From b6fb08099958137feeba3d1391395fad484ebb17 Mon Sep 17 00:00:00 2001 From: Tomas Hruby Date: Wed, 18 Sep 2024 10:33:38 -0700 Subject: [PATCH] Update docs for 3.29 --- calico/reference/felix/configuration.mdx | 10 +++++++--- .../version-3.28/reference/felix/configuration.mdx | 5 +++++ 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/calico/reference/felix/configuration.mdx b/calico/reference/felix/configuration.mdx index 9e797a7463..de67918d42 100644 --- a/calico/reference/felix/configuration.mdx +++ b/calico/reference/felix/configuration.mdx @@ -104,9 +104,7 @@ The full list of parameters which can be set is as follows. #### Feature Gates -* `BPFConnectTimeLoadBalancingWorkaround` - Use when connect-time loadbalancer (CTLB) is turned off or if you want to turn it off for UDP only. When CTLB is turned off, host networked processes cannot always reach services. This workaround makes sure that they can. When CTLB is turned on, UDP clients may get stuck sending traffic to endpoint that does not exist anymore. So CTLB needs to be turned off sometimes. - * `enabled` - when CTLB is turned off make sure that services are always accessible. - * `udp` - turns off CTLB for UDP only and makes sure that services are always accessible. Preferred setting to make sure that DNS works. +There are currently no feature gates. ### Go runtime configuration @@ -179,6 +177,8 @@ See the [HOWTO guide](../../operations/ebpf/enabling-ebpf.mdx) for step-by step | BPFEnabled /
FELIX_BPFENABLED | Enable eBPF dataplane mode. eBPF mode has a number of limitations, see the [HOWTO guide](../../operations/ebpf/enabling-ebpf.mdx). | true, false | false | | BPFDisableUnprivileged /
FELIX_BPFDISABLEUNPRIVILEGED | If true, Felix sets the kernel.unprivileged_bpf_disabled sysctl to disable unprivileged use of BPF. This ensures that unprivileged users cannot access Calico's BPF maps and cannot insert their own BPF programs to interfere with the ones that {{prodname}} installs. | true, false | true | | BPFLogLevel /
FELIX_BPFLOGLEVEL | The log level used by the BPF programs. The logs are emitted to the BPF trace pipe, accessible with the command `tc exec BPF debug`. | Off,Info,Debug | Off | +| BPFLogFilters /
FELIX_ BPFLOGFILTERS | It is a map of key=values where the value is a pcap filter expression and the key is an interface name. Special values of 'all' denotes all interfaces, 'weps' all workload endpoints and 'heps' all host endpoints. When specified as an env var, it accepts a comma-separated list of key=values. It is unset by default which means all debug logs are emitted when BPFLogLevel is Debug. | string | "" | +| BPFCTLBLogFilter /
FELIX_BPFCTLBLOGFILTER | Specifies, what is logged by connect time load balancer (CTLB) when BPFLogLevel is debug and BPFLogFilters is set. Must be set to 'all' to see CTLB logs. | string | "" | | BPFDataIfacePattern /
FELIX_BPFDATAIFACEPATTERN | Controls which interfaces Felix should attach BPF programs to catch traffic to/from the external network. This needs to match the interfaces that Calico workload traffic flows over as well as any interfaces that handle incoming traffic to NodePorts and services from outside the cluster. It should not match the workload interfaces (usually named cali...).. | regular expression | ^((en|wl|ww|sl|ib) [Popsvx].|* |(eth |wlan |wwan).|*|tunl0$ | vxlan.calico$ | wireguard.cali$ | wg-v6.cali$) | | BPFL3IfacePattern /
FELIX_BPFL3IFACEPATTERN | Allows to list tunnel devices like wireguard or vxlan (i.e., L3 devices) in addition to BPFDataIfacePattern. That is, tunnel interfaces not created by Calico, that Calico workload traffic flows over as well as any interfaces that handle incoming traffic to nodeports and services from outside the cluster. | regular expression | "" | | BPFConnectTimeLoadBalancingEnabled /
FELIX_BPFCONNECTTIMELOADBALANCINGENABLED | Controls whether Felix installs the connect-time load balancer. In the current release, the connect-time load balancer is required for the host to reach kubernetes services. | true,false | true | @@ -199,6 +199,10 @@ See the [HOWTO guide](../../operations/ebpf/enabling-ebpf.mdx) for step-by step | BPFMapSizeRoute /
FELIX_BPFMapSizeRoute | Controls the size of the route map. The routes map should be large enough to hold one entry per workload and a handful of entries per host (enough to cover its own IPs and tunnel IPs). | int | 262144 | | BPFHostConntrackBypass /
FELIX_BPFHostConntrackBypass | Controls whether to bypass Linux conntrack in BPF mode for workloads and services. | true,false | true | | BPFPolicyDebugEnabled /
FELIX_BPFPOLICYDEBUGENABLED | In eBPF dataplane mode, Felix records detailed information about the BPF policy programs, which can be examined with the calico-bpf command-line tool. | true, false | true | +| BPFForceTrackPacketsFromIfaces /
FELIX_BPFFORCETRACKPACKETSFROMIFACES | In BPF mode, forces traffic from these interfaces to skip Calico's iptables NOTRACK rule, allowing traffic from those interfaces to be tracked by Linux conntrack. Should only be used for interfaces that are not used for the Calico fabric. For example, a docker bridge device for non-Calico-networked containers. [Default: docker+] | string | "docker+" | +| BPFDisableGROForIfaces /
FELIX_BPFDISABLEGROFORIFACES | A regular expression that controls which interfaces Felix should disable the Generic Receive Offload [GRO] option. It should not match the workload interfaces (usually named cali...). | string | "" | +| BPFExcludeCIDRsFromNAT /
FELIX_BPFEXCLUDECIDRSFROMNATIS | A list of CIDRs that are to be excluded from NAT resolution so that host can handle them. A typical usecase is node local DNS cache. Set it to your kube-dns service IP if you want to use node local DNS cache. | string | "" | +| BPFRedirectToPeer
FELIX_BPFREDIRECTTOPEER | Controls whether it is allowed to forward straight to the peer side of the workload devicesi which makes ingress into the workloads from outside the node faster. It is enabled for any host L2 devices by default (L2Only), but it breaks TCP dump on the host side of workload device as it bypasses it on ingress. iSet it to Disable to make tcpdump work as expected. Value of Enabled also allows redirection from L3 host devices like IPIP tunnel or Wireguard directly to the peer side of the workload's device. However, it breaks tools like tcpdump on the peer side. Use Enabled with caution. | string | "L2Only" | ### Kubernetes-specific configuration diff --git a/calico_versioned_docs/version-3.28/reference/felix/configuration.mdx b/calico_versioned_docs/version-3.28/reference/felix/configuration.mdx index b8e2307985..718bcf3de1 100644 --- a/calico_versioned_docs/version-3.28/reference/felix/configuration.mdx +++ b/calico_versioned_docs/version-3.28/reference/felix/configuration.mdx @@ -167,6 +167,8 @@ See the [HOWTO guide](../../operations/ebpf/enabling-ebpf.mdx) for step-by step | BPFEnabled /
FELIX_BPFENABLED | Enable eBPF dataplane mode. eBPF mode has a number of limitations, see the [HOWTO guide](../../operations/ebpf/enabling-ebpf.mdx). | true, false | false | | BPFDisableUnprivileged /
FELIX_BPFDISABLEUNPRIVILEGED | If true, Felix sets the kernel.unprivileged_bpf_disabled sysctl to disable unprivileged use of BPF. This ensures that unprivileged users cannot access Calico's BPF maps and cannot insert their own BPF programs to interfere with the ones that {{prodname}} installs. | true, false | true | | BPFLogLevel /
FELIX_BPFLOGLEVEL | The log level used by the BPF programs. The logs are emitted to the BPF trace pipe, accessible with the command `tc exec BPF debug`. | Off,Info,Debug | Off | +| BPFLogFilters /
FELIX_ BPFLOGFILTERS | It is a map of key=values where the value is a pcap filter expression and the key is an interface name. Special values of 'all' denotes all interfaces, 'weps' all workload endpoints and 'heps' all host endpoints. When specified as an env var, it accepts a comma-separated list of key=values. It is unset by default which means all debug logs are emitted when BPFLogLevel is Debug. | string | "" | +| BPFCTLBLogFilter /
FELIX_BPFCTLBLOGFILTER | Specifies, what is logged by connect time load balancer (CTLB) when BPFLogLevel is debug and BPFLogFilters is set. Must be set to 'all' to see CTLB logs. | string | "" | | BPFDataIfacePattern /
FELIX_BPFDATAIFACEPATTERN | Controls which interfaces Felix should attach BPF programs to catch traffic to/from the external network. This needs to match the interfaces that Calico workload traffic flows over as well as any interfaces that handle incoming traffic to NodePorts and services from outside the cluster. It should not match the workload interfaces (usually named cali...).. | regular expression | ^((en|wl|ww|sl|ib) [Popsvx].|* |(eth |wlan |wwan).|*|tunl0$ | vxlan.calico$ | wireguard.cali$ | wg-v6.cali$) | | BPFL3IfacePattern /
FELIX_BPFL3IFACEPATTERN | Allows to list tunnel devices like wireguard or vxlan (i.e., L3 devices) in addition to BPFDataIfacePattern. That is, tunnel interfaces not created by Calico, that Calico workload traffic flows over as well as any interfaces that handle incoming traffic to nodeports and services from outside the cluster. | regular expression | "" | | BPFConnectTimeLoadBalancingEnabled /
FELIX_BPFCONNECTTIMELOADBALANCINGENABLED | Controls whether Felix installs the connect-time load balancer. In the current release, the connect-time load balancer is required for the host to reach kubernetes services. | true,false | true | @@ -187,6 +189,9 @@ See the [HOWTO guide](../../operations/ebpf/enabling-ebpf.mdx) for step-by step | BPFMapSizeRoute /
FELIX_BPFMapSizeRoute | Controls the size of the route map. The routes map should be large enough to hold one entry per workload and a handful of entries per host (enough to cover its own IPs and tunnel IPs). | int | 262144 | | BPFHostConntrackBypass /
FELIX_BPFHostConntrackBypass | Controls whether to bypass Linux conntrack in BPF mode for workloads and services. | true,false | true | | BPFPolicyDebugEnabled /
FELIX_BPFPOLICYDEBUGENABLED | In eBPF dataplane mode, Felix records detailed information about the BPF policy programs, which can be examined with the calico-bpf command-line tool. | true, false | true | +| BPFForceTrackPacketsFromIfaces /
FELIX_BPFFORCETRACKPACKETSFROMIFACES | In BPF mode, forces traffic from these interfaces to skip Calico's iptables NOTRACK rule, allowing traffic from those interfaces to be tracked by Linux conntrack. Should only be used for interfaces that are not used for the Calico fabric. For example, a docker bridge device for non-Calico-networked containers. [Default: docker+] | string | "docker+" | +| BPFDisableGROForIfaces /
FELIX_BPFDISABLEGROFORIFACES | A regular expression that controls which interfaces Felix should disable the Generic Receive Offload [GRO] option. It should not match the workload interfaces (usually named cali...). | string | "" | +| BPFExcludeCIDRsFromNAT /
FELIX_BPFEXCLUDECIDRSFROMNATIS | A list of CIDRs that are to be excluded from NAT resolution so that host can handle them. A typical usecase is node local DNS cache. Set it to your kube-dns service IP if you want to use node local DNS cache. | string | "" | ### Kubernetes-specific configuration
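Review bot: In the first hunk of `calico/reference/felix/configuration.mdx` (`@@ -104,9 +104,7 @@`), replacing the whole `BPFConnectTimeLoadBalancingWorkaround` entry with "There are currently no feature gates." drops the only documentation of how host-networked processes keep reaching services when CTLB is off, and of the `udp` variant recommended for DNS, without telling a 3.28 user who had this gate set what happens to it on upgrade. Suggest keeping a one-line removal notice under the heading, e.g. "`BPFConnectTimeLoadBalancingWorkaround` was removed in 3.29; see &lt;replacement setting&gt; for the UDP/host-networked cases", pointing at whichever setting now covers that behaviour, so the operational guidance is not silently lost.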
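Review bot: In the `@@ -179,6 +177,8 @@` hunk of `calico/reference/felix/configuration.mdx`, the environment variable name in the added `BPFLogFilters` row, `FELIX_ BPFLOGFILTERS`, has a stray space after the underscore; every other row uses the unbroken `FELIX_<NAME>` form, and an operator copying this value into a pod spec would get a variable that Felix never reads. It should read `FELIX_BPFLOGFILTERS`. Smaller wording points in the same two rows: "Special values of 'all' denotes" should be "The special key 'all' denotes", "Specifies, what is logged" should drop the comma, and since `BPFCTLBLogFilter` states that it "Must be set to 'all' to see CTLB logs", the values column should list `all` rather than the generic `string`, matching how `BPFLogLevel` enumerates `Off,Info,Debug`.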
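Review bot: The `@@ -199,6 +199,10 @@` hunk of `calico/reference/felix/configuration.mdx` has two naming defects that will mislead anyone configuring Felix through the environment. First, `FELIX_BPFEXCLUDECIDRSFROMNATIS` carries a trailing `IS` that does not correspond to the setting name `BPFExcludeCIDRsFromNAT`; by the convention of every other row it should be `FELIX_BPFEXCLUDECIDRSFROMNAT`. Second, the `BPFRedirectToPeer` row is missing the ` /` separator before `<br/>` that the other rows use, so the table cell will render differently. In the descriptions: "devicesi" should be "devices", "iSet" should be "Set", "TCP dump" should be "tcpdump", and `BPFRedirectToPeer` names its values as "Disable", "L2Only" and "Enabled" in the text but gives the type as `string`; list the accepted values consistently (for example `Disabled, L2Only, Enabled`) in the values column. `BPFForceTrackPacketsFromIfaces` repeats "[Default: docker+]" inside the description although the table has a default column; drop it, and say whether the value uses iptables interface wildcard syntax (the trailing `+`), since the default suggests it does. `BPFDisableGROForIfaces` is described as a regular expression but typed `string`; use `regular expression` as `BPFDataIfacePattern` does, and reword "controls which interfaces Felix should disable the Generic Receive Offload [GRO] option" to "controls the interfaces on which Felix disables Generic Receive Offload (GRO)".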
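Review bot: In the `@@ -167,6 +167,8 @@` hunk of `calico_versioned_docs/version-3.28/reference/felix/configuration.mdx`, the added `BPFLogFilters` row has the same broken environment variable name, `FELIX_ BPFLOGFILTERS` with a space after the underscore; it should be `FELIX_BPFLOGFILTERS`, and the comma in "Specifies, what is logged" should go. Because this is the versioned 3.28 page and the commit message only says "Update docs for 3.29", the commit message should state that `BPFLogFilters` and `BPFCTLBLogFilter` are available in the 3.28 release, otherwise a reader of the 3.28 docs cannot tell whether these rows are a backport of 3.28 behaviour or a 3.29 feature documented on the wrong page.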
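Review bot: In the `@@ -187,6 +189,9 @@` hunk of `calico_versioned_docs/version-3.28/reference/felix/configuration.mdx`, `FELIX_BPFEXCLUDECIDRSFROMNATIS` repeats the trailing `IS` typo from the 3.29 file and should be `FELIX_BPFEXCLUDECIDRSFROMNAT`. This hunk adds three of the four rows that the 3.29 file gains (`BPFRedirectToPeer` is absent here); if that omission is deliberate because the setting only exists from 3.29, a sentence in the commit message saying so would stop a later reviewer from "fixing" the discrepancy. The same description nits as on the 3.29 page apply: drop the duplicated "[Default: docker+]" from `BPFForceTrackPacketsFromIfaces`, and type `BPFDisableGROForIfaces` as `regular expression` rather than `string` to match `BPFDataIfacePattern`.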