Commit
Update docs for 3.29
tomastigera committed Sep 18, 2024
1 parent 36d2b77 commit b6fb080
Showing 2 changed files with 12 additions and 3 deletions.
10 changes: 7 additions & 3 deletions calico/reference/felix/configuration.mdx
Expand Up @@ -104,9 +104,7 @@ The full list of parameters which can be set is as follows.

#### Feature Gates

* `BPFConnectTimeLoadBalancingWorkaround` - Use when connect-time loadbalancer (CTLB) is turned off or if you want to turn it off for UDP only. When CTLB is turned off, host networked processes cannot always reach services. This workaround makes sure that they can. When CTLB is turned on, UDP clients may get stuck sending traffic to endpoint that does not exist anymore. So CTLB needs to be turned off sometimes.
* `enabled` - when CTLB is turned off make sure that services are always accessible.
* `udp` - turns off CTLB for UDP only and makes sure that services are always accessible. Preferred setting to make sure that DNS works.
There are currently no feature gates.

### Go runtime configuration

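Review bot: the three removed `BPFConnectTimeLoadBalancingWorkaround` lines were the only place that documented the `enabled` and `udp` settings for keeping services reachable from host-networked processes when CTLB is off, and the replacement line "There are currently no feature gates." gives a reader who had that gate set no pointer to where the behaviour now lives. Add one sentence under the heading that either names the 3.29 setting that replaces the workaround or states that it is no longer needed, so the section does not read as if the capability was silently dropped.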
Expand Down Expand Up @@ -179,6 +177,8 @@ See the [HOWTO guide](../../operations/ebpf/enabling-ebpf.mdx) for step-by step
| BPFEnabled / <br/> FELIX_BPFENABLED | Enable eBPF dataplane mode. eBPF mode has a number of limitations, see the [HOWTO guide](../../operations/ebpf/enabling-ebpf.mdx). | true, false | false |
| BPFDisableUnprivileged / <br/> FELIX_BPFDISABLEUNPRIVILEGED | If true, Felix sets the kernel.unprivileged_bpf_disabled sysctl to disable unprivileged use of BPF. This ensures that unprivileged users cannot access Calico's BPF maps and cannot insert their own BPF programs to interfere with the ones that {{prodname}} installs. | true, false | true |
| BPFLogLevel / <br/> FELIX_BPFLOGLEVEL | The log level used by the BPF programs. The logs are emitted to the BPF trace pipe, accessible with the command `tc exec BPF debug`. | Off,Info,Debug | Off |
| BPFLogFilters / <br/> FELIX_ BPFLOGFILTERS | It is a map of key=values where the value is a pcap filter expression and the key is an interface name. Special values of 'all' denotes all interfaces, 'weps' all workload endpoints and 'heps' all host endpoints. When specified as an env var, it accepts a comma-separated list of key=values. It is unset by default which means all debug logs are emitted when BPFLogLevel is Debug. | string | "" |
| BPFCTLBLogFilter / <br/> FELIX_BPFCTLBLOGFILTER | Specifies, what is logged by connect time load balancer (CTLB) when BPFLogLevel is debug and BPFLogFilters is set. Must be set to 'all' to see CTLB logs. | string | "" |
| BPFDataIfacePattern / <br/> FELIX_BPFDATAIFACEPATTERN | Controls which interfaces Felix should attach BPF programs to catch traffic to/from the external network. This needs to match the interfaces that Calico workload traffic flows over as well as any interfaces that handle incoming traffic to NodePorts and services from outside the cluster. It should not match the workload interfaces (usually named cali...).. | regular expression | ^((en&#124;wl&#124;ww&#124;sl&#124;ib) [Popsvx]&#46;&#124;&#42; &#124;(eth &#124;wlan &#124;wwan)&#46;&#124;&#42;&#124;tunl0$ &#124; vxlan.calico$ &#124; wireguard.cali$ &#124; wg-v6.cali$) |
| BPFL3IfacePattern / <br/> FELIX_BPFL3IFACEPATTERN | Allows to list tunnel devices like wireguard or vxlan (i.e., L3 devices) in addition to BPFDataIfacePattern. That is, tunnel interfaces not created by Calico, that Calico workload traffic flows over as well as any interfaces that handle incoming traffic to nodeports and services from outside the cluster. | regular expression | "" |
| BPFConnectTimeLoadBalancingEnabled / <br/> FELIX_BPFCONNECTTIMELOADBALANCINGENABLED | Controls whether Felix installs the connect-time load balancer. In the current release, the connect-time load balancer is required for the host to reach kubernetes services. | true,false | true |
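Review bot: the new `BPFLogFilters` row has a stray space in the environment-variable name (`FELIX_ BPFLOGFILTERS`), which will not work if copied from the docs; it should read `FELIX_BPFLOGFILTERS`. In the same row, "Special values of 'all' denotes all interfaces" should be "The special values 'all', 'weps' and 'heps' denote all interfaces, all workload endpoints and all host endpoints respectively", and the type column says `string` although the description calls it a map of key=values. In the new `BPFCTLBLogFilter` row, "Specifies, what is logged" has a stray comma and "debug" should be capitalised as `Debug` to match the `BPFLogLevel` values listed two rows above.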
Expand All @@ -199,6 +199,10 @@ See the [HOWTO guide](../../operations/ebpf/enabling-ebpf.mdx) for step-by step
| BPFMapSizeRoute / <br/> FELIX_BPFMapSizeRoute | Controls the size of the route map. The routes map should be large enough to hold one entry per workload and a handful of entries per host (enough to cover its own IPs and tunnel IPs). | int | 262144 |
| BPFHostConntrackBypass / <br/> FELIX_BPFHostConntrackBypass | Controls whether to bypass Linux conntrack in BPF mode for workloads and services. | true,false | true |
| BPFPolicyDebugEnabled / <br/> FELIX_BPFPOLICYDEBUGENABLED | In eBPF dataplane mode, Felix records detailed information about the BPF policy programs, which can be examined with the calico-bpf command-line tool. | true, false | true |
| BPFForceTrackPacketsFromIfaces / <br/> FELIX_BPFFORCETRACKPACKETSFROMIFACES | In BPF mode, forces traffic from these interfaces to skip Calico's iptables NOTRACK rule, allowing traffic from those interfaces to be tracked by Linux conntrack. Should only be used for interfaces that are not used for the Calico fabric. For example, a docker bridge device for non-Calico-networked containers. [Default: docker+] | string | "docker+" |
| BPFDisableGROForIfaces / <br/> FELIX_BPFDISABLEGROFORIFACES | A regular expression that controls which interfaces Felix should disable the Generic Receive Offload [GRO] option. It should not match the workload interfaces (usually named cali...). | string | "" |
| BPFExcludeCIDRsFromNAT / <br/> FELIX_BPFEXCLUDECIDRSFROMNATIS | A list of CIDRs that are to be excluded from NAT resolution so that host can handle them. A typical usecase is node local DNS cache. Set it to your kube-dns service IP if you want to use node local DNS cache. | string | "" |
| BPFRedirectToPeer <br/> FELIX_BPFREDIRECTTOPEER | Controls whether it is allowed to forward straight to the peer side of the workload devicesi which makes ingress into the workloads from outside the node faster. It is enabled for any host L2 devices by default (L2Only), but it breaks TCP dump on the host side of workload device as it bypasses it on ingress. iSet it to Disable to make tcpdump work as expected. Value of Enabled also allows redirection from L3 host devices like IPIP tunnel or Wireguard directly to the peer side of the workload's device. However, it breaks tools like tcpdump on the peer side. Use Enabled with caution. | string | "L2Only" |

### Kubernetes-specific configuration

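Review bot: two of the four new rows have identifier problems. `BPFExcludeCIDRsFromNAT` gives its environment variable as `FELIX_BPFEXCLUDECIDRSFROMNATIS`; the trailing `IS` corresponds to nothing in the setting name and should be checked against what Felix actually reads. `BPFRedirectToPeer` is missing the ` / ` separator before `FELIX_BPFREDIRECTTOPEER` that every other row uses, and its description has "devicesi" for "devices", "iSet" for "Set" and "TCP dump" for "tcpdump". Smaller points: "[Default: docker+]" in the `BPFForceTrackPacketsFromIfaces` description duplicates the Default column, "usecase" should be "use case", and "so that host can handle them" is missing "the".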
calico_versioned_docs/version-3.28/reference/felix/configuration.mdx
Expand Up @@ -167,6 +167,8 @@ See the [HOWTO guide](../../operations/ebpf/enabling-ebpf.mdx) for step-by step
| BPFEnabled / <br/> FELIX_BPFENABLED | Enable eBPF dataplane mode. eBPF mode has a number of limitations, see the [HOWTO guide](../../operations/ebpf/enabling-ebpf.mdx). | true, false | false |
| BPFDisableUnprivileged / <br/> FELIX_BPFDISABLEUNPRIVILEGED | If true, Felix sets the kernel.unprivileged_bpf_disabled sysctl to disable unprivileged use of BPF. This ensures that unprivileged users cannot access Calico's BPF maps and cannot insert their own BPF programs to interfere with the ones that {{prodname}} installs. | true, false | true |
| BPFLogLevel / <br/> FELIX_BPFLOGLEVEL | The log level used by the BPF programs. The logs are emitted to the BPF trace pipe, accessible with the command `tc exec BPF debug`. | Off,Info,Debug | Off |
| BPFLogFilters / <br/> FELIX_ BPFLOGFILTERS | It is a map of key=values where the value is a pcap filter expression and the key is an interface name. Special values of 'all' denotes all interfaces, 'weps' all workload endpoints and 'heps' all host endpoints. When specified as an env var, it accepts a comma-separated list of key=values. It is unset by default which means all debug logs are emitted when BPFLogLevel is Debug. | string | "" |
| BPFCTLBLogFilter / <br/> FELIX_BPFCTLBLOGFILTER | Specifies, what is logged by connect time load balancer (CTLB) when BPFLogLevel is debug and BPFLogFilters is set. Must be set to 'all' to see CTLB logs. | string | "" |
| BPFDataIfacePattern / <br/> FELIX_BPFDATAIFACEPATTERN | Controls which interfaces Felix should attach BPF programs to catch traffic to/from the external network. This needs to match the interfaces that Calico workload traffic flows over as well as any interfaces that handle incoming traffic to NodePorts and services from outside the cluster. It should not match the workload interfaces (usually named cali...).. | regular expression | ^((en&#124;wl&#124;ww&#124;sl&#124;ib) [Popsvx]&#46;&#124;&#42; &#124;(eth &#124;wlan &#124;wwan)&#46;&#124;&#42;&#124;tunl0$ &#124; vxlan.calico$ &#124; wireguard.cali$ &#124; wg-v6.cali$) |
| BPFL3IfacePattern / <br/> FELIX_BPFL3IFACEPATTERN | Allows to list tunnel devices like wireguard or vxlan (i.e., L3 devices) in addition to BPFDataIfacePattern. That is, tunnel interfaces not created by Calico, that Calico workload traffic flows over as well as any interfaces that handle incoming traffic to nodeports and services from outside the cluster. | regular expression | "" |
| BPFConnectTimeLoadBalancingEnabled / <br/> FELIX_BPFCONNECTTIMELOADBALANCINGENABLED | Controls whether Felix installs the connect-time load balancer. In the current release, the connect-time load balancer is required for the host to reach kubernetes services. | true,false | true |
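Review bot: this backport carries the same defects as the 3.29 copy of the hunk: the stray space in `FELIX_ BPFLOGFILTERS`, the "Special values of 'all' denotes" grammar, and the stray comma plus lowercase "debug" in the `BPFCTLBLogFilter` row. Fix both files in the same commit so the versioned docs do not diverge from the current ones.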
Expand All @@ -187,6 +189,9 @@ See the [HOWTO guide](../../operations/ebpf/enabling-ebpf.mdx) for step-by step
| BPFMapSizeRoute / <br/> FELIX_BPFMapSizeRoute | Controls the size of the route map. The routes map should be large enough to hold one entry per workload and a handful of entries per host (enough to cover its own IPs and tunnel IPs). | int | 262144 |
| BPFHostConntrackBypass / <br/> FELIX_BPFHostConntrackBypass | Controls whether to bypass Linux conntrack in BPF mode for workloads and services. | true,false | true |
| BPFPolicyDebugEnabled / <br/> FELIX_BPFPOLICYDEBUGENABLED | In eBPF dataplane mode, Felix records detailed information about the BPF policy programs, which can be examined with the calico-bpf command-line tool. | true, false | true |
| BPFForceTrackPacketsFromIfaces / <br/> FELIX_BPFFORCETRACKPACKETSFROMIFACES | In BPF mode, forces traffic from these interfaces to skip Calico's iptables NOTRACK rule, allowing traffic from those interfaces to be tracked by Linux conntrack. Should only be used for interfaces that are not used for the Calico fabric. For example, a docker bridge device for non-Calico-networked containers. [Default: docker+] | string | "docker+" |
| BPFDisableGROForIfaces / <br/> FELIX_BPFDISABLEGROFORIFACES | A regular expression that controls which interfaces Felix should disable the Generic Receive Offload [GRO] option. It should not match the workload interfaces (usually named cali...). | string | "" |
| BPFExcludeCIDRsFromNAT / <br/> FELIX_BPFEXCLUDECIDRSFROMNATIS | A list of CIDRs that are to be excluded from NAT resolution so that host can handle them. A typical usecase is node local DNS cache. Set it to your kube-dns service IP if you want to use node local DNS cache. | string | "" |

### Kubernetes-specific configuration

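Review bot: the three rows added here repeat the issues from the 3.29 file, most importantly the `FELIX_BPFEXCLUDECIDRSFROMNATIS` suffix, which should be verified before it is published in a versioned reference; "usecase", "so that host" and the redundant "[Default: docker+]" apply here too. The `BPFRedirectToPeer` row is not backported to 3.28, which is correct if that setting is new in 3.29, but worth confirming since the commit message only says "Update docs for 3.29".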

0 comments on commit b6fb080