From 37c7150f79b4cee0974921e064a9452b1ab8e890 Mon Sep 17 00:00:00 2001
From: JeffinKottaram
Date: Mon, 1 Jul 2024 00:35:53 -0700
Subject: [PATCH] go generte
---
 data/data.json | 56 +++++++++++++++++++++++++++-----------------------
 1 file changed, 30 insertions(+), 26 deletions(-)
diff --git a/data/data.json b/data/data.json
index 500df42bd..a68f8efac 100644
--- a/data/data.json
+++ b/data/data.json
@@ -13320,12 +13320,12 @@
 "ingressWebhook": "rancher/mirrored-ingress-nginx-kube-webhook-certgen:v20231011-8b53cabe0",
 "metricsServer": "rancher/mirrored-metrics-server:v0.6.3",
 "windowsPodInfraContainer": "rancher/mirrored-pause:3.7",
- "aciCniDeployContainer": "noiro/cnideploy:6.0.4.1.81c2369",
- "aciHostContainer": "noiro/aci-containers-host:6.0.4.1.81c2369",
- "aciOpflexContainer": "noiro/opflex:6.0.4.1.81c2369",
- "aciMcastContainer": "noiro/opflex:6.0.4.1.81c2369",
- "aciOvsContainer": "noiro/openvswitch:6.0.4.1.81c2369",
- "aciControllerContainer": "noiro/aci-containers-controller:6.0.4.1.81c2369"
+ "aciCniDeployContainer": "noiro/cnideploy:6.0.4.2.81c2369",
+ "aciHostContainer": "noiro/aci-containers-host:6.0.4.2.81c2369",
+ "aciOpflexContainer": "noiro/opflex:6.0.4.2.81c2369",
+ "aciMcastContainer": "noiro/opflex:6.0.4.2.81c2369",
+ "aciOvsContainer": "noiro/openvswitch:6.0.4.2.81c2369",
+ "aciControllerContainer": "noiro/aci-containers-controller:6.0.4.2.81c2369"
 },
 "v1.27.6-rancher1-1": {
 "etcd": "rancher/mirrored-coreos-etcd:v3.5.7",
@@ -13527,12 +13527,12 @@
 "ingressWebhook": "rancher/mirrored-ingress-nginx-kube-webhook-certgen:v20231226-1a7112e06",
 "metricsServer": "rancher/mirrored-metrics-server:v0.7.0",
 "windowsPodInfraContainer": "rancher/mirrored-pause:3.7",
- "aciCniDeployContainer": "noiro/cnideploy:6.0.4.1.81c2369",
- "aciHostContainer": "noiro/aci-containers-host:6.0.4.1.81c2369",
- "aciOpflexContainer": "noiro/opflex:6.0.4.1.81c2369",
- "aciMcastContainer": "noiro/opflex:6.0.4.1.81c2369",
- "aciOvsContainer": "noiro/openvswitch:6.0.4.1.81c2369",
- "aciControllerContainer": "noiro/aci-containers-controller:6.0.4.1.81c2369"
+ "aciCniDeployContainer": "noiro/cnideploy:6.0.4.2.81c2369",
+ "aciHostContainer": "noiro/aci-containers-host:6.0.4.2.81c2369",
+ "aciOpflexContainer": "noiro/opflex:6.0.4.2.81c2369",
+ "aciMcastContainer": "noiro/opflex:6.0.4.2.81c2369",
+ "aciOvsContainer": "noiro/openvswitch:6.0.4.2.81c2369",
+ "aciControllerContainer": "noiro/aci-containers-controller:6.0.4.2.81c2369"
 },
 "v1.28.7-rancher1-1": {
 "etcd": "rancher/mirrored-coreos-etcd:v3.5.10",
@@ -13691,12 +13691,12 @@
 "ingressWebhook": "rancher/mirrored-ingress-nginx-kube-webhook-certgen:v20231226-1a7112e06",
 "metricsServer": "rancher/mirrored-metrics-server:v0.7.0",
 "windowsPodInfraContainer": "rancher/mirrored-pause:3.7",
- "aciCniDeployContainer": "noiro/cnideploy:6.0.4.1.81c2369",
- "aciHostContainer": "noiro/aci-containers-host:6.0.4.1.81c2369",
- "aciOpflexContainer": "noiro/opflex:6.0.4.1.81c2369",
- "aciMcastContainer": "noiro/opflex:6.0.4.1.81c2369",
- "aciOvsContainer": "noiro/openvswitch:6.0.4.1.81c2369",
- "aciControllerContainer": "noiro/aci-containers-controller:6.0.4.1.81c2369"
+ "aciCniDeployContainer": "noiro/cnideploy:6.0.4.2.81c2369",
+ "aciHostContainer": "noiro/aci-containers-host:6.0.4.2.81c2369",
+ "aciOpflexContainer": "noiro/opflex:6.0.4.2.81c2369",
+ "aciMcastContainer": "noiro/opflex:6.0.4.2.81c2369",
+ "aciOvsContainer": "noiro/openvswitch:6.0.4.2.81c2369",
+ "aciControllerContainer": "noiro/aci-containers-controller:6.0.4.2.81c2369"
 },
 "v1.30.2-rancher1-1": {
 "etcd": "rancher/mirrored-coreos-etcd:v3.5.12",
@@ -13730,12 +13730,12 @@
 "ingressWebhook": "rancher/mirrored-ingress-nginx-kube-webhook-certgen:v1.4.1",
 "metricsServer": "rancher/mirrored-metrics-server:v0.7.1",
 "windowsPodInfraContainer": "rancher/mirrored-pause:3.7",
- "aciCniDeployContainer": "noiro/cnideploy:6.0.4.1.81c2369",
- "aciHostContainer": "noiro/aci-containers-host:6.0.4.1.81c2369",
- "aciOpflexContainer": "noiro/opflex:6.0.4.1.81c2369",
- "aciMcastContainer": "noiro/opflex:6.0.4.1.81c2369",
- "aciOvsContainer": "noiro/openvswitch:6.0.4.1.81c2369",
- "aciControllerContainer": "noiro/aci-containers-controller:6.0.4.1.81c2369"
+ "aciCniDeployContainer": "noiro/cnideploy:6.0.4.2.81c2369",
+ "aciHostContainer": "noiro/aci-containers-host:6.0.4.2.81c2369",
+ "aciOpflexContainer": "noiro/opflex:6.0.4.2.81c2369",
+ "aciMcastContainer": "noiro/opflex:6.0.4.2.81c2369",
+ "aciOvsContainer": "noiro/openvswitch:6.0.4.2.81c2369",
+ "aciControllerContainer": "noiro/aci-containers-controller:6.0.4.2.81c2369"
 },
 "v1.8.11-rancher2-1": {
 "etcd": "rancher/coreos-etcd:v3.0.17",
@@ -13874,9 +13874,12 @@
 "\u003e=1.26.8-rancher1-1 \u003c1.26.11-rancher2-2": "aci-v6.0.3.1",
 "\u003e=1.27.0-rancher1-1 \u003c1.27.8-rancher2-1": "aci-v5.2.7.1",
 "\u003e=1.27.10-rancher1-2 \u003c1.27.11-rancher1-1": "aci-v6.0.3.3",
- "\u003e=1.27.11-rancher1-1": "aci-v6.0.4.1",
+ "\u003e=1.27.11-rancher1-1 \u003c 1.27.15-rancher1-1": "aci-v6.0.4.1",
+ "\u003e=1.27.15-rancher1-1 \u003c 1.28.0-rancher0": "aci-v6.0.4.2",
 "\u003e=1.27.8-rancher2-1 \u003c1.27.8-rancher2-2": "aci-v6.0.3.1",
- "\u003e=1.27.8-rancher2-2 \u003c1.27.10-rancher1-2": "aci-v6.0.3.2"
+ "\u003e=1.27.8-rancher2-2 \u003c1.27.10-rancher1-2": "aci-v6.0.3.2",
+ "\u003e=1.28.0-rancher0 \u003c 1.28.11-rancher1-1": "aci-v6.0.4.1",
+ "\u003e=1.28.11-rancher1-1": "aci-v6.0.4.2"
 },
 "calico": {
 "\u003e=1.13.0-rancher0 \u003c1.15.0-rancher0": "calico-v1.13",
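Review bot: Three of the added range keys in the @@ -13874 hunk write the upper bound with a space after the operator, `\u003c 1.27.15-rancher1-1`, `\u003c 1.28.0-rancher0` and `\u003c 1.28.11-rancher1-1`, while every existing key in this map (e.g. `\u003c1.27.11-rancher1-1` on the context line just above) has none. Whether the constraint parser that consumes these keys tolerates the space is not visible here; if it does not, the ranges that are meant to select `aci-v6.0.4.2` would be silently skipped rather than rejected, so I would normalise them to `\u003c1.27.15-rancher1-1`, `\u003c1.28.0-rancher0` and `\u003c1.28.11-rancher1-1`. The `aci-v6.0.4.2` template these keys point at is presumably the single added line of the final @@ -14045 hunk, which runs past the end of this view, so I could not confirm it is present. Since the subject says this file comes from `go generate`, the same edit also needs to be in the generator's input or the next regeneration will revert it.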
@@ -14045,6 +14048,7 @@ "aci-v6.0.3.2": "\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: acicontainersoperators.aci.ctrl\nspec:\n group: aci.ctrl\n names:\n kind: AciContainersOperator\n listKind: AciContainersOperatorList\n plural: acicontainersoperators\n singular: acicontainersoperator\n scope: Namespaced\n versions:\n - name: v1alpha1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n description: acicontainersoperator owns the lifecycle of ACI objects in the cluster\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: AciContainersOperatorSpec defines the desired spec for ACI Objects\n properties:\n flavor:\n type: string\n config:\n type: string\n type: object\n status:\n description: AciContainersOperatorStatus defines the successful completion of AciContainersOperator\n properties:\n status:\n type: boolean\n type: object\n required:\n - spec\n type: object\n---\napiVersion: v1\nkind: Namespace\nmetadata:\n name: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: nodepodifs.aci.aw\nspec:\n group: aci.aw\n names:\n kind: NodePodIF\n listKind: NodePodIFList\n plural: nodepodifs\n singular: nodepodif\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n type: object\n properties:\n podifs:\n type: array\n items:\n type: object\n properties:\n containerID:\n type: string\n epg:\n type: string\n ifname:\n type: string\n ipaddr:\n type: string\n macaddr:\n type: string\n podname:\n type: string\n podns:\n type: string\n vtep:\n type: string\n required:\n - spec\n type: object\n---\n{{- if eq .UseAciCniPriorityClass 
\"true\"}}\napiVersion: scheduling.k8s.io/v1beta1\nkind: PriorityClass\nmetadata:\n name: acicni-priority\nvalue: 1000000000\nglobalDefault: false\ndescription: \"This priority class is used for ACI-CNI resources\"\n---\n{{- end }}\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatglobalinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatGlobalInfo\n listKind: SnatGlobalInfoList\n plural: snatglobalinfos\n singular: snatglobalinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n description: SnatGlobalInfo is the Schema for the snatglobalinfos API\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n globalInfos:\n additionalProperties:\n items:\n properties:\n macAddress:\n type: string\n portRanges:\n items:\n properties:\n end:\n maximum: 65535\n minimum: 1\n type: integer\n start:\n maximum: 65535\n minimum: 1\n type: integer\n type: object\n type: array\n snatIp:\n type: string\n snatIpUid:\n type: string\n snatPolicyName:\n type: string\n required:\n - macAddress\n - portRanges\n - snatIp\n - snatIpUid\n - snatPolicyName\n type: object\n type: array\n type: object\n required:\n - globalInfos\n type: object\n status:\n description: SnatGlobalInfoStatus defines the observed state of SnatGlobalInfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatlocalinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatLocalInfo\n listKind: SnatLocalInfoList\n plural: snatlocalinfos\n singular: snatlocalinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: SnatLocalInfoSpec defines the desired state of SnatLocalInfo\n properties:\n localInfos:\n items:\n 
properties:\n podName:\n type: string\n podNamespace:\n type: string\n podUid:\n type: string\n snatPolicies:\n items:\n properties:\n destIp:\n items:\n type: string\n type: array\n name:\n type: string\n snatIp:\n type: string\n required:\n - destIp\n - name\n - snatIp\n type: object\n type: array\n required:\n - podName\n - podNamespace\n - podUid\n - snatPolicies\n type: object\n type: array\n required:\n - localInfos\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatpolicies.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatPolicy\n listKind: SnatPolicyList\n plural: snatpolicies\n singular: snatpolicy\n scope: Cluster\n versions:\n - name: v1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n type: object\n properties:\n selector:\n type: object\n properties:\n labels:\n type: object\n description: 'Selection of Pods'\n properties:\n additionalProperties:\n type: string\n namespace:\n type: string\n type: object\n snatIp:\n type: array\n items:\n type: string\n destIp:\n type: array\n items:\n type: string\n type: object\n status:\n type: object\n properties:\n additionalProperties:\n type: string\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: nodeinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: NodeInfo\n listKind: NodeInfoList\n plural: nodeinfos\n singular: nodeinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n macaddress:\n type: string\n snatpolicynames:\n additionalProperties:\n type: boolean\n type: object\n type: object\n status:\n description: NodeinfoStatus defines the observed state of 
Nodeinfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: rdconfigs.aci.snat\nspec:\n group: aci.snat\n names:\n kind: RdConfig\n listKind: RdConfigList\n plural: rdconfigs\n singular: rdconfig\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n discoveredsubnets:\n items:\n type: string\n type: array\n usersubnets:\n items:\n type: string\n type: array\n type: object\n status:\n description: NodeinfoStatus defines the observed state of Nodeinfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: networkpolicies.aci.netpol\nspec:\n group: aci.netpol\n names:\n kind: NetworkPolicy\n listKind: NetworkPolicyList\n plural: networkpolicies\n singular: networkpolicy\n scope: Namespaced\n versions:\n - name: v1\n schema:\n openAPIV3Schema:\n description: Network Policy describes traffic flow at IP address or port level\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n appliedTo:\n properties:\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: allow ingress from the same namespace\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n egress:\n 
description: Set of egress rules evaluated based on the order in which they are set.\n items:\n properties:\n action:\n description: Action specifies the action to be applied on the rule.\n type: string\n enableLogging:\n description: EnableLogging is used to indicate if agent should generate logs default to false.\n type: boolean\n ports:\n description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports.\n items:\n description: NetworkPolicyPort describes the port and protocol to match in a rule.\n properties:\n endPort:\n description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical port is specified.\n format: int32\n type: integer\n port:\n anyOf:\n - type: integer\n - type: string\n description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers.\n x-kubernetes-int-or-string: true\n protocol:\n default: TCP\n description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.\n type: string\n type: object\n type: array\n to:\n description: Rule is matched if traffic is intended for workloads selected by this field. If this field is empty or missing, this rule matches all destinations.\n items:\n properties:\n ipBlock:\n description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. 
Cannot be set with any other selector.\n properties:\n cidr:\n description: CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\"\n type: string\n except:\n description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\" Except values will be rejected if they are outside the CIDR range\n items:\n type: string\n type: array\n required:\n - cidr\n type: object\n namespaceSelector:\n description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector.\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: Select Pods from NetworkPolicys Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. 
Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n type: array\n toFqDn:\n properties:\n matchNames:\n items:\n type: string\n type: array\n required:\n - matchNames\n type: object\n required:\n - enableLogging\n - toFqDn\n type: object\n type: array\n ingress:\n description: Set of ingress rules evaluated based on the order in which they are set.\n items:\n properties:\n action:\n description: Action specifies the action to be applied on the rule.\n type: string\n enableLogging:\n description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false.\n type: boolean\n from:\n description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources.\n items:\n properties:\n ipBlock:\n description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. 
Cannot be set with any other selector.\n properties:\n cidr:\n description: CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\"\n type: string\n except:\n description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\" Except values will be rejected if they are outside the CIDR range\n items:\n type: string\n type: array\n required:\n - cidr\n type: object\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: Select Pods from NetworkPolicys Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.\n properties:\n matchExpressions:\n description: matchExpressions is a list of label selector requirements. The requirements are ANDed.\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n type: array\n ports:\n description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports.\n items:\n description: NetworkPolicyPort describes the port and protocol to match in a rule.\n properties:\n endPort:\n description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical port is specified.\n format: int32\n type: integer\n port:\n anyOf:\n - type: integer\n - type: string\n description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers.\n x-kubernetes-int-or-string: true\n protocol:\n default: TCP\n description: The protocol (TCP, UDP, or SCTP) which traffic must match. 
If not specified, this field defaults to TCP.\n type: string\n type: object\n type: array\n type: object\n type: array\n policyTypes:\n items:\n description: Policy Type string describes the NetworkPolicy type This type is beta-level in 1.8\n type: string\n type: array\n priority:\n description: Priority specfies the order of the NetworkPolicy relative to other NetworkPolicies.\n type: integer\n type:\n description: type of the policy.\n type: string\n required:\n - type\n type: object\n required:\n - spec\n type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: dnsnetworkpolicies.aci.dnsnetpol\nspec:\n group: aci.dnsnetpol\n names:\n kind: DnsNetworkPolicy\n listKind: DnsNetworkPolicyList\n plural: dnsnetworkpolicies\n singular: dnsnetworkpolicy\n scope: Namespaced\n versions:\n - name: v1beta\n schema:\n openAPIV3Schema:\n description: dns network Policy\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n appliedTo:\n properties:\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: allow ingress from the same namespace\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n egress:\n description: Set of egress rules evaluated based on the order in which they are set.\n properties:\n toFqdn:\n properties:\n matchNames:\n items:\n type: string\n type: array\n required:\n - matchNames\n type: object\n required:\n - toFqdn\n type: object\n type: object\n required:\n - spec\n type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: qospolicies.aci.qos\nspec:\n group: aci.qos\n names:\n kind: QosPolicy\n listKind: QosPolicyList\n plural: qospolicies\n singular: qospolicy\n scope: Namespaced\n preserveUnknownFields: false\n versions:\n - name: v1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n podSelector:\n description: 'Selection of Pods'\n type: object\n properties:\n matchLabels:\n type: object\n description:\n ingress:\n type: object\n properties:\n policing_rate:\n type: integer\n minimum: 0\n policing_burst:\n type: integer\n minimum: 0\n egress:\n type: object\n properties:\n policing_rate:\n type: integer\n minimum: 0\n policing_burst:\n type: integer\n minimum: 0\n dscpmark:\n type: integer\n default: 0\n minimum: 0\n maximum: 63\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: netflowpolicies.aci.netflow\nspec:\n group: aci.netflow\n names:\n kind: NetflowPolicy\n listKind: NetflowPolicyList\n plural: netflowpolicies\n singular: 
netflowpolicy\n scope: Cluster\n preserveUnknownFields: false\n versions:\n - name: v1alpha\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n flowSamplingPolicy:\n type: object\n properties:\n destIp:\n type: string\n destPort:\n type: integer\n minimum: 0\n maximum: 65535\n default: 2055\n flowType:\n type: string\n enum:\n - netflow\n - ipfix\n default: netflow\n activeFlowTimeOut:\n type: integer\n minimum: 0\n maximum: 3600\n default: 60\n idleFlowTimeOut:\n type: integer\n minimum: 0\n maximum: 600\n default: 15\n samplingRate:\n type: integer\n minimum: 0\n maximum: 1000\n default: 0\n required:\n - destIp\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: erspanpolicies.aci.erspan\nspec:\n group: aci.erspan\n names:\n kind: ErspanPolicy\n listKind: ErspanPolicyList\n plural: erspanpolicies\n singular: erspanpolicy\n scope: Cluster\n preserveUnknownFields: false\n versions:\n - name: v1alpha\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n selector:\n type: object\n description: 'Selection of Pods'\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n namespace:\n type: string\n source:\n type: object\n properties:\n adminState:\n description: Administrative state.\n default: start\n type: string\n enum:\n - start\n - stop\n direction:\n description: Direction of the packets to monitor.\n default: both\n type: string\n enum:\n - in\n - out\n - both\n destination:\n type: object\n properties:\n destIP:\n description: Destination IP of the ERSPAN packet.\n type: string\n flowID:\n description: Unique flow ID of the ERSPAN packet.\n default: 1\n 
type: integer\n minimum: 1\n maximum: 1023\n required:\n - destIP\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: enabledroplogs.aci.droplog\nspec:\n group: aci.droplog\n names:\n kind: EnableDropLog\n listKind: EnableDropLogList\n plural: enabledroplogs\n singular: enabledroplog\n scope: Cluster\n versions:\n - name: v1alpha1\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n description: Defines the desired state of EnableDropLog\n type: object\n properties:\n disableDefaultDropLog:\n description: Disables the default droplog enabled by acc-provision.\n default: false\n type: boolean\n nodeSelector:\n type: object\n description: Drop logging is enabled on nodes selected based on labels\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: prunedroplogs.aci.droplog\nspec:\n group: aci.droplog\n names:\n kind: PruneDropLog\n listKind: PruneDropLogList\n plural: prunedroplogs\n singular: prunedroplog\n scope: Cluster\n versions:\n - name: v1alpha1\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n description: Defines the desired state of PruneDropLog\n type: object\n properties:\n nodeSelector:\n type: object\n description: Drop logging filters are applied to nodes selected based on labels\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n dropLogFilters:\n type: object\n properties:\n srcIP:\n type: string\n destIP:\n type: string\n srcMAC:\n type: string\n destMAC:\n type: string\n srcPort:\n type: integer\n 
destPort:\n type: integer\n ipProto:\n type: integer\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: accprovisioninputs.aci.ctrl\nspec:\n group: aci.ctrl\n names:\n kind: AccProvisionInput\n listKind: AccProvisionInputList\n plural: accprovisioninputs\n singular: accprovisioninput\n scope: Namespaced\n versions:\n - name: v1alpha1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n description: accprovisioninput defines the input configuration for ACI CNI\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: AccProvisionInputSpec defines the desired spec for accprovisioninput object\n properties:\n acc_provision_input:\n type: object\n properties:\n operator_managed_config:\n type: object\n properties:\n enable_updates:\n type: boolean\n aci_config:\n type: object\n properties:\n sync_login:\n type: object\n properties:\n certfile:\n type: string\n keyfile:\n type: string\n client_ssl:\n type: boolean\n net_config:\n type: object\n properties:\n interface_mtu:\n type: integer\n service_monitor_interval:\n type: integer\n pbr_tracking_non_snat:\n type: boolean\n pod_subnet_chunk_size:\n type: integer\n disable_wait_for_network:\n type: boolean\n duration_wait_for_network:\n type: integer\n registry:\n type: object\n properties:\n image_prefix:\n type: string\n image_pull_secret:\n type: string\n aci_containers_operator_version:\n type: string\n aci_containers_controller_version:\n type: string\n aci_containers_host_version:\n type: string\n acc_provision_operator_version:\n type: string\n aci_cni_operator_version:\n type: string\n cnideploy_version:\n type: string\n opflex_agent_version:\n type: string\n openvswitch_version:\n type: string\n gbp_version:\n type: string\n logging:\n type: object\n properties:\n controller_log_level:\n type: string\n hostagent_log_level:\n type: string\n opflexagent_log_level:\n type: 
string\n istio_config:\n type: object\n properties:\n install_istio:\n type: boolean\n install_profile:\n type: string\n multus:\n type: object\n properties:\n disable:\n type: boolean\n drop_log_config:\n type: object\n properties:\n enable:\n type: boolean\n nodepodif_config:\n type: object\n properties:\n enable:\n type: boolean\n sriov_config:\n type: object\n properties:\n enable:\n type: boolean\n kube_config:\n type: object\n properties:\n ovs_memory_limit:\n type: string\n use_privileged_containers:\n type: boolean\n image_pull_policy:\n type: string\n reboot_opflex_with_ovs:\n type: string\n snat_operator:\n type: object\n properties:\n port_range:\n type: object\n properties:\n start:\n type: integer\n end:\n type: integer\n ports_per_node:\n type: integer\n contract_scope:\n type: string\n disable_periodic_snat_global_info_sync:\n type: boolean\n type: object\n status:\n description: AccProvisionInputStatus defines the successful completion of AccProvisionInput\n properties:\n status:\n type: boolean\n type: object\n required:\n - spec\n type: object\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: aci-containers-config\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\ndata:\n controller-config: |-\n {\n \"log-level\": \"{{.ControllerLogLevel}}\",\n \"apic-hosts\": {{.ApicHosts}},\n{{- if ne .AciMultipod \"false\" }}\n \"aci-multipod\": {{.AciMultipod}},\n{{- end}}\n{{- if .OpflexDeviceReconnectWaitTimeout }}\n \"opflex-device-reconnect-wait-timeout\": {{.OpflexDeviceReconnectWaitTimeout}},\n{{- end}}\n \"apic-refreshtime\": \"{{.ApicRefreshTime}}\",\n \"apic-subscription-delay\": {{.ApicSubscriptionDelay}},\n \"apic_refreshticker_adjust\": \"{{.ApicRefreshTickerAdjust}}\",\n \"apic-username\": \"{{.ApicUserName}}\",\n \"apic-private-key-path\": \"/usr/local/etc/aci-cert/user.key\",\n \"aci-prefix\": \"{{.SystemIdentifier}}\",\n \"aci-vmm-type\": \"Kubernetes\",\n{{- if 
ne .VmmDomain \"\"}}\n \"aci-vmm-domain\": \"{{.VmmDomain}}\",\n{{- else}}\n \"aci-vmm-domain\": \"{{.SystemIdentifier}}\",\n{{- end}}\n{{- if ne .VmmController \"\"}}\n \"aci-vmm-controller\": \"{{.VmmController}}\",\n{{- else}}\n \"aci-vmm-controller\": \"{{.SystemIdentifier}}\",\n{{- end}}\n \"aci-policy-tenant\": \"{{.Tenant}}\",\n{{- if ne .CApic \"false\"}}\n \"lb-type\": \"None\",\n{{- end}}\n{{- if ne .HppOptimization \"false\"}}\n \"hpp-optimization\": {{.HppOptimization}},\n{{- end}}\n{{- if ne .NoWaitForServiceEpReadiness \"false\"}}\n \"no-wait-for-service-ep-readiness\": {{.NoWaitForServiceEpReadiness}},\n{{- end}}\n{{- if ne .ServiceGraphEndpointAddDelay \"0\"}}\n \"service-graph-endpoint-add-delay\" : {\n \"delay\": {{.ServiceGraphEndpointAddDelay}},\n \"services\": [{{- range $index, $item :=.ServiceGraphEndpointAddServices }}{{- if $index}},{{end}}{ {{- range $k, $v := $item }}\"{{ $k }}\": \"{{ $v }}\"{{if eq $k \"name\"}},{{end}}{{- end}}}{{end}}]\n },\n{{- end}}\n{{- if ne .AddExternalSubnetsToRdconfig \"false\"}}\n \"add-external-subnets-to-rdconfig\": {{.AddExternalSubnetsToRdconfig}},\n{{- end}}\n{{- if ne .DisablePeriodicSnatGlobalInfoSync \"false\"}}\n \"disable-periodic-snat-global-info-sync\": {{.DisablePeriodicSnatGlobalInfoSync}},\n{{- end}}\n{{- if .NodeSnatRedirectExclude }}\n \"node-snat-redirect-exclude\": [{{ range $index,$item := .NodeSnatRedirectExclude}}{{- if $index}}, {{end }}{\"group\": \"{{ index $item \"group\" }}\", \"labels\": {{ index $item \"labels\" }}}{{ end }}],\n{{- end }}\n \"opflex-device-delete-timeout\": {{.OpflexDeviceDeleteTimeout}},\n \"sleep-time-snat-global-info-sync\": {{.SleepTimeSnatGlobalInfoSync}},\n \"install-istio\": {{.InstallIstio}},\n \"istio-profile\": \"{{.IstioProfile}}\",\n{{- if ne .CApic \"true\"}}\n \"aci-podbd-dn\": \"uni/tn-{{.Tenant}}/BD-aci-containers-{{.SystemIdentifier}}-pod-bd\",\n \"aci-nodebd-dn\": \"uni/tn-{{.Tenant}}/BD-aci-containers-{{.SystemIdentifier}}-node-bd\",\n{{- end}}\n 
\"aci-service-phys-dom\": \"{{.SystemIdentifier}}-pdom\",\n \"aci-service-encap\": \"vlan-{{.ServiceVlan}}\",\n \"aci-service-monitor-interval\": {{.ServiceMonitorInterval}},\n \"aci-pbr-tracking-non-snat\": {{.PBRTrackingNonSnat}},\n \"aci-vrf-tenant\": \"{{.VRFTenant}}\",\n \"aci-l3out\": \"{{.L3Out}}\",\n \"aci-ext-networks\": {{.L3OutExternalNetworks}},\n{{- if ne .CApic \"true\"}}\n \"aci-vrf\": \"{{.VRFName}}\",\n{{- else}}\n \"aci-vrf\": \"{{.OverlayVRFName}}\",\n{{- end}}\n \"app-profile\": \"aci-containers-{{.SystemIdentifier}}\",\n{{- if ne .AddExternalContractToDefaultEpg \"false\"}}\n \"add-external-contract-to-default-epg\": {{.AddExternalContractToDefaultEpg}},\n{{- end}} \n \"default-endpoint-group\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-default\"\n{{- else}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}\"\n{{- end}}\n },\n \"max-nodes-svc-graph\": {{.MaxNodesSvcGraph}},\n \"namespace-default-endpoint-group\": {\n \"aci-containers-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"istio-operator\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"istio-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"kube-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-system\": {\n 
\"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-prometheus\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-logging\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n } },\n \"service-ip-pool\": [{{- range $index, $item := .ServiceIPPool }}{{- if $index}},{{end}}{ \"start\": \"{{ $item.Start }}\", \"end\": \"{{ $item.End}}\" }{{end}}],\n \"extern-static\": [{{- range $index, $item := .StaticExternalSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"extern-dynamic\": [{{- range $index, $item := .DynamicExternalSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"snat-contract-scope\": \"{{.SnatContractScope}}\",\n \"static-service-ip-pool\": [{{- range $index, $item := .StaticServiceIPPool }}{{- if $index}},{{end}}{ \"start\": \"{{ $item.Start }}\", \"end\": \"{{ $item.End }}\" }{{end}}],\n \"pod-ip-pool\": [{{- range $index, $item := .PodIPPool }}{{- if $index}},{{end}}{ \"start\": \"{{ $item.Start }}\", \"end\": \"{{ $item.End}}\" }{{end}}],\n \"pod-subnet-chunk-size\": {{.PodSubnetChunkSize}},\n \"node-service-ip-pool\": [\n {\n \"end\": \"{{.NodeServiceIPEnd}}\",\n \"start\": \"{{.NodeServiceIPStart}}\"\n }\n ],\n \"node-service-subnets\": [\n \"{{.ServiceGraphSubnet}}\"\n ],\n \"enable_endpointslice\": {{.EnableEndpointSlice}}\n }\n host-agent-config: |-\n {\n \"app-profile\": \"aci-containers-{{.SystemIdentifier}}\",\n{{- if ne .EpRegistry \"\"}}\n \"ep-registry\": \"{{.EpRegistry}}\",\n{{- else}}\n \"ep-registry\": null,\n{{- end}}\n{{- if ne .AciMultipod 
\"false\" }}\n \"aci-multipod\": {{.AciMultipod}},\n{{- end}}\n{{- if ne .DhcpRenewMaxRetryCount \"0\" }}\n \"dhcp-renew-max-retry-count\": {{.DhcpRenewMaxRetryCount}},\n{{- end}}\n{{- if ne .DhcpDelay \"0\" }}\n \"dhcp-delay\": {{.DhcpDelay}},\n{{- end}}\n{{- if ne .EnableOpflexAgentReconnect \"false\"}}\n \"enable-opflex-agent-reconnect\": {{.EnableOpflexAgentReconnect}},\n{{- end}}\n{{- if ne .OpflexMode \"\"}}\n \"opflex-mode\": \"{{.OpflexMode}}\",\n{{- else}}\n \"opflex-mode\": null,\n{{- end}}\n \"log-level\": \"{{.HostAgentLogLevel}}\",\n \"aci-snat-namespace\": \"{{.SnatNamespace}}\",\n \"aci-vmm-type\": \"Kubernetes\",\n{{- if ne .VmmDomain \"\"}}\n \"aci-vmm-domain\": \"{{.VmmDomain}}\",\n{{- else}}\n \"aci-vmm-domain\": \"{{.SystemIdentifier}}\",\n{{- end}}\n{{- if ne .VmmController \"\"}}\n \"aci-vmm-controller\": \"{{.VmmController}}\",\n{{- else}}\n \"aci-vmm-controller\": \"{{.SystemIdentifier}}\",\n{{- end}}\n \"aci-prefix\": \"{{.SystemIdentifier}}\",\n{{- if ne .CApic \"true\"}}\n \"aci-vrf\": \"{{.VRFName}}\",\n{{- else}}\n \"aci-vrf\": \"{{.OverlayVRFName}}\",\n{{- end}}\n \"aci-vrf-tenant\": \"{{.VRFTenant}}\",\n \"service-vlan\": {{.ServiceVlan}},\n \"kubeapi-vlan\": {{.KubeAPIVlan}},\n{{- if ne .HppOptimization \"false\"}}\n \"hpp-optimization\": {{.HppOptimization}},\n{{- end}}\n \"pod-subnet\": [{{- range $index, $item := .PodSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"node-subnet\": [{{- range $index, $item := .NodeSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"encap-type\": \"{{.EncapType}}\",\n \"aci-infra-vlan\": {{.InfraVlan}},\n{{- if .MTU}}\n{{- if ne .MTU 0}}\n \"interface-mtu\": {{.MTU}},\n{{- end}}\n{{- end}}\n{{- if .MTUHeadRoom}}\n{{- if ne .MTUHeadRoom \"0\"}}\n \"interface-mtu-headroom\": {{.MTUHeadRoom}},\n{{- end}}\n{{- end}}\n \"cni-netconfig\": [{{- range $index, $item := .PodNetwork }}{{- if $index}},{{end}}{ \"gateway\": \"{{ $item.Gateway }}\", \"subnet\": \"{{ $item.Subnet }}\", \"routes\": [{ 
\"dst\": \"0.0.0.0/0\", \"gw\": \"{{ $item.Gateway }}\" }]}{{end}}],\n \"default-endpoint-group\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-default\"\n{{- else}}\n \"name\": \"aci-containers-default\"\n{{- end}}\n },\n \"namespace-default-endpoint-group\": {\n \"aci-containers-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"istio-operator\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"istio-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"kube-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-prometheus\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-logging\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n } },\n \"enable-drop-log\": 
{{.DropLogEnable}},\n \"enable_endpointslice\": {{.EnableEndpointSlice}},\n \"enable-nodepodif\": {{.NodePodIfEnable}},\n \"enable-ovs-hw-offload\": {{.SriovEnable}}\n }\n opflex-agent-config: |-\n {\n \"log\": {\n \"level\": \"{{.OpflexAgentLogLevel}}\"\n },\n \"opflex\": {\n{{- if eq .OpflexClientSSL \"false\"}}\n \"ssl\": { \"mode\": \"disabled\"},\n{{- end}}\n{{- if eq .OpflexAgentStatistics \"false\"}}\n \"statistics\" : { \"mode\" : \"off\" },\n{{- end}}\n{{- if ne .OpflexAgentPolicyRetryDelayTimer \"10\" }}\n \"timers\" : { \"policy-retry-delay\": {{.OpflexAgentPolicyRetryDelayTimer}} },\n{{- end}}\n \"notif\" : { \"enabled\" : \"false\" },\n \"asyncjson\": { \"enabled\" : {{.OpflexAgentOpflexAsyncjsonEnabled}} }\n },\n \"ovs\": {\n \"asyncjson\": { \"enabled\" : {{.OpflexAgentOvsAsyncjsonEnabled}} }\n }\n }\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: snat-operator-config\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\ndata:\n \"start\": \"{{.SnatPortRangeStart}}\"\n \"end\": \"{{.SnatPortRangeEnd}}\"\n \"ports-per-node\": \"{{.SnatPortsPerNode}}\"\n---\napiVersion: v1\nkind: Secret\nmetadata:\n name: aci-user-cert\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\ndata:\n user.key: {{.ApicUserKey}}\n user.crt: {{.ApicUserCrt}}\n---\n{{- if eq .CApic \"true\"}}\napiVersion: v1\nkind: Secret\nmetadata:\n name: kafka-client-certificates\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\ndata:\n ca.crt: {{.KafkaClientCrt}}\n kafka-client.crt: {{.KafkaClientCrt}}\n kafka-client.key: {{.KafkaClientKey}}\n---\n{{- end}}\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: aci-containers-controller\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: aci-containers-host-agent\n 
namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n---\n{{- if eq .UseClusterRole \"true\"}}\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n name: aci-containers-controller\nrules:\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - namespaces\n - pods\n - endpoints\n - services\n - events\n - replicationcontrollers\n - serviceaccounts\n verbs:\n - list\n - watch\n - get\n - patch\n - create\n - update\n - delete\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n- apiGroups:\n - \"apiextensions.k8s.io\"\n resources:\n - customresourcedefinitions\n verbs:\n - '*'\n- apiGroups:\n - \"rbac.authorization.k8s.io\"\n resources:\n - clusterroles\n - clusterrolebindings\n verbs:\n - '*'\n{{- if ne .InstallIstio \"false\"}}\n- apiGroups:\n - \"install.istio.io\"\n resources:\n - istiocontrolplanes\n - istiooperators\n verbs:\n - '*'\n- apiGroups:\n - \"aci.istio\"\n resources:\n - aciistiooperators\n - aciistiooperator\n verbs:\n - '*'\n{{- end}}\n- apiGroups:\n - \"networking.k8s.io\"\n resources:\n - networkpolicies\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"apps\"\n resources:\n - deployments\n - replicasets\n - daemonsets\n - statefulsets\n verbs:\n - '*'\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - services/status\n verbs:\n - update\n- apiGroups:\n - \"monitoring.coreos.com\"\n resources:\n - servicemonitors\n verbs:\n - get\n - create\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatpolicies/finalizers\n - snatpolicies/status\n - nodeinfos\n verbs:\n - update\n - create\n - list\n - watch\n - get\n - delete\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatglobalinfos\n - snatpolicies\n - nodeinfos\n - rdconfigs\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n- apiGroups:\n - \"aci.qos\"\n 
resources:\n - qospolicies\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n - patch\n- apiGroups:\n - \"aci.netflow\"\n resources:\n - netflowpolicies\n verbs:\n - list\n - watch\n - get\n - update\n- apiGroups:\n - \"aci.erspan\"\n resources:\n - erspanpolicies\n verbs:\n - list\n - watch\n - get\n - update\n- apiGroups:\n - \"aci.aw\"\n resources:\n - nodepodifs\n verbs:\n - '*'\n- apiGroups:\n - apps.openshift.io\n resources:\n - deploymentconfigs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - discovery.k8s.io\n resources:\n - endpointslices\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.netpol\"\n resources:\n - networkpolicies\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - delete\n- apiGroups:\n - \"aci.dnsnetpol\"\n resources:\n - dnsnetworkpolicies\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - delete\n---\n{{- end}}\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n name: aci-containers-host-agent\nrules:\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - namespaces\n - pods\n - endpoints\n - services\n - replicationcontrollers\n verbs:\n - list\n - watch\n - get\n{{- if ne .DropLogEnable \"false\"}}\n - update\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - create\n - patch\n{{- end}}\n- apiGroups:\n - \"apiextensions.k8s.io\"\n resources:\n - customresourcedefinitions\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"networking.k8s.io\"\n resources:\n - networkpolicies\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"apps\"\n resources:\n - deployments\n - replicasets\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatpolicies\n - snatglobalinfos\n - rdconfigs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.qos\"\n resources:\n - qospolicies\n verbs:\n - list\n - watch\n - get\n - create\n - update\n 
- delete\n - patch\n- apiGroups:\n - \"aci.droplog\"\n resources:\n - enabledroplogs\n - prunedroplogs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.snat\"\n resources:\n - nodeinfos\n - snatlocalinfos\n verbs:\n - create\n - update\n - list\n - watch\n - get\n - delete\n- apiGroups:\n - discovery.k8s.io\n resources:\n - endpointslices\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.netpol\"\n resources:\n - networkpolicies\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.aw\"\n resources:\n - nodepodifs\n verbs:\n - \"*\"\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: aci-containers-controller\n labels:\n aci-containers-config-version: \"{{.Token}}\"\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: aci-containers-controller\nsubjects:\n- kind: ServiceAccount\n name: aci-containers-controller\n namespace: aci-containers-system\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: aci-containers-host-agent\n labels:\n aci-containers-config-version: \"{{.Token}}\"\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: aci-containers-host-agent\nsubjects:\n- kind: ServiceAccount\n name: aci-containers-host-agent\n namespace: aci-containers-system\n---\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: aci-containers-host\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\nspec:\n updateStrategy:\n type: RollingUpdate\n selector:\n matchLabels:\n name: aci-containers-host\n network-plugin: aci-containers\n template:\n metadata:\n labels:\n name: aci-containers-host\n network-plugin: aci-containers\n annotations:\n prometheus.io/scrape: \"true\"\n prometheus.io/port: \"9612\"\n spec:\n hostNetwork: true\n hostPID: true\n hostIPC: true\n serviceAccountName: aci-containers-host-agent\n{{- if ne .ImagePullSecret \"\"}}\n 
imagePullSecrets:\n - name: {{.ImagePullSecret}}\n{{- end}}\n tolerations:\n - operator: Exists\n initContainers:\n - name: cnideploy\n image: {{.AciCniDeployContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - SYS_ADMIN\n volumeMounts:\n - name: cni-bin\n mountPath: /mnt/cni-bin\n{{- if ne .UseSystemNodePriorityClass \"false\"}}\n priorityClassName: system-node-critical\n{{- else if .UseAciContainersHostPriorityClass}} \n priorityClassName: aci-containers-host\n{{- else}} \n{{- if ne .NoPriorityClass \"true\"}}\n priorityClassName: system-cluster-critical\n{{- end}}\n{{- if eq .UseAciCniPriorityClass \"true\"}}\n priorityClassName: acicni-priority\n{{- end}}\n{{- end}}\n containers:\n - name: aci-containers-host\n image: {{.AciHostContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .AciContainersHostMemoryLimit ) ( .AciContainersHostMemoryRequest )}}\n resources:\n limits:\n{{- if .AciContainersHostMemoryLimit }}\n memory: \"{{ .AciContainersHostMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .AciContainersHostMemoryRequest }}\n memory: \"{{ .AciContainersHostMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}}\n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - SYS_ADMIN\n - NET_ADMIN\n - SYS_PTRACE\n - NET_RAW\n env:\n - name: KUBERNETES_NODE_NAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n - name: TENANT\n value: \"{{.Tenant}}\"\n{{- if ne .MultusDisable \"true\"}}\n - name: MULTUS\n value: true\n{{- end}}\n{{- if eq .DisableWaitForNetwork \"true\"}}\n - name: DISABLE_WAIT_FOR_NETWORK\n value: true\n{{- else}}\n - name: DURATION_WAIT_FOR_NETWORK\n value: \"{{.DurationWaitForNetwork}}\"\n{{- end}}\n volumeMounts:\n - name: cni-bin\n mountPath: 
/mnt/cni-bin\n - name: cni-conf\n mountPath: /mnt/cni-conf\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: opflex-hostconfig-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/base-conf.d\n - name: host-config-volume\n mountPath: /usr/local/etc/aci-containers/\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n{{- if eq .AciMultipod \"true\" }}\n - name: dhclient\n mountPath: /var/lib/dhclient\n{{- end}}\n{{- if eq .UseHostNetnsVolume \"true\"}}\n - mountPath: /run/netns\n name: host-run-netns\n readOnly: true\n mountPropagation: HostToContainer\n{{- end}}\n{{- if ne .MultusDisable \"true\"}}\n - name: multus-cni-conf\n mountPath: /mnt/multus-cni-conf\n{{- end}}\n livenessProbe:\n failureThreshold: 10\n httpGet:\n path: /status\n port: 8090\n scheme: HTTP\n initialDelaySeconds: 120\n periodSeconds: 60\n successThreshold: 1\n timeoutSeconds: 30\n - name: opflex-agent\n env:\n - name: REBOOT_WITH_OVS\n value: \"true\"\n{{- if ne .OpflexOpensslCompat \"false\"}}\n - name: OPENSSL_CONF\n value: \"/etc/pki/tls/openssl11.cnf\" \n{{- end}}\n image: {{.AciOpflexContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .OpflexAgentMemoryLimit ) ( .OpflexAgentMemoryRequest )}}\n resources:\n limits:\n{{- if .OpflexAgentMemoryLimit }}\n memory: \"{{ .OpflexAgentMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .OpflexAgentMemoryRequest }}\n memory: \"{{ .OpflexAgentMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}} \n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - NET_ADMIN\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: 
hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: opflex-hostconfig-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/base-conf.d\n - name: opflex-config-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/conf.d\n{{- if eq .RunOpflexServerContainer \"true\"}}\n - name: opflex-server\n image: {{.AciOpflexContainer}}\n command: [\"/bin/sh\"]\n args: [\"/usr/local/bin/launch-opflexserver.sh\"]\n imagePullPolicy: {{.ImagePullPolicy}}\n securityContext:\n capabilities:\n add:\n - NET_ADMIN\n ports:\n - containerPort: {{.OpflexServerPort}}\n - name: metrics\n containerPort: 9632\n terminationMessagePath: /dev/termination-log\n terminationMessagePolicy: File\n volumeMounts:\n - name: opflex-server-config-volume\n mountPath: /usr/local/etc/opflex-server\n - name: hostvar\n mountPath: /usr/local/var\n{{- end}}\n{{- if ne .OpflexMode \"overlay\"}}\n - name: mcast-daemon\n image: {{.AciMcastContainer}}\n command: [\"/bin/sh\"]\n args: [\"/usr/local/bin/launch-mcastdaemon.sh\"]\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .McastDaemonMemoryLimit ) ( .McastDaemonMemoryRequest )}}\n resources:\n limits:\n{{- if .McastDaemonMemoryLimit }}\n memory: \"{{ .McastDaemonMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .McastDaemonMemoryRequest }}\n memory: \"{{ .McastDaemonMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}}\n{{- if eq .UsePrivilegedContainer \"true\"}}\n securityContext:\n privileged: true\n{{- end}}\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n{{- end}}\n restartPolicy: Always\n volumes:\n - name: cni-bin\n hostPath:\n path: /opt\n - name: cni-conf\n hostPath:\n path: /etc\n - name: hostvar\n hostPath:\n path: /var\n - name: hostrun\n hostPath:\n path: /run\n - name: host-config-volume\n configMap:\n name: 
aci-containers-config\n items:\n - key: host-agent-config\n path: host-agent.conf\n - name: opflex-hostconfig-volume\n emptyDir:\n medium: Memory\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n{{- if eq .AciMultipod \"true\" }}\n{{- if eq .AciMultipodUbuntu \"true\" }}\n - name: dhclient\n hostPath:\n path: /var/lib/dhcp\n{{- else}}\n - name: dhclient\n hostPath:\n path: /var/lib/dhclient\n{{- end}}\n{{- end}}\n - name: opflex-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: opflex-agent-config\n path: local.conf\n{{- if eq .UseOpflexServerVolume \"true\"}}\n - name: opflex-server-config-volume\n{{- end}}\n{{- if eq .UseHostNetnsVolume \"true\"}}\n - name: host-run-netns\n hostPath:\n path: /run/netns\n{{- end}}\n{{- if ne .MultusDisable \"true\" }}\n - name: multus-cni-conf\n hostPath:\n path: /var/run/multus/\n{{- end}}\n---\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: aci-containers-openvswitch\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\nspec:\n updateStrategy:\n type: RollingUpdate\n selector:\n matchLabels:\n name: aci-containers-openvswitch\n network-plugin: aci-containers\n template:\n metadata:\n labels:\n name: aci-containers-openvswitch\n network-plugin: aci-containers\n spec:\n hostNetwork: true\n hostPID: true\n hostIPC: true\n serviceAccountName: aci-containers-host-agent\n{{- if ne .ImagePullSecret \"\"}}\n imagePullSecrets:\n - name: {{.ImagePullSecret}}\n{{end}}\n tolerations:\n - operator: Exists \n{{- if ne .UseSystemNodePriorityClass \"false\"}}\n priorityClassName: system-node-critical\n{{- else if .UseAciContainersOpenvswitchPriorityClass}} \n priorityClassName: aci-containers-openvswitch\n{{- else}} \n{{- if ne .NoPriorityClass \"true\"}}\n priorityClassName: system-cluster-critical\n{{- 
end}}\n{{- if eq .UseAciCniPriorityClass \"true\"}}\n priorityClassName: acicni-priority\n{{- end}}\n{{- end}}\n containers:\n - name: aci-containers-openvswitch\n image: {{.AciOpenvSwitchContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n resources:\n limits:\n memory: \"{{.OVSMemoryLimit}}\"\n requests:\n memory: \"{{.OVSMemoryRequest}}\"\n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - NET_ADMIN\n - SYS_MODULE\n - SYS_NICE\n - IPC_LOCK\n env:\n - name: OVS_RUNDIR\n value: /usr/local/var/run/openvswitch\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: hostetc\n mountPath: /usr/local/etc\n - name: hostmodules\n mountPath: /lib/modules\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n livenessProbe:\n exec:\n command:\n - /usr/local/bin/liveness-ovs.sh\n restartPolicy: Always\n volumes:\n - name: hostetc\n hostPath:\n path: /etc\n - name: hostvar\n hostPath:\n path: /var\n - name: hostrun\n hostPath:\n path: /run\n - name: hostmodules\n hostPath:\n path: /lib/modules\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: aci-containers-controller\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n name: aci-containers-controller\nspec:\n replicas: 1\n strategy:\n type: Recreate\n selector:\n matchLabels:\n name: aci-containers-controller\n network-plugin: aci-containers\n template:\n metadata:\n name: aci-containers-controller\n namespace: aci-containers-system\n 
labels:\n name: aci-containers-controller\n network-plugin: aci-containers\n spec:\n hostNetwork: true\n serviceAccountName: aci-containers-controller\n{{- if ne .ImagePullSecret \"\"}}\n imagePullSecrets:\n - name: {{.ImagePullSecret}}\n{{- end}}\n{{- if .Tolerations }}\n tolerations:\n{{ toYaml .Tolerations | indent 6}}\n{{- else }}\n tolerations:\n - effect: NoExecute\n operator: Exists\n tolerationSeconds: {{ .TolerationSeconds }}\n - effect: NoSchedule\n key: node.kubernetes.io/not-ready\n operator: Exists\n - effect: NoSchedule\n key: node-role.kubernetes.io/master\n operator: Exists\n{{- end }}\n{{- if ne .UseSystemNodePriorityClass \"false\"}}\n priorityClassName: system-node-critical\n{{- else if .UseAciContainersControllerPriorityClass}} \n priorityClassName: aci-containers-controller\n{{- else}} \n{{- if ne .NoPriorityClass \"true\"}}\n priorityClassName: system-node-critical\n{{- end}}\n{{- if eq .UseAciCniPriorityClass \"true\"}}\n priorityClassName: acicni-priority\n{{- end}}\n{{- end}}\n containers:\n - name: aci-containers-controller\n image: {{.AciControllerContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .AciContainersControllerMemoryLimit ) ( .AciContainersControllerMemoryRequest )}}\n resources:\n limits:\n{{- if .AciContainersControllerMemoryLimit }}\n memory: \"{{ .AciContainersControllerMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .AciContainersControllerMemoryRequest }}\n memory: \"{{ .AciContainersControllerMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}}\n env:\n - name: WATCH_NAMESPACE\n value: \"\"\n - name: ACI_SNAT_NAMESPACE\n value: \"aci-containers-system\"\n - name: ACI_SNAGLOBALINFO_NAME\n value: \"snatglobalinfo\"\n - name: ACI_RDCONFIG_NAME\n value: \"routingdomain-config\"\n - name: SYSTEM_NAMESPACE\n value: \"aci-containers-system\"\n volumeMounts:\n - name: controller-config-volume\n mountPath: 
/usr/local/etc/aci-containers/\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n - name: aci-user-cert-volume\n mountPath: /usr/local/etc/aci-cert/\n livenessProbe:\n failureThreshold: 10\n httpGet:\n path: /status\n port: 8091\n scheme: HTTP\n initialDelaySeconds: 120\n periodSeconds: 60\n successThreshold: 1\n timeoutSeconds: 30\n volumes:\n{{- if eq .CApic \"true\"}}\n - name: kafka-certs\n secret:\n secretName: kafka-client-certificates\n{{- end}}\n - name: aci-user-cert-volume\n secret:\n secretName: aci-user-cert\n - name: controller-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: controller-config\n path: controller.conf\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n{{- if eq .CApic \"true\"}}\n---\napiVersion: aci.aw/v1\nkind: PodIF\nmetadata:\n name: inet-route\n namespace: kube-system\nstatus:\n epg: aci-containers-inet-out\n ipaddr: 0.0.0.0/0\n{{- end}}\n---\napiVersion: v1\nkind: LimitRange\nmetadata:\n name: memory-limit-range\n namespace: aci-containers-system\nspec:\n limits:\n - default:\n memory: {{ .AciContainersMemoryLimit }}\n defaultRequest:\n memory: {{ .AciContainersMemoryRequest }}\n type: Container\n", "aci-v6.0.3.3": "\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: acicontainersoperators.aci.ctrl\nspec:\n group: aci.ctrl\n names:\n kind: AciContainersOperator\n listKind: AciContainersOperatorList\n plural: acicontainersoperators\n singular: acicontainersoperator\n scope: Namespaced\n versions:\n - name: v1alpha1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n description: acicontainersoperator owns the lifecycle of ACI objects in the 
cluster\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: AciContainersOperatorSpec defines the desired spec for ACI Objects\n properties:\n flavor:\n type: string\n config:\n type: string\n type: object\n status:\n description: AciContainersOperatorStatus defines the successful completion of AciContainersOperator\n properties:\n status:\n type: boolean\n type: object\n required:\n - spec\n type: object\n---\napiVersion: v1\nkind: Namespace\nmetadata:\n name: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: nodepodifs.aci.aw\nspec:\n group: aci.aw\n names:\n kind: NodePodIF\n listKind: NodePodIFList\n plural: nodepodifs\n singular: nodepodif\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n type: object\n properties:\n podifs:\n type: array\n items:\n type: object\n properties:\n containerID:\n type: string\n epg:\n type: string\n ifname:\n type: string\n ipaddr:\n type: string\n macaddr:\n type: string\n podname:\n type: string\n podns:\n type: string\n vtep:\n type: string\n required:\n - spec\n type: object\n---\n{{- if eq .UseAciCniPriorityClass \"true\"}}\napiVersion: scheduling.k8s.io/v1beta1\nkind: PriorityClass\nmetadata:\n name: acicni-priority\nvalue: 1000000000\nglobalDefault: false\ndescription: \"This priority class is used for ACI-CNI resources\"\n---\n{{- end }}\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatglobalinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatGlobalInfo\n listKind: SnatGlobalInfoList\n plural: snatglobalinfos\n singular: snatglobalinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n 
storage: true\n schema:\n openAPIV3Schema:\n description: SnatGlobalInfo is the Schema for the snatglobalinfos API\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n globalInfos:\n additionalProperties:\n items:\n properties:\n macAddress:\n type: string\n portRanges:\n items:\n properties:\n end:\n maximum: 65535\n minimum: 1\n type: integer\n start:\n maximum: 65535\n minimum: 1\n type: integer\n type: object\n type: array\n snatIp:\n type: string\n snatIpUid:\n type: string\n snatPolicyName:\n type: string\n required:\n - macAddress\n - portRanges\n - snatIp\n - snatIpUid\n - snatPolicyName\n type: object\n type: array\n type: object\n required:\n - globalInfos\n type: object\n status:\n description: SnatGlobalInfoStatus defines the observed state of SnatGlobalInfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatlocalinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatLocalInfo\n listKind: SnatLocalInfoList\n plural: snatlocalinfos\n singular: snatlocalinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: SnatLocalInfoSpec defines the desired state of SnatLocalInfo\n properties:\n localInfos:\n items:\n properties:\n podName:\n type: string\n podNamespace:\n type: string\n podUid:\n type: string\n snatPolicies:\n items:\n properties:\n destIp:\n items:\n type: string\n type: array\n name:\n type: string\n snatIp:\n type: string\n required:\n - destIp\n - name\n - snatIp\n type: object\n type: array\n required:\n - podName\n - podNamespace\n - podUid\n - snatPolicies\n type: object\n type: array\n required:\n - localInfos\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: 
snatpolicies.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatPolicy\n listKind: SnatPolicyList\n plural: snatpolicies\n singular: snatpolicy\n scope: Cluster\n versions:\n - name: v1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n type: object\n properties:\n selector:\n type: object\n properties:\n labels:\n type: object\n description: 'Selection of Pods'\n properties:\n additionalProperties:\n type: string\n namespace:\n type: string\n type: object\n snatIp:\n type: array\n items:\n type: string\n destIp:\n type: array\n items:\n type: string\n type: object\n status:\n type: object\n properties:\n additionalProperties:\n type: string\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: nodeinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: NodeInfo\n listKind: NodeInfoList\n plural: nodeinfos\n singular: nodeinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n macaddress:\n type: string\n snatpolicynames:\n additionalProperties:\n type: boolean\n type: object\n type: object\n status:\n description: NodeinfoStatus defines the observed state of Nodeinfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: rdconfigs.aci.snat\nspec:\n group: aci.snat\n names:\n kind: RdConfig\n listKind: RdConfigList\n plural: rdconfigs\n singular: rdconfig\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n discoveredsubnets:\n items:\n type: string\n type: array\n 
usersubnets:\n items:\n type: string\n type: array\n type: object\n status:\n description: NodeinfoStatus defines the observed state of Nodeinfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: networkpolicies.aci.netpol\nspec:\n group: aci.netpol\n names:\n kind: NetworkPolicy\n listKind: NetworkPolicyList\n plural: networkpolicies\n singular: networkpolicy\n scope: Namespaced\n versions:\n - name: v1\n schema:\n openAPIV3Schema:\n description: Network Policy describes traffic flow at IP address or port level\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n appliedTo:\n properties:\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: allow ingress from the same namespace\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n egress:\n description: Set of egress rules evaluated based on the order in which they are set.\n items:\n properties:\n action:\n description: Action specifies the action to be applied on the rule.\n type: string\n enableLogging:\n description: EnableLogging is used to indicate if agent should generate logs default to false.\n type: boolean\n ports:\n description: Set of port and protocol allowed/denied by the rule. 
If this field is unset or empty, this rule matches all ports.\n items:\n description: NetworkPolicyPort describes the port and protocol to match in a rule.\n properties:\n endPort:\n description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical port is specified.\n format: int32\n type: integer\n port:\n anyOf:\n - type: integer\n - type: string\n description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers.\n x-kubernetes-int-or-string: true\n protocol:\n default: TCP\n description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.\n type: string\n type: object\n type: array\n to:\n description: Rule is matched if traffic is intended for workloads selected by this field. If this field is empty or missing, this rule matches all destinations.\n items:\n properties:\n ipBlock:\n description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector.\n properties:\n cidr:\n description: CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\"\n type: string\n except:\n description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\" Except values will be rejected if they are outside the CIDR range\n items:\n type: string\n type: array\n required:\n - cidr\n type: object\n namespaceSelector:\n description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except PodSelector or ExternalEntitySelector.\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: Select Pods from NetworkPolicys Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. 
This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n type: array\n toFqDn:\n properties:\n matchNames:\n items:\n type: string\n type: array\n required:\n - matchNames\n type: object\n required:\n - enableLogging\n - toFqDn\n type: object\n type: array\n ingress:\n description: Set of ingress rules evaluated based on the order in which they are set.\n items:\n properties:\n action:\n description: Action specifies the action to be applied on the rule.\n type: string\n enableLogging:\n description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false.\n type: boolean\n from:\n description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources.\n items:\n properties:\n ipBlock:\n description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector.\n properties:\n cidr:\n description: CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\"\n type: string\n except:\n description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\" Except values will be rejected if they are outside the CIDR range\n items:\n type: string\n type: array\n required:\n - cidr\n type: object\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. 
If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: Select Pods from NetworkPolicys Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.\n properties:\n matchExpressions:\n description: matchExpressions is a list of label selector requirements. The requirements are ANDed.\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n type: array\n ports:\n description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports.\n items:\n description: NetworkPolicyPort describes the port and protocol to match in a rule.\n properties:\n endPort:\n description: EndPort defines the end of the port range, being the end included within the range. 
It can only be specified when a numerical port is specified.\n format: int32\n type: integer\n port:\n anyOf:\n - type: integer\n - type: string\n description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers.\n x-kubernetes-int-or-string: true\n protocol:\n default: TCP\n description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.\n type: string\n type: object\n type: array\n type: object\n type: array\n policyTypes:\n items:\n description: Policy Type string describes the NetworkPolicy type This type is beta-level in 1.8\n type: string\n type: array\n priority:\n description: Priority specfies the order of the NetworkPolicy relative to other NetworkPolicies.\n type: integer\n type:\n description: type of the policy.\n type: string\n required:\n - type\n type: object\n required:\n - spec\n type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: dnsnetworkpolicies.aci.dnsnetpol\nspec:\n group: aci.dnsnetpol\n names:\n kind: DnsNetworkPolicy\n listKind: DnsNetworkPolicyList\n plural: dnsnetworkpolicies\n singular: dnsnetworkpolicy\n scope: Namespaced\n versions:\n - name: v1beta\n schema:\n openAPIV3Schema:\n description: dns network Policy\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n appliedTo:\n properties:\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: allow 
ingress from the same namespace\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n egress:\n description: Set of egress rules evaluated based on the order in which they are set.\n properties:\n toFqdn:\n properties:\n matchNames:\n items:\n type: string\n type: array\n required:\n - matchNames\n type: object\n required:\n - toFqdn\n type: object\n type: object\n required:\n - spec\n type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: qospolicies.aci.qos\nspec:\n group: aci.qos\n names:\n kind: QosPolicy\n listKind: QosPolicyList\n plural: qospolicies\n singular: qospolicy\n scope: Namespaced\n preserveUnknownFields: false\n versions:\n - name: v1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n podSelector:\n description: 'Selection of Pods'\n type: object\n properties:\n matchLabels:\n type: object\n description:\n ingress:\n type: object\n properties:\n policing_rate:\n type: integer\n minimum: 0\n policing_burst:\n type: integer\n minimum: 0\n egress:\n type: object\n properties:\n 
policing_rate:\n type: integer\n minimum: 0\n policing_burst:\n type: integer\n minimum: 0\n dscpmark:\n type: integer\n default: 0\n minimum: 0\n maximum: 63\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: netflowpolicies.aci.netflow\nspec:\n group: aci.netflow\n names:\n kind: NetflowPolicy\n listKind: NetflowPolicyList\n plural: netflowpolicies\n singular: netflowpolicy\n scope: Cluster\n preserveUnknownFields: false\n versions:\n - name: v1alpha\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n flowSamplingPolicy:\n type: object\n properties:\n destIp:\n type: string\n destPort:\n type: integer\n minimum: 0\n maximum: 65535\n default: 2055\n flowType:\n type: string\n enum:\n - netflow\n - ipfix\n default: netflow\n activeFlowTimeOut:\n type: integer\n minimum: 0\n maximum: 3600\n default: 60\n idleFlowTimeOut:\n type: integer\n minimum: 0\n maximum: 600\n default: 15\n samplingRate:\n type: integer\n minimum: 0\n maximum: 1000\n default: 0\n required:\n - destIp\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: erspanpolicies.aci.erspan\nspec:\n group: aci.erspan\n names:\n kind: ErspanPolicy\n listKind: ErspanPolicyList\n plural: erspanpolicies\n singular: erspanpolicy\n scope: Cluster\n preserveUnknownFields: false\n versions:\n - name: v1alpha\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n selector:\n type: object\n description: 'Selection of Pods'\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n namespace:\n type: string\n source:\n type: object\n properties:\n adminState:\n description: 
Administrative state.\n default: start\n type: string\n enum:\n - start\n - stop\n direction:\n description: Direction of the packets to monitor.\n default: both\n type: string\n enum:\n - in\n - out\n - both\n destination:\n type: object\n properties:\n destIP:\n description: Destination IP of the ERSPAN packet.\n type: string\n flowID:\n description: Unique flow ID of the ERSPAN packet.\n default: 1\n type: integer\n minimum: 1\n maximum: 1023\n required:\n - destIP\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: enabledroplogs.aci.droplog\nspec:\n group: aci.droplog\n names:\n kind: EnableDropLog\n listKind: EnableDropLogList\n plural: enabledroplogs\n singular: enabledroplog\n scope: Cluster\n versions:\n - name: v1alpha1\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n description: Defines the desired state of EnableDropLog\n type: object\n properties:\n disableDefaultDropLog:\n description: Disables the default droplog enabled by acc-provision.\n default: false\n type: boolean\n nodeSelector:\n type: object\n description: Drop logging is enabled on nodes selected based on labels\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: prunedroplogs.aci.droplog\nspec:\n group: aci.droplog\n names:\n kind: PruneDropLog\n listKind: PruneDropLogList\n plural: prunedroplogs\n singular: prunedroplog\n scope: Cluster\n versions:\n - name: v1alpha1\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n description: Defines the desired state of PruneDropLog\n 
type: object\n properties:\n nodeSelector:\n type: object\n description: Drop logging filters are applied to nodes selected based on labels\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n dropLogFilters:\n type: object\n properties:\n srcIP:\n type: string\n destIP:\n type: string\n srcMAC:\n type: string\n destMAC:\n type: string\n srcPort:\n type: integer\n destPort:\n type: integer\n ipProto:\n type: integer\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: accprovisioninputs.aci.ctrl\nspec:\n group: aci.ctrl\n names:\n kind: AccProvisionInput\n listKind: AccProvisionInputList\n plural: accprovisioninputs\n singular: accprovisioninput\n scope: Namespaced\n versions:\n - name: v1alpha1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n description: accprovisioninput defines the input configuration for ACI CNI\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: AccProvisionInputSpec defines the desired spec for accprovisioninput object\n properties:\n acc_provision_input:\n type: object\n properties:\n operator_managed_config:\n type: object\n properties:\n enable_updates:\n type: boolean\n aci_config:\n type: object\n properties:\n sync_login:\n type: object\n properties:\n certfile:\n type: string\n keyfile:\n type: string\n client_ssl:\n type: boolean\n net_config:\n type: object\n properties:\n interface_mtu:\n type: integer\n service_monitor_interval:\n type: integer\n pbr_tracking_non_snat:\n type: boolean\n pod_subnet_chunk_size:\n type: integer\n disable_wait_for_network:\n type: boolean\n duration_wait_for_network:\n type: integer\n registry:\n type: object\n properties:\n image_prefix:\n type: string\n image_pull_secret:\n type: string\n aci_containers_operator_version:\n type: string\n aci_containers_controller_version:\n type: string\n 
aci_containers_host_version:\n type: string\n acc_provision_operator_version:\n type: string\n aci_cni_operator_version:\n type: string\n cnideploy_version:\n type: string\n opflex_agent_version:\n type: string\n openvswitch_version:\n type: string\n gbp_version:\n type: string\n logging:\n type: object\n properties:\n controller_log_level:\n type: string\n hostagent_log_level:\n type: string\n opflexagent_log_level:\n type: string\n istio_config:\n type: object\n properties:\n install_istio:\n type: boolean\n install_profile:\n type: string\n multus:\n type: object\n properties:\n disable:\n type: boolean\n drop_log_config:\n type: object\n properties:\n enable:\n type: boolean\n nodepodif_config:\n type: object\n properties:\n enable:\n type: boolean\n sriov_config:\n type: object\n properties:\n enable:\n type: boolean\n kube_config:\n type: object\n properties:\n ovs_memory_limit:\n type: string\n use_privileged_containers:\n type: boolean\n image_pull_policy:\n type: string\n reboot_opflex_with_ovs:\n type: string\n snat_operator:\n type: object\n properties:\n port_range:\n type: object\n properties:\n start:\n type: integer\n end:\n type: integer\n ports_per_node:\n type: integer\n contract_scope:\n type: string\n disable_periodic_snat_global_info_sync:\n type: boolean\n type: object\n status:\n description: AccProvisionInputStatus defines the successful completion of AccProvisionInput\n properties:\n status:\n type: boolean\n type: object\n required:\n - spec\n type: object\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: aci-containers-config\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\ndata:\n controller-config: |-\n {\n \"log-level\": \"{{.ControllerLogLevel}}\",\n \"apic-hosts\": {{.ApicHosts}},\n{{- if ne .AciMultipod \"false\" }}\n \"aci-multipod\": {{.AciMultipod}},\n{{- end}}\n{{- if .OpflexDeviceReconnectWaitTimeout }}\n 
\"opflex-device-reconnect-wait-timeout\": {{.OpflexDeviceReconnectWaitTimeout}},\n{{- end}}\n \"apic-refreshtime\": \"{{.ApicRefreshTime}}\",\n \"apic-subscription-delay\": {{.ApicSubscriptionDelay}},\n \"apic_refreshticker_adjust\": \"{{.ApicRefreshTickerAdjust}}\",\n \"apic-username\": \"{{.ApicUserName}}\",\n \"apic-private-key-path\": \"/usr/local/etc/aci-cert/user.key\",\n \"aci-prefix\": \"{{.SystemIdentifier}}\",\n \"aci-vmm-type\": \"Kubernetes\",\n{{- if ne .VmmDomain \"\"}}\n \"aci-vmm-domain\": \"{{.VmmDomain}}\",\n{{- else}}\n \"aci-vmm-domain\": \"{{.SystemIdentifier}}\",\n{{- end}}\n{{- if ne .VmmController \"\"}}\n \"aci-vmm-controller\": \"{{.VmmController}}\",\n{{- else}}\n \"aci-vmm-controller\": \"{{.SystemIdentifier}}\",\n{{- end}}\n \"aci-policy-tenant\": \"{{.Tenant}}\",\n{{- if ne .CApic \"false\"}}\n \"lb-type\": \"None\",\n{{- end}}\n{{- if ne .HppOptimization \"false\"}}\n \"hpp-optimization\": {{.HppOptimization}},\n{{- end}}\n{{- if ne .NoWaitForServiceEpReadiness \"false\"}}\n \"no-wait-for-service-ep-readiness\": {{.NoWaitForServiceEpReadiness}},\n{{- end}}\n{{- if ne .ServiceGraphEndpointAddDelay \"0\"}}\n \"service-graph-endpoint-add-delay\" : {\n \"delay\": {{.ServiceGraphEndpointAddDelay}},\n \"services\": [{{- range $index, $item :=.ServiceGraphEndpointAddServices }}{{- if $index}},{{end}}{ {{- range $k, $v := $item }}\"{{ $k }}\": \"{{ $v }}\"{{if eq $k \"name\"}},{{end}}{{- end}}}{{end}}]\n },\n{{- end}}\n{{- if ne .AddExternalSubnetsToRdconfig \"false\"}}\n \"add-external-subnets-to-rdconfig\": {{.AddExternalSubnetsToRdconfig}},\n{{- end}}\n{{- if ne .DisablePeriodicSnatGlobalInfoSync \"false\"}}\n \"disable-periodic-snat-global-info-sync\": {{.DisablePeriodicSnatGlobalInfoSync}},\n{{- end}}\n{{- if .NodeSnatRedirectExclude }}\n \"node-snat-redirect-exclude\": [{{ range $index,$item := .NodeSnatRedirectExclude}}{{- if $index}}, {{end }}{\"group\": \"{{ index $item \"group\" }}\", \"labels\": {{ index $item \"labels\" }}}{{ end 
}}],\n{{- end }}\n \"opflex-device-delete-timeout\": {{.OpflexDeviceDeleteTimeout}},\n \"sleep-time-snat-global-info-sync\": {{.SleepTimeSnatGlobalInfoSync}},\n \"install-istio\": {{.InstallIstio}},\n \"istio-profile\": \"{{.IstioProfile}}\",\n{{- if ne .CApic \"true\"}}\n \"aci-podbd-dn\": \"uni/tn-{{.Tenant}}/BD-aci-containers-{{.SystemIdentifier}}-pod-bd\",\n \"aci-nodebd-dn\": \"uni/tn-{{.Tenant}}/BD-aci-containers-{{.SystemIdentifier}}-node-bd\",\n{{- end}}\n \"aci-service-phys-dom\": \"{{.SystemIdentifier}}-pdom\",\n \"aci-service-encap\": \"vlan-{{.ServiceVlan}}\",\n \"aci-service-monitor-interval\": {{.ServiceMonitorInterval}},\n \"aci-pbr-tracking-non-snat\": {{.PBRTrackingNonSnat}},\n \"aci-vrf-tenant\": \"{{.VRFTenant}}\",\n \"aci-l3out\": \"{{.L3Out}}\",\n \"aci-ext-networks\": {{.L3OutExternalNetworks}},\n{{- if ne .CApic \"true\"}}\n \"aci-vrf\": \"{{.VRFName}}\",\n{{- else}}\n \"aci-vrf\": \"{{.OverlayVRFName}}\",\n{{- end}}\n \"app-profile\": \"aci-containers-{{.SystemIdentifier}}\",\n{{- if ne .AddExternalContractToDefaultEpg \"false\"}}\n \"add-external-contract-to-default-epg\": {{.AddExternalContractToDefaultEpg}},\n{{- end}} \n \"default-endpoint-group\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-default\"\n{{- else}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}\"\n{{- end}}\n },\n \"max-nodes-svc-graph\": {{.MaxNodesSvcGraph}},\n \"namespace-default-endpoint-group\": {\n \"aci-containers-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"istio-operator\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"istio-system\": 
{\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"kube-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-prometheus\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-logging\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n } },\n \"service-ip-pool\": [{{- range $index, $item := .ServiceIPPool }}{{- if $index}},{{end}}{ \"start\": \"{{ $item.Start }}\", \"end\": \"{{ $item.End}}\" }{{end}}],\n \"extern-static\": [{{- range $index, $item := .StaticExternalSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"extern-dynamic\": [{{- range $index, $item := .DynamicExternalSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"snat-contract-scope\": \"{{.SnatContractScope}}\",\n \"static-service-ip-pool\": [{{- range $index, $item := .StaticServiceIPPool }}{{- if $index}},{{end}}{ \"start\": \"{{ $item.Start }}\", \"end\": \"{{ $item.End }}\" }{{end}}],\n \"pod-ip-pool\": [{{- range $index, $item := .PodIPPool }}{{- if $index}},{{end}}{ \"start\": \"{{ $item.Start }}\", \"end\": \"{{ $item.End}}\" }{{end}}],\n \"pod-subnet-chunk-size\": {{.PodSubnetChunkSize}},\n 
\"node-service-ip-pool\": [\n {\n \"end\": \"{{.NodeServiceIPEnd}}\",\n \"start\": \"{{.NodeServiceIPStart}}\"\n }\n ],\n \"node-service-subnets\": [\n \"{{.ServiceGraphSubnet}}\"\n ],\n \"enable_endpointslice\": {{.EnableEndpointSlice}}\n }\n host-agent-config: |-\n {\n \"app-profile\": \"aci-containers-{{.SystemIdentifier}}\",\n{{- if ne .EpRegistry \"\"}}\n \"ep-registry\": \"{{.EpRegistry}}\",\n{{- else}}\n \"ep-registry\": null,\n{{- end}}\n{{- if ne .AciMultipod \"false\" }}\n \"aci-multipod\": {{.AciMultipod}},\n{{- end}}\n{{- if ne .DhcpRenewMaxRetryCount \"0\" }}\n \"dhcp-renew-max-retry-count\": {{.DhcpRenewMaxRetryCount}},\n{{- end}}\n{{- if ne .DhcpDelay \"0\" }}\n \"dhcp-delay\": {{.DhcpDelay}},\n{{- end}}\n{{- if ne .EnableOpflexAgentReconnect \"false\"}}\n \"enable-opflex-agent-reconnect\": {{.EnableOpflexAgentReconnect}},\n{{- end}}\n{{- if ne .OpflexMode \"\"}}\n \"opflex-mode\": \"{{.OpflexMode}}\",\n{{- else}}\n \"opflex-mode\": null,\n{{- end}}\n \"log-level\": \"{{.HostAgentLogLevel}}\",\n \"aci-snat-namespace\": \"{{.SnatNamespace}}\",\n \"aci-vmm-type\": \"Kubernetes\",\n{{- if ne .VmmDomain \"\"}}\n \"aci-vmm-domain\": \"{{.VmmDomain}}\",\n{{- else}}\n \"aci-vmm-domain\": \"{{.SystemIdentifier}}\",\n{{- end}}\n{{- if ne .VmmController \"\"}}\n \"aci-vmm-controller\": \"{{.VmmController}}\",\n{{- else}}\n \"aci-vmm-controller\": \"{{.SystemIdentifier}}\",\n{{- end}}\n \"aci-prefix\": \"{{.SystemIdentifier}}\",\n{{- if ne .CApic \"true\"}}\n \"aci-vrf\": \"{{.VRFName}}\",\n{{- else}}\n \"aci-vrf\": \"{{.OverlayVRFName}}\",\n{{- end}}\n \"aci-vrf-tenant\": \"{{.VRFTenant}}\",\n \"service-vlan\": {{.ServiceVlan}},\n \"kubeapi-vlan\": {{.KubeAPIVlan}},\n{{- if ne .HppOptimization \"false\"}}\n \"hpp-optimization\": {{.HppOptimization}},\n{{- end}}\n \"pod-subnet\": [{{- range $index, $item := .PodSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"node-subnet\": [{{- range $index, $item := .NodeSubnet }}{{- if 
$index}},{{end}}{{$item}}{{end}}],\n \"encap-type\": \"{{.EncapType}}\",\n \"aci-infra-vlan\": {{.InfraVlan}},\n{{- if .MTU}}\n{{- if ne .MTU 0}}\n \"interface-mtu\": {{.MTU}},\n{{- end}}\n{{- end}}\n{{- if .MTUHeadRoom}}\n{{- if ne .MTUHeadRoom \"0\"}}\n \"interface-mtu-headroom\": {{.MTUHeadRoom}},\n{{- end}}\n{{- end}}\n \"cni-netconfig\": [{{- range $index, $item := .PodNetwork }}{{- if $index}},{{end}}{ \"gateway\": \"{{ $item.Gateway }}\", \"subnet\": \"{{ $item.Subnet }}\", \"routes\": [{ \"dst\": \"0.0.0.0/0\", \"gw\": \"{{ $item.Gateway }}\" }]}{{end}}],\n \"default-endpoint-group\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-default\"\n{{- else}}\n \"name\": \"aci-containers-default\"\n{{- end}}\n },\n \"namespace-default-endpoint-group\": {\n \"aci-containers-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"istio-operator\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"istio-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"kube-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- 
end}}\n },\n \"cattle-prometheus\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-logging\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n } },\n \"enable-drop-log\": {{.DropLogEnable}},\n \"enable_endpointslice\": {{.EnableEndpointSlice}},\n \"enable-nodepodif\": {{.NodePodIfEnable}},\n \"enable-ovs-hw-offload\": {{.SriovEnable}}\n }\n opflex-agent-config: |-\n {\n \"log\": {\n \"level\": \"{{.OpflexAgentLogLevel}}\"\n },\n \"opflex\": {\n{{- if eq .OpflexClientSSL \"false\"}}\n \"ssl\": { \"mode\": \"disabled\"},\n{{- end}}\n{{- if eq .OpflexAgentStatistics \"false\"}}\n \"statistics\" : { \"mode\" : \"off\" },\n{{- end}}\n{{- if ne .OpflexAgentPolicyRetryDelayTimer \"10\" }}\n \"timers\" : { \"policy-retry-delay\": {{.OpflexAgentPolicyRetryDelayTimer}} },\n{{- end}}\n \"notif\" : { \"enabled\" : \"false\" },\n \"asyncjson\": { \"enabled\" : {{.OpflexAgentOpflexAsyncjsonEnabled}} }\n },\n \"ovs\": {\n \"asyncjson\": { \"enabled\" : {{.OpflexAgentOvsAsyncjsonEnabled}} }\n }\n }\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: snat-operator-config\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\ndata:\n \"start\": \"{{.SnatPortRangeStart}}\"\n \"end\": \"{{.SnatPortRangeEnd}}\"\n \"ports-per-node\": \"{{.SnatPortsPerNode}}\"\n---\napiVersion: v1\nkind: Secret\nmetadata:\n name: aci-user-cert\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\ndata:\n user.key: {{.ApicUserKey}}\n user.crt: {{.ApicUserCrt}}\n---\n{{- if eq .CApic \"true\"}}\napiVersion: v1\nkind: Secret\nmetadata:\n name: 
kafka-client-certificates\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\ndata:\n ca.crt: {{.KafkaClientCrt}}\n kafka-client.crt: {{.KafkaClientCrt}}\n kafka-client.key: {{.KafkaClientKey}}\n---\n{{- end}}\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: aci-containers-controller\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: aci-containers-host-agent\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n---\n{{- if eq .UseClusterRole \"true\"}}\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n name: aci-containers-controller\nrules:\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - namespaces\n - pods\n - endpoints\n - services\n - events\n - replicationcontrollers\n - serviceaccounts\n verbs:\n - list\n - watch\n - get\n - patch\n - create\n - update\n - delete\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n- apiGroups:\n - \"apiextensions.k8s.io\"\n resources:\n - customresourcedefinitions\n verbs:\n - '*'\n- apiGroups:\n - \"rbac.authorization.k8s.io\"\n resources:\n - clusterroles\n - clusterrolebindings\n verbs:\n - '*'\n{{- if ne .InstallIstio \"false\"}}\n- apiGroups:\n - \"install.istio.io\"\n resources:\n - istiocontrolplanes\n - istiooperators\n verbs:\n - '*'\n- apiGroups:\n - \"aci.istio\"\n resources:\n - aciistiooperators\n - aciistiooperator\n verbs:\n - '*'\n{{- end}}\n- apiGroups:\n - \"networking.k8s.io\"\n resources:\n - networkpolicies\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"apps\"\n resources:\n - deployments\n - replicasets\n - daemonsets\n - statefulsets\n verbs:\n - '*'\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - services/status\n 
verbs:\n - update\n- apiGroups:\n - \"monitoring.coreos.com\"\n resources:\n - servicemonitors\n verbs:\n - get\n - create\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatpolicies/finalizers\n - snatpolicies/status\n - nodeinfos\n verbs:\n - update\n - create\n - list\n - watch\n - get\n - delete\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatglobalinfos\n - snatpolicies\n - nodeinfos\n - rdconfigs\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n- apiGroups:\n - \"aci.qos\"\n resources:\n - qospolicies\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n - patch\n- apiGroups:\n - \"aci.netflow\"\n resources:\n - netflowpolicies\n verbs:\n - list\n - watch\n - get\n - update\n- apiGroups:\n - \"aci.erspan\"\n resources:\n - erspanpolicies\n verbs:\n - list\n - watch\n - get\n - update\n- apiGroups:\n - \"aci.aw\"\n resources:\n - nodepodifs\n verbs:\n - '*'\n- apiGroups:\n - apps.openshift.io\n resources:\n - deploymentconfigs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - discovery.k8s.io\n resources:\n - endpointslices\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.netpol\"\n resources:\n - networkpolicies\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - delete\n- apiGroups:\n - \"aci.dnsnetpol\"\n resources:\n - dnsnetworkpolicies\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - delete\n---\n{{- end}}\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n name: aci-containers-host-agent\nrules:\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - namespaces\n - pods\n - endpoints\n - services\n - replicationcontrollers\n verbs:\n - list\n - watch\n - get\n{{- if ne .DropLogEnable \"false\"}}\n - update\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - create\n - patch\n{{- end}}\n- apiGroups:\n - \"apiextensions.k8s.io\"\n resources:\n - 
customresourcedefinitions\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"networking.k8s.io\"\n resources:\n - networkpolicies\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"apps\"\n resources:\n - deployments\n - replicasets\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatpolicies\n - snatglobalinfos\n - rdconfigs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.qos\"\n resources:\n - qospolicies\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n - patch\n- apiGroups:\n - \"aci.droplog\"\n resources:\n - enabledroplogs\n - prunedroplogs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.snat\"\n resources:\n - nodeinfos\n - snatlocalinfos\n verbs:\n - create\n - update\n - list\n - watch\n - get\n - delete\n- apiGroups:\n - discovery.k8s.io\n resources:\n - endpointslices\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.netpol\"\n resources:\n - networkpolicies\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.aw\"\n resources:\n - nodepodifs\n verbs:\n - \"*\"\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: aci-containers-controller\n labels:\n aci-containers-config-version: \"{{.Token}}\"\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: aci-containers-controller\nsubjects:\n- kind: ServiceAccount\n name: aci-containers-controller\n namespace: aci-containers-system\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: aci-containers-host-agent\n labels:\n aci-containers-config-version: \"{{.Token}}\"\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: aci-containers-host-agent\nsubjects:\n- kind: ServiceAccount\n name: aci-containers-host-agent\n namespace: aci-containers-system\n---\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: aci-containers-host\n namespace: aci-containers-system\n labels:\n 
aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\nspec:\n updateStrategy:\n type: RollingUpdate\n selector:\n matchLabels:\n name: aci-containers-host\n network-plugin: aci-containers\n template:\n metadata:\n labels:\n name: aci-containers-host\n network-plugin: aci-containers\n annotations:\n prometheus.io/scrape: \"true\"\n prometheus.io/port: \"9612\"\n spec:\n hostNetwork: true\n hostPID: true\n hostIPC: true\n serviceAccountName: aci-containers-host-agent\n{{- if ne .ImagePullSecret \"\"}}\n imagePullSecrets:\n - name: {{.ImagePullSecret}}\n{{- end}}\n tolerations:\n - operator: Exists\n initContainers:\n - name: cnideploy\n image: {{.AciCniDeployContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - SYS_ADMIN\n volumeMounts:\n - name: cni-bin\n mountPath: /mnt/cni-bin\n{{- if ne .UseSystemNodePriorityClass \"false\"}}\n priorityClassName: system-node-critical\n{{- else if .UseAciContainersHostPriorityClass}} \n priorityClassName: aci-containers-host\n{{- else}} \n{{- if ne .NoPriorityClass \"true\"}}\n priorityClassName: system-cluster-critical\n{{- end}}\n{{- if eq .UseAciCniPriorityClass \"true\"}}\n priorityClassName: acicni-priority\n{{- end}}\n{{- end}}\n containers:\n - name: aci-containers-host\n image: {{.AciHostContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .AciContainersHostMemoryLimit ) ( .AciContainersHostMemoryRequest )}}\n resources:\n limits:\n{{- if .AciContainersHostMemoryLimit }}\n memory: \"{{ .AciContainersHostMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .AciContainersHostMemoryRequest }}\n memory: \"{{ .AciContainersHostMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}}\n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n 
capabilities:\n add:\n - SYS_ADMIN\n - NET_ADMIN\n - SYS_PTRACE\n - NET_RAW\n env:\n - name: KUBERNETES_NODE_NAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n - name: TENANT\n value: \"{{.Tenant}}\"\n{{- if ne .MultusDisable \"true\"}}\n - name: MULTUS\n value: true\n{{- end}}\n{{- if eq .DisableWaitForNetwork \"true\"}}\n - name: DISABLE_WAIT_FOR_NETWORK\n value: true\n{{- else}}\n - name: DURATION_WAIT_FOR_NETWORK\n value: \"{{.DurationWaitForNetwork}}\"\n{{- end}}\n volumeMounts:\n - name: cni-bin\n mountPath: /mnt/cni-bin\n - name: cni-conf\n mountPath: /mnt/cni-conf\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: opflex-hostconfig-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/base-conf.d\n - name: host-config-volume\n mountPath: /usr/local/etc/aci-containers/\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n{{- if eq .AciMultipod \"true\" }}\n - name: dhclient\n mountPath: /var/lib/dhclient\n{{- end}}\n{{- if eq .UseHostNetnsVolume \"true\"}}\n - mountPath: /run/netns\n name: host-run-netns\n readOnly: true\n mountPropagation: HostToContainer\n{{- end}}\n{{- if ne .MultusDisable \"true\"}}\n - name: multus-cni-conf\n mountPath: /mnt/multus-cni-conf\n{{- end}}\n livenessProbe:\n failureThreshold: 10\n httpGet:\n path: /status\n port: 8090\n scheme: HTTP\n initialDelaySeconds: 120\n periodSeconds: 60\n successThreshold: 1\n timeoutSeconds: 30\n - name: opflex-agent\n env:\n - name: REBOOT_WITH_OVS\n value: \"true\"\n{{- if ne .OpflexOpensslCompat \"false\"}}\n - name: OPENSSL_CONF\n value: \"/etc/pki/tls/openssl11.cnf\" \n{{- end}}\n image: {{.AciOpflexContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .OpflexAgentMemoryLimit ) ( .OpflexAgentMemoryRequest )}}\n resources:\n 
limits:\n{{- if .OpflexAgentMemoryLimit }}\n memory: \"{{ .OpflexAgentMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .OpflexAgentMemoryRequest }}\n memory: \"{{ .OpflexAgentMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}} \n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - NET_ADMIN\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: opflex-hostconfig-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/base-conf.d\n - name: opflex-config-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/conf.d\n{{- if eq .RunOpflexServerContainer \"true\"}}\n - name: opflex-server\n image: {{.AciOpflexContainer}}\n command: [\"/bin/sh\"]\n args: [\"/usr/local/bin/launch-opflexserver.sh\"]\n imagePullPolicy: {{.ImagePullPolicy}}\n securityContext:\n capabilities:\n add:\n - NET_ADMIN\n ports:\n - containerPort: {{.OpflexServerPort}}\n - name: metrics\n containerPort: 9632\n terminationMessagePath: /dev/termination-log\n terminationMessagePolicy: File\n volumeMounts:\n - name: opflex-server-config-volume\n mountPath: /usr/local/etc/opflex-server\n - name: hostvar\n mountPath: /usr/local/var\n{{- end}}\n{{- if ne .OpflexMode \"overlay\"}}\n - name: mcast-daemon\n image: {{.AciMcastContainer}}\n command: [\"/bin/sh\"]\n args: [\"/usr/local/bin/launch-mcastdaemon.sh\"]\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .McastDaemonMemoryLimit ) ( .McastDaemonMemoryRequest )}}\n resources:\n limits:\n{{- if .McastDaemonMemoryLimit }}\n memory: \"{{ .McastDaemonMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .McastDaemonMemoryRequest }}\n memory: \"{{ .McastDaemonMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- 
end}}\n{{- end}}\n{{- if eq .UsePrivilegedContainer \"true\"}}\n securityContext:\n privileged: true\n{{- end}}\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n{{- end}}\n restartPolicy: Always\n volumes:\n - name: cni-bin\n hostPath:\n path: /opt\n - name: cni-conf\n hostPath:\n path: /etc\n - name: hostvar\n hostPath:\n path: /var\n - name: hostrun\n hostPath:\n path: /run\n - name: host-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: host-agent-config\n path: host-agent.conf\n - name: opflex-hostconfig-volume\n emptyDir:\n medium: Memory\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n{{- if eq .AciMultipod \"true\" }}\n{{- if eq .AciMultipodUbuntu \"true\" }}\n - name: dhclient\n hostPath:\n path: /var/lib/dhcp\n{{- else}}\n - name: dhclient\n hostPath:\n path: /var/lib/dhclient\n{{- end}}\n{{- end}}\n - name: opflex-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: opflex-agent-config\n path: local.conf\n{{- if eq .UseOpflexServerVolume \"true\"}}\n - name: opflex-server-config-volume\n{{- end}}\n{{- if eq .UseHostNetnsVolume \"true\"}}\n - name: host-run-netns\n hostPath:\n path: /run/netns\n{{- end}}\n{{- if ne .MultusDisable \"true\" }}\n - name: multus-cni-conf\n hostPath:\n path: /var/run/multus/\n{{- end}}\n---\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: aci-containers-openvswitch\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\nspec:\n updateStrategy:\n type: RollingUpdate\n selector:\n matchLabels:\n name: aci-containers-openvswitch\n network-plugin: aci-containers\n template:\n metadata:\n labels:\n name: aci-containers-openvswitch\n network-plugin: aci-containers\n spec:\n 
hostNetwork: true\n hostPID: true\n hostIPC: true\n serviceAccountName: aci-containers-host-agent\n{{- if ne .ImagePullSecret \"\"}}\n imagePullSecrets:\n - name: {{.ImagePullSecret}}\n{{end}}\n tolerations:\n - operator: Exists \n{{- if ne .UseSystemNodePriorityClass \"false\"}}\n priorityClassName: system-node-critical\n{{- else if .UseAciContainersOpenvswitchPriorityClass}} \n priorityClassName: aci-containers-openvswitch\n{{- else}} \n{{- if ne .NoPriorityClass \"true\"}}\n priorityClassName: system-cluster-critical\n{{- end}}\n{{- if eq .UseAciCniPriorityClass \"true\"}}\n priorityClassName: acicni-priority\n{{- end}}\n{{- end}}\n containers:\n - name: aci-containers-openvswitch\n image: {{.AciOpenvSwitchContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n resources:\n limits:\n memory: \"{{.OVSMemoryLimit}}\"\n requests:\n memory: \"{{.OVSMemoryRequest}}\"\n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - NET_ADMIN\n - SYS_MODULE\n - SYS_NICE\n - IPC_LOCK\n env:\n - name: OVS_RUNDIR\n value: /usr/local/var/run/openvswitch\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: hostetc\n mountPath: /usr/local/etc\n - name: hostmodules\n mountPath: /lib/modules\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n livenessProbe:\n exec:\n command:\n - /usr/local/bin/liveness-ovs.sh\n restartPolicy: Always\n volumes:\n - name: hostetc\n hostPath:\n path: /etc\n - name: hostvar\n hostPath:\n path: /var\n - name: hostrun\n hostPath:\n path: /run\n - name: hostmodules\n hostPath:\n path: /lib/modules\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: 
varlibdocker\n hostPath:\n path: /var/lib/docker\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: aci-containers-controller\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n name: aci-containers-controller\nspec:\n replicas: 1\n strategy:\n type: Recreate\n selector:\n matchLabels:\n name: aci-containers-controller\n network-plugin: aci-containers\n template:\n metadata:\n name: aci-containers-controller\n namespace: aci-containers-system\n labels:\n name: aci-containers-controller\n network-plugin: aci-containers\n spec:\n hostNetwork: true\n serviceAccountName: aci-containers-controller\n{{- if ne .ImagePullSecret \"\"}}\n imagePullSecrets:\n - name: {{.ImagePullSecret}}\n{{- end}}\n{{- if .Tolerations }}\n tolerations:\n{{ toYaml .Tolerations | indent 6}}\n{{- else }}\n tolerations:\n - effect: NoExecute\n operator: Exists\n tolerationSeconds: {{ .TolerationSeconds }}\n - effect: NoSchedule\n key: node.kubernetes.io/not-ready\n operator: Exists\n - effect: NoSchedule\n key: node-role.kubernetes.io/master\n operator: Exists\n{{- end }}\n{{- if ne .UseSystemNodePriorityClass \"false\"}}\n priorityClassName: system-node-critical\n{{- else if .UseAciContainersControllerPriorityClass}} \n priorityClassName: aci-containers-controller\n{{- else}} \n{{- if ne .NoPriorityClass \"true\"}}\n priorityClassName: system-node-critical\n{{- end}}\n{{- if eq .UseAciCniPriorityClass \"true\"}}\n priorityClassName: acicni-priority\n{{- end}}\n{{- end}}\n containers:\n - name: aci-containers-controller\n image: {{.AciControllerContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .AciContainersControllerMemoryLimit ) ( .AciContainersControllerMemoryRequest )}}\n resources:\n limits:\n{{- if .AciContainersControllerMemoryLimit }}\n memory: \"{{ .AciContainersControllerMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if 
.AciContainersControllerMemoryRequest }}\n memory: \"{{ .AciContainersControllerMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}}\n env:\n - name: WATCH_NAMESPACE\n value: \"\"\n - name: ACI_SNAT_NAMESPACE\n value: \"aci-containers-system\"\n - name: ACI_SNAGLOBALINFO_NAME\n value: \"snatglobalinfo\"\n - name: ACI_RDCONFIG_NAME\n value: \"routingdomain-config\"\n - name: SYSTEM_NAMESPACE\n value: \"aci-containers-system\"\n volumeMounts:\n - name: controller-config-volume\n mountPath: /usr/local/etc/aci-containers/\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n - name: aci-user-cert-volume\n mountPath: /usr/local/etc/aci-cert/\n livenessProbe:\n failureThreshold: 10\n httpGet:\n path: /status\n port: 8091\n scheme: HTTP\n initialDelaySeconds: 120\n periodSeconds: 60\n successThreshold: 1\n timeoutSeconds: 30\n volumes:\n{{- if eq .CApic \"true\"}}\n - name: kafka-certs\n secret:\n secretName: kafka-client-certificates\n{{- end}}\n - name: aci-user-cert-volume\n secret:\n secretName: aci-user-cert\n - name: controller-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: controller-config\n path: controller.conf\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n{{- if eq .CApic \"true\"}}\n---\napiVersion: aci.aw/v1\nkind: PodIF\nmetadata:\n name: inet-route\n namespace: kube-system\nstatus:\n epg: aci-containers-inet-out\n ipaddr: 0.0.0.0/0\n{{- end}}\n---\napiVersion: v1\nkind: LimitRange\nmetadata:\n name: memory-limit-range\n namespace: aci-containers-system\nspec:\n limits:\n - default:\n memory: {{ .AciContainersMemoryLimit }}\n defaultRequest:\n memory: {{ .AciContainersMemoryRequest }}\n type: 
Container\n", "aci-v6.0.4.1": "\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: acicontainersoperators.aci.ctrl\nspec:\n group: aci.ctrl\n names:\n kind: AciContainersOperator\n listKind: AciContainersOperatorList\n plural: acicontainersoperators\n singular: acicontainersoperator\n scope: Namespaced\n versions:\n - name: v1alpha1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n description: acicontainersoperator owns the lifecycle of ACI objects in the cluster\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: AciContainersOperatorSpec defines the desired spec for ACI Objects\n properties:\n flavor:\n type: string\n config:\n type: string\n type: object\n status:\n description: AciContainersOperatorStatus defines the successful completion of AciContainersOperator\n properties:\n status:\n type: boolean\n type: object\n required:\n - spec\n type: object\n---\napiVersion: v1\nkind: Namespace\nmetadata:\n name: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: nodepodifs.aci.aw\nspec:\n group: aci.aw\n names:\n kind: NodePodIF\n listKind: NodePodIFList\n plural: nodepodifs\n singular: nodepodif\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n type: object\n properties:\n podifs:\n type: array\n items:\n type: object\n properties:\n containerID:\n type: string\n epg:\n type: string\n ifname:\n type: string\n ipaddr:\n type: string\n macaddr:\n type: string\n podname:\n type: string\n podns:\n type: string\n vtep:\n type: string\n required:\n - spec\n type: object\n---\n{{- if eq .UseAciCniPriorityClass 
\"true\"}}\napiVersion: scheduling.k8s.io/v1beta1\nkind: PriorityClass\nmetadata:\n name: acicni-priority\nvalue: 1000000000\nglobalDefault: false\ndescription: \"This priority class is used for ACI-CNI resources\"\n---\n{{- end }}\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatglobalinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatGlobalInfo\n listKind: SnatGlobalInfoList\n plural: snatglobalinfos\n singular: snatglobalinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n description: SnatGlobalInfo is the Schema for the snatglobalinfos API\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n globalInfos:\n additionalProperties:\n items:\n properties:\n macAddress:\n type: string\n portRanges:\n items:\n properties:\n end:\n maximum: 65535\n minimum: 1\n type: integer\n start:\n maximum: 65535\n minimum: 1\n type: integer\n type: object\n type: array\n snatIp:\n type: string\n snatIpUid:\n type: string\n snatPolicyName:\n type: string\n required:\n - macAddress\n - portRanges\n - snatIp\n - snatIpUid\n - snatPolicyName\n type: object\n type: array\n type: object\n required:\n - globalInfos\n type: object\n status:\n description: SnatGlobalInfoStatus defines the observed state of SnatGlobalInfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatlocalinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatLocalInfo\n listKind: SnatLocalInfoList\n plural: snatlocalinfos\n singular: snatlocalinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: SnatLocalInfoSpec defines the desired state of SnatLocalInfo\n properties:\n localInfos:\n items:\n 
properties:\n podName:\n type: string\n podNamespace:\n type: string\n podUid:\n type: string\n snatPolicies:\n items:\n properties:\n destIp:\n items:\n type: string\n type: array\n name:\n type: string\n snatIp:\n type: string\n required:\n - destIp\n - name\n - snatIp\n type: object\n type: array\n required:\n - podName\n - podNamespace\n - podUid\n - snatPolicies\n type: object\n type: array\n required:\n - localInfos\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatpolicies.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatPolicy\n listKind: SnatPolicyList\n plural: snatpolicies\n singular: snatpolicy\n scope: Cluster\n versions:\n - name: v1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n type: object\n properties:\n selector:\n type: object\n properties:\n labels:\n type: object\n description: 'Selection of Pods'\n properties:\n additionalProperties:\n type: string\n namespace:\n type: string\n type: object\n snatIp:\n type: array\n items:\n type: string\n destIp:\n type: array\n items:\n type: string\n type: object\n status:\n type: object\n properties:\n additionalProperties:\n type: string\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: nodeinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: NodeInfo\n listKind: NodeInfoList\n plural: nodeinfos\n singular: nodeinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n macaddress:\n type: string\n snatpolicynames:\n additionalProperties:\n type: boolean\n type: object\n type: object\n status:\n description: NodeinfoStatus defines the observed state of 
Nodeinfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: rdconfigs.aci.snat\nspec:\n group: aci.snat\n names:\n kind: RdConfig\n listKind: RdConfigList\n plural: rdconfigs\n singular: rdconfig\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n discoveredsubnets:\n items:\n type: string\n type: array\n usersubnets:\n items:\n type: string\n type: array\n type: object\n status:\n description: NodeinfoStatus defines the observed state of Nodeinfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: networkpolicies.aci.netpol\nspec:\n group: aci.netpol\n names:\n kind: NetworkPolicy\n listKind: NetworkPolicyList\n plural: networkpolicies\n singular: networkpolicy\n scope: Namespaced\n versions:\n - name: v1\n schema:\n openAPIV3Schema:\n description: Network Policy describes traffic flow at IP address or port level\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n appliedTo:\n properties:\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: allow ingress from the same namespace\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n egress:\n 
description: Set of egress rules evaluated based on the order in which they are set.\n items:\n properties:\n action:\n description: Action specifies the action to be applied on the rule.\n type: string\n enableLogging:\n description: EnableLogging is used to indicate if agent should generate logs default to false.\n type: boolean\n ports:\n description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports.\n items:\n description: NetworkPolicyPort describes the port and protocol to match in a rule.\n properties:\n endPort:\n description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical port is specified.\n format: int32\n type: integer\n port:\n anyOf:\n - type: integer\n - type: string\n description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers.\n x-kubernetes-int-or-string: true\n protocol:\n default: TCP\n description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.\n type: string\n type: object\n type: array\n to:\n description: Rule is matched if traffic is intended for workloads selected by this field. If this field is empty or missing, this rule matches all destinations.\n items:\n properties:\n ipBlock:\n description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. 
Cannot be set with any other selector.\n properties:\n cidr:\n description: CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\"\n type: string\n except:\n description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\" Except values will be rejected if they are outside the CIDR range\n items:\n type: string\n type: array\n required:\n - cidr\n type: object\n namespaceSelector:\n description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector.\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: Select Pods from NetworkPolicys Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. 
Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n type: array\n toFqDn:\n properties:\n matchNames:\n items:\n type: string\n type: array\n required:\n - matchNames\n type: object\n required:\n - enableLogging\n - toFqDn\n type: object\n type: array\n ingress:\n description: Set of ingress rules evaluated based on the order in which they are set.\n items:\n properties:\n action:\n description: Action specifies the action to be applied on the rule.\n type: string\n enableLogging:\n description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false.\n type: boolean\n from:\n description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources.\n items:\n properties:\n ipBlock:\n description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. 
Cannot be set with any other selector.\n properties:\n cidr:\n description: CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\"\n type: string\n except:\n description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\" Except values will be rejected if they are outside the CIDR range\n items:\n type: string\n type: array\n required:\n - cidr\n type: object\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: Select Pods from NetworkPolicys Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.\n properties:\n matchExpressions:\n description: matchExpressions is a list of label selector requirements. The requirements are ANDed.\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n type: array\n ports:\n description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports.\n items:\n description: NetworkPolicyPort describes the port and protocol to match in a rule.\n properties:\n endPort:\n description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical port is specified.\n format: int32\n type: integer\n port:\n anyOf:\n - type: integer\n - type: string\n description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers.\n x-kubernetes-int-or-string: true\n protocol:\n default: TCP\n description: The protocol (TCP, UDP, or SCTP) which traffic must match. 
If not specified, this field defaults to TCP.\n type: string\n type: object\n type: array\n type: object\n type: array\n policyTypes:\n items:\n description: Policy Type string describes the NetworkPolicy type This type is beta-level in 1.8\n type: string\n type: array\n priority:\n description: Priority specfies the order of the NetworkPolicy relative to other NetworkPolicies.\n type: integer\n type:\n description: type of the policy.\n type: string\n required:\n - type\n type: object\n required:\n - spec\n type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: dnsnetworkpolicies.aci.dnsnetpol\nspec:\n group: aci.dnsnetpol\n names:\n kind: DnsNetworkPolicy\n listKind: DnsNetworkPolicyList\n plural: dnsnetworkpolicies\n singular: dnsnetworkpolicy\n scope: Namespaced\n versions:\n - name: v1beta\n schema:\n openAPIV3Schema:\n description: dns network Policy\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n appliedTo:\n properties:\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: allow ingress from the same namespace\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n egress:\n description: Set of egress rules evaluated based on the order in which they are set.\n properties:\n toFqdn:\n properties:\n matchNames:\n items:\n type: string\n type: array\n required:\n - matchNames\n type: object\n required:\n - toFqdn\n type: object\n type: object\n required:\n - spec\n type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: qospolicies.aci.qos\nspec:\n group: aci.qos\n names:\n kind: QosPolicy\n listKind: QosPolicyList\n plural: qospolicies\n singular: qospolicy\n scope: Namespaced\n preserveUnknownFields: false\n versions:\n - name: v1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n podSelector:\n description: 'Selection of Pods'\n type: object\n properties:\n matchLabels:\n type: object\n description:\n ingress:\n type: object\n properties:\n policing_rate:\n type: integer\n minimum: 0\n policing_burst:\n type: integer\n minimum: 0\n egress:\n type: object\n properties:\n policing_rate:\n type: integer\n minimum: 0\n policing_burst:\n type: integer\n minimum: 0\n dscpmark:\n type: integer\n default: 0\n minimum: 0\n maximum: 63\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: netflowpolicies.aci.netflow\nspec:\n group: aci.netflow\n names:\n kind: NetflowPolicy\n listKind: NetflowPolicyList\n plural: netflowpolicies\n singular: 
netflowpolicy\n scope: Cluster\n preserveUnknownFields: false\n versions:\n - name: v1alpha\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n flowSamplingPolicy:\n type: object\n properties:\n destIp:\n type: string\n destPort:\n type: integer\n minimum: 0\n maximum: 65535\n default: 2055\n flowType:\n type: string\n enum:\n - netflow\n - ipfix\n default: netflow\n activeFlowTimeOut:\n type: integer\n minimum: 0\n maximum: 3600\n default: 60\n idleFlowTimeOut:\n type: integer\n minimum: 0\n maximum: 600\n default: 15\n samplingRate:\n type: integer\n minimum: 0\n maximum: 1000\n default: 0\n required:\n - destIp\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: erspanpolicies.aci.erspan\nspec:\n group: aci.erspan\n names:\n kind: ErspanPolicy\n listKind: ErspanPolicyList\n plural: erspanpolicies\n singular: erspanpolicy\n scope: Cluster\n preserveUnknownFields: false\n versions:\n - name: v1alpha\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n selector:\n type: object\n description: 'Selection of Pods'\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n namespace:\n type: string\n source:\n type: object\n properties:\n adminState:\n description: Administrative state.\n default: start\n type: string\n enum:\n - start\n - stop\n direction:\n description: Direction of the packets to monitor.\n default: both\n type: string\n enum:\n - in\n - out\n - both\n destination:\n type: object\n properties:\n destIP:\n description: Destination IP of the ERSPAN packet.\n type: string\n flowID:\n description: Unique flow ID of the ERSPAN packet.\n default: 1\n 
type: integer\n minimum: 1\n maximum: 1023\n required:\n - destIP\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: enabledroplogs.aci.droplog\nspec:\n group: aci.droplog\n names:\n kind: EnableDropLog\n listKind: EnableDropLogList\n plural: enabledroplogs\n singular: enabledroplog\n scope: Cluster\n versions:\n - name: v1alpha1\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n description: Defines the desired state of EnableDropLog\n type: object\n properties:\n disableDefaultDropLog:\n description: Disables the default droplog enabled by acc-provision.\n default: false\n type: boolean\n nodeSelector:\n type: object\n description: Drop logging is enabled on nodes selected based on labels\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: prunedroplogs.aci.droplog\nspec:\n group: aci.droplog\n names:\n kind: PruneDropLog\n listKind: PruneDropLogList\n plural: prunedroplogs\n singular: prunedroplog\n scope: Cluster\n versions:\n - name: v1alpha1\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n description: Defines the desired state of PruneDropLog\n type: object\n properties:\n nodeSelector:\n type: object\n description: Drop logging filters are applied to nodes selected based on labels\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n dropLogFilters:\n type: object\n properties:\n srcIP:\n type: string\n destIP:\n type: string\n srcMAC:\n type: string\n destMAC:\n type: string\n srcPort:\n type: integer\n 
destPort:\n type: integer\n ipProto:\n type: integer\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: accprovisioninputs.aci.ctrl\nspec:\n group: aci.ctrl\n names:\n kind: AccProvisionInput\n listKind: AccProvisionInputList\n plural: accprovisioninputs\n singular: accprovisioninput\n scope: Namespaced\n versions:\n - name: v1alpha1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n description: accprovisioninput defines the input configuration for ACI CNI\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: AccProvisionInputSpec defines the desired spec for accprovisioninput object\n properties:\n acc_provision_input:\n type: object\n properties:\n operator_managed_config:\n type: object\n properties:\n enable_updates:\n type: boolean\n aci_config:\n type: object\n properties:\n sync_login:\n type: object\n properties:\n certfile:\n type: string\n keyfile:\n type: string\n client_ssl:\n type: boolean\n net_config:\n type: object\n properties:\n interface_mtu:\n type: integer\n service_monitor_interval:\n type: integer\n pbr_tracking_non_snat:\n type: boolean\n pod_subnet_chunk_size:\n type: integer\n disable_wait_for_network:\n type: boolean\n duration_wait_for_network:\n type: integer\n registry:\n type: object\n properties:\n image_prefix:\n type: string\n image_pull_secret:\n type: string\n aci_containers_operator_version:\n type: string\n aci_containers_controller_version:\n type: string\n aci_containers_host_version:\n type: string\n acc_provision_operator_version:\n type: string\n aci_cni_operator_version:\n type: string\n cnideploy_version:\n type: string\n opflex_agent_version:\n type: string\n openvswitch_version:\n type: string\n gbp_version:\n type: string\n logging:\n type: object\n properties:\n controller_log_level:\n type: string\n hostagent_log_level:\n type: string\n opflexagent_log_level:\n type: 
string\n istio_config:\n type: object\n properties:\n install_istio:\n type: boolean\n install_profile:\n type: string\n multus:\n type: object\n properties:\n disable:\n type: boolean\n drop_log_config:\n type: object\n properties:\n enable:\n type: boolean\n nodepodif_config:\n type: object\n properties:\n enable:\n type: boolean\n sriov_config:\n type: object\n properties:\n enable:\n type: boolean\n kube_config:\n type: object\n properties:\n ovs_memory_limit:\n type: string\n use_privileged_containers:\n type: boolean\n image_pull_policy:\n type: string\n reboot_opflex_with_ovs:\n type: string\n snat_operator:\n type: object\n properties:\n port_range:\n type: object\n properties:\n start:\n type: integer\n end:\n type: integer\n ports_per_node:\n type: integer\n contract_scope:\n type: string\n disable_periodic_snat_global_info_sync:\n type: boolean\n type: object\n status:\n description: AccProvisionInputStatus defines the successful completion of AccProvisionInput\n properties:\n status:\n type: boolean\n type: object\n required:\n - spec\n type: object\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: aci-containers-config\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\ndata:\n controller-config: |-\n {\n \"log-level\": \"{{.ControllerLogLevel}}\",\n \"apic-hosts\": {{.ApicHosts}},\n{{- if ne .AciMultipod \"false\" }}\n \"aci-multipod\": {{.AciMultipod}},\n{{- end}}\n{{- if .OpflexDeviceReconnectWaitTimeout }}\n \"opflex-device-reconnect-wait-timeout\": {{.OpflexDeviceReconnectWaitTimeout}},\n{{- end}}\n \"apic-refreshtime\": \"{{.ApicRefreshTime}}\",\n \"apic-subscription-delay\": {{.ApicSubscriptionDelay}},\n \"apic_refreshticker_adjust\": \"{{.ApicRefreshTickerAdjust}}\",\n \"apic-username\": \"{{.ApicUserName}}\",\n \"apic-private-key-path\": \"/usr/local/etc/aci-cert/user.key\",\n \"aci-prefix\": \"{{.SystemIdentifier}}\",\n \"aci-vmm-type\": \"Kubernetes\",\n{{- if 
ne .VmmDomain \"\"}}\n \"aci-vmm-domain\": \"{{.VmmDomain}}\",\n{{- else}}\n \"aci-vmm-domain\": \"{{.SystemIdentifier}}\",\n{{- end}}\n{{- if ne .VmmController \"\"}}\n \"aci-vmm-controller\": \"{{.VmmController}}\",\n{{- else}}\n \"aci-vmm-controller\": \"{{.SystemIdentifier}}\",\n{{- end}}\n \"aci-policy-tenant\": \"{{.Tenant}}\",\n{{- if ne .CApic \"false\"}}\n \"lb-type\": \"None\",\n{{- end}}\n{{- if ne .HppOptimization \"false\"}}\n \"hpp-optimization\": {{.HppOptimization}},\n{{- end}}\n{{- if ne .DisableHppRendering \"false\"}}\n \"disable-hpp-rendering\": {{.DisableHppRendering}},\n{{- end}}\n{{- if ne .NoWaitForServiceEpReadiness \"false\"}}\n \"no-wait-for-service-ep-readiness\": {{.NoWaitForServiceEpReadiness}},\n{{- end}}\n{{- if ne .ServiceGraphEndpointAddDelay \"0\"}}\n \"service-graph-endpoint-add-delay\" : {\n \"delay\": {{.ServiceGraphEndpointAddDelay}},\n \"services\": [{{- range $index, $item :=.ServiceGraphEndpointAddServices }}{{- if $index}},{{end}}{ {{- range $k, $v := $item }}\"{{ $k }}\": \"{{ $v }}\"{{if eq $k \"name\"}},{{end}}{{- end}}}{{end}}]\n },\n{{- end}}\n{{- if ne .AddExternalSubnetsToRdconfig \"false\"}}\n \"add-external-subnets-to-rdconfig\": {{.AddExternalSubnetsToRdconfig}},\n{{- end}}\n{{- if ne .DisablePeriodicSnatGlobalInfoSync \"false\"}}\n \"disable-periodic-snat-global-info-sync\": {{.DisablePeriodicSnatGlobalInfoSync}},\n{{- end}}\n{{- if .NodeSnatRedirectExclude }}\n \"node-snat-redirect-exclude\": [{{ range $index,$item := .NodeSnatRedirectExclude}}{{- if $index}}, {{end }}{\"group\": \"{{ index $item \"group\" }}\", \"labels\": {{ index $item \"labels\" }}}{{ end }}],\n{{- end }}\n{{- if .ApicConnectionRetryLimit}}\n \"apic-connection-retry-limit\": {{.ApicConnectionRetryLimit}},\n{{- end}}\n \"opflex-device-delete-timeout\": {{.OpflexDeviceDeleteTimeout}},\n \"sleep-time-snat-global-info-sync\": {{.SleepTimeSnatGlobalInfoSync}},\n \"install-istio\": {{.InstallIstio}},\n \"istio-profile\": 
\"{{.IstioProfile}}\",\n{{- if ne .CApic \"true\"}}\n \"aci-podbd-dn\": \"uni/tn-{{.Tenant}}/BD-aci-containers-{{.SystemIdentifier}}-pod-bd\",\n \"aci-nodebd-dn\": \"uni/tn-{{.Tenant}}/BD-aci-containers-{{.SystemIdentifier}}-node-bd\",\n{{- end}}\n \"aci-service-phys-dom\": \"{{.SystemIdentifier}}-pdom\",\n \"aci-service-encap\": \"vlan-{{.ServiceVlan}}\",\n \"aci-service-monitor-interval\": {{.ServiceMonitorInterval}},\n \"aci-pbr-tracking-non-snat\": {{.PBRTrackingNonSnat}},\n \"aci-vrf-tenant\": \"{{.VRFTenant}}\",\n \"aci-l3out\": \"{{.L3Out}}\",\n \"aci-ext-networks\": {{.L3OutExternalNetworks}},\n{{- if ne .CApic \"true\"}}\n \"aci-vrf\": \"{{.VRFName}}\",\n{{- else}}\n \"aci-vrf\": \"{{.OverlayVRFName}}\",\n{{- end}}\n \"app-profile\": \"aci-containers-{{.SystemIdentifier}}\",\n{{- if ne .AddExternalContractToDefaultEpg \"false\"}}\n \"add-external-contract-to-default-epg\": {{.AddExternalContractToDefaultEpg}},\n{{- end}} \n \"default-endpoint-group\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-default\"\n{{- else}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}\"\n{{- end}}\n },\n \"max-nodes-svc-graph\": {{.MaxNodesSvcGraph}},\n \"namespace-default-endpoint-group\": {\n \"aci-containers-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"istio-operator\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"istio-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n 
\"kube-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-prometheus\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-logging\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n } },\n \"service-ip-pool\": [{{- range $index, $item := .ServiceIPPool }}{{- if $index}},{{end}}{ \"start\": \"{{ $item.Start }}\", \"end\": \"{{ $item.End}}\" }{{end}}],\n \"extern-static\": [{{- range $index, $item := .StaticExternalSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"extern-dynamic\": [{{- range $index, $item := .DynamicExternalSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"snat-contract-scope\": \"{{.SnatContractScope}}\",\n \"static-service-ip-pool\": [{{- range $index, $item := .StaticServiceIPPool }}{{- if $index}},{{end}}{ \"start\": \"{{ $item.Start }}\", \"end\": \"{{ $item.End }}\" }{{end}}],\n{{- if and (ne .TaintNotReadyNode \"false\") (ne .TaintNotReadyNode \"False\") }}\n \"taint-not-ready\": true,\n{{- end}}\n \"pod-ip-pool\": [{{- range $index, $item := .PodIPPool }}{{- if $index}},{{end}}{ \"start\": \"{{ $item.Start }}\", \"end\": \"{{ $item.End}}\" }{{end}}],\n \"pod-subnet\": [{{- range $index, $item := .PodSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"pod-subnet-chunk-size\": {{.PodSubnetChunkSize}},\n 
\"node-service-ip-pool\": [\n {\n \"end\": \"{{.NodeServiceIPEnd}}\",\n \"start\": \"{{.NodeServiceIPStart}}\"\n }\n ],\n \"node-service-subnets\": [\n \"{{.ServiceGraphSubnet}}\"\n ],\n \"enable_endpointslice\": {{.EnableEndpointSlice}}\n }\n host-agent-config: |-\n {\n \"app-profile\": \"aci-containers-{{.SystemIdentifier}}\",\n{{- if ne .EpRegistry \"\"}}\n \"ep-registry\": \"{{.EpRegistry}}\",\n{{- else}}\n \"ep-registry\": null,\n{{- end}}\n{{- if ne .AciMultipod \"false\" }}\n \"aci-multipod\": {{.AciMultipod}},\n{{- end}}\n{{- if ne .DhcpRenewMaxRetryCount \"0\" }}\n \"dhcp-renew-max-retry-count\": {{.DhcpRenewMaxRetryCount}},\n{{- end}}\n{{- if ne .DhcpDelay \"0\" }}\n \"dhcp-delay\": {{.DhcpDelay}},\n{{- end}}\n{{- if ne .EnableOpflexAgentReconnect \"false\"}}\n \"enable-opflex-agent-reconnect\": {{.EnableOpflexAgentReconnect}},\n{{- end}}\n{{- if ne .OpflexMode \"\"}}\n \"opflex-mode\": \"{{.OpflexMode}}\",\n{{- else}}\n \"opflex-mode\": null,\n{{- end}}\n \"log-level\": \"{{.HostAgentLogLevel}}\",\n \"aci-snat-namespace\": \"{{.SnatNamespace}}\",\n \"aci-vmm-type\": \"Kubernetes\",\n{{- if ne .VmmDomain \"\"}}\n \"aci-vmm-domain\": \"{{.VmmDomain}}\",\n{{- else}}\n \"aci-vmm-domain\": \"{{.SystemIdentifier}}\",\n{{- end}}\n{{- if ne .VmmController \"\"}}\n \"aci-vmm-controller\": \"{{.VmmController}}\",\n{{- else}}\n \"aci-vmm-controller\": \"{{.SystemIdentifier}}\",\n{{- end}}\n \"aci-prefix\": \"{{.SystemIdentifier}}\",\n{{- if ne .CApic \"true\"}}\n \"aci-vrf\": \"{{.VRFName}}\",\n{{- else}}\n \"aci-vrf\": \"{{.OverlayVRFName}}\",\n{{- end}}\n \"aci-vrf-tenant\": \"{{.VRFTenant}}\",\n \"service-vlan\": {{.ServiceVlan}},\n \"kubeapi-vlan\": {{.KubeAPIVlan}},\n{{- if ne .HppOptimization \"false\"}}\n \"hpp-optimization\": {{.HppOptimization}},\n{{- end}}\n{{- if ne .DisableHppRendering \"false\"}}\n \"disable-hpp-rendering\": {{.DisableHppRendering}},\n{{- end}}\n \"pod-subnet\": [{{- range $index, $item := .PodSubnet }}{{- if 
$index}},{{end}}{{$item}}{{end}}],\n \"node-subnet\": [{{- range $index, $item := .NodeSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"encap-type\": \"{{.EncapType}}\",\n \"aci-infra-vlan\": {{.InfraVlan}},\n{{- if .MTU}}\n{{- if ne .MTU 0}}\n \"interface-mtu\": {{.MTU}},\n{{- end}}\n{{- end}}\n{{- if .MTUHeadRoom}}\n{{- if ne .MTUHeadRoom \"0\"}}\n \"interface-mtu-headroom\": {{.MTUHeadRoom}},\n{{- end}}\n{{- end}}\n \"cni-netconfig\": [{{- range $index, $item := .PodNetwork }}{{- if $index}},{{end}}{ \"gateway\": \"{{ $item.Gateway }}\", \"subnet\": \"{{ $item.Subnet }}\", \"routes\": [{ \"dst\": \"0.0.0.0/0\", \"gw\": \"{{ $item.Gateway }}\" }]}{{end}}],\n \"default-endpoint-group\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-default\"\n{{- else}}\n \"name\": \"aci-containers-default\"\n{{- end}}\n },\n \"namespace-default-endpoint-group\": {\n \"aci-containers-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"istio-operator\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"istio-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"kube-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": 
\"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-prometheus\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-logging\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n } },\n \"enable-drop-log\": {{.DropLogEnable}},\n{{- if and (ne .DropLogDisableEvents \"false\") (ne .DropLogDisableEvents \"False\")}}\n \"packet-event-notification-socket\": \"\",\n{{- end}}\n \"enable_endpointslice\": {{.EnableEndpointSlice}},\n \"enable-nodepodif\": {{.NodePodIfEnable}},\n{{- if and (ne .TaintNotReadyNode \"false\") (ne .TaintNotReadyNode \"False\") }}\n \"taint-not-ready\": true,\n{{- end}} \n \"enable-ovs-hw-offload\": {{.SriovEnable}}\n }\n opflex-agent-config: |-\n {\n \"log\": {\n \"level\": \"{{.OpflexAgentLogLevel}}\"\n },\n \"opflex\": {\n{{- if eq .OpflexClientSSL \"false\"}}\n \"ssl\": { \"mode\": \"disabled\"},\n{{- end}}\n{{- if eq .OpflexAgentStatistics \"false\"}}\n \"statistics\" : { \"mode\" : \"off\" },\n{{- end}}\n{{- if ne .OpflexAgentPolicyRetryDelayTimer \"10\" }}\n \"timers\" : { \"policy-retry-delay\": {{.OpflexAgentPolicyRetryDelayTimer}} },\n{{- end}}\n \"notif\" : { \"enabled\" : \"false\" },\n \"asyncjson\": { \"enabled\" : {{.OpflexAgentOpflexAsyncjsonEnabled}} }\n },\n \"ovs\": {\n \"asyncjson\": { \"enabled\" : {{.OpflexAgentOvsAsyncjsonEnabled}} }\n }\n }\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: snat-operator-config\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\ndata:\n \"start\": \"{{.SnatPortRangeStart}}\"\n \"end\": 
\"{{.SnatPortRangeEnd}}\"\n \"ports-per-node\": \"{{.SnatPortsPerNode}}\"\n---\napiVersion: v1\nkind: Secret\nmetadata:\n name: aci-user-cert\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\ndata:\n user.key: {{.ApicUserKey}}\n user.crt: {{.ApicUserCrt}}\n---\n{{- if eq .CApic \"true\"}}\napiVersion: v1\nkind: Secret\nmetadata:\n name: kafka-client-certificates\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\ndata:\n ca.crt: {{.KafkaClientCrt}}\n kafka-client.crt: {{.KafkaClientCrt}}\n kafka-client.key: {{.KafkaClientKey}}\n---\n{{- end}}\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: aci-containers-controller\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: aci-containers-host-agent\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n---\n{{- if eq .UseClusterRole \"true\"}}\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n name: aci-containers-controller\nrules:\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - namespaces\n - pods\n - endpoints\n - services\n - events\n - replicationcontrollers\n - serviceaccounts\n verbs:\n - list\n - watch\n - get\n - patch\n - create\n - update\n - delete\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n- apiGroups:\n - \"apiextensions.k8s.io\"\n resources:\n - customresourcedefinitions\n verbs:\n - '*'\n- apiGroups:\n - \"rbac.authorization.k8s.io\"\n resources:\n - clusterroles\n - clusterrolebindings\n verbs:\n - '*'\n{{- if ne .InstallIstio \"false\"}}\n- apiGroups:\n - \"install.istio.io\"\n resources:\n - istiocontrolplanes\n - istiooperators\n verbs:\n - '*'\n- apiGroups:\n - \"aci.istio\"\n 
resources:\n - aciistiooperators\n - aciistiooperator\n verbs:\n - '*'\n{{- end}}\n- apiGroups:\n - \"networking.k8s.io\"\n resources:\n - networkpolicies\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"apps\"\n resources:\n - deployments\n - replicasets\n - daemonsets\n - statefulsets\n verbs:\n - '*'\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - services/status\n verbs:\n - update\n- apiGroups:\n - \"monitoring.coreos.com\"\n resources:\n - servicemonitors\n verbs:\n - get\n - create\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatpolicies/finalizers\n - snatpolicies/status\n - nodeinfos\n verbs:\n - update\n - create\n - list\n - watch\n - get\n - delete\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatglobalinfos\n - snatpolicies\n - nodeinfos\n - rdconfigs\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n- apiGroups:\n - \"aci.qos\"\n resources:\n - qospolicies\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n - patch\n- apiGroups:\n - \"aci.netflow\"\n resources:\n - netflowpolicies\n verbs:\n - list\n - watch\n - get\n - update\n- apiGroups:\n - \"aci.erspan\"\n resources:\n - erspanpolicies\n verbs:\n - list\n - watch\n - get\n - update\n- apiGroups:\n - \"aci.aw\"\n resources:\n - nodepodifs\n verbs:\n - '*'\n- apiGroups:\n - apps.openshift.io\n resources:\n - deploymentconfigs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - discovery.k8s.io\n resources:\n - endpointslices\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.netpol\"\n resources:\n - networkpolicies\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - delete\n- apiGroups:\n - \"aci.dnsnetpol\"\n resources:\n - dnsnetworkpolicies\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - delete\n---\n{{- end}}\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n name: 
aci-containers-host-agent\nrules:\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - namespaces\n - pods\n - endpoints\n - services\n - replicationcontrollers\n verbs:\n - list\n - watch\n - get\n{{- if ne .DropLogEnable \"false\"}}\n - update\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - create\n - patch\n{{- end}}\n- apiGroups:\n - \"apiextensions.k8s.io\"\n resources:\n - customresourcedefinitions\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"networking.k8s.io\"\n resources:\n - networkpolicies\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"apps\"\n resources:\n - deployments\n - replicasets\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatpolicies\n - snatglobalinfos\n - rdconfigs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.qos\"\n resources:\n - qospolicies\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n - patch\n- apiGroups:\n - \"aci.droplog\"\n resources:\n - enabledroplogs\n - prunedroplogs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.snat\"\n resources:\n - nodeinfos\n - snatlocalinfos\n verbs:\n - create\n - update\n - list\n - watch\n - get\n - delete\n- apiGroups:\n - discovery.k8s.io\n resources:\n - endpointslices\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.netpol\"\n resources:\n - networkpolicies\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.aw\"\n resources:\n - nodepodifs\n verbs:\n - \"*\"\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: aci-containers-controller\n labels:\n aci-containers-config-version: \"{{.Token}}\"\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: aci-containers-controller\nsubjects:\n- kind: ServiceAccount\n name: aci-containers-controller\n namespace: aci-containers-system\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: aci-containers-host-agent\n labels:\n 
aci-containers-config-version: \"{{.Token}}\"\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: aci-containers-host-agent\nsubjects:\n- kind: ServiceAccount\n name: aci-containers-host-agent\n namespace: aci-containers-system\n---\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: aci-containers-host\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\nspec:\n updateStrategy:\n type: RollingUpdate\n selector:\n matchLabels:\n name: aci-containers-host\n network-plugin: aci-containers\n template:\n metadata:\n labels:\n name: aci-containers-host\n network-plugin: aci-containers\n annotations:\n prometheus.io/scrape: \"true\"\n prometheus.io/port: \"9612\"\n spec:\n hostNetwork: true\n hostPID: true\n hostIPC: true\n serviceAccountName: aci-containers-host-agent\n{{- if ne .ImagePullSecret \"\"}}\n imagePullSecrets:\n - name: {{.ImagePullSecret}}\n{{- end}}\n tolerations:\n - operator: Exists\n initContainers:\n - name: cnideploy\n image: {{.AciCniDeployContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - SYS_ADMIN\n volumeMounts:\n - name: cni-bin\n mountPath: /mnt/cni-bin\n{{- if ne .UseSystemNodePriorityClass \"false\"}}\n priorityClassName: system-node-critical\n{{- else if .UseAciContainersHostPriorityClass}} \n priorityClassName: aci-containers-host\n{{- else}} \n{{- if ne .NoPriorityClass \"true\"}}\n priorityClassName: system-cluster-critical\n{{- end}}\n{{- if eq .UseAciCniPriorityClass \"true\"}}\n priorityClassName: acicni-priority\n{{- end}}\n{{- end}}\n containers:\n - name: aci-containers-host\n image: {{.AciHostContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .AciContainersHostMemoryLimit ) ( .AciContainersHostMemoryRequest )}}\n resources:\n limits:\n{{- if .AciContainersHostMemoryLimit }}\n memory: \"{{ 
.AciContainersHostMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .AciContainersHostMemoryRequest }}\n memory: \"{{ .AciContainersHostMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}}\n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - SYS_ADMIN\n - NET_ADMIN\n - SYS_PTRACE\n - NET_RAW\n env:\n - name: KUBERNETES_NODE_NAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n - name: TENANT\n value: \"{{.Tenant}}\"\n{{- if ne .MultusDisable \"true\"}}\n - name: MULTUS\n value: true\n{{- end}}\n{{- if eq .DisableWaitForNetwork \"true\"}}\n - name: DISABLE_WAIT_FOR_NETWORK\n value: true\n{{- else}}\n - name: DURATION_WAIT_FOR_NETWORK\n value: \"{{.DurationWaitForNetwork}}\"\n{{- end}}\n volumeMounts:\n - name: cni-bin\n mountPath: /mnt/cni-bin\n - name: cni-conf\n mountPath: /mnt/cni-conf\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: opflex-hostconfig-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/base-conf.d\n - name: host-config-volume\n mountPath: /usr/local/etc/aci-containers/\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n{{- if eq .AciMultipod \"true\" }}\n - name: dhclient\n mountPath: /var/lib/dhclient\n{{- end}}\n{{- if eq .UseHostNetnsVolume \"true\"}}\n - mountPath: /run/netns\n name: host-run-netns\n readOnly: true\n mountPropagation: HostToContainer\n{{- end}}\n{{- if ne .MultusDisable \"true\"}}\n - name: multus-cni-conf\n mountPath: /mnt/multus-cni-conf\n{{- end}}\n livenessProbe:\n failureThreshold: 10\n httpGet:\n path: /status\n port: 8090\n scheme: HTTP\n initialDelaySeconds: 120\n periodSeconds: 60\n 
successThreshold: 1\n timeoutSeconds: 30\n - name: opflex-agent\n env:\n - name: REBOOT_WITH_OVS\n value: \"true\"\n{{- if ne .OpflexOpensslCompat \"false\"}}\n - name: OPENSSL_CONF\n value: \"/etc/pki/tls/openssl11.cnf\" \n{{- end}}\n image: {{.AciOpflexContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .OpflexAgentMemoryLimit ) ( .OpflexAgentMemoryRequest )}}\n resources:\n limits:\n{{- if .OpflexAgentMemoryLimit }}\n memory: \"{{ .OpflexAgentMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .OpflexAgentMemoryRequest }}\n memory: \"{{ .OpflexAgentMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}} \n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - NET_ADMIN\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: opflex-hostconfig-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/base-conf.d\n - name: opflex-config-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/conf.d\n{{- if eq .RunOpflexServerContainer \"true\"}}\n - name: opflex-server\n image: {{.AciOpflexContainer}}\n command: [\"/bin/sh\"]\n args: [\"/usr/local/bin/launch-opflexserver.sh\"]\n imagePullPolicy: {{.ImagePullPolicy}}\n securityContext:\n capabilities:\n add:\n - NET_ADMIN\n ports:\n - containerPort: {{.OpflexServerPort}}\n - name: metrics\n containerPort: 9632\n terminationMessagePath: /dev/termination-log\n terminationMessagePolicy: File\n volumeMounts:\n - name: opflex-server-config-volume\n mountPath: /usr/local/etc/opflex-server\n - name: hostvar\n mountPath: /usr/local/var\n{{- end}}\n{{- if ne .OpflexMode \"overlay\"}}\n - name: mcast-daemon\n image: {{.AciMcastContainer}}\n command: [\"/bin/sh\"]\n args: [\"/usr/local/bin/launch-mcastdaemon.sh\"]\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( 
.McastDaemonMemoryLimit ) ( .McastDaemonMemoryRequest )}}\n resources:\n limits:\n{{- if .McastDaemonMemoryLimit }}\n memory: \"{{ .McastDaemonMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .McastDaemonMemoryRequest }}\n memory: \"{{ .McastDaemonMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}}\n{{- if eq .UsePrivilegedContainer \"true\"}}\n securityContext:\n privileged: true\n{{- end}}\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n{{- end}}\n restartPolicy: Always\n volumes:\n - name: cni-bin\n hostPath:\n path: /opt\n - name: cni-conf\n hostPath:\n path: /etc\n - name: hostvar\n hostPath:\n path: /var\n - name: hostrun\n hostPath:\n path: /run\n - name: host-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: host-agent-config\n path: host-agent.conf\n - name: opflex-hostconfig-volume\n emptyDir:\n medium: Memory\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n{{- if eq .AciMultipod \"true\" }}\n{{- if eq .AciMultipodUbuntu \"true\" }}\n - name: dhclient\n hostPath:\n path: /var/lib/dhcp\n{{- else}}\n - name: dhclient\n hostPath:\n path: /var/lib/dhclient\n{{- end}}\n{{- end}}\n - name: opflex-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: opflex-agent-config\n path: local.conf\n{{- if eq .UseOpflexServerVolume \"true\"}}\n - name: opflex-server-config-volume\n{{- end}}\n{{- if eq .UseHostNetnsVolume \"true\"}}\n - name: host-run-netns\n hostPath:\n path: /run/netns\n{{- end}}\n{{- if ne .MultusDisable \"true\" }}\n - name: multus-cni-conf\n hostPath:\n path: /var/run/multus/\n{{- end}}\n---\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: aci-containers-openvswitch\n 
namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\nspec:\n updateStrategy:\n type: RollingUpdate\n selector:\n matchLabels:\n name: aci-containers-openvswitch\n network-plugin: aci-containers\n template:\n metadata:\n labels:\n name: aci-containers-openvswitch\n network-plugin: aci-containers\n spec:\n hostNetwork: true\n hostPID: true\n hostIPC: true\n serviceAccountName: aci-containers-host-agent\n{{- if ne .ImagePullSecret \"\"}}\n imagePullSecrets:\n - name: {{.ImagePullSecret}}\n{{end}}\n tolerations:\n - operator: Exists \n{{- if ne .UseSystemNodePriorityClass \"false\"}}\n priorityClassName: system-node-critical\n{{- else if .UseAciContainersOpenvswitchPriorityClass}} \n priorityClassName: aci-containers-openvswitch\n{{- else}} \n{{- if ne .NoPriorityClass \"true\"}}\n priorityClassName: system-cluster-critical\n{{- end}}\n{{- if eq .UseAciCniPriorityClass \"true\"}}\n priorityClassName: acicni-priority\n{{- end}}\n{{- end}}\n containers:\n - name: aci-containers-openvswitch\n image: {{.AciOpenvSwitchContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n resources:\n limits:\n memory: \"{{.OVSMemoryLimit}}\"\n requests:\n memory: \"{{.OVSMemoryRequest}}\"\n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - NET_ADMIN\n - SYS_MODULE\n - SYS_NICE\n - IPC_LOCK\n env:\n - name: OVS_RUNDIR\n value: /usr/local/var/run/openvswitch\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: hostetc\n mountPath: /usr/local/etc\n - name: hostmodules\n mountPath: /lib/modules\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n livenessProbe:\n exec:\n command:\n - 
/usr/local/bin/liveness-ovs.sh\n restartPolicy: Always\n volumes:\n - name: hostetc\n hostPath:\n path: /etc\n - name: hostvar\n hostPath:\n path: /var\n - name: hostrun\n hostPath:\n path: /run\n - name: hostmodules\n hostPath:\n path: /lib/modules\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: aci-containers-controller\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n name: aci-containers-controller\nspec:\n replicas: 1\n strategy:\n type: Recreate\n selector:\n matchLabels:\n name: aci-containers-controller\n network-plugin: aci-containers\n template:\n metadata:\n name: aci-containers-controller\n namespace: aci-containers-system\n labels:\n name: aci-containers-controller\n network-plugin: aci-containers\n spec:\n hostNetwork: true\n serviceAccountName: aci-containers-controller\n{{- if ne .ImagePullSecret \"\"}}\n imagePullSecrets:\n - name: {{.ImagePullSecret}}\n{{- end}}\n{{- if .Tolerations }}\n tolerations:\n{{ toYaml .Tolerations | indent 6}}\n{{- else }}\n tolerations:\n - effect: NoExecute\n operator: Exists\n tolerationSeconds: {{ .TolerationSeconds }}\n - effect: NoSchedule\n key: node.kubernetes.io/not-ready\n operator: Exists\n - effect: NoSchedule\n key: node-role.kubernetes.io/master\n operator: Exists\n{{- end }}\n{{- if ne .UseSystemNodePriorityClass \"false\"}}\n priorityClassName: system-node-critical\n{{- else if .UseAciContainersControllerPriorityClass}} \n priorityClassName: aci-containers-controller\n{{- else}} \n{{- if ne .NoPriorityClass \"true\"}}\n priorityClassName: system-node-critical\n{{- end}}\n{{- if eq .UseAciCniPriorityClass \"true\"}}\n priorityClassName: acicni-priority\n{{- end}}\n{{- end}}\n containers:\n - name: aci-containers-controller\n image: 
{{.AciControllerContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .AciContainersControllerMemoryLimit ) ( .AciContainersControllerMemoryRequest )}}\n resources:\n limits:\n{{- if .AciContainersControllerMemoryLimit }}\n memory: \"{{ .AciContainersControllerMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .AciContainersControllerMemoryRequest }}\n memory: \"{{ .AciContainersControllerMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}}\n env:\n - name: WATCH_NAMESPACE\n value: \"\"\n - name: ACI_SNAT_NAMESPACE\n value: \"aci-containers-system\"\n - name: ACI_SNAGLOBALINFO_NAME\n value: \"snatglobalinfo\"\n - name: ACI_RDCONFIG_NAME\n value: \"routingdomain-config\"\n - name: SYSTEM_NAMESPACE\n value: \"aci-containers-system\"\n volumeMounts:\n - name: controller-config-volume\n mountPath: /usr/local/etc/aci-containers/\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n - name: aci-user-cert-volume\n mountPath: /usr/local/etc/aci-cert/\n livenessProbe:\n failureThreshold: 10\n httpGet:\n path: /status\n port: 8091\n scheme: HTTP\n initialDelaySeconds: 120\n periodSeconds: 60\n successThreshold: 1\n timeoutSeconds: 30\n volumes:\n{{- if eq .CApic \"true\"}}\n - name: kafka-certs\n secret:\n secretName: kafka-client-certificates\n{{- end}}\n - name: aci-user-cert-volume\n secret:\n secretName: aci-user-cert\n - name: controller-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: controller-config\n path: controller.conf\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n{{- if eq .CApic \"true\"}}\n---\napiVersion: aci.aw/v1\nkind: 
PodIF\nmetadata:\n name: inet-route\n namespace: kube-system\nstatus:\n epg: aci-containers-inet-out\n ipaddr: 0.0.0.0/0\n{{- end}}\n---\napiVersion: v1\nkind: LimitRange\nmetadata:\n name: memory-limit-range\n namespace: aci-containers-system\nspec:\n limits:\n - default:\n memory: {{ .AciContainersMemoryLimit }}\n defaultRequest:\n memory: {{ .AciContainersMemoryRequest }}\n type: Container\n", + "aci-v6.0.4.2": "\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: acicontainersoperators.aci.ctrl\nspec:\n group: aci.ctrl\n names:\n kind: AciContainersOperator\n listKind: AciContainersOperatorList\n plural: acicontainersoperators\n singular: acicontainersoperator\n scope: Namespaced\n versions:\n - name: v1alpha1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n description: acicontainersoperator owns the lifecycle of ACI objects in the cluster\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: AciContainersOperatorSpec defines the desired spec for ACI Objects\n properties:\n flavor:\n type: string\n config:\n type: string\n type: object\n status:\n description: AciContainersOperatorStatus defines the successful completion of AciContainersOperator\n properties:\n status:\n type: boolean\n type: object\n required:\n - spec\n type: object\n---\napiVersion: v1\nkind: Namespace\nmetadata:\n name: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: nodepodifs.aci.aw\nspec:\n group: aci.aw\n names:\n kind: NodePodIF\n listKind: NodePodIFList\n plural: nodepodifs\n singular: nodepodif\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n 
spec:\n type: object\n properties:\n podifs:\n type: array\n items:\n type: object\n properties:\n containerID:\n type: string\n epg:\n type: string\n ifname:\n type: string\n ipaddr:\n type: string\n macaddr:\n type: string\n podname:\n type: string\n podns:\n type: string\n vtep:\n type: string\n required:\n - spec\n type: object\n---\n{{- if eq .UseAciCniPriorityClass \"true\"}}\napiVersion: scheduling.k8s.io/v1beta1\nkind: PriorityClass\nmetadata:\n name: acicni-priority\nvalue: 1000000000\nglobalDefault: false\ndescription: \"This priority class is used for ACI-CNI resources\"\n---\n{{- end }}\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatglobalinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatGlobalInfo\n listKind: SnatGlobalInfoList\n plural: snatglobalinfos\n singular: snatglobalinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n description: SnatGlobalInfo is the Schema for the snatglobalinfos API\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n globalInfos:\n additionalProperties:\n items:\n properties:\n macAddress:\n type: string\n portRanges:\n items:\n properties:\n end:\n maximum: 65535\n minimum: 1\n type: integer\n start:\n maximum: 65535\n minimum: 1\n type: integer\n type: object\n type: array\n snatIp:\n type: string\n snatIpUid:\n type: string\n snatPolicyName:\n type: string\n required:\n - macAddress\n - portRanges\n - snatIp\n - snatIpUid\n - snatPolicyName\n type: object\n type: array\n type: object\n required:\n - globalInfos\n type: object\n status:\n description: SnatGlobalInfoStatus defines the observed state of SnatGlobalInfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatlocalinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatLocalInfo\n listKind: 
SnatLocalInfoList\n plural: snatlocalinfos\n singular: snatlocalinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: SnatLocalInfoSpec defines the desired state of SnatLocalInfo\n properties:\n localInfos:\n items:\n properties:\n podName:\n type: string\n podNamespace:\n type: string\n podUid:\n type: string\n snatPolicies:\n items:\n properties:\n destIp:\n items:\n type: string\n type: array\n name:\n type: string\n snatIp:\n type: string\n required:\n - destIp\n - name\n - snatIp\n type: object\n type: array\n required:\n - podName\n - podNamespace\n - podUid\n - snatPolicies\n type: object\n type: array\n required:\n - localInfos\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatpolicies.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatPolicy\n listKind: SnatPolicyList\n plural: snatpolicies\n singular: snatpolicy\n scope: Cluster\n versions:\n - name: v1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n type: object\n properties:\n selector:\n type: object\n properties:\n labels:\n type: object\n description: 'Selection of Pods'\n properties:\n additionalProperties:\n type: string\n namespace:\n type: string\n type: object\n snatIp:\n type: array\n items:\n type: string\n destIp:\n type: array\n items:\n type: string\n type: object\n status:\n type: object\n properties:\n additionalProperties:\n type: string\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: nodeinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: NodeInfo\n listKind: NodeInfoList\n plural: nodeinfos\n singular: nodeinfo\n scope: Namespaced\n 
versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n macaddress:\n type: string\n snatpolicynames:\n additionalProperties:\n type: boolean\n type: object\n type: object\n status:\n description: NodeinfoStatus defines the observed state of Nodeinfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: rdconfigs.aci.snat\nspec:\n group: aci.snat\n names:\n kind: RdConfig\n listKind: RdConfigList\n plural: rdconfigs\n singular: rdconfig\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n discoveredsubnets:\n items:\n type: string\n type: array\n usersubnets:\n items:\n type: string\n type: array\n type: object\n status:\n description: NodeinfoStatus defines the observed state of Nodeinfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: networkpolicies.aci.netpol\nspec:\n group: aci.netpol\n names:\n kind: NetworkPolicy\n listKind: NetworkPolicyList\n plural: networkpolicies\n singular: networkpolicy\n scope: Namespaced\n versions:\n - name: v1\n schema:\n openAPIV3Schema:\n description: Network Policy describes traffic flow at IP address or port level\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n appliedTo:\n properties:\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n 
podSelector:\n description: allow ingress from the same namespace\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n egress:\n description: Set of egress rules evaluated based on the order in which they are set.\n items:\n properties:\n action:\n description: Action specifies the action to be applied on the rule.\n type: string\n enableLogging:\n description: EnableLogging is used to indicate if agent should generate logs default to false.\n type: boolean\n ports:\n description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports.\n items:\n description: NetworkPolicyPort describes the port and protocol to match in a rule.\n properties:\n endPort:\n description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical port is specified.\n format: int32\n type: integer\n port:\n anyOf:\n - type: integer\n - type: string\n description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers.\n x-kubernetes-int-or-string: true\n protocol:\n default: TCP\n description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.\n type: string\n type: object\n type: array\n to:\n description: Rule is matched if traffic is intended for workloads selected by this field. If this field is empty or missing, this rule matches all destinations.\n items:\n properties:\n ipBlock:\n description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. 
Cannot be set with any other selector.\n properties:\n cidr:\n description: CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\"\n type: string\n except:\n description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\" Except values will be rejected if they are outside the CIDR range\n items:\n type: string\n type: array\n required:\n - cidr\n type: object\n namespaceSelector:\n description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector.\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: Select Pods from NetworkPolicys Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. 
Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n type: array\n toFqDn:\n properties:\n matchNames:\n items:\n type: string\n type: array\n required:\n - matchNames\n type: object\n required:\n - enableLogging\n - toFqDn\n type: object\n type: array\n ingress:\n description: Set of ingress rules evaluated based on the order in which they are set.\n items:\n properties:\n action:\n description: Action specifies the action to be applied on the rule.\n type: string\n enableLogging:\n description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false.\n type: boolean\n from:\n description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources.\n items:\n properties:\n ipBlock:\n description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. 
Cannot be set with any other selector.\n properties:\n cidr:\n description: CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\"\n type: string\n except:\n description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\" Except values will be rejected if they are outside the CIDR range\n items:\n type: string\n type: array\n required:\n - cidr\n type: object\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: Select Pods from NetworkPolicys Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.\n properties:\n matchExpressions:\n description: matchExpressions is a list of label selector requirements. The requirements are ANDed.\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n type: array\n ports:\n description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports.\n items:\n description: NetworkPolicyPort describes the port and protocol to match in a rule.\n properties:\n endPort:\n description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical port is specified.\n format: int32\n type: integer\n port:\n anyOf:\n - type: integer\n - type: string\n description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers.\n x-kubernetes-int-or-string: true\n protocol:\n default: TCP\n description: The protocol (TCP, UDP, or SCTP) which traffic must match. 
If not specified, this field defaults to TCP.\n type: string\n type: object\n type: array\n type: object\n type: array\n policyTypes:\n items:\n description: Policy Type string describes the NetworkPolicy type This type is beta-level in 1.8\n type: string\n type: array\n priority:\n description: Priority specfies the order of the NetworkPolicy relative to other NetworkPolicies.\n type: integer\n type:\n description: type of the policy.\n type: string\n required:\n - type\n type: object\n required:\n - spec\n type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: dnsnetworkpolicies.aci.dnsnetpol\nspec:\n group: aci.dnsnetpol\n names:\n kind: DnsNetworkPolicy\n listKind: DnsNetworkPolicyList\n plural: dnsnetworkpolicies\n singular: dnsnetworkpolicy\n scope: Namespaced\n versions:\n - name: v1beta\n schema:\n openAPIV3Schema:\n description: dns network Policy\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n appliedTo:\n properties:\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: allow ingress from the same namespace\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a keys relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n egress:\n description: Set of egress rules evaluated based on the order in which they are set.\n properties:\n toFqdn:\n properties:\n matchNames:\n items:\n type: string\n type: array\n required:\n - matchNames\n type: object\n required:\n - toFqdn\n type: object\n type: object\n required:\n - spec\n type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: qospolicies.aci.qos\nspec:\n group: aci.qos\n names:\n kind: QosPolicy\n listKind: QosPolicyList\n plural: qospolicies\n singular: qospolicy\n scope: Namespaced\n preserveUnknownFields: false\n versions:\n - name: v1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n podSelector:\n description: 'Selection of Pods'\n type: object\n properties:\n matchLabels:\n type: object\n description:\n ingress:\n type: object\n properties:\n policing_rate:\n type: integer\n minimum: 0\n policing_burst:\n type: integer\n minimum: 0\n egress:\n type: object\n properties:\n policing_rate:\n type: integer\n minimum: 0\n policing_burst:\n type: integer\n minimum: 0\n dscpmark:\n type: integer\n default: 0\n minimum: 0\n maximum: 63\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: netflowpolicies.aci.netflow\nspec:\n group: aci.netflow\n names:\n kind: NetflowPolicy\n listKind: NetflowPolicyList\n plural: netflowpolicies\n singular: 
netflowpolicy\n scope: Cluster\n preserveUnknownFields: false\n versions:\n - name: v1alpha\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n flowSamplingPolicy:\n type: object\n properties:\n destIp:\n type: string\n destPort:\n type: integer\n minimum: 0\n maximum: 65535\n default: 2055\n flowType:\n type: string\n enum:\n - netflow\n - ipfix\n default: netflow\n activeFlowTimeOut:\n type: integer\n minimum: 0\n maximum: 3600\n default: 60\n idleFlowTimeOut:\n type: integer\n minimum: 0\n maximum: 600\n default: 15\n samplingRate:\n type: integer\n minimum: 0\n maximum: 1000\n default: 0\n required:\n - destIp\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: erspanpolicies.aci.erspan\nspec:\n group: aci.erspan\n names:\n kind: ErspanPolicy\n listKind: ErspanPolicyList\n plural: erspanpolicies\n singular: erspanpolicy\n scope: Cluster\n preserveUnknownFields: false\n versions:\n - name: v1alpha\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n selector:\n type: object\n description: 'Selection of Pods'\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n namespace:\n type: string\n source:\n type: object\n properties:\n adminState:\n description: Administrative state.\n default: start\n type: string\n enum:\n - start\n - stop\n direction:\n description: Direction of the packets to monitor.\n default: both\n type: string\n enum:\n - in\n - out\n - both\n destination:\n type: object\n properties:\n destIP:\n description: Destination IP of the ERSPAN packet.\n type: string\n flowID:\n description: Unique flow ID of the ERSPAN packet.\n default: 1\n 
type: integer\n minimum: 1\n maximum: 1023\n required:\n - destIP\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: enabledroplogs.aci.droplog\nspec:\n group: aci.droplog\n names:\n kind: EnableDropLog\n listKind: EnableDropLogList\n plural: enabledroplogs\n singular: enabledroplog\n scope: Cluster\n versions:\n - name: v1alpha1\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n description: Defines the desired state of EnableDropLog\n type: object\n properties:\n disableDefaultDropLog:\n description: Disables the default droplog enabled by acc-provision.\n default: false\n type: boolean\n nodeSelector:\n type: object\n description: Drop logging is enabled on nodes selected based on labels\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: prunedroplogs.aci.droplog\nspec:\n group: aci.droplog\n names:\n kind: PruneDropLog\n listKind: PruneDropLogList\n plural: prunedroplogs\n singular: prunedroplog\n scope: Cluster\n versions:\n - name: v1alpha1\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n description: Defines the desired state of PruneDropLog\n type: object\n properties:\n nodeSelector:\n type: object\n description: Drop logging filters are applied to nodes selected based on labels\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n dropLogFilters:\n type: object\n properties:\n srcIP:\n type: string\n destIP:\n type: string\n srcMAC:\n type: string\n destMAC:\n type: string\n srcPort:\n type: integer\n 
destPort:\n type: integer\n ipProto:\n type: integer\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: accprovisioninputs.aci.ctrl\nspec:\n group: aci.ctrl\n names:\n kind: AccProvisionInput\n listKind: AccProvisionInputList\n plural: accprovisioninputs\n singular: accprovisioninput\n scope: Namespaced\n versions:\n - name: v1alpha1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n description: accprovisioninput defines the input configuration for ACI CNI\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: AccProvisionInputSpec defines the desired spec for accprovisioninput object\n properties:\n acc_provision_input:\n type: object\n properties:\n operator_managed_config:\n type: object\n properties:\n enable_updates:\n type: boolean\n aci_config:\n type: object\n properties:\n sync_login:\n type: object\n properties:\n certfile:\n type: string\n keyfile:\n type: string\n client_ssl:\n type: boolean\n net_config:\n type: object\n properties:\n interface_mtu:\n type: integer\n service_monitor_interval:\n type: integer\n pbr_tracking_non_snat:\n type: boolean\n pod_subnet_chunk_size:\n type: integer\n disable_wait_for_network:\n type: boolean\n duration_wait_for_network:\n type: integer\n registry:\n type: object\n properties:\n image_prefix:\n type: string\n image_pull_secret:\n type: string\n aci_containers_operator_version:\n type: string\n aci_containers_controller_version:\n type: string\n aci_containers_host_version:\n type: string\n acc_provision_operator_version:\n type: string\n aci_cni_operator_version:\n type: string\n cnideploy_version:\n type: string\n opflex_agent_version:\n type: string\n openvswitch_version:\n type: string\n gbp_version:\n type: string\n logging:\n type: object\n properties:\n controller_log_level:\n type: string\n hostagent_log_level:\n type: string\n opflexagent_log_level:\n type: 
string\n istio_config:\n type: object\n properties:\n install_profile:\n type: string\n multus:\n type: object\n properties:\n disable:\n type: boolean\n drop_log_config:\n type: object\n properties:\n enable:\n type: boolean\n nodepodif_config:\n type: object\n properties:\n enable:\n type: boolean\n sriov_config:\n type: object\n properties:\n enable:\n type: boolean\n kube_config:\n type: object\n properties:\n ovs_memory_limit:\n type: string\n use_privileged_containers:\n type: boolean\n image_pull_policy:\n type: string\n reboot_opflex_with_ovs:\n type: string\n snat_operator:\n type: object\n properties:\n port_range:\n type: object\n properties:\n start:\n type: integer\n end:\n type: integer\n ports_per_node:\n type: integer\n contract_scope:\n type: string\n disable_periodic_snat_global_info_sync:\n type: boolean\n type: object\n status:\n description: AccProvisionInputStatus defines the successful completion of AccProvisionInput\n properties:\n status:\n type: boolean\n type: object\n required:\n - spec\n type: object\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: aci-containers-config\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\ndata:\n controller-config: |-\n {\n \"log-level\": \"{{.ControllerLogLevel}}\",\n \"apic-hosts\": {{.ApicHosts}},\n{{- if ne .AciMultipod \"false\" }}\n \"aci-multipod\": {{.AciMultipod}},\n{{- end}}\n{{- if .OpflexDeviceReconnectWaitTimeout }}\n \"opflex-device-reconnect-wait-timeout\": {{.OpflexDeviceReconnectWaitTimeout}},\n{{- end}}\n \"apic-refreshtime\": \"{{.ApicRefreshTime}}\",\n \"apic-subscription-delay\": {{.ApicSubscriptionDelay}},\n \"apic_refreshticker_adjust\": \"{{.ApicRefreshTickerAdjust}}\",\n \"apic-username\": \"{{.ApicUserName}}\",\n \"apic-private-key-path\": \"/usr/local/etc/aci-cert/user.key\",\n \"aci-prefix\": \"{{.SystemIdentifier}}\",\n \"aci-vmm-type\": \"Kubernetes\",\n{{- if ne .VmmDomain \"\"}}\n 
\"aci-vmm-domain\": \"{{.VmmDomain}}\",\n{{- else}}\n \"aci-vmm-domain\": \"{{.SystemIdentifier}}\",\n{{- end}}\n{{- if ne .VmmController \"\"}}\n \"aci-vmm-controller\": \"{{.VmmController}}\",\n{{- else}}\n \"aci-vmm-controller\": \"{{.SystemIdentifier}}\",\n{{- end}}\n \"aci-policy-tenant\": \"{{.Tenant}}\",\n{{- if ne .CApic \"false\"}}\n \"lb-type\": \"None\",\n{{- end}}\n{{- if ne .HppOptimization \"false\"}}\n \"hpp-optimization\": {{.HppOptimization}},\n{{- end}}\n{{- if ne .DisableHppRendering \"false\"}}\n \"disable-hpp-rendering\": {{.DisableHppRendering}},\n{{- end}}\n{{- if ne .NoWaitForServiceEpReadiness \"false\"}}\n \"no-wait-for-service-ep-readiness\": {{.NoWaitForServiceEpReadiness}},\n{{- end}}\n{{- if ne .ServiceGraphEndpointAddDelay \"0\"}}\n \"service-graph-endpoint-add-delay\" : {\n \"delay\": {{.ServiceGraphEndpointAddDelay}},\n \"services\": [{{- range $index, $item :=.ServiceGraphEndpointAddServices }}{{- if $index}},{{end}}{ {{- range $k, $v := $item }}\"{{ $k }}\": \"{{ $v }}\"{{if eq $k \"name\"}},{{end}}{{- end}}}{{end}}]\n },\n{{- end}}\n{{- if ne .AddExternalSubnetsToRdconfig \"false\"}}\n \"add-external-subnets-to-rdconfig\": {{.AddExternalSubnetsToRdconfig}},\n{{- end}}\n{{- if ne .DisablePeriodicSnatGlobalInfoSync \"false\"}}\n \"disable-periodic-snat-global-info-sync\": {{.DisablePeriodicSnatGlobalInfoSync}},\n{{- end}}\n{{- if .NodeSnatRedirectExclude }}\n \"node-snat-redirect-exclude\": [{{ range $index,$item := .NodeSnatRedirectExclude}}{{- if $index}}, {{end }}{\"group\": \"{{ index $item \"group\" }}\", \"labels\": {{ index $item \"labels\" }}}{{ end }}],\n{{- end }}\n{{- if .ApicConnectionRetryLimit}}\n \"apic-connection-retry-limit\": {{.ApicConnectionRetryLimit}},\n{{- end}}\n \"opflex-device-delete-timeout\": {{.OpflexDeviceDeleteTimeout}},\n \"sleep-time-snat-global-info-sync\": {{.SleepTimeSnatGlobalInfoSync}},\n{{- /* Commenting code to disable the install_istio flag as the functionality\n is disabled to remove 
dependency from istio.io/istio package.\n Vulnerabilties were detected by quay.io security scan of aci-containers-controller\n and aci-containers-operator images for istio.io/istio package \n \"install-istio\": {{.InstallIstio}},\n \"istio-profile\": \"{{.IstioProfile}}\",\n*/}}\n{{- if ne .CApic \"true\"}}\n \"aci-podbd-dn\": \"uni/tn-{{.Tenant}}/BD-aci-containers-{{.SystemIdentifier}}-pod-bd\",\n \"aci-nodebd-dn\": \"uni/tn-{{.Tenant}}/BD-aci-containers-{{.SystemIdentifier}}-node-bd\",\n{{- end}}\n \"aci-service-phys-dom\": \"{{.SystemIdentifier}}-pdom\",\n \"aci-service-encap\": \"vlan-{{.ServiceVlan}}\",\n \"aci-service-monitor-interval\": {{.ServiceMonitorInterval}},\n \"aci-pbr-tracking-non-snat\": {{.PBRTrackingNonSnat}},\n \"aci-vrf-tenant\": \"{{.VRFTenant}}\",\n \"aci-l3out\": \"{{.L3Out}}\",\n \"aci-ext-networks\": {{.L3OutExternalNetworks}},\n{{- if ne .CApic \"true\"}}\n \"aci-vrf\": \"{{.VRFName}}\",\n{{- else}}\n \"aci-vrf\": \"{{.OverlayVRFName}}\",\n{{- end}}\n \"app-profile\": \"aci-containers-{{.SystemIdentifier}}\",\n{{- if ne .AddExternalContractToDefaultEpg \"false\"}}\n \"add-external-contract-to-default-epg\": {{.AddExternalContractToDefaultEpg}},\n{{- end}} \n \"default-endpoint-group\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-default\"\n{{- else}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}\"\n{{- end}}\n },\n \"max-nodes-svc-graph\": {{.MaxNodesSvcGraph}},\n \"namespace-default-endpoint-group\": {\n \"aci-containers-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"istio-operator\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": 
\"aci-containers-istio\"\n{{- end}}\n },\n \"istio-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"kube-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-prometheus\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-logging\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n } },\n \"service-ip-pool\": [{{- range $index, $item := .ServiceIPPool }}{{- if $index}},{{end}}{ \"start\": \"{{ $item.Start }}\", \"end\": \"{{ $item.End}}\" }{{end}}],\n \"extern-static\": [{{- range $index, $item := .StaticExternalSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"extern-dynamic\": [{{- range $index, $item := .DynamicExternalSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"snat-contract-scope\": \"{{.SnatContractScope}}\",\n \"static-service-ip-pool\": [{{- range $index, $item := .StaticServiceIPPool }}{{- if $index}},{{end}}{ \"start\": \"{{ $item.Start }}\", \"end\": \"{{ $item.End }}\" }{{end}}],\n{{- if and (ne .TaintNotReadyNode \"false\") (ne .TaintNotReadyNode \"False\") }}\n \"taint-not-ready\": true,\n{{- end}}\n \"pod-ip-pool\": [{{- range $index, $item := 
.PodIPPool }}{{- if $index}},{{end}}{ \"start\": \"{{ $item.Start }}\", \"end\": \"{{ $item.End}}\" }{{end}}],\n \"pod-subnet\": [{{- range $index, $item := .PodSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"pod-subnet-chunk-size\": {{.PodSubnetChunkSize}},\n \"node-service-ip-pool\": [\n {\n \"end\": \"{{.NodeServiceIPEnd}}\",\n \"start\": \"{{.NodeServiceIPStart}}\"\n }\n ],\n \"node-service-subnets\": [\n \"{{.ServiceGraphSubnet}}\"\n ],\n \"enable_endpointslice\": {{.EnableEndpointSlice}}\n }\n host-agent-config: |-\n {\n \"app-profile\": \"aci-containers-{{.SystemIdentifier}}\",\n{{- if ne .EpRegistry \"\"}}\n \"ep-registry\": \"{{.EpRegistry}}\",\n{{- else}}\n \"ep-registry\": null,\n{{- end}}\n{{- if ne .AciMultipod \"false\" }}\n \"aci-multipod\": {{.AciMultipod}},\n{{- end}}\n{{- if ne .DhcpRenewMaxRetryCount \"0\" }}\n \"dhcp-renew-max-retry-count\": {{.DhcpRenewMaxRetryCount}},\n{{- end}}\n{{- if ne .DhcpDelay \"0\" }}\n \"dhcp-delay\": {{.DhcpDelay}},\n{{- end}}\n{{- if ne .EnableOpflexAgentReconnect \"false\"}}\n \"enable-opflex-agent-reconnect\": {{.EnableOpflexAgentReconnect}},\n{{- end}}\n{{- if ne .OpflexMode \"\"}}\n \"opflex-mode\": \"{{.OpflexMode}}\",\n{{- else}}\n \"opflex-mode\": null,\n{{- end}}\n \"log-level\": \"{{.HostAgentLogLevel}}\",\n \"aci-snat-namespace\": \"{{.SnatNamespace}}\",\n \"aci-vmm-type\": \"Kubernetes\",\n{{- if ne .VmmDomain \"\"}}\n \"aci-vmm-domain\": \"{{.VmmDomain}}\",\n{{- else}}\n \"aci-vmm-domain\": \"{{.SystemIdentifier}}\",\n{{- end}}\n{{- if ne .VmmController \"\"}}\n \"aci-vmm-controller\": \"{{.VmmController}}\",\n{{- else}}\n \"aci-vmm-controller\": \"{{.SystemIdentifier}}\",\n{{- end}}\n \"aci-prefix\": \"{{.SystemIdentifier}}\",\n{{- if ne .CApic \"true\"}}\n \"aci-vrf\": \"{{.VRFName}}\",\n{{- else}}\n \"aci-vrf\": \"{{.OverlayVRFName}}\",\n{{- end}}\n \"aci-vrf-tenant\": \"{{.VRFTenant}}\",\n \"service-vlan\": {{.ServiceVlan}},\n \"kubeapi-vlan\": {{.KubeAPIVlan}},\n{{- if ne .HppOptimization 
\"false\"}}\n \"hpp-optimization\": {{.HppOptimization}},\n{{- end}}\n{{- if ne .DisableHppRendering \"false\"}}\n \"disable-hpp-rendering\": {{.DisableHppRendering}},\n{{- end}}\n \"pod-subnet\": [{{- range $index, $item := .PodSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"node-subnet\": [{{- range $index, $item := .NodeSubnet }}{{- if $index}},{{end}}{{$item}}{{end}}],\n \"encap-type\": \"{{.EncapType}}\",\n \"aci-infra-vlan\": {{.InfraVlan}},\n{{- if .MTU}}\n{{- if ne .MTU 0}}\n \"interface-mtu\": {{.MTU}},\n{{- end}}\n{{- end}}\n{{- if .MTUHeadRoom}}\n{{- if ne .MTUHeadRoom \"0\"}}\n \"interface-mtu-headroom\": {{.MTUHeadRoom}},\n{{- end}}\n{{- end}}\n \"cni-netconfig\": [{{- range $index, $item := .PodNetwork }}{{- if $index}},{{end}}{ \"gateway\": \"{{ $item.Gateway }}\", \"subnet\": \"{{ $item.Subnet }}\", \"routes\": [{ \"dst\": \"0.0.0.0/0\", \"gw\": \"{{ $item.Gateway }}\" }]}{{end}}],\n \"default-endpoint-group\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-default\"\n{{- else}}\n \"name\": \"aci-containers-default\"\n{{- end}}\n },\n \"namespace-default-endpoint-group\": {\n \"aci-containers-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"istio-operator\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"istio-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-istio\"\n{{- else}}\n \"name\": \"aci-containers-istio\"\n{{- end}}\n },\n \"kube-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": 
\"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-system\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-prometheus\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n },\n \"cattle-logging\": {\n \"policy-space\": \"{{.Tenant}}\",\n{{- if ne .CApic \"true\"}}\n \"name\": \"aci-containers-{{.SystemIdentifier}}|aci-containers-system\"\n{{- else}}\n \"name\": \"aci-containers-system\"\n{{- end}}\n } },\n \"enable-drop-log\": {{.DropLogEnable}},\n{{- if and (ne .DropLogDisableEvents \"false\") (ne .DropLogDisableEvents \"False\")}}\n \"packet-event-notification-socket\": \"\",\n{{- end}}\n \"enable_endpointslice\": {{.EnableEndpointSlice}},\n \"enable-nodepodif\": {{.NodePodIfEnable}},\n{{- if and (ne .TaintNotReadyNode \"false\") (ne .TaintNotReadyNode \"False\") }}\n \"taint-not-ready\": true,\n{{- end}} \n \"enable-ovs-hw-offload\": {{.SriovEnable}}\n }\n opflex-agent-config: |-\n {\n \"log\": {\n \"level\": \"{{.OpflexAgentLogLevel}}\"\n },\n \"opflex\": {\n{{- if eq .OpflexClientSSL \"false\"}}\n \"ssl\": { \"mode\": \"disabled\"},\n{{- end}}\n{{- if eq .OpflexAgentStatistics \"false\"}}\n \"statistics\" : { \"mode\" : \"off\" },\n{{- end}}\n \"timers\" : {\n{{- if .OpflexAgentPolicyRetryDelayTimer}}\n \"policy-retry-delay\": {{.OpflexAgentPolicyRetryDelayTimer}},\n{{- end}}\n \"switch-sync-delay\": {{.OpflexSwitchSyncDelay}},\n \"switch-sync-dynamic\": {{.OpflexSwitchSyncDynamic}}\n },\n \"startup\": {\n \"enabled\": \"{{.OpflexStartupEnabled}}\",\n \"policy-file\": \"/usr/local/var/lib/opflex-agent-ovs/startup/pol.json\",\n \"policy-duration\": 
{{.OpflexStartupPolicyDuration}},\n \"resolve-aft-conn\": \"{{.OpflexStartupResolveAftConn}}\"\n },\n \"notif\" : { \"enabled\" : \"false\" },\n \"asyncjson\": { \"enabled\" : {{.OpflexAgentOpflexAsyncjsonEnabled}} }\n },\n \"ovs\": {\n \"asyncjson\": { \"enabled\" : {{.OpflexAgentOvsAsyncjsonEnabled}} }\n }\n }\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: snat-operator-config\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\ndata:\n \"start\": \"{{.SnatPortRangeStart}}\"\n \"end\": \"{{.SnatPortRangeEnd}}\"\n \"ports-per-node\": \"{{.SnatPortsPerNode}}\"\n---\napiVersion: v1\nkind: Secret\nmetadata:\n name: aci-user-cert\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\ndata:\n user.key: {{.ApicUserKey}}\n user.crt: {{.ApicUserCrt}}\n---\n{{- if eq .CApic \"true\"}}\napiVersion: v1\nkind: Secret\nmetadata:\n name: kafka-client-certificates\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\ndata:\n ca.crt: {{.KafkaClientCrt}}\n kafka-client.crt: {{.KafkaClientCrt}}\n kafka-client.key: {{.KafkaClientKey}}\n---\n{{- end}}\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: aci-containers-controller\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: aci-containers-host-agent\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n---\n{{- if eq .UseClusterRole \"true\"}}\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n name: aci-containers-controller\nrules:\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - namespaces\n - pods\n - endpoints\n - services\n - events\n - replicationcontrollers\n - serviceaccounts\n verbs:\n - list\n - 
watch\n - get\n - patch\n - create\n - update\n - delete\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n- apiGroups:\n - \"apiextensions.k8s.io\"\n resources:\n - customresourcedefinitions\n verbs:\n - '*'\n- apiGroups:\n - \"rbac.authorization.k8s.io\"\n resources:\n - clusterroles\n - clusterrolebindings\n verbs:\n - '*'\n{{- /* Commenting code to disable the install_istio flag as the functionality\n is disabled to remove dependency from istio.io/istio package.\n Vulnerabilties were detected by quay.io security scan of aci-containers-controller\n and aci-containers-operator images for istio.io/istio package\n{{- if ne .InstallIstio \"false\"}}\n- apiGroups:\n - \"install.istio.io\"\n resources:\n - istiocontrolplanes\n - istiooperators\n verbs:\n - '*'\n- apiGroups:\n - \"aci.istio\"\n resources:\n - aciistiooperators\n - aciistiooperator\n verbs:\n - '*'\n{{- end}}\n*/}}\n- apiGroups:\n - \"networking.k8s.io\"\n resources:\n - networkpolicies\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"apps\"\n resources:\n - deployments\n - replicasets\n - daemonsets\n - statefulsets\n verbs:\n - '*'\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - services/status\n verbs:\n - update\n- apiGroups:\n - \"monitoring.coreos.com\"\n resources:\n - servicemonitors\n verbs:\n - get\n - create\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatpolicies/finalizers\n - snatpolicies/status\n - nodeinfos\n verbs:\n - update\n - create\n - list\n - watch\n - get\n - delete\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatglobalinfos\n - snatpolicies\n - nodeinfos\n - rdconfigs\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n- apiGroups:\n - \"aci.qos\"\n resources:\n - qospolicies\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n - patch\n- apiGroups:\n - \"aci.netflow\"\n resources:\n - netflowpolicies\n verbs:\n - list\n - watch\n - get\n - update\n- 
apiGroups:\n - \"aci.erspan\"\n resources:\n - erspanpolicies\n verbs:\n - list\n - watch\n - get\n - update\n- apiGroups:\n - \"aci.aw\"\n resources:\n - nodepodifs\n verbs:\n - '*'\n- apiGroups:\n - apps.openshift.io\n resources:\n - deploymentconfigs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - discovery.k8s.io\n resources:\n - endpointslices\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.netpol\"\n resources:\n - networkpolicies\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - delete\n- apiGroups:\n - \"aci.dnsnetpol\"\n resources:\n - dnsnetworkpolicies\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - delete\n---\n{{- end}}\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n name: aci-containers-host-agent\nrules:\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - namespaces\n - pods\n - endpoints\n - services\n - replicationcontrollers\n verbs:\n - list\n - watch\n - get\n{{- if ne .DropLogEnable \"false\"}}\n - update\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - create\n - patch\n{{- end}}\n- apiGroups:\n - \"apiextensions.k8s.io\"\n resources:\n - customresourcedefinitions\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"networking.k8s.io\"\n resources:\n - networkpolicies\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"apps\"\n resources:\n - deployments\n - replicasets\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatpolicies\n - snatglobalinfos\n - rdconfigs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.qos\"\n resources:\n - qospolicies\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n - patch\n- apiGroups:\n - \"aci.droplog\"\n resources:\n - enabledroplogs\n - prunedroplogs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.snat\"\n resources:\n - nodeinfos\n - snatlocalinfos\n 
verbs:\n - create\n - update\n - list\n - watch\n - get\n - delete\n- apiGroups:\n - discovery.k8s.io\n resources:\n - endpointslices\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.netpol\"\n resources:\n - networkpolicies\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.aw\"\n resources:\n - nodepodifs\n verbs:\n - \"*\"\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: aci-containers-controller\n labels:\n aci-containers-config-version: \"{{.Token}}\"\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: aci-containers-controller\nsubjects:\n- kind: ServiceAccount\n name: aci-containers-controller\n namespace: aci-containers-system\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: aci-containers-host-agent\n labels:\n aci-containers-config-version: \"{{.Token}}\"\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: aci-containers-host-agent\nsubjects:\n- kind: ServiceAccount\n name: aci-containers-host-agent\n namespace: aci-containers-system\n---\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: aci-containers-host\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\nspec:\n updateStrategy:\n type: RollingUpdate\n selector:\n matchLabels:\n name: aci-containers-host\n network-plugin: aci-containers\n template:\n metadata:\n labels:\n name: aci-containers-host\n network-plugin: aci-containers\n annotations:\n prometheus.io/scrape: \"true\"\n prometheus.io/port: \"9612\"\n spec:\n hostNetwork: true\n hostPID: true\n hostIPC: true\n serviceAccountName: aci-containers-host-agent\n{{- if ne .ImagePullSecret \"\"}}\n imagePullSecrets:\n - name: {{.ImagePullSecret}}\n{{- end}}\n tolerations:\n - operator: Exists\n initContainers:\n - name: cnideploy\n image: {{.AciCniDeployContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n 
securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - SYS_ADMIN\n volumeMounts:\n - name: cni-bin\n mountPath: /mnt/cni-bin\n{{- if ne .UseSystemNodePriorityClass \"false\"}}\n priorityClassName: system-node-critical\n{{- else if .UseAciContainersHostPriorityClass}} \n priorityClassName: aci-containers-host\n{{- else}} \n{{- if ne .NoPriorityClass \"true\"}}\n priorityClassName: system-cluster-critical\n{{- end}}\n{{- if eq .UseAciCniPriorityClass \"true\"}}\n priorityClassName: acicni-priority\n{{- end}}\n{{- end}}\n containers:\n - name: aci-containers-host\n image: {{.AciHostContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .AciContainersHostMemoryLimit ) ( .AciContainersHostMemoryRequest )}}\n resources:\n limits:\n{{- if .AciContainersHostMemoryLimit }}\n memory: \"{{ .AciContainersHostMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .AciContainersHostMemoryRequest }}\n memory: \"{{ .AciContainersHostMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}}\n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - SYS_ADMIN\n - NET_ADMIN\n - SYS_PTRACE\n - NET_RAW\n env:\n - name: KUBERNETES_NODE_NAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n - name: TENANT\n value: \"{{.Tenant}}\"\n{{- if ne .MultusDisable \"true\"}}\n - name: MULTUS\n value: true\n{{- end}}\n{{- if eq .DisableWaitForNetwork \"true\"}}\n - name: DISABLE_WAIT_FOR_NETWORK\n value: true\n{{- else}}\n - name: DURATION_WAIT_FOR_NETWORK\n value: \"{{.DurationWaitForNetwork}}\"\n{{- end}}\n volumeMounts:\n - name: cni-bin\n mountPath: /mnt/cni-bin\n - name: cni-conf\n mountPath: /mnt/cni-conf\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: 
opflex-hostconfig-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/base-conf.d\n - name: host-config-volume\n mountPath: /usr/local/etc/aci-containers/\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n{{- if eq .AciMultipod \"true\" }}\n - name: dhclient\n mountPath: /var/lib/dhclient\n{{- end}}\n{{- if eq .UseHostNetnsVolume \"true\"}}\n - mountPath: /run/netns\n name: host-run-netns\n readOnly: true\n mountPropagation: HostToContainer\n{{- end}}\n{{- if ne .MultusDisable \"true\"}}\n - name: multus-cni-conf\n mountPath: /mnt/multus-cni-conf\n{{- end}}\n livenessProbe:\n failureThreshold: 10\n httpGet:\n path: /status\n port: 8090\n scheme: HTTP\n initialDelaySeconds: 120\n periodSeconds: 60\n successThreshold: 1\n timeoutSeconds: 30\n - name: opflex-agent\n env:\n - name: REBOOT_WITH_OVS\n value: \"true\"\n{{- if ne .OpflexOpensslCompat \"false\"}}\n - name: OPENSSL_CONF\n value: \"/etc/pki/tls/openssl11.cnf\" \n{{- end}}\n image: {{.AciOpflexContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .OpflexAgentMemoryLimit ) ( .OpflexAgentMemoryRequest )}}\n resources:\n limits:\n{{- if .OpflexAgentMemoryLimit }}\n memory: \"{{ .OpflexAgentMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .OpflexAgentMemoryRequest }}\n memory: \"{{ .OpflexAgentMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}} \n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - NET_ADMIN\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: opflex-hostconfig-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/base-conf.d\n - name: opflex-config-volume\n 
mountPath: /usr/local/etc/opflex-agent-ovs/conf.d\n{{- if eq .RunOpflexServerContainer \"true\"}}\n - name: opflex-server\n image: {{.AciOpflexContainer}}\n command: [\"/bin/sh\"]\n args: [\"/usr/local/bin/launch-opflexserver.sh\"]\n imagePullPolicy: {{.ImagePullPolicy}}\n securityContext:\n capabilities:\n add:\n - NET_ADMIN\n ports:\n - containerPort: {{.OpflexServerPort}}\n - name: metrics\n containerPort: 9632\n terminationMessagePath: /dev/termination-log\n terminationMessagePolicy: File\n volumeMounts:\n - name: opflex-server-config-volume\n mountPath: /usr/local/etc/opflex-server\n - name: hostvar\n mountPath: /usr/local/var\n{{- end}}\n{{- if ne .OpflexMode \"overlay\"}}\n - name: mcast-daemon\n image: {{.AciMcastContainer}}\n command: [\"/bin/sh\"]\n args: [\"/usr/local/bin/launch-mcastdaemon.sh\"]\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .McastDaemonMemoryLimit ) ( .McastDaemonMemoryRequest )}}\n resources:\n limits:\n{{- if .McastDaemonMemoryLimit }}\n memory: \"{{ .McastDaemonMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .McastDaemonMemoryRequest }}\n memory: \"{{ .McastDaemonMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}}\n{{- if eq .UsePrivilegedContainer \"true\"}}\n securityContext:\n privileged: true\n{{- end}}\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n{{- end}}\n restartPolicy: Always\n volumes:\n - name: cni-bin\n hostPath:\n path: /opt\n - name: cni-conf\n hostPath:\n path: /etc\n - name: hostvar\n hostPath:\n path: /var\n - name: hostrun\n hostPath:\n path: /run\n - name: host-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: host-agent-config\n path: host-agent.conf\n - name: opflex-hostconfig-volume\n emptyDir:\n medium: Memory\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: 
varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n{{- if eq .AciMultipod \"true\" }}\n{{- if eq .AciMultipodUbuntu \"true\" }}\n - name: dhclient\n hostPath:\n path: /var/lib/dhcp\n{{- else}}\n - name: dhclient\n hostPath:\n path: /var/lib/dhclient\n{{- end}}\n{{- end}}\n - name: opflex-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: opflex-agent-config\n path: local.conf\n{{- if eq .UseOpflexServerVolume \"true\"}}\n - name: opflex-server-config-volume\n{{- end}}\n{{- if eq .UseHostNetnsVolume \"true\"}}\n - name: host-run-netns\n hostPath:\n path: /run/netns\n{{- end}}\n{{- if ne .MultusDisable \"true\" }}\n - name: multus-cni-conf\n hostPath:\n path: /var/run/multus/\n{{- end}}\n---\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: aci-containers-openvswitch\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\nspec:\n updateStrategy:\n type: RollingUpdate\n selector:\n matchLabels:\n name: aci-containers-openvswitch\n network-plugin: aci-containers\n template:\n metadata:\n labels:\n name: aci-containers-openvswitch\n network-plugin: aci-containers\n spec:\n hostNetwork: true\n hostPID: true\n hostIPC: true\n serviceAccountName: aci-containers-host-agent\n{{- if ne .ImagePullSecret \"\"}}\n imagePullSecrets:\n - name: {{.ImagePullSecret}}\n{{end}}\n tolerations:\n - operator: Exists \n{{- if ne .UseSystemNodePriorityClass \"false\"}}\n priorityClassName: system-node-critical\n{{- else if .UseAciContainersOpenvswitchPriorityClass}} \n priorityClassName: aci-containers-openvswitch\n{{- else}} \n{{- if ne .NoPriorityClass \"true\"}}\n priorityClassName: system-cluster-critical\n{{- end}}\n{{- if eq .UseAciCniPriorityClass \"true\"}}\n priorityClassName: acicni-priority\n{{- end}}\n{{- end}}\n containers:\n - name: aci-containers-openvswitch\n image: {{.AciOpenvSwitchContainer}}\n 
imagePullPolicy: {{.ImagePullPolicy}}\n resources:\n limits:\n memory: \"{{.OVSMemoryLimit}}\"\n requests:\n memory: \"{{.OVSMemoryRequest}}\"\n securityContext:\n{{- if eq .UsePrivilegedContainer \"true\"}}\n privileged: true\n{{- end}}\n capabilities:\n add:\n - NET_ADMIN\n - SYS_MODULE\n - SYS_NICE\n - IPC_LOCK\n env:\n - name: OVS_RUNDIR\n value: /usr/local/var/run/openvswitch\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: hostetc\n mountPath: /usr/local/etc\n - name: hostmodules\n mountPath: /lib/modules\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n livenessProbe:\n exec:\n command:\n - /usr/local/bin/liveness-ovs.sh\n restartPolicy: Always\n volumes:\n - name: hostetc\n hostPath:\n path: /etc\n - name: hostvar\n hostPath:\n path: /var\n - name: hostrun\n hostPath:\n path: /run\n - name: hostmodules\n hostPath:\n path: /lib/modules\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: aci-containers-controller\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"{{.Token}}\"\n network-plugin: aci-containers\n name: aci-containers-controller\nspec:\n replicas: 1\n strategy:\n type: Recreate\n selector:\n matchLabels:\n name: aci-containers-controller\n network-plugin: aci-containers\n template:\n metadata:\n name: aci-containers-controller\n namespace: aci-containers-system\n labels:\n name: aci-containers-controller\n network-plugin: aci-containers\n spec:\n hostNetwork: true\n serviceAccountName: aci-containers-controller\n{{- if ne .ImagePullSecret \"\"}}\n imagePullSecrets:\n 
- name: {{.ImagePullSecret}}\n{{- end}}\n{{- if .Tolerations }}\n tolerations:\n{{ toYaml .Tolerations | indent 6}}\n{{- else }}\n tolerations:\n - effect: NoExecute\n key: node.kubernetes.io/unreachable\n operator: Exists\n tolerationSeconds: {{ .TolerationSeconds }}\n - effect: NoExecute\n key: node.kubernetes.io/not-ready\n operator: Exists\n tolerationSeconds: {{ .TolerationSeconds }}\n - effect: NoSchedule\n key: node.kubernetes.io/not-ready\n operator: Exists\n - effect: NoSchedule\n key: node-role.kubernetes.io/master\n operator: Exists\n - effect: NoSchedule\n key: node-role.kubernetes.io/controlplane\n value: \"true\"\n operator: Equal\n - effect: NoExecute\n key: node-role.kubernetes.io/etcd\n value: \"true\"\n operator: Equal\n{{- end }}\n{{- if ne .UseSystemNodePriorityClass \"false\"}}\n priorityClassName: system-node-critical\n{{- else if .UseAciContainersControllerPriorityClass}} \n priorityClassName: aci-containers-controller\n{{- else}} \n{{- if ne .NoPriorityClass \"true\"}}\n priorityClassName: system-node-critical\n{{- end}}\n{{- if eq .UseAciCniPriorityClass \"true\"}}\n priorityClassName: acicni-priority\n{{- end}}\n{{- end}}\n containers:\n - name: aci-containers-controller\n image: {{.AciControllerContainer}}\n imagePullPolicy: {{.ImagePullPolicy}}\n{{- if or ( .AciContainersControllerMemoryLimit ) ( .AciContainersControllerMemoryRequest )}}\n resources:\n limits:\n{{- if .AciContainersControllerMemoryLimit }}\n memory: \"{{ .AciContainersControllerMemoryLimit }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryLimit }}\"\n{{- end}}\n requests:\n{{- if .AciContainersControllerMemoryRequest }}\n memory: \"{{ .AciContainersControllerMemoryRequest }}\"\n{{- else}}\n memory: \"{{ .AciContainersMemoryRequest }}\"\n{{- end}}\n{{- end}}\n env:\n - name: WATCH_NAMESPACE\n value: \"\"\n - name: ACI_SNAT_NAMESPACE\n value: \"aci-containers-system\"\n - name: ACI_SNAGLOBALINFO_NAME\n value: \"snatglobalinfo\"\n - name: ACI_RDCONFIG_NAME\n value: 
\"routingdomain-config\"\n - name: SYSTEM_NAMESPACE\n value: \"aci-containers-system\"\n volumeMounts:\n - name: controller-config-volume\n mountPath: /usr/local/etc/aci-containers/\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n - name: aci-user-cert-volume\n mountPath: /usr/local/etc/aci-cert/\n livenessProbe:\n failureThreshold: 10\n httpGet:\n path: /status\n port: 8091\n scheme: HTTP\n initialDelaySeconds: 120\n periodSeconds: 60\n successThreshold: 1\n timeoutSeconds: 30\n volumes:\n{{- if eq .CApic \"true\"}}\n - name: kafka-certs\n secret:\n secretName: kafka-client-certificates\n{{- end}}\n - name: aci-user-cert-volume\n secret:\n secretName: aci-user-cert\n - name: controller-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: controller-config\n path: controller.conf\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n{{- if eq .CApic \"true\"}}\n---\napiVersion: aci.aw/v1\nkind: PodIF\nmetadata:\n name: inet-route\n namespace: kube-system\nstatus:\n epg: aci-containers-inet-out\n ipaddr: 0.0.0.0/0\n{{- end}}\n---\napiVersion: v1\nkind: LimitRange\nmetadata:\n name: memory-limit-range\n namespace: aci-containers-system\nspec:\n limits:\n - default:\n memory: {{ .AciContainersMemoryLimit }}\n defaultRequest:\n memory: {{ .AciContainersMemoryRequest }}\n type: Container\n", "calico-v1.13": "\n{{if eq .RBACConfig \"rbac\"}}\n## start rbac here\n\n# Include a clusterrole for the calico-node DaemonSet,\n# and bind it to the calico-node serviceaccount.\nkind: ClusterRole\napiVersion: rbac.authorization.k8s.io/v1beta1\nmetadata:\n name: calico-node\nrules:\n # The CNI plugin needs to get pods, nodes, and namespaces.\n - apiGroups: [\"\"]\n 
resources:\n - pods\n - nodes\n - namespaces\n verbs:\n - get\n - apiGroups: [\"\"]\n resources:\n - endpoints\n - services\n verbs:\n # Used to discover service IPs for advertisement.\n - watch\n - list\n # Used to discover Typhas.\n - get\n - apiGroups: [\"\"]\n resources:\n - nodes/status\n verbs:\n # Needed for clearing NodeNetworkUnavailable flag.\n - patch\n # Calico stores some configuration information in node annotations.\n - update\n # Watch for changes to Kubernetes NetworkPolicies.\n - apiGroups: [\"networking.k8s.io\"]\n resources:\n - networkpolicies\n verbs:\n - watch\n - list\n # Used by Calico for policy information.\n - apiGroups: [\"\"]\n resources:\n - pods\n - namespaces\n - serviceaccounts\n verbs:\n - list\n - watch\n # The CNI plugin patches pods/status.\n - apiGroups: [\"\"]\n resources:\n - pods/status\n verbs:\n - patch\n # Calico monitors various CRDs for config.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - globalfelixconfigs\n - felixconfigurations\n - bgppeers\n - globalbgpconfigs\n - bgpconfigurations\n - ippools\n - globalnetworkpolicies\n - globalnetworksets\n - networkpolicies\n - clusterinformations\n - hostendpoints\n verbs:\n - get\n - list\n - watch\n # Calico must create and update some CRDs on startup.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - ippools\n - felixconfigurations\n - clusterinformations\n verbs:\n - create\n - update\n # Calico stores some configuration information on the node.\n - apiGroups: [\"\"]\n resources:\n - nodes\n verbs:\n - get\n - list\n - watch\n # These permissions are only requried for upgrade from v2.6, and can\n # be removed after upgrade or on fresh installations.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - bgpconfigurations\n - bgppeers\n verbs:\n - create\n - update\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: ClusterRoleBinding\nmetadata:\n name: calico-node\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n 
name: calico-node\nsubjects:\n- kind: ServiceAccount\n name: calico-node\n namespace: kube-system\n- apiGroup: rbac.authorization.k8s.io\n kind: Group\n name: system:nodes\n{{end}}\n## end rbac here\n\n---\n# This ConfigMap is used to configure a self-hosted Calico installation.\nkind: ConfigMap\napiVersion: v1\nmetadata:\n name: calico-config\n namespace: kube-system\ndata:\n # To enable Typha, set this to \"calico-typha\" *and* set a non-zero value for Typha replicas\n # below. We recommend using Typha if you have more than 50 nodes. Above 100 nodes it is\n # essential.\n typha_service_name: \"none\"\n # Configure the Calico backend to use.\n calico_backend: \"bird\"\n\n # Configure the MTU to use\n{{- if .MTU }}\n{{- if ne .MTU 0 }}\n veth_mtu: \"{{.MTU}}\"\n{{- end}}\n{{- else }}\n veth_mtu: \"1440\"\n{{- end}}\n\n # The CNI network configuration to install on each node. The special\n # values in this config will be automatically populated.\n cni_network_config: |-\n {\n \"name\": \"k8s-pod-network\",\n \"cniVersion\": \"0.3.0\",\n \"plugins\": [\n {\n \"type\": \"calico\",\n \"log_level\": \"WARNING\",\n \"datastore_type\": \"kubernetes\",\n \"nodename\": \"__KUBERNETES_NODE_NAME__\",\n \"mtu\": __CNI_MTU__,\n \"ipam\": {\n \"type\": \"host-local\",\n \"subnet\": \"usePodCidr\"\n },\n \"policy\": {\n \"type\": \"k8s\"\n },\n \"kubernetes\": {\n \"kubeconfig\": \"{{.KubeCfg}}\"\n }\n },\n {\n \"type\": \"portmap\",\n \"snat\": true,\n \"capabilities\": {\"portMappings\": true}\n }\n ]\n }\n---\n\n# This manifest installs the calico/node container, as well\n# as the Calico CNI plugins and network config on\n# each master and worker node in a Kubernetes cluster.\nkind: DaemonSet\napiVersion: extensions/v1beta1\nmetadata:\n name: calico-node\n namespace: kube-system\n labels:\n k8s-app: calico-node\nspec:\n selector:\n matchLabels:\n k8s-app: calico-node\n updateStrategy:\n{{if .UpdateStrategy}}\n{{ toYaml .UpdateStrategy | indent 4}}\n{{else}}\n type: 
RollingUpdate\n rollingUpdate:\n maxUnavailable: 1\n{{end}}\n template:\n metadata:\n labels:\n k8s-app: calico-node\n annotations:\n # This, along with the CriticalAddonsOnly toleration below,\n # marks the pod as a critical add-on, ensuring it gets\n # priority scheduling and that its resources are reserved\n # if it ever gets evicted.\n scheduler.alpha.kubernetes.io/critical-pod: ''\n spec:\n affinity:\n nodeAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n nodeSelectorTerms:\n - matchExpressions:\n - key: beta.kubernetes.io/os\n operator: NotIn\n values:\n - windows\n hostNetwork: true\n{{if .NodeSelector}}\n nodeSelector:\n {{ range $k, $v := .NodeSelector }}\n {{ $k }}: \"{{ $v }}\"\n {{ end }}\n{{end}}\n tolerations:\n # Make sure calico-node gets scheduled on all nodes.\n - effect: NoSchedule\n operator: Exists\n # Mark the pod as a critical add-on for rescheduling.\n - key: CriticalAddonsOnly\n operator: Exists\n - effect: NoExecute\n operator: Exists\n serviceAccountName: calico-node\n # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a \"force\n # deletion\": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.\n terminationGracePeriodSeconds: 0\n initContainers:\n # This container installs the Calico CNI binaries\n # and CNI network config file on each node.\n - name: install-cni\n image: {{.CNIImage}}\n command: [\"/install-cni.sh\"]\n env:\n # Name of the CNI config file to create.\n - name: CNI_CONF_NAME\n value: \"10-calico.conflist\"\n # The CNI network config to install on each node.\n - name: CNI_NETWORK_CONFIG\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: cni_network_config\n # Set the hostname based on the k8s node name.\n - name: KUBERNETES_NODE_NAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n # CNI MTU Config variable\n - name: CNI_MTU\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: veth_mtu\n # Prevents the container from sleeping 
forever.\n - name: SLEEP\n value: \"false\"\n volumeMounts:\n - mountPath: /host/opt/cni/bin\n name: cni-bin-dir\n - mountPath: /host/etc/cni/net.d\n name: cni-net-dir\n containers:\n # Runs calico/node container on each Kubernetes node. This\n # container programs network policy and routes on each\n # host.\n - name: calico-node\n image: {{.NodeImage}}\n env:\n # Use Kubernetes API as the backing datastore.\n - name: DATASTORE_TYPE\n value: \"kubernetes\"\n # Typha support: controlled by the ConfigMap.\n - name: FELIX_TYPHAK8SSERVICENAME\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: typha_service_name\n # Wait for the datastore.\n - name: WAIT_FOR_DATASTORE\n value: \"true\"\n # Set based on the k8s node name.\n - name: NODENAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n # Choose the backend to use.\n - name: CALICO_NETWORKING_BACKEND\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: calico_backend\n # Cluster type to identify the deployment type\n - name: CLUSTER_TYPE\n value: \"k8s,bgp\"\n # Auto-detect the BGP IP address.\n - name: IP\n value: \"autodetect\"\n # Enable IPIP\n - name: CALICO_IPV4POOL_IPIP\n value: \"Always\"\n # Set MTU for tunnel device used if ipip is enabled\n - name: FELIX_IPINIPMTU\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: veth_mtu\n # The default IPv4 pool to create on startup if none exists. Pod IPs will be\n # chosen from this range. Changing this value after installation will have\n # no effect. 
This should fall within --cluster-cidr.\n - name: CALICO_IPV4POOL_CIDR\n value: \"{{.ClusterCIDR}}\"\n # Disable file logging so kubectl logs works.\n - name: CALICO_DISABLE_FILE_LOGGING\n value: \"true\"\n # Set Felix endpoint to host default action to ACCEPT.\n - name: FELIX_DEFAULTENDPOINTTOHOSTACTION\n value: \"ACCEPT\"\n # Disable IPv6 on Kubernetes.\n - name: FELIX_IPV6SUPPORT\n value: \"false\"\n # Disable felix logging to file\n - name: FELIX_LOGFILEPATH\n value: \"none\"\n # Disable felix logging for syslog\n - name: FELIX_LOGSEVERITYSYS\n value: \"\"\n # Enable felix logging to stdout\n - name: FELIX_LOGSEVERITYSCREEN\n value: \"Warning\"\n - name: FELIX_HEALTHENABLED\n value: \"true\"\n securityContext:\n privileged: true\n resources:\n requests:\n cpu: 250m\n livenessProbe:\n httpGet:\n path: /liveness\n port: 9099\n host: localhost\n periodSeconds: 10\n initialDelaySeconds: 10\n failureThreshold: 6\n readinessProbe:\n exec:\n command:\n - /bin/calico-node\n - -bird-ready\n - -felix-ready\n periodSeconds: 10\n volumeMounts:\n - mountPath: /lib/modules\n name: lib-modules\n readOnly: true\n - mountPath: /run/xtables.lock\n name: xtables-lock\n readOnly: false\n - mountPath: /var/run/calico\n name: var-run-calico\n readOnly: false\n - mountPath: /var/lib/calico\n name: var-lib-calico\n readOnly: false\n volumes:\n # Used by calico/node.\n - name: lib-modules\n hostPath:\n path: /lib/modules\n - name: var-run-calico\n hostPath:\n path: /var/run/calico\n - name: var-lib-calico\n hostPath:\n path: /var/lib/calico\n - name: xtables-lock\n hostPath:\n path: /run/xtables.lock\n type: FileOrCreate\n # Used to install CNI.\n - name: cni-bin-dir\n hostPath:\n path: /opt/cni/bin\n - name: cni-net-dir\n hostPath:\n path: /etc/cni/net.d\n\n# Create all the CustomResourceDefinitions needed for\n# Calico policy and networking mode.\n---\n\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: 
felixconfigurations.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: FelixConfiguration\n plural: felixconfigurations\n singular: felixconfiguration\n\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: bgppeers.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: BGPPeer\n plural: bgppeers\n singular: bgppeer\n\n---\n\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: bgpconfigurations.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: BGPConfiguration\n plural: bgpconfigurations\n singular: bgpconfiguration\n\n---\n\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: ippools.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: IPPool\n plural: ippools\n singular: ippool\n\n---\n\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: hostendpoints.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: HostEndpoint\n plural: hostendpoints\n singular: hostendpoint\n\n---\n\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: clusterinformations.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: ClusterInformation\n plural: clusterinformations\n singular: clusterinformation\n\n---\n\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: globalnetworkpolicies.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: GlobalNetworkPolicy\n plural: globalnetworkpolicies\n singular: globalnetworkpolicy\n\n---\n\napiVersion: 
apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: globalnetworksets.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: GlobalNetworkSet\n plural: globalnetworksets\n singular: globalnetworkset\n\n---\n\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: networkpolicies.crd.projectcalico.org\nspec:\n scope: Namespaced\n group: crd.projectcalico.org\n version: v1\n names:\n kind: NetworkPolicy\n plural: networkpolicies\n singular: networkpolicy\n\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: calico-node\n namespace: kube-system\n\n\n{{if ne .CloudProvider \"none\"}}\n---\nkind: ConfigMap\napiVersion: v1\nmetadata:\n name: {{.CloudProvider}}-ippool\n namespace: kube-system\ndata:\n {{.CloudProvider}}-ippool: |-\n apiVersion: projectcalico.org/v3\n kind: IPPool\n metadata:\n name: ippool-ipip-1\n spec:\n cidr: {{.ClusterCIDR}}\n ipipMode: Always\n natOutgoing: true\n---\napiVersion: v1\nkind: Pod\nmetadata:\n name: calicoctl\n namespace: kube-system\nspec:\n hostNetwork: true\n restartPolicy: OnFailure\n tolerations:\n - effect: NoExecute\n operator: Exists\n - effect: NoSchedule\n operator: Exists\n containers:\n - name: calicoctl\n image: {{.Calicoctl}}\n command: [\"/bin/sh\", \"-c\", \"calicoctl apply -f {{.CloudProvider}}-ippool.yaml\"]\n env:\n - name: DATASTORE_TYPE\n value: kubernetes\n volumeMounts:\n - name: ippool-config\n mountPath: /root/\n volumes:\n - name: ippool-config\n configMap:\n name: {{.CloudProvider}}-ippool\n items:\n - key: {{.CloudProvider}}-ippool\n path: {{.CloudProvider}}-ippool.yaml\n # Mount in the etcd TLS secrets.\n{{end}}\n", "calico-v1.15": "\n{{if eq .RBACConfig \"rbac\"}}\n---\n# Source: calico/templates/rbac.yaml\n# Include a clusterrole for the kube-controllers component,\n# and bind it to the calico-kube-controllers serviceaccount.\nkind: ClusterRole\napiVersion: 
rbac.authorization.k8s.io/v1beta1\nmetadata:\n name: calico-kube-controllers\nrules:\n # Nodes are watched to monitor for deletions.\n - apiGroups: [\"\"]\n resources:\n - nodes\n verbs:\n - watch\n - list\n - get\n # Pods are queried to check for existence.\n - apiGroups: [\"\"]\n resources:\n - pods\n verbs:\n - get\n # IPAM resources are manipulated when nodes are deleted.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - ippools\n verbs:\n - list\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - blockaffinities\n - ipamblocks\n - ipamhandles\n verbs:\n - get\n - list\n - create\n - update\n - delete\n # Needs access to update clusterinformations.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - clusterinformations\n verbs:\n - get\n - create\n - update\n---\nkind: ClusterRoleBinding\napiVersion: rbac.authorization.k8s.io/v1beta1\nmetadata:\n name: calico-kube-controllers\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: calico-kube-controllers\nsubjects:\n- kind: ServiceAccount\n name: calico-kube-controllers\n namespace: kube-system\n- apiGroup: rbac.authorization.k8s.io\n kind: Group\n name: system:nodes\n---\n# Include a clusterrole for the calico-node DaemonSet,\n# and bind it to the calico-node serviceaccount.\nkind: ClusterRole\napiVersion: rbac.authorization.k8s.io/v1beta1\nmetadata:\n name: calico-node\nrules:\n # The CNI plugin needs to get pods, nodes, and namespaces.\n - apiGroups: [\"\"]\n resources:\n - pods\n - nodes\n - namespaces\n verbs:\n - get\n - apiGroups: [\"\"]\n resources:\n - endpoints\n - services\n verbs:\n # Used to discover service IPs for advertisement.\n - watch\n - list\n # Used to discover Typhas.\n - get\n - apiGroups: [\"\"]\n resources:\n - nodes/status\n verbs:\n # Needed for clearing NodeNetworkUnavailable flag.\n - patch\n # Calico stores some configuration information in node annotations.\n - update\n # Watch for changes to Kubernetes NetworkPolicies.\n - apiGroups: 
[\"networking.k8s.io\"]\n resources:\n - networkpolicies\n verbs:\n - watch\n - list\n # Used by Calico for policy information.\n - apiGroups: [\"\"]\n resources:\n - pods\n - namespaces\n - serviceaccounts\n verbs:\n - list\n - watch\n # The CNI plugin patches pods/status.\n - apiGroups: [\"\"]\n resources:\n - pods/status\n verbs:\n - patch\n # Calico monitors various CRDs for config.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - globalfelixconfigs\n - felixconfigurations\n - bgppeers\n - globalbgpconfigs\n - bgpconfigurations\n - ippools\n - ipamblocks\n - globalnetworkpolicies\n - globalnetworksets\n - networkpolicies\n - networksets\n - clusterinformations\n - hostendpoints\n verbs:\n - get\n - list\n - watch\n # Calico must create and update some CRDs on startup.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - ippools\n - felixconfigurations\n - clusterinformations\n verbs:\n - create\n - update\n # Calico stores some configuration information on the node.\n - apiGroups: [\"\"]\n resources:\n - nodes\n verbs:\n - get\n - list\n - watch\n # These permissions are only requried for upgrade from v2.6, and can\n # be removed after upgrade or on fresh installations.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - bgpconfigurations\n - bgppeers\n verbs:\n - create\n - update\n # These permissions are required for Calico CNI to perform IPAM allocations.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - blockaffinities\n - ipamblocks\n - ipamhandles\n verbs:\n - get\n - list\n - create\n - update\n - delete\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - ipamconfigs\n verbs:\n - get\n # Block affinities must also be watchable by confd for route aggregation.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - blockaffinities\n verbs:\n - watch\n # The Calico IPAM migration needs to get daemonsets. 
These permissions can be\n # removed if not upgrading from an installation using host-local IPAM.\n - apiGroups: [\"apps\"]\n resources:\n - daemonsets\n verbs:\n - get\n---\napiVersion: rbac.authorization.k8s.io/v1beta1\nkind: ClusterRoleBinding\nmetadata:\n name: calico-node\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: calico-node\nsubjects:\n- kind: ServiceAccount\n name: calico-node\n namespace: kube-system\n- apiGroup: rbac.authorization.k8s.io\n kind: Group\n name: system:nodes\n{{end}}\n---\n# Source: calico/templates/calico-config.yaml\n# This ConfigMap is used to configure a self-hosted Calico installation.\nkind: ConfigMap\napiVersion: v1\nmetadata:\n name: calico-config\n namespace: kube-system\ndata:\n # Typha is disabled.\n typha_service_name: \"none\"\n # Configure the backend to use.\n calico_backend: \"bird\"\n\n # Configure the MTU to use\n{{- if .MTU }}\n{{- if ne .MTU 0 }}\n veth_mtu: \"{{.MTU}}\"\n{{- end}}\n{{- else }}\n veth_mtu: \"1440\"\n{{- end}}\n\n # The CNI network configuration to install on each node. 
The special\n # values in this config will be automatically populated.\n cni_network_config: |-\n {\n \"name\": \"k8s-pod-network\",\n \"cniVersion\": \"0.3.0\",\n \"plugins\": [\n {\n \"type\": \"calico\",\n \"log_level\": \"info\",\n \"datastore_type\": \"kubernetes\",\n \"nodename\": \"__KUBERNETES_NODE_NAME__\",\n \"mtu\": __CNI_MTU__,\n \"ipam\": {\n \"type\": \"calico-ipam\"\n },\n \"policy\": {\n \"type\": \"k8s\"\n },\n \"kubernetes\": {\n \"kubeconfig\": \"{{.KubeCfg}}\"\n }\n },\n {\n \"type\": \"portmap\",\n \"snat\": true,\n \"capabilities\": {\"portMappings\": true}\n }\n ]\n }\n---\n# Source: calico/templates/kdd-crds.yaml\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: felixconfigurations.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: FelixConfiguration\n plural: felixconfigurations\n singular: felixconfiguration\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: ipamblocks.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: IPAMBlock\n plural: ipamblocks\n singular: ipamblock\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: blockaffinities.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: BlockAffinity\n plural: blockaffinities\n singular: blockaffinity\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: ipamhandles.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: IPAMHandle\n plural: ipamhandles\n singular: ipamhandle\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: ipamconfigs.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: 
IPAMConfig\n plural: ipamconfigs\n singular: ipamconfig\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: bgppeers.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: BGPPeer\n plural: bgppeers\n singular: bgppeer\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: bgpconfigurations.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: BGPConfiguration\n plural: bgpconfigurations\n singular: bgpconfiguration\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: ippools.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: IPPool\n plural: ippools\n singular: ippool\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: hostendpoints.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: HostEndpoint\n plural: hostendpoints\n singular: hostendpoint\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: clusterinformations.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: ClusterInformation\n plural: clusterinformations\n singular: clusterinformation\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: globalnetworkpolicies.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: GlobalNetworkPolicy\n plural: globalnetworkpolicies\n singular: globalnetworkpolicy\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: globalnetworksets.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: 
GlobalNetworkSet\n plural: globalnetworksets\n singular: globalnetworkset\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: networkpolicies.crd.projectcalico.org\nspec:\n scope: Namespaced\n group: crd.projectcalico.org\n version: v1\n names:\n kind: NetworkPolicy\n plural: networkpolicies\n singular: networkpolicy\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: networksets.crd.projectcalico.org\nspec:\n scope: Namespaced\n group: crd.projectcalico.org\n version: v1\n names:\n kind: NetworkSet\n plural: networksets\n singular: networkset\n---\n# Source: calico/templates/calico-node.yaml\n# This manifest installs the calico-node container, as well\n# as the CNI plugins and network config on\n# each master and worker node in a Kubernetes cluster.\nkind: DaemonSet\napiVersion: extensions/v1beta1\nmetadata:\n name: calico-node\n namespace: kube-system\n labels:\n k8s-app: calico-node\nspec:\n selector:\n matchLabels:\n k8s-app: calico-node\n updateStrategy:\n{{if .UpdateStrategy}}\n{{ toYaml .UpdateStrategy | indent 4}}\n{{else}}\n type: RollingUpdate\n rollingUpdate:\n maxUnavailable: 1\n{{end}}\n template:\n metadata:\n labels:\n k8s-app: calico-node\n annotations:\n # This, along with the CriticalAddonsOnly toleration below,\n # marks the pod as a critical add-on, ensuring it gets\n # priority scheduling and that its resources are reserved\n # if it ever gets evicted.\n scheduler.alpha.kubernetes.io/critical-pod: ''\n spec:\n nodeSelector:\n beta.kubernetes.io/os: linux\n {{ range $k, $v := .NodeSelector }}\n {{ $k }}: \"{{ $v }}\"\n {{ end }}\n hostNetwork: true\n tolerations:\n # Make sure calico-node gets scheduled on all nodes.\n - effect: NoSchedule\n operator: Exists\n # Mark the pod as a critical add-on for rescheduling.\n - key: CriticalAddonsOnly\n operator: Exists\n - effect: NoExecute\n operator: Exists\n{{if eq .RBACConfig \"rbac\"}}\n serviceAccountName: 
calico-node\n{{end}}\n # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a \"force\n # deletion\": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.\n terminationGracePeriodSeconds: 0\n initContainers:\n # This container performs upgrade from host-local IPAM to calico-ipam.\n # It can be deleted if this is a fresh installation, or if you have already\n # upgraded to use calico-ipam.\n - name: upgrade-ipam\n image: {{.CNIImage}}\n command: [\"/opt/cni/bin/calico-ipam\", \"-upgrade\"]\n env:\n - name: KUBERNETES_NODE_NAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n - name: CALICO_NETWORKING_BACKEND\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: calico_backend\n volumeMounts:\n - mountPath: /var/lib/cni/networks\n name: host-local-net-dir\n - mountPath: /host/opt/cni/bin\n name: cni-bin-dir\n # This container installs the CNI binaries\n # and CNI network config file on each node.\n - name: install-cni\n image: {{.CNIImage}}\n command: [\"/install-cni.sh\"]\n env:\n # Name of the CNI config file to create.\n - name: CNI_CONF_NAME\n value: \"10-calico.conflist\"\n # The CNI network config to install on each node.\n - name: CNI_NETWORK_CONFIG\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: cni_network_config\n # Set the hostname based on the k8s node name.\n - name: KUBERNETES_NODE_NAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n # CNI MTU Config variable\n - name: CNI_MTU\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: veth_mtu\n # Prevents the container from sleeping forever.\n - name: SLEEP\n value: \"false\"\n volumeMounts:\n - mountPath: /host/opt/cni/bin\n name: cni-bin-dir\n - mountPath: /host/etc/cni/net.d\n name: cni-net-dir\n containers:\n # Runs calico-node container on each Kubernetes node. 
This\n # container programs network policy and routes on each\n # host.\n - name: calico-node\n image: {{.NodeImage}}\n env:\n # Use Kubernetes API as the backing datastore.\n - name: DATASTORE_TYPE\n value: \"kubernetes\"\n # Wait for the datastore.\n - name: WAIT_FOR_DATASTORE\n value: \"true\"\n # Set based on the k8s node name.\n - name: NODENAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n # Choose the backend to use.\n - name: CALICO_NETWORKING_BACKEND\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: calico_backend\n # Cluster type to identify the deployment type\n - name: CLUSTER_TYPE\n value: \"k8s,bgp\"\n # Auto-detect the BGP IP address.\n - name: IP\n value: \"autodetect\"\n # Enable IPIP\n - name: CALICO_IPV4POOL_IPIP\n value: \"Always\"\n # Set MTU for tunnel device used if ipip is enabled\n - name: FELIX_IPINIPMTU\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: veth_mtu\n # The default IPv4 pool to create on startup if none exists. Pod IPs will be\n # chosen from this range. Changing this value after installation will have\n # no effect. 
This should fall within --cluster-cidr.\n - name: CALICO_IPV4POOL_CIDR\n value: \"{{.ClusterCIDR}}\"\n # Disable file logging so kubectl logs works.\n - name: CALICO_DISABLE_FILE_LOGGING\n value: \"true\"\n # Set Felix endpoint to host default action to ACCEPT.\n - name: FELIX_DEFAULTENDPOINTTOHOSTACTION\n value: \"ACCEPT\"\n # Disable IPv6 on Kubernetes.\n - name: FELIX_IPV6SUPPORT\n value: \"false\"\n # Set Felix logging to \"info\"\n - name: FELIX_LOGSEVERITYSCREEN\n value: \"info\"\n - name: FELIX_HEALTHENABLED\n value: \"true\"\n securityContext:\n privileged: true\n resources:\n requests:\n cpu: 250m\n livenessProbe:\n httpGet:\n path: /liveness\n port: 9099\n host: localhost\n periodSeconds: 10\n initialDelaySeconds: 10\n failureThreshold: 6\n readinessProbe:\n exec:\n command:\n - /bin/calico-node\n - -bird-ready\n - -felix-ready\n periodSeconds: 10\n volumeMounts:\n - mountPath: /lib/modules\n name: lib-modules\n readOnly: true\n - mountPath: /run/xtables.lock\n name: xtables-lock\n readOnly: false\n - mountPath: /var/run/calico\n name: var-run-calico\n readOnly: false\n - mountPath: /var/lib/calico\n name: var-lib-calico\n readOnly: false\n volumes:\n # Used by calico-node.\n - name: lib-modules\n hostPath:\n path: /lib/modules\n - name: var-run-calico\n hostPath:\n path: /var/run/calico\n - name: var-lib-calico\n hostPath:\n path: /var/lib/calico\n - name: xtables-lock\n hostPath:\n path: /run/xtables.lock\n type: FileOrCreate\n # Used to install CNI.\n - name: cni-bin-dir\n hostPath:\n path: /opt/cni/bin\n - name: cni-net-dir\n hostPath:\n path: /etc/cni/net.d\n # Mount in the directory for host-local IPAM allocations. 
This is\n # used when upgrading from host-local to calico-ipam, and can be removed\n # if not using the upgrade-ipam init container.\n - name: host-local-net-dir\n hostPath:\n path: /var/lib/cni/networks\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: calico-node\n namespace: kube-system\n---\n# Source: calico/templates/calico-kube-controllers.yaml\n# See https://github.com/projectcalico/kube-controllers\napiVersion: extensions/v1beta1\nkind: Deployment\nmetadata:\n name: calico-kube-controllers\n namespace: kube-system\n labels:\n k8s-app: calico-kube-controllers\n annotations:\n scheduler.alpha.kubernetes.io/critical-pod: ''\nspec:\n # The controller can only have a single active instance.\n replicas: 1\n strategy:\n type: Recreate\n template:\n metadata:\n name: calico-kube-controllers\n namespace: kube-system\n labels:\n k8s-app: calico-kube-controllers\n spec:\n nodeSelector:\n beta.kubernetes.io/os: linux\n tolerations:\n # Make sure calico-node gets scheduled on all nodes.\n - effect: NoSchedule\n operator: Exists\n # Mark the pod as a critical add-on for rescheduling.\n - key: CriticalAddonsOnly\n operator: Exists\n - effect: NoExecute\n operator: Exists\n{{if eq .RBACConfig \"rbac\"}}\n serviceAccountName: calico-kube-controllers\n{{end}}\n containers:\n - name: calico-kube-controllers\n image: {{.ControllersImage}}\n env:\n # Choose which controllers to run.\n - name: ENABLED_CONTROLLERS\n value: node\n - name: DATASTORE_TYPE\n value: kubernetes\n readinessProbe:\n exec:\n command:\n - /usr/bin/check-status\n - -r\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: calico-kube-controllers\n namespace: kube-system\n", "calico-v1.15-privileged": "\n# CalicoTemplateV115Privileged\n{{if eq .RBACConfig \"rbac\"}}\n# Source: calico/templates/rbac.yaml\n# Include a clusterrole for the kube-controllers component,\n# and bind it to the calico-kube-controllers serviceaccount.\nkind: ClusterRole\napiVersion: 
rbac.authorization.k8s.io/v1\nmetadata:\n name: calico-kube-controllers\nrules:\n # Nodes are watched to monitor for deletions.\n - apiGroups: [\"\"]\n resources:\n - nodes\n verbs:\n - watch\n - list\n - get\n # Pods are queried to check for existence.\n - apiGroups: [\"\"]\n resources:\n - pods\n verbs:\n - get\n # IPAM resources are manipulated when nodes are deleted.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - ippools\n verbs:\n - list\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - blockaffinities\n - ipamblocks\n - ipamhandles\n verbs:\n - get\n - list\n - create\n - update\n - delete\n # Needs access to update clusterinformations.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - clusterinformations\n verbs:\n - get\n - create\n - update\n---\nkind: ClusterRoleBinding\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n name: calico-kube-controllers\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: calico-kube-controllers\nsubjects:\n- kind: ServiceAccount\n name: calico-kube-controllers\n namespace: kube-system\n- apiGroup: rbac.authorization.k8s.io\n kind: Group\n name: system:nodes\n---\n# Include a clusterrole for the calico-node DaemonSet,\n# and bind it to the calico-node serviceaccount.\nkind: ClusterRole\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n name: calico-node\nrules:\n # The CNI plugin needs to get pods, nodes, and namespaces.\n - apiGroups: [\"\"]\n resources:\n - pods\n - nodes\n - namespaces\n verbs:\n - get\n - apiGroups: [\"\"]\n resources:\n - endpoints\n - services\n verbs:\n # Used to discover service IPs for advertisement.\n - watch\n - list\n # Used to discover Typhas.\n - get\n # Pod CIDR auto-detection on kubeadm needs access to config maps.\n - apiGroups: [\"\"]\n resources:\n - configmaps\n verbs:\n - get\n - apiGroups: [\"\"]\n resources:\n - nodes/status\n verbs:\n # Needed for clearing NodeNetworkUnavailable flag.\n - patch\n # Calico stores some 
configuration information in node annotations.\n - update\n # Watch for changes to Kubernetes NetworkPolicies.\n - apiGroups: [\"networking.k8s.io\"]\n resources:\n - networkpolicies\n verbs:\n - watch\n - list\n # Used by Calico for policy information.\n - apiGroups: [\"\"]\n resources:\n - pods\n - namespaces\n - serviceaccounts\n verbs:\n - list\n - watch\n # The CNI plugin patches pods/status.\n - apiGroups: [\"\"]\n resources:\n - pods/status\n verbs:\n - patch\n # Calico monitors various CRDs for config.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - globalfelixconfigs\n - felixconfigurations\n - bgppeers\n - globalbgpconfigs\n - bgpconfigurations\n - ippools\n - ipamblocks\n - globalnetworkpolicies\n - globalnetworksets\n - networkpolicies\n - networksets\n - clusterinformations\n - hostendpoints\n - blockaffinities\n verbs:\n - get\n - list\n - watch\n # Calico must create and update some CRDs on startup.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - ippools\n - felixconfigurations\n - clusterinformations\n verbs:\n - create\n - update\n # Calico stores some configuration information on the node.\n - apiGroups: [\"\"]\n resources:\n - nodes\n verbs:\n - get\n - list\n - watch\n # These permissions are only requried for upgrade from v2.6, and can\n # be removed after upgrade or on fresh installations.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - bgpconfigurations\n - bgppeers\n verbs:\n - create\n - update\n # These permissions are required for Calico CNI to perform IPAM allocations.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - blockaffinities\n - ipamblocks\n - ipamhandles\n verbs:\n - get\n - list\n - create\n - update\n - delete\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - ipamconfigs\n verbs:\n - get\n # Block affinities must also be watchable by confd for route aggregation.\n - apiGroups: [\"crd.projectcalico.org\"]\n resources:\n - blockaffinities\n verbs:\n - watch\n # The Calico 
IPAM migration needs to get daemonsets. These permissions can be\n # removed if not upgrading from an installation using host-local IPAM.\n - apiGroups: [\"apps\"]\n resources:\n - daemonsets\n verbs:\n - get\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: calico-node\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: calico-node\nsubjects:\n- kind: ServiceAccount\n name: calico-node\n namespace: kube-system\n- apiGroup: rbac.authorization.k8s.io\n kind: Group\n name: system:nodes\n{{end}}\n---\n# Source: calico/templates/calico-config.yaml\n# This ConfigMap is used to configure a self-hosted Calico installation.\nkind: ConfigMap\napiVersion: v1\nmetadata:\n name: calico-config\n namespace: kube-system\ndata:\n # Typha is disabled.\n typha_service_name: \"none\"\n # Configure the backend to use.\n calico_backend: \"bird\"\n\n # Configure the MTU to use\n{{- if .MTU }}\n{{- if ne .MTU 0 }}\n veth_mtu: \"{{.MTU}}\"\n{{- end}}\n{{- else }}\n veth_mtu: \"1440\"\n{{- end}}\n\n # The CNI network configuration to install on each node. 
The special\n # values in this config will be automatically populated.\n cni_network_config: |-\n {\n \"name\": \"k8s-pod-network\",\n \"cniVersion\": \"0.3.1\",\n \"plugins\": [\n {\n \"type\": \"calico\",\n \"log_level\": \"info\",\n \"datastore_type\": \"kubernetes\",\n \"nodename\": \"__KUBERNETES_NODE_NAME__\",\n \"mtu\": __CNI_MTU__,\n \"ipam\": {\n \"type\": \"calico-ipam\"\n },\n \"policy\": {\n \"type\": \"k8s\"\n },\n \"kubernetes\": {\n \"kubeconfig\": \"{{.KubeCfg}}\"\n }\n },\n {\n \"type\": \"portmap\",\n \"snat\": true,\n \"capabilities\": {\"portMappings\": true}\n },\n {\n \"type\": \"bandwidth\",\n \"capabilities\": {\"bandwidth\": true}\n }\n ]\n }\n---\n# Source: calico/templates/kdd-crds.yaml\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: felixconfigurations.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: FelixConfiguration\n plural: felixconfigurations\n singular: felixconfiguration\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: ipamblocks.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: IPAMBlock\n plural: ipamblocks\n singular: ipamblock\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: blockaffinities.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: BlockAffinity\n plural: blockaffinities\n singular: blockaffinity\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: ipamhandles.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: IPAMHandle\n plural: ipamhandles\n singular: ipamhandle\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: ipamconfigs.crd.projectcalico.org\nspec:\n 
scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: IPAMConfig\n plural: ipamconfigs\n singular: ipamconfig\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: bgppeers.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: BGPPeer\n plural: bgppeers\n singular: bgppeer\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: bgpconfigurations.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: BGPConfiguration\n plural: bgpconfigurations\n singular: bgpconfiguration\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: ippools.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: IPPool\n plural: ippools\n singular: ippool\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: hostendpoints.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: HostEndpoint\n plural: hostendpoints\n singular: hostendpoint\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: clusterinformations.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: ClusterInformation\n plural: clusterinformations\n singular: clusterinformation\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: globalnetworkpolicies.crd.projectcalico.org\nspec:\n scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: GlobalNetworkPolicy\n plural: globalnetworkpolicies\n singular: globalnetworkpolicy\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: globalnetworksets.crd.projectcalico.org\nspec:\n 
scope: Cluster\n group: crd.projectcalico.org\n version: v1\n names:\n kind: GlobalNetworkSet\n plural: globalnetworksets\n singular: globalnetworkset\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: networkpolicies.crd.projectcalico.org\nspec:\n scope: Namespaced\n group: crd.projectcalico.org\n version: v1\n names:\n kind: NetworkPolicy\n plural: networkpolicies\n singular: networkpolicy\n---\napiVersion: apiextensions.k8s.io/v1beta1\nkind: CustomResourceDefinition\nmetadata:\n name: networksets.crd.projectcalico.org\nspec:\n scope: Namespaced\n group: crd.projectcalico.org\n version: v1\n names:\n kind: NetworkSet\n plural: networksets\n singular: networkset\n---\n# Source: calico/templates/calico-node.yaml\n# This manifest installs the calico-node container, as well\n# as the CNI plugins and network config on\n# each master and worker node in a Kubernetes cluster.\nkind: DaemonSet\napiVersion: apps/v1\nmetadata:\n name: calico-node\n namespace: kube-system\n labels:\n k8s-app: calico-node\nspec:\n selector:\n matchLabels:\n k8s-app: calico-node\n updateStrategy:\n{{if .UpdateStrategy}}\n{{ toYaml .UpdateStrategy | indent 4}}\n{{else}}\n type: RollingUpdate\n rollingUpdate:\n maxUnavailable: 1\n{{end}}\n template:\n metadata:\n labels:\n k8s-app: calico-node\n annotations:\n # This, along with the CriticalAddonsOnly toleration below,\n # marks the pod as a critical add-on, ensuring it gets\n # priority scheduling and that its resources are reserved\n # if it ever gets evicted.\n scheduler.alpha.kubernetes.io/critical-pod: ''\n spec:\n nodeSelector:\n kubernetes.io/os: linux\n {{ range $k, $v := .NodeSelector }}\n {{ $k }}: \"{{ $v }}\"\n {{ end }}\n hostNetwork: true\n tolerations:\n # Make sure calico-node gets scheduled on all nodes.\n - effect: NoSchedule\n operator: Exists\n # Mark the pod as a critical add-on for rescheduling.\n - key: CriticalAddonsOnly\n operator: Exists\n - effect: NoExecute\n operator: 
Exists\n{{if eq .RBACConfig \"rbac\"}}\n serviceAccountName: calico-node\n{{end}}\n # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a \"force\n # deletion\": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.\n terminationGracePeriodSeconds: 0\n # Rancher specific change\n priorityClassName: {{ .CalicoNodePriorityClassName | default \"system-node-critical\" }}\n initContainers:\n # This container performs upgrade from host-local IPAM to calico-ipam.\n # It can be deleted if this is a fresh installation, or if you have already\n # upgraded to use calico-ipam.\n - name: upgrade-ipam\n image: {{.CNIImage}}\n command: [\"/opt/cni/bin/calico-ipam\", \"-upgrade\"]\n env:\n - name: KUBERNETES_NODE_NAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n - name: CALICO_NETWORKING_BACKEND\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: calico_backend\n volumeMounts:\n - mountPath: /var/lib/cni/networks\n name: host-local-net-dir\n - mountPath: /host/opt/cni/bin\n name: cni-bin-dir\n securityContext:\n privileged: true\n # This container installs the CNI binaries\n # and CNI network config file on each node.\n - name: install-cni\n image: {{.CNIImage}}\n command: [\"/install-cni.sh\"]\n env:\n # Name of the CNI config file to create.\n - name: CNI_CONF_NAME\n value: \"10-calico.conflist\"\n # The CNI network config to install on each node.\n - name: CNI_NETWORK_CONFIG\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: cni_network_config\n # Set the hostname based on the k8s node name.\n - name: KUBERNETES_NODE_NAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n # CNI MTU Config variable\n - name: CNI_MTU\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: veth_mtu\n # Prevents the container from sleeping forever.\n - name: SLEEP\n value: \"false\"\n volumeMounts:\n - mountPath: /host/opt/cni/bin\n name: cni-bin-dir\n - mountPath: /host/etc/cni/net.d\n name: cni-net-dir\n 
securityContext:\n privileged: true\n # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes\n # to communicate with Felix over the Policy Sync API.\n - name: flexvol-driver\n image: {{.FlexVolImg}}\n volumeMounts:\n - name: flexvol-driver-host\n mountPath: /host/driver\n securityContext:\n privileged: true\n containers:\n # Runs calico-node container on each Kubernetes node. This\n # container programs network policy and routes on each\n # host.\n - name: calico-node\n image: {{.NodeImage}}\n env:\n # Use Kubernetes API as the backing datastore.\n - name: DATASTORE_TYPE\n value: \"kubernetes\"\n # Wait for the datastore.\n - name: WAIT_FOR_DATASTORE\n value: \"true\"\n # Set based on the k8s node name.\n - name: NODENAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n # Choose the backend to use.\n - name: CALICO_NETWORKING_BACKEND\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: calico_backend\n # Cluster type to identify the deployment type\n - name: CLUSTER_TYPE\n value: \"k8s,bgp\"\n # Auto-detect the BGP IP address.\n - name: IP\n value: \"autodetect\"\n # Enable IPIP\n - name: CALICO_IPV4POOL_IPIP\n value: \"Always\"\n # Set MTU for tunnel device used if ipip is enabled\n - name: FELIX_IPINIPMTU\n valueFrom:\n configMapKeyRef:\n name: calico-config\n key: veth_mtu\n # The default IPv4 pool to create on startup if none exists. Pod IPs will be\n # chosen from this range. Changing this value after installation will have\n # no effect. 
This should fall within --cluster-cidr.\n - name: CALICO_IPV4POOL_CIDR\n value: \"{{.ClusterCIDR}}\"\n # Disable file logging so kubectl logs works.\n - name: CALICO_DISABLE_FILE_LOGGING\n value: \"true\"\n # Set Felix endpoint to host default action to ACCEPT.\n - name: FELIX_DEFAULTENDPOINTTOHOSTACTION\n value: \"ACCEPT\"\n # Disable IPv6 on Kubernetes.\n - name: FELIX_IPV6SUPPORT\n value: \"false\"\n # Set Felix logging to \"info\"\n - name: FELIX_LOGSEVERITYSCREEN\n value: \"info\"\n - name: FELIX_HEALTHENABLED\n value: \"true\"\n securityContext:\n privileged: true\n resources:\n requests:\n cpu: 250m\n livenessProbe:\n exec:\n command:\n - /bin/calico-node\n - -felix-live\n - -bird-live\n periodSeconds: 10\n initialDelaySeconds: 10\n failureThreshold: 6\n readinessProbe:\n exec:\n command:\n - /bin/calico-node\n - -felix-ready\n - -bird-ready\n periodSeconds: 10\n volumeMounts:\n - mountPath: /lib/modules\n name: lib-modules\n readOnly: true\n - mountPath: /run/xtables.lock\n name: xtables-lock\n readOnly: false\n - mountPath: /var/run/calico\n name: var-run-calico\n readOnly: false\n - mountPath: /var/lib/calico\n name: var-lib-calico\n readOnly: false\n - name: policysync\n mountPath: /var/run/nodeagent\n volumes:\n # Used by calico-node.\n - name: lib-modules\n hostPath:\n path: /lib/modules\n - name: var-run-calico\n hostPath:\n path: /var/run/calico\n - name: var-lib-calico\n hostPath:\n path: /var/lib/calico\n - name: xtables-lock\n hostPath:\n path: /run/xtables.lock\n type: FileOrCreate\n # Used to install CNI.\n - name: cni-bin-dir\n hostPath:\n path: /opt/cni/bin\n - name: cni-net-dir\n hostPath:\n path: /etc/cni/net.d\n # Mount in the directory for host-local IPAM allocations. 
This is\n # used when upgrading from host-local to calico-ipam, and can be removed\n # if not using the upgrade-ipam init container.\n - name: host-local-net-dir\n hostPath:\n path: /var/lib/cni/networks\n # Used to create per-pod Unix Domain Sockets\n - name: policysync\n hostPath:\n type: DirectoryOrCreate\n path: /var/run/nodeagent\n # Used to install Flex Volume Driver\n - name: flexvol-driver-host\n hostPath:\n type: DirectoryOrCreate\n{{- if .FlexVolPluginDir }}\n path: {{.FlexVolPluginDir}}\n{{- else }}\n path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds\n{{- end }}\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: calico-kube-controllers\n namespace: kube-system\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: calico-node\n namespace: kube-system\n---\n# Source: calico/templates/calico-kube-controllers.yaml\n# See https://github.com/projectcalico/kube-controllers\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: calico-kube-controllers\n namespace: kube-system\n labels:\n k8s-app: calico-kube-controllers\nspec:\n # The controllers can only have a single active instance.\n replicas: 1\n selector:\n matchLabels:\n k8s-app: calico-kube-controllers\n strategy:\n type: Recreate\n template:\n metadata:\n name: calico-kube-controllers\n namespace: kube-system\n labels:\n k8s-app: calico-kube-controllers\n annotations:\n scheduler.alpha.kubernetes.io/critical-pod: ''\n spec:\n nodeSelector:\n kubernetes.io/os: linux\n tolerations:\n # Make sure calico-node gets scheduled on all nodes.\n - effect: NoSchedule\n operator: Exists\n # Mark the pod as a critical add-on for rescheduling.\n - key: CriticalAddonsOnly\n operator: Exists\n - effect: NoExecute\n operator: Exists\n{{if eq .RBACConfig \"rbac\"}}\n serviceAccountName: calico-kube-controllers\n{{end}}\n priorityClassName: system-cluster-critical\n containers:\n - name: calico-kube-controllers\n image: {{.ControllersImage}}\n env:\n # Choose which controllers 
to run.\n - name: ENABLED_CONTROLLERS\n value: node\n - name: DATASTORE_TYPE\n value: kubernetes\n readinessProbe:\n exec:\n command:\n - /usr/bin/check-status\n - -r\n",