(string alias)

    +

    SplunkStoreSpec

    (Appears on: -InstallationSpec) +AdditionalLogStoreSpec)

    -NonPrivilegedType specifies whether Calico runs as permissioned or not -

    -

    -One of: Enabled, Disabled +SplunkStoreSpec defines configuration for exporting logs to splunk.

    -

    OIDCType -(string alias)

    -

    + + + + + + + + + + + + + +
    FieldDescription
    -(Appears on: -AuthenticationOIDC) +endpoint
    + +string + + +
    -

    -OIDCType defines how OIDC is configured for Tigera Enterprise. Dex should be the best option for most use-cases. -The Tigera option can help in specific use-cases, for instance, when you are unable to configure a client secret. -One of: Dex, Tigera +Location for splunk’s http event collector end point. example https://1.2.3.4:8088

    -

    PolicyRecommendationSpec

    + +
    +

    StatusConditionType +(string alias)

    (Appears on: -PolicyRecommendation) +TigeraStatusCondition)

    -PolicyRecommendationSpec defines configuration for the Calico Enterprise Policy Recommendation -service. +StatusConditionType is a type of condition that may apply to a particular component.

    -

    PolicyRecommendationStatus

    +

    Sysctl

    (Appears on: -PolicyRecommendation) +CalicoNetworkSpec) -

    -

    -PolicyRecommendationStatus defines the observed state of Tigera policy recommendation.

    @@ -11938,7 +19504,7 @@ PolicyRecommendationStatus defines the observed state of Tigera policy recommend - -
    -state
    +key
    string @@ -11946,63 +19512,50 @@ string
    -

    -State provides user-readable status. -

    -

    ProductVariant -(string alias)

    -

    + + -(Appears on: -InstallationSpec, -InstallationStatus) +value
    + +string + -

    -

    -ProductVariant represents the variant of the product. -

    -

    -One of: Calico, TigeraSecureEnterprise -

    -

    PromptType -(string alias)

    -

    + + -(Appears on: -AuthenticationOIDC) -

    -

    -PromptType is a value that specifies whether the identity provider prompts the end user for re-authentication and -consent. -One of: None, Login, Consent, SelectAccount. -

    -

    Provider + + + + +

    SyslogLogType (string alias)

    (Appears on: -InstallationSpec) +SyslogStoreSpec)

    -Provider represents a particular provider or flavor of Kubernetes. Valid options -are: EKS, GKE, AKS, RKE2, OpenShift, DockerEnterprise. +SyslogLogType represents the allowable log types for syslog. +Allowable values are Audit, DNS, Flows and IDSEvents. +* Audit corresponds to audit logs for both Kubernetes resources and Enterprise custom resources. +* DNS corresponds to DNS logs generated by Calico node. +* Flows corresponds to flow logs generated by Calico node. +* IDSEvents corresponds to event logs for the intrusion detection system (anomaly detection, suspicious IPs, suspicious domains and global alerts).

    -

    Retention

    +

    SyslogStoreSpec

    (Appears on: -LogStorageSpec) +AdditionalLogStoreSpec)

    -Retention defines how long data is retained in an Elasticsearch cluster before it is cleared. +SyslogStoreSpec defines configuration for exporting logs to syslog.

    @@ -12015,39 +19568,16 @@ Retention defines how long data is retained in an Elasticsearch cluster before i - - - - @@ -12055,7 +19585,7 @@ Default: 91 @@ -12078,22 +19605,19 @@ Default: 91 @@ -12101,9 +19625,11 @@ Default: 91 @@ -12111,19 +19637,35 @@ int32 (Optional)

    -DNSLogs configures the retention period for DNS logs, in days. Logs written on a day that started at least this long ago -are removed. To keep logs for at least x days, use a retention period of x+1. -Default: 8 +Encryption configures traffic encryption to the Syslog server. +Default: None

    + +
    -flows
    - -int32 - - -
    - -(Optional) -

    -Flows configures the retention period for flow logs, in days. Logs written on a day that started at least this long ago -are removed. To keep logs for at least x days, use a retention period of x+1. -Default: 8 -

    - -
    - -auditReports
    +endpoint
    -int32 +string
    - -(Optional) -

    -AuditReports configures the retention period for audit logs, in days. Logs written on a day that started at least this long ago are -removed. To keep logs for at least x days, use a retention period of x+1. -Default: 91 + +

    +Location of the syslog server. example: tcp://1.2.3.4:601

    -snapshots
    +packetSize
    int32 @@ -12065,12 +19595,9 @@ int32 (Optional)

    -Snapshots configures the retention period for snapshots, in days. Snapshots are periodic captures -of resources which along with audit events are used to generate reports. -Consult the Compliance Reporting documentation for more details on snapshots. -Logs written on a day that started at least this long ago are -removed. To keep logs for at least x days, use a retention period of x+1. -Default: 91 +PacketSize defines the maximum size of packets to send to syslog. +In general this is only needed if you notice long logs being truncated. +Default: 1024

    -complianceReports
    +logTypes
    -int32 + +[]SyslogLogType +
    -(Optional)

    -ComplianceReports configures the retention period for compliance reports, in days. Reports are output -from the analysis of the system state and audit events for compliance reporting. -Consult the Compliance Reporting documentation for more details on reports. -Logs written on a day that started at least this long ago are -removed. To keep logs for at least x days, use a retention period of x+1. -Default: 91 +If no values are provided, the list will be updated to include log types Audit, DNS and Flows. +Default: Audit, DNS, Flows

    -dnsLogs
    +encryption
    -int32 + +EncryptionOption +
    +

    TLS

    +

    + +(Appears on: +ManagementClusterSpec) + +

    + + + + + + + + @@ -12131,24 +19673,38 @@ int32 (Optional)

    -BGPLogs configures the retention period for BGP logs, in days. Logs written on a day that started at least this long ago -are removed. To keep logs for at least x days, use a retention period of x+1. -Default: 8 +SecretName indicates the name of the secret in the tigera-operator namespace that contains the private key and certificate that the management cluster uses when it listens for incoming connections. +

    +

    +When set to tigera-management-cluster-connection voltron will use the same cert bundle which Guardian client certs are signed with. +

    +

    +When set to manager-tls, voltron will use the same cert bundle which Manager UI is served with. +This cert bundle must be a publicly signed cert created by the user. +Note that Tigera Operator will generate a self-signed manager-tls cert if one does not exist, +and use of that cert will result in Guardian being unable to verify Voltron’s identity. +

    +

    +If changed on a running cluster with connected managed clusters, all managed clusters will disconnect as they will no longer be able to verify Voltron’s identity. +To reconnect existing managed clusters, change the tls.ca of the managed clusters’ ManagementClusterConnection resource. +

    +

    +One of: tigera-management-cluster-connection, manager-tls +

    +

    +Default: tigera-management-cluster-connection

    FieldDescription
    -bgpLogs
    +secretName
    -int32 +string
    -

    S3StoreSpec

    +

    TLSPassThroughRouteSpec

    (Appears on: -AdditionalLogStoreSpec) +TLSPassThroughRoute) -

    -

    -S3StoreSpec defines configuration for exporting logs to Amazon S3.

    @@ -12161,33 +19717,35 @@ S3StoreSpec defines configuration for exporting logs to Amazon S3. @@ -12195,7 +19753,7 @@ Name of the S3 bucket to send logs
    -region
    +target
    -string + +TargetType +
    -

    -AWS Region of the S3 bucket -

    -bucketName
    +sniMatch
    -string + +SNIMatch +

    -Name of the S3 bucket to send logs +SNIMatch is used to match requests based on the server name for the intended destination server. Matching requests +will be proxied to the Destination.

    -bucketPath
    +destination
    string @@ -12204,22 +19762,19 @@ string

    -Path in the S3 bucket where to send logs +Destination is the destination url to proxy the request to.

    -

    SplunkStoreSpec

    +

    TLSTerminatedRouteSpec

    (Appears on: -AdditionalLogStoreSpec) +TLSTerminatedRoute) -

    -

    -SplunkStoreSpec defines configuration for exporting logs to splunk.

    @@ -12232,71 +19787,43 @@ SplunkStoreSpec defines configuration for exporting logs to splunk. - -
    -endpoint
    +target
    -string + +TargetType +
    -

    -Location for splunk’s http event collector end point. example https://1.2.3.4:8088 -

    -

    StatusConditionType -(string alias)

    -

    - -(Appears on: -TigeraStatusCondition) + + -

    -

    -StatusConditionType is a type of condition that may apply to a particular component. -

    -

    SyslogLogType -(string alias)

    -

    +pathMatch
    + + +PathMatch + + -(Appears on: -SyslogStoreSpec) + + -

    -SyslogLogType represents the allowable log types for syslog. -Allowable values are Audit, DNS, Flows and IDSEvents. -* Audit corresponds to audit logs for both Kubernetes resources and Enterprise custom resources. -* DNS corresponds to DNS logs generated by Calico node. -* Flows corresponds to flow logs generated by Calico node. -* IDSEvents corresponds to event logs for the intrusion detection system (anomaly detection, suspicious IPs, suspicious domains and global alerts). +PathMatch is used to match requests based on what’s in the path. Matching requests will be proxied to the Destination +defined in this structure.

    -

    SyslogStoreSpec

    -

    - -(Appears on: -AdditionalLogStoreSpec) -

    -

    -SyslogStoreSpec defines configuration for exporting logs to syslog. -

    - - - - - + - - @@ -12313,19 +19840,19 @@ Location of the syslog server. example: tcp://1.2.3.4:601 @@ -12333,19 +19860,20 @@ Default: 1024 @@ -12353,10 +19881,10 @@ Default: Audit, DNS, Flows - -
    FieldDescription
    -endpoint
    +destination
    string @@ -12305,7 +19832,7 @@ string

    -Location of the syslog server. example: tcp://1.2.3.4:601 +Destination is the destination URL where matching traffic is routed to.

    -packetSize
    +caBundle
    -int32 + +Kubernetes core/v1.ConfigMapKeySelector +
    -(Optional)

    -PacketSize defines the maximum size of packets to send to syslog. -In general this is only needed if you notice long logs being truncated. -Default: 1024 +CABundle is where we read the CA bundle from to authenticate the +destination (if non-empty)

    -logTypes
    +mtlsCert
    - -[]SyslogLogType + +Kubernetes core/v1.SecretKeySelector
    +(Optional)

    -If no values are provided, the list will be updated to include log types Audit, DNS and Flows. -Default: Audit, DNS, Flows +ForwardingMTLSCert is the certificate used for mTLS between voltron and the destination. Either both ForwardingMTLSCert +and ForwardingMTLSKey must be specified, or neither can be specified.

    -encryption
    +mtlsKey
    - -EncryptionOption + +Kubernetes core/v1.SecretKeySelector @@ -12365,35 +19893,18 @@ EncryptionOption (Optional)

    -Encryption configures traffic encryption to the Syslog server. -Default: None +ForwardingMTLSKey is the key used for mTLS between voltron and the destination. Either both ForwardingMTLSCert +and ForwardingMTLSKey must be specified, or neither can be specified.

    -

    TLS

    -

    - -(Appears on: -ManagementClusterSpec) - -

    - - - - - - - - @@ -12401,32 +19912,23 @@ string (Optional)

    -SecretName indicates the name of the secret in the tigera-operator namespace that contains the private key and certificate that the management cluster uses when it listens for incoming connections. -

    -

    -When set to tigera-management-cluster-connection voltron will use the same cert bundle which Guardian client certs are signed with. -

    -

    -When set to manager-tls, voltron will use the same cert bundle which Manager UI is served with. -This cert bundle must be a publicly signed cert created by the user. -Note that Tigera Operator will generate a self-signed manager-tls cert if one does not exist, -and use of that cert will result in Guardian being unable to verify Voltron’s identity. -

    -

    -If changed on a running cluster with connected managed clusters, all managed clusters will disconnect as they will no longer be able to verify Voltron’s identity. -To reconnect existing managed clusters, change the tls.ca of the managed clusters’ ManagementClusterConnection resource. -

    -

    -One of: tigera-management-cluster-connection, manager-tls -

    -

    -Default: tigera-management-cluster-connection +Unauthenticated says whether the request should go through authentication. This is only applicable if the Target +is UI.

    FieldDescription
    -secretName
    +unauthenticated
    -string +bool
    +

    TargetType +(string alias)

    +

    + +(Appears on: +TLSPassThroughRouteSpec, +TLSTerminatedRouteSpec) + +

    TenantElasticSpec
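Review bot: The new `unauthenticated` description ("says whether the request should go through authentication") does not say which value skips authentication or what the default is, and that needs to be unambiguous for a flag that controls whether a route is authenticated. State the polarity and the default explicitly in the field text. The TargetType alias added directly after it has no description and no "One of:" list, although this text already refers to the value UI; list the allowed values the way the other string aliases on this page do.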

    @@ -12459,7 +19961,7 @@ string -kibana_url
    +kibanaURL
    string @@ -12591,6 +20093,44 @@ ControlPlaneReplicas defines how many replicas of the control plane core compone in the Tenant’s namespace. Defaults to the controlPlaneReplicas in Installation CR

    + + + + + +linseedDeployment
    + + +LinseedDeployment + + + + + + +

    +LinseedDeployment configures the linseed Deployment. +

    + + + + + + +dashboardsJob
    + + +DashboardsJob + + + + + + +

    +DashboardsJob configures the Dashboards job +

    + diff --git a/calico/reference/installation/_api.mdx b/calico/reference/installation/_api.mdx index 5930c66358..67779b1430 100644 --- a/calico/reference/installation/_api.mdx +++ b/calico/reference/installation/_api.mdx @@ -5054,7 +5054,7 @@ string

    -When a CSR is issued to the certificates.k8s.io API, the signerName is added to the request to accommodate for clusters +When a CSR is issued to the certificates.k8s.io API, the signerName is added to the request in order to accommodate for clusters with multiple signers. Must be formatted as: <my-domain>/<my-signername>.
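Review bot: In calico/reference/installation/_api.mdx the only change is "to accommodate for clusters" becoming "in order to accommodate for clusters", which adds words without fixing the phrasing. Either drop this hunk or use "to accommodate clusters with multiple signers".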
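Review bot: In the TLSTerminatedRouteSpec rows the fields are `mtlsCert` and `mtlsKey`, but their descriptions call them ForwardingMTLSCert and ForwardingMTLSKey, so a reader cannot match the "either both or neither" rule to the keys they actually set. Use the field names shown in the table, or mention both forms. The `caBundle` description ends with "(if non-empty)" without saying how the destination certificate is checked when no bundle is given; document that case so users know whether the destination is still verified.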
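Review bot: In the TenantElasticSpec hunk the field label changes from `kibana_url` to `kibanaURL`, which is easy to miss among the regenerated content. If this reflects a change to the serialized field name rather than a documentation correction, existing Tenant resources that set `kibana_url` need a migration note; please confirm which it is.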