[DOCS#2082] Documents configurations for CNI policy-setup timeouts #1373

Merged
merged 1 commit into from
Mar 15, 2024
46 changes: 46 additions & 0 deletions calico/reference/configure-cni-plugins.mdx
Expand Up @@ -248,6 +248,52 @@

When using `type: k8s`, the {{prodname}} CNI plugin requires read-only Kubernetes API access to the `Pods` resource in all namespaces.


### Enabling policy setup timeout

The `policy_setup_timeout_seconds` option makes the {{prodname}} CNI plugin wait to start a new pod until one of the following conditions occurs:

- The pod's policy has finished being programmed.
- A specified amount of time has elapsed.

By setting this option, you can avoid errors that can occur when a pod tries to start before the pod's policy is programmed.

Example CNI config:


```json
{
"name": "any_name",
"cniVersion": "0.1.0",
"type": "calico",
"ipam": {
"type": "calico-ipam",
"policy_setup_timeout_seconds": 10
}
}
```

The {{prodname}} CNI plugin uses {{prodname}}'s `endpoint-status` directory to determine when the dataplane has been programmed for a pod.

By default, the {{prodname}} CNI plugin will look for the directory at: `/var/run/calico/endpoint-status`.
To enable and adjust where {{prodname}} writes `endpoint-status`, the `endpointStatusPathPrefix` option must be configured for [Felix](./felix/configuration.mdx).

To adjust where the {{prodname}} CNI plugin looks for {{prodname}}'s `endpoint-status` directory, you must set the `endpoint_status_dir` option.

Example CNI config:


```json
{
"name": "any_name",
"cniVersion": "0.1.0",
"type": "calico",
"ipam": {
"type": "calico-ipam",
"policy_setup_timeout_seconds": 10,
"endpoint_status_dir": "/path/to/endpoint-status"
}
}
```


## IPAM

### Using host-local IPAM
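Review bot: The two example configs place `policy_setup_timeout_seconds` and `endpoint_status_dir` inside the `ipam` block next to `"type": "calico-ipam"`, but the prose describes both as options of the {{prodname}} CNI plugin itself, not of the IPAM plugin; please confirm which component reads them and, if it is the main plugin, move them to the top level of the config so readers do not copy a placement that is silently ignored. The section also leaves the two security-relevant details undocumented: what the plugin does when the timeout elapses before the policy is programmed (does the pod start anyway, or fail?) and what the default is when the option is unset (is the wait disabled, and does `0` mean "no wait"?). A sentence such as "If the timeout elapses first, the pod is started without waiting further" (or whatever the actual behaviour is) would make clear that a short timeout reintroduces the unprotected window the option is meant to close. Finally, it is worth stating explicitly that the default of `/var/run/calico/endpoint-status` only matches Felix when `endpointStatusPathPrefix` is `/var/run/calico`, since Felix creates the `endpoint-status` directory under that prefix and the feature is off entirely while the prefix is empty.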
1 change: 1 addition & 0 deletions calico/reference/felix/configuration.mdx
Expand Up @@ -52,6 +52,7 @@ The full list of parameters which can be set is as follows.
| `DisableConntrackInvalidCheck` | `FELIX_DISABLECONNTRACKINVALIDCHECK` | Disable the dropping of packets that aren't either a valid handshake or part of an established connection. [Default: `false`] | boolean |
| `EndpointReportingDelaySecs` | `FELIX_ENDPOINTREPORTINGDELAYSECS` | Set the endpoint reporting delay between status check intervals, in seconds. Only used if endpoint reporting is enabled. [Default: `1`] | int |
| `EndpointReportingEnabled` | `FELIX_ENDPOINTREPORTINGENABLED` | Enable the endpoint status reporter. [Default: `false`] | boolean |
| `EndpointStatusPathPrefix` | `FELIX_ENDPOINTSTATUSPATHPREFIX` | Path to the directory where Felix should create the `endpoint-status` directory. Choosing a mounted volume such as `/var/run/calico` is recommended as the directory can then be monitored by host processes such as the Calico CNI. Leaving this field empty disables endpoint-status files. [Default: ""] | string |
| `ExternalNodesCIDRList` | `FELIX_EXTERNALNODESCIDRLIST` | Comma-delimited list of IPv4 or CIDR of external-non-calico-nodes from which IPIP traffic is accepted by calico-nodes. [Default: ""] | string |
| `FailsafeInboundHostPorts` | `FELIX_FAILSAFEINBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value `none`. The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: `tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string |
| `FailsafeOutboundHostPorts` | `FELIX_FAILSAFEOUTBOUNDHOSTPORTS` | Comma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to "tcp". If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value `none`. The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. [Default: `udp:53, udp:67, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667`] | string |
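Review bot: The new `EndpointStatusPathPrefix` row uses the literal product name ("the Calico CNI") while the rest of this change and the surrounding docs use the `{{prodname}}` placeholder; please switch to `{{prodname}} CNI` for consistency with the other files in this PR. It would also help to say that the path is interpreted inside the calico-node container, so the "mounted volume" advice is read as a requirement for the host-side CNI plugin to see the files rather than as an optional tip, and that leaving it empty means the CNI plugin's `policy_setup_timeout_seconds` wait can never be satisfied by Felix.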
1 change: 1 addition & 0 deletions calico/reference/resources/felixconfig.mdx
Expand Up @@ -44,6 +44,7 @@ spec:
| deviceRouteSourceAddress | IPv4 address to set as the source hint for routes programmed by Felix. When not set the source address for local traffic from host to workload will be determined by the kernel. | IPv4 | string | `""` |
| deviceRouteSourceAddressIPv6 | IPv6 address to set as the source hint for routes programmed by Felix. When not set the source address for local traffic from host to workload will be determined by the kernel. | IPv6 | string | `""` |
| deviceRouteProtocol | This defines the route protocol added to programmed device routes. | Protocol | int | RTPROT_BOOT |
| endpointStatusPathPrefix | Path to the directory where Felix should create the `endpoint-status` directory. Choosing a mounted volume such as `/var/run/calico` is recommended as the directory can then be monitored by host processes such as the Calico CNI. Leaving this field empty disables endpoint-status files. | Any existing path in the calico-node container | string | `""`| | string |
| externalNodesCIDRList | A comma-delimited list of CIDRs of external non-calico nodes, which can source tunnel traffic for acceptance by calico-nodes. | IPv4 | string | `""` |
| failsafeInboundHostPorts | UDP/TCP/SCTP protocol/cidr/port groupings that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. The default value allows SSH access, etcd, BGP, DHCP and the Kubernetes API. | | List of [ProtoPort](#protoport) | <p><code>- protocol: tcp<br/>&nbsp;&nbsp;port: 22<br/>- protocol: udp<br/>&nbsp;&nbsp;port: 68<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 179<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 2379<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 2380<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 5473<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 6443<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 6666<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 6667</code></p> |
| failsafeOutboundHostPorts | UDP/TCP/SCTP protocol/port groupings that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. | | List of [ProtoPort](#protoport) | <p><code>- protocol: udp<br/>&nbsp;&nbsp;port: 53<br/>- protocol: udp<br/>&nbsp;&nbsp;port: 67<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 179<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 2379<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 2380<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 5473<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 6443<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 6666<br/>- protocol: tcp<br/>&nbsp;&nbsp;port: 6667</code></p> |
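Review bot: The new `endpointStatusPathPrefix` row has two extra cells at the end (`| `""`| | string |`), which breaks the five-column layout (name, description, accepted values, schema, default) used by every other row in this table; drop the trailing `| | string` so the row ends with `| string | `""` |`. As in the Felix configuration table, the description should use the `{{prodname}}` placeholder instead of "Calico CNI" to match the surrounding docs.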