diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go
index 991944ed7b501..aa4c0b3a15b9b 100644
--- a/pkg/model/iam/iam_builder.go
+++ b/pkg/model/iam/iam_builder.go
@@ -275,7 +275,7 @@ func (r *NodeRoleMaster) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
 		addCiliumEniPermissions(p, resource, b.Cluster.Spec.IAM.Legacy)
 	}
 
-	if b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.Calico != nil && b.Cluster.Spec.Networking.Calico.AwsSrcDstCheck != "" {
+	if b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.Calico != nil && (b.Cluster.Spec.Networking.Calico.CrossSubnet || b.Cluster.Spec.Networking.Calico.AwsSrcDstCheck != "") {
 		addCalicoSrcDstCheckPermissions(p)
 	}
 
@@ -314,7 +314,7 @@ func (r *NodeRoleNode) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
 		addLyftVPCPermissions(p, resource, b.Cluster.Spec.IAM.Legacy, b.Cluster.GetName())
 	}
 
-	if b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.Calico != nil && b.Cluster.Spec.Networking.Calico.AwsSrcDstCheck != "" {
+	if b.Cluster.Spec.Networking != nil && b.Cluster.Spec.Networking.Calico != nil && (b.Cluster.Spec.Networking.Calico.CrossSubnet || b.Cluster.Spec.Networking.Calico.AwsSrcDstCheck != "") {
 		addCalicoSrcDstCheckPermissions(p)
 	}
 
diff --git a/upup/models/bindata.go b/upup/models/bindata.go
index 37dd89655deb3..d19a08d6c1d4d 100644
--- a/upup/models/bindata.go
+++ b/upup/models/bindata.go
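Review bot: The widened predicate on the `+` line now attaches the Calico src/dst-check IAM permissions whenever `CrossSubnet` is set, even when `AwsSrcDstCheck` is empty, and nothing on the line records why the two settings should be treated alike (presumably cross-subnet mode also has to change the EC2 source/destination check, but that is not visible here). A short comment above the `if`, such as `// CrossSubnet mode needs the same EC2 src/dst-check permissions as an explicit AwsSrcDstCheck setting.`, would make the broader grant deliberate rather than accidental. The same three-clause expression is duplicated verbatim in `NodeRoleMaster.BuildAWSPolicy` and `NodeRoleNode.BuildAWSPolicy` (the second hunk on this line), so a single small helper that takes the cluster spec and returns the boolean would keep the two roles from drifting the next time the rule changes. Both methods start and end outside these hunks.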
@@ -9422,6 +9422,29 @@ spec: description: Selector for the nodes that should have this peering. When this is set, the Node field must be empty. type: string + password: + description: Optional BGP password for the peerings generated by this + BGPPeer resource. + properties: + secretKeyRef: + description: Selects a key of a secret in the node pod's namespace. + properties: + key: + description: The key of the secret to select from. Must be + a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must be + defined + type: boolean + required: + - key + type: object + type: object peerIP: description: The IP address of the peer followed by an optional port number to peer with. If port number is given, format should be ` + "`" + `[]:port` + "`" + ` @@ -9629,6 +9652,16 @@ spec: spec: description: FelixConfigurationSpec contains the values of the Felix configuration. properties: + allowIPIPPacketsFromWorkloads: + description: 'AllowIPIPPacketsFromWorkloads controls whether Felix + will add a rule to drop IPIP encapsulated traffic from workloads + [Default: false]' + type: boolean + allowVXLANPacketsFromWorkloads: + description: 'AllowVXLANPacketsFromWorkloads controls whether Felix + will add a rule to drop VXLAN encapsulated traffic from workloads + [Default: false]' + type: boolean awsSrcDstCheck: description: 'Set source-destination-check on AWS EC2 instances. Accepted value must be one of "DoNothing", "Enabled" or "Disabled". [Default: @@ -12539,6 +12572,14 @@ rules: - namespaces verbs: - get + - apiGroups: [""] + resources: + - secrets + verbs: + # Needed when configuring bgp password in bgppeer + - watch + - list + - get - apiGroups: [""] resources: - endpoints 
@@ -12755,7 +12796,7 @@ spec: securityContext: fsGroup: 65534 containers: - - image: calico/typha:v3.16.1 + - image: calico/typha:v3.16.3 name: calico-typha ports: - containerPort: 5473 @@ -12872,7 +12913,7 @@ spec: # It can be deleted if this is a fresh installation, or if you have already # upgraded to use calico-ipam. - name: upgrade-ipam - image: calico/cni:v3.16.1 + image: calico/cni:v3.16.3 command: ["/opt/cni/bin/calico-ipam", "-upgrade"] envFrom: - configMapRef: @@ -12899,7 +12940,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: calico/cni:v3.16.1 + image: calico/cni:v3.16.3 command: ["/opt/cni/bin/install"] envFrom: - configMapRef: @@ -12940,7 +12981,7 @@ spec: # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes # to communicate with Felix over the Policy Sync API. - name: flexvol-driver - image: calico/pod2daemon-flexvol:v3.16.1 + image: calico/pod2daemon-flexvol:v3.16.3 volumeMounts: - name: flexvol-driver-host mountPath: /host/driver @@ -12951,7 +12992,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: calico/node:v3.16.1 + image: calico/node:v3.16.3 envFrom: - configMapRef: # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. @@ -13193,7 +13234,7 @@ spec: priorityClassName: system-cluster-critical containers: - name: calico-kube-controllers - image: calico/kube-controllers:v3.16.1 + image: calico/kube-controllers:v3.16.3 env: # Choose which controllers to run. - name: ENABLED_CONTROLLERS diff --git a/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template b/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template index 2089bff2e200a..b7b9cc4c31e50 100644 --- a/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template 
+++ b/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template @@ -259,6 +259,29 @@ spec: description: Selector for the nodes that should have this peering. When this is set, the Node field must be empty. type: string + password: + description: Optional BGP password for the peerings generated by this + BGPPeer resource. + properties: + secretKeyRef: + description: Selects a key of a secret in the node pod's namespace. + properties: + key: + description: The key of the secret to select from. Must be + a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must be + defined + type: boolean + required: + - key + type: object + type: object peerIP: description: The IP address of the peer followed by an optional port number to peer with. If port number is given, format should be `[]:port` @@ -466,6 +489,16 @@ spec: spec: description: FelixConfigurationSpec contains the values of the Felix configuration. properties: + allowIPIPPacketsFromWorkloads: + description: 'AllowIPIPPacketsFromWorkloads controls whether Felix + will add a rule to drop IPIP encapsulated traffic from workloads + [Default: false]' + type: boolean + allowVXLANPacketsFromWorkloads: + description: 'AllowVXLANPacketsFromWorkloads controls whether Felix + will add a rule to drop VXLAN encapsulated traffic from workloads + [Default: false]' + type: boolean awsSrcDstCheck: description: 'Set source-destination-check on AWS EC2 instances. Accepted value must be one of "DoNothing", "Enabled" or "Disabled". [Default: 
@@ -3376,6 +3409,14 @@ rules: - namespaces verbs: - get + - apiGroups: [""] + resources: + - secrets + verbs: + # Needed when configuring bgp password in bgppeer + - watch + - list + - get - apiGroups: [""] resources: - endpoints @@ -3592,7 +3633,7 @@ spec: securityContext: fsGroup: 65534 containers: - - image: calico/typha:v3.16.1 + - image: calico/typha:v3.16.3 name: calico-typha ports: - containerPort: 5473 @@ -3709,7 +3750,7 @@ spec: # It can be deleted if this is a fresh installation, or if you have already # upgraded to use calico-ipam. - name: upgrade-ipam - image: calico/cni:v3.16.1 + image: calico/cni:v3.16.3 command: ["/opt/cni/bin/calico-ipam", "-upgrade"] envFrom: - configMapRef: @@ -3736,7 +3777,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: calico/cni:v3.16.1 + image: calico/cni:v3.16.3 command: ["/opt/cni/bin/install"] envFrom: - configMapRef: @@ -3777,7 +3818,7 @@ spec: # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes # to communicate with Felix over the Policy Sync API. - name: flexvol-driver - image: calico/pod2daemon-flexvol:v3.16.1 + image: calico/pod2daemon-flexvol:v3.16.3 volumeMounts: - name: flexvol-driver-host mountPath: /host/driver @@ -3788,7 +3829,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: calico/node:v3.16.1 + image: calico/node:v3.16.3 envFrom: - configMapRef: # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. @@ -4030,7 +4071,7 @@ spec: priorityClassName: system-cluster-critical containers: - name: calico-kube-controllers - image: calico/kube-controllers:v3.16.1 + image: calico/kube-controllers:v3.16.3 env: # Choose which controllers to run. - name: ENABLED_CONTROLLERS diff --git a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go index 9965b132f30e8..0eda37507ef11 100644 
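Review bot: The new rule in the `@@ -3376` hunk grants `watch`, `list` and `get` on `secrets` with no `resourceNames` restriction, and if this rule set is a ClusterRole (the enclosing `kind:` is outside the hunk, but it sits next to the cluster-wide `namespaces` rule) it is presumably bound to the calico-node DaemonSet's service account, giving every node a read of every Secret in the cluster. The BGPPeer schema added earlier in this file only selects `a secret in the node pod's namespace`, so a namespace-scoped Role and RoleBinding in the namespace calico-node runs in would cover the feature with far less blast radius. If the cluster-wide grant is kept to stay aligned with upstream, the comment should say what is being handed out, e.g. `# Needed when configuring bgp password in bgppeer; this is a cluster-wide read of all Secrets`. The same rule is added to the generated `bindata.go` copy of this template.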
--- a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
+++ b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
@@ -858,7 +858,7 @@ func (b *BootstrapChannelBuilder) buildAddons(c *fi.ModelBuilderContext) (*chann
 		"k8s-1.7":    "2.6.12-kops.1",
 		"k8s-1.7-v3": "3.8.0-kops.2",
 		"k8s-1.12":   "3.9.6-kops.1",
-		"k8s-1.16":   "3.16.1-kops.3",
+		"k8s-1.16":   "3.16.3-kops.1",
 	} {