Update Calico config for eBPF mode

k8s/crds/kops.k8s.io_clusters.yaml

@@ -2144,6 +2144,9 @@ spec:
                       bpfExternalServiceMode:
                         description: 'BPFExternalServiceMode controls how traffic from outside the cluster to NodePorts and ClusterIPs is handled. In Tunnel mode, packet is tunneled from the ingress host to the host with the backing pod and back again. In DSR mode, traffic is tunneled to the host with the backing pod and then returned directly; this requires a network that allows direct return. Default: Tunnel (other options: DSR)'
                         type: string
+                      bpfKubeProxyIptablesCleanupEnabled:
+                        description: BPFKubeProxyIptablesCleanupEnabled controls whether Felix will clean up the iptables rules created by the Kubernetes kube-proxy; should only be enabled if kube-proxy is not running.
+                        type: boolean
                       bpfLogLevel:
                         description: 'BPFLogLevel controls the log level used by the BPF programs. The logs are emitted to the BPF trace pipe, accessible with the command tc exec BPF debug. Default: Off (other options: Info, Debug)'
                         type: string

pkg/apis/kops/networking.go

@@ -108,6 +108,9 @@ type CalicoNetworkingSpec struct {
 	// this requires a network that allows direct return.
 	// Default: Tunnel (other options: DSR)
 	BPFExternalServiceMode string `json:"bpfExternalServiceMode,omitempty"`
+	// BPFKubeProxyIptablesCleanupEnabled controls whether Felix will clean up the iptables rules
+	// created by the Kubernetes kube-proxy; should only be enabled if kube-proxy is not running.
+	BPFKubeProxyIptablesCleanupEnabled bool `json:"bpfKubeProxyIptablesCleanupEnabled,omitempty"`
 	// BPFLogLevel controls the log level used by the BPF programs. The logs are emitted
 	// to the BPF trace pipe, accessible with the command tc exec BPF debug.
 	// Default: Off (other options: Info, Debug)

pkg/apis/kops/v1alpha2/networking.go

@@ -108,6 +108,9 @@ type CalicoNetworkingSpec struct {
 	// this requires a network that allows direct return.
 	// Default: Tunnel (other options: DSR)
 	BPFExternalServiceMode string `json:"bpfExternalServiceMode,omitempty"`
+	// BPFKubeProxyIptablesCleanupEnabled controls whether Felix will clean up the iptables rules
+	// created by the Kubernetes kube-proxy; should only be enabled if kube-proxy is not running.
+	BPFKubeProxyIptablesCleanupEnabled bool `json:"bpfKubeProxyIptablesCleanupEnabled,omitempty"`
 	// BPFLogLevel controls the log level used by the BPF programs. The logs are emitted
 	// to the BPF trace pipe, accessible with the command tc exec BPF debug.
 	// Default: Off (other options: Info, Debug)

upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template

@@ -1,6 +1,18 @@
-# Pulled and modified from:
-#   https://docs.projectcalico.org/v3.16/manifests/calico-bpf.yaml
-#   https://docs.projectcalico.org/v3.16/manifests/calico-typha.yaml
+# Pulled and modified from: https://docs.projectcalico.org/v3.16/manifests/calico-typha.yaml
+
+{{- if .Networking.Calico.BPFEnabled }}
+---
+# Set these to the IP and port of your API server; In BPF mode, we need to connect directly to the
+# API server because we take over kube-proxy's role.
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: kubernetes-services-endpoint
+  namespace: kube-system
+data:
+  KUBERNETES_SERVICE_HOST: "{{ .MasterInternalName }}"
+  KUBERNETES_SERVICE_PORT: "443"
+{{- end }}
 
 ---
 # Source: calico/templates/calico-config.yaml
@@ -13,12 +25,6 @@ metadata:
   labels:
     role.kubernetes.io/networking: "1"
 data:
-  {{- if .Networking.Calico.BPFEnabled }}
-  # Set these to the IP and port of your API server; In BPF mode, we need to connect directly to the
-  # API server because we take over kube-proxy's role.
-  kubernetes_service_host: "{{ .MasterInternalName }}"
-  kubernetes_service_port: "443"
-  {{- end }}
   # You must set a non-zero value for Typha replicas below.
   typha_service_name: "{{- if .Networking.Calico.TyphaReplicas -}}calico-typha{{- else -}}none{{- end -}}"
   # Configure the backend to use.
@@ -3417,14 +3423,6 @@ rules:
       - namespaces
     verbs:
       - get
-  - apiGroups: [""]
-    resources:
-      - secrets
-    verbs:
-      # Needed when configuring bgp password in bgppeer
-      - watch
-      - list
-      - get
   - apiGroups: [""]
     resources:
       - endpoints
@@ -3641,7 +3639,7 @@ spec:
       securityContext:
         fsGroup: 65534
       containers:
-      - image: calico/typha:v3.16.3
+      - image: calico/typha:v3.16.4
         name: calico-typha
         ports:
         - containerPort: 5473
@@ -3758,27 +3756,14 @@ spec:
         # It can be deleted if this is a fresh installation, or if you have already
         # upgraded to use calico-ipam.
         - name: upgrade-ipam
-          image: calico/cni:v3.16.3
+          image: calico/cni:v3.16.4
           command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
           envFrom:
           - configMapRef:
               # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
               name: kubernetes-services-endpoint
               optional: true
           env:
-            {{- if .Networking.Calico.BPFEnabled }}
-            # Overrides for kubernetes API server host/port. Needed in BPF mode.
-            - name: KUBERNETES_SERVICE_HOST
-              valueFrom:
-                configMapKeyRef:
-                  name: calico-config
-                  key: kubernetes_service_host
-            - name: KUBERNETES_SERVICE_PORT
-              valueFrom:
-                configMapKeyRef:
-                  name: calico-config
-                  key: kubernetes_service_port
-            {{- end }}
             - name: KUBERNETES_NODE_NAME
               valueFrom:
                 fieldRef:
@@ -3798,27 +3783,14 @@ spec:
         # This container installs the CNI binaries
         # and CNI network config file on each node.
         - name: install-cni
-          image: calico/cni:v3.16.3
+          image: calico/cni:v3.16.4
           command: ["/opt/cni/bin/install"]
           envFrom:
           - configMapRef:
               # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
               name: kubernetes-services-endpoint
               optional: true
           env:
-            {{- if .Networking.Calico.BPFEnabled }}
-            # Overrides for kubernetes API server host/port. Needed in BPF mode.
-            - name: KUBERNETES_SERVICE_HOST
-              valueFrom:
-                configMapKeyRef:
-                  name: calico-config
-                  key: kubernetes_service_host
-            - name: KUBERNETES_SERVICE_PORT
-              valueFrom:
-                configMapKeyRef:
-                  name: calico-config
-                  key: kubernetes_service_port
-            {{- end }}
             # Name of the CNI config file to create.
             - name: CNI_CONF_NAME
               value: "10-calico.conflist"
@@ -3852,7 +3824,7 @@ spec:
         # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes
         # to communicate with Felix over the Policy Sync API.
         - name: flexvol-driver
-          image: calico/pod2daemon-flexvol:v3.16.3
+          image: calico/pod2daemon-flexvol:v3.16.4
           volumeMounts:
           - name: flexvol-driver-host
             mountPath: /host/driver
@@ -3863,26 +3835,13 @@ spec:
         # container programs network policy and routes on each
         # host.
         - name: calico-node
-          image: calico/node:v3.16.3
+          image: calico/node:v3.16.4
           envFrom:
           - configMapRef:
               # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
               name: kubernetes-services-endpoint
               optional: true
           env:
-            {{- if .Networking.Calico.BPFEnabled }}
-            # Overrides for kubernetes API server host/port. Needed in BPF mode.
-            - name: KUBERNETES_SERVICE_HOST
-              valueFrom:
-                configMapKeyRef:
-                  name: calico-config
-                  key: kubernetes_service_host
-            - name: KUBERNETES_SERVICE_PORT
-              valueFrom:
-                configMapKeyRef:
-                  name: calico-config
-                  key: kubernetes_service_port
-            {{- end }}
             # Use Kubernetes API as the backing datastore.
             - name: DATASTORE_TYPE
               value: "kubernetes"
@@ -3972,6 +3931,9 @@ spec:
             # Controls how traffic from outside the cluster to NodePorts and ClusterIPs is handled
             - name: FELIX_BPFEXTERNALSERVICEMODE
               value: "{{- or .Networking.Calico.BPFExternalServiceMode "Tunnel" }}"
+            # Controls whether Felix will clean up the iptables rules created by the Kubernetes kube-proxy
+            - name: FELIX_BPFKUBEPROXYIPTABLESCLEANUPENABLED
+              value: "{{- .Networking.Calico.BPFKubeProxyIptablesCleanupEnabled }}"
             # Controls the log level used by the BPF programs
             - name: FELIX_BPFLOGLEVEL
               value: "{{- or .Networking.Calico.BPFLogLevel "Off" }}"
@@ -4130,7 +4092,7 @@ spec:
       priorityClassName: system-cluster-critical
       containers:
         - name: calico-kube-controllers
-          image: calico/kube-controllers:v3.16.3
+          image: calico/kube-controllers:v3.16.4
           env:
             # Choose which controllers to run.
             - name: ENABLED_CONTROLLERS