diff --git a/pkg/imports/crds/calico/policy.networking.k8s.io/policy.networking.k8s.io_clusternetworkpolicies.yaml b/pkg/imports/crds/calico/policy.networking.k8s.io/policy.networking.k8s.io_clusternetworkpolicies.yaml index cced723679..da9eddbbf0 100644 --- a/pkg/imports/crds/calico/policy.networking.k8s.io/policy.networking.k8s.io_clusternetworkpolicies.yaml +++ b/pkg/imports/crds/calico/policy.networking.k8s.io/policy.networking.k8s.io_clusternetworkpolicies.yaml @@ -2,8 +2,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/network-policy-api/pull/300 - policy.networking.k8s.io/bundle-version: v0.1.7 + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/network-policy-api/pull/347 + policy.networking.k8s.io/bundle-version: v0.2.0 policy.networking.k8s.io/channel: standard name: clusternetworkpolicies.policy.networking.k8s.io spec: diff --git a/pkg/imports/crds/calico/v1.crd.projectcalico.org/crd.projectcalico.org_bgpconfigurations.yaml b/pkg/imports/crds/calico/v1.crd.projectcalico.org/crd.projectcalico.org_bgpconfigurations.yaml index f9feaa87fd..610ead12b6 100644 --- a/pkg/imports/crds/calico/v1.crd.projectcalico.org/crd.projectcalico.org_bgpconfigurations.yaml +++ b/pkg/imports/crds/calico/v1.crd.projectcalico.org/crd.projectcalico.org_bgpconfigurations.yaml @@ -80,7 +80,7 @@ spec: x-kubernetes-map-type: atomic maxItems: 500 type: array - x-kubernetes-list-type: set + x-kubernetes-list-type: atomic ignoredInterfaces: description: IgnoredInterfaces indicates the network interfaces that @@ -202,7 +202,7 @@ spec: x-kubernetes-map-type: atomic maxItems: 500 type: array - x-kubernetes-list-type: set + x-kubernetes-list-type: atomic programClusterRoutes: description: |- ProgramClusterRoutes controls how a cluster node gets a route to a workload on another node, 
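Review bot: Duplicate items in this list are no longer rejected at admission once `x-kubernetes-list-type` goes from `set` to `atomic`, and server-side apply will replace the list as a whole instead of merging it per item. No replacement uniqueness check is visible in the diff, so duplicates would now be admitted and handed to whatever consumes the BGPConfiguration. If that is acceptable, I would add one sentence to each affected field description stating that duplicate entries are allowed and how they are treated. The list definitions themselves start outside the hunk. The same change is made in the other hunks of this file and in the BGPConfiguration CRDs under `v3.projectcalico.org` and `enterprise/`.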
@@ -228,7 +228,7 @@ spec: type: object x-kubernetes-map-type: atomic type: array - x-kubernetes-list-type: set + x-kubernetes-list-type: atomic serviceExternalIPs: description: |- ServiceExternalIPs are the CIDR blocks for Kubernetes Service External IPs. @@ -244,7 +244,7 @@ spec: type: object x-kubernetes-map-type: atomic type: array - x-kubernetes-list-type: set + x-kubernetes-list-type: atomic serviceLoadBalancerAggregation: default: Enabled description: |- @@ -271,7 +271,7 @@ spec: type: object x-kubernetes-map-type: atomic type: array - x-kubernetes-list-type: set + x-kubernetes-list-type: atomic type: object x-kubernetes-validations: - message: diff --git a/pkg/imports/crds/calico/v1.crd.projectcalico.org/crd.projectcalico.org_felixconfigurations.yaml b/pkg/imports/crds/calico/v1.crd.projectcalico.org/crd.projectcalico.org_felixconfigurations.yaml index 202667e04f..2cda28eaf2 100644 --- a/pkg/imports/crds/calico/v1.crd.projectcalico.org/crd.projectcalico.org_felixconfigurations.yaml +++ b/pkg/imports/crds/calico/v1.crd.projectcalico.org/crd.projectcalico.org_felixconfigurations.yaml @@ -294,6 +294,14 @@ spec: [Default: unset - read from net.ipv4.ipfrag_time] pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string + bpfIPFragmentReassemblyEnabled: + description: |- + BPFIPFragmentReassemblyEnabled controls whether Felix loads the BPF program that + reassembles out-of-order IP fragments from external networks. This program requires + a kernel newer than 5.10. When enabled (the default) and the program fails to load, + Felix reports not-ready until the user sets this to false. When false, fragmented + packets from external sources are dropped. [Default: true] + type: boolean bpfJITHardening: allOf: - enum: 
@@ -1101,6 +1109,22 @@ spec: "NftablesRefreshInterval controls the interval at which Felix periodically refreshes the nftables rules. [Default: 90s]" type: string + nodeSelector: + description: |- + NodeSelector is an optional label selector that restricts this FelixConfiguration + to apply only to nodes that match the given selector. This field is only valid + on FelixConfiguration resources whose name is not "default" and does not start + with "node.". For resources named "default", the configuration applies globally + to all nodes. For resources named "node.", the configuration applies to + the named node only. + + At most one selector-scoped FelixConfiguration should match any given node. + If multiple selector-scoped resources match, the oldest (by creation + timestamp) is used and a warning is logged. This prevents an accidentally + created conflicting resource from disrupting an existing, working + configuration. + maxLength: 1024 + type: string openstackRegion: description: |- OpenstackRegion is the name of the region that a particular Felix belongs to. In a multi-region @@ -1434,5 +1458,13 @@ spec: == 0 || (isIP(self.deviceRouteSourceAddressIPv6) && ip(self.deviceRouteSourceAddressIPv6).family() == 6)" type: object + x-kubernetes-validations: + - message: + nodeSelector must not be set on the 'default' or per-node ('node.*') + FelixConfiguration + reason: FieldValueForbidden + rule: + "self.metadata.name == 'default' || self.metadata.name.startsWith('node.') + ? !has(self.spec.nodeSelector) : true" served: true storage: true diff --git a/pkg/imports/crds/calico/v3.projectcalico.org/projectcalico.org_bgpconfigurations.yaml b/pkg/imports/crds/calico/v3.projectcalico.org/projectcalico.org_bgpconfigurations.yaml index 3590a345ff..ebf7a35a8c 100644 --- a/pkg/imports/crds/calico/v3.projectcalico.org/projectcalico.org_bgpconfigurations.yaml +++ b/pkg/imports/crds/calico/v3.projectcalico.org/projectcalico.org_bgpconfigurations.yaml 
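Review bot: The description of the new `nodeSelector` field does not say which node labels are safe to select on, even though the effective Felix settings for a node now depend on that node's labels. Kubelets can change some labels on their own Node object, so a selector over such a label would presumably let a node move itself into or out of a selector-scoped FelixConfiguration. I would add a sentence such as `Select only on labels that nodes cannot set on themselves, for example labels under the node-restriction.kubernetes.io/ prefix.` The same description is added in the `v3.projectcalico.org` and `enterprise/` FelixConfiguration hunks further down.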
@@ -82,7 +82,7 @@ spec: x-kubernetes-map-type: atomic maxItems: 500 type: array - x-kubernetes-list-type: set + x-kubernetes-list-type: atomic ignoredInterfaces: description: IgnoredInterfaces indicates the network interfaces that @@ -204,7 +204,7 @@ spec: x-kubernetes-map-type: atomic maxItems: 500 type: array - x-kubernetes-list-type: set + x-kubernetes-list-type: atomic programClusterRoutes: description: |- ProgramClusterRoutes controls how a cluster node gets a route to a workload on another node, @@ -230,7 +230,7 @@ spec: type: object x-kubernetes-map-type: atomic type: array - x-kubernetes-list-type: set + x-kubernetes-list-type: atomic serviceExternalIPs: description: |- ServiceExternalIPs are the CIDR blocks for Kubernetes Service External IPs. @@ -246,7 +246,7 @@ spec: type: object x-kubernetes-map-type: atomic type: array - x-kubernetes-list-type: set + x-kubernetes-list-type: atomic serviceLoadBalancerAggregation: default: Enabled description: |- @@ -273,7 +273,7 @@ spec: type: object x-kubernetes-map-type: atomic type: array - x-kubernetes-list-type: set + x-kubernetes-list-type: atomic type: object x-kubernetes-validations: - message: diff --git a/pkg/imports/crds/calico/v3.projectcalico.org/projectcalico.org_felixconfigurations.yaml b/pkg/imports/crds/calico/v3.projectcalico.org/projectcalico.org_felixconfigurations.yaml index 5e55968dbd..5691f46c5c 100644 --- a/pkg/imports/crds/calico/v3.projectcalico.org/projectcalico.org_felixconfigurations.yaml +++ b/pkg/imports/crds/calico/v3.projectcalico.org/projectcalico.org_felixconfigurations.yaml 
@@ -293,6 +293,14 @@ spec: [Default: unset - read from net.ipv4.ipfrag_time] pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string + bpfIPFragmentReassemblyEnabled: + description: |- + BPFIPFragmentReassemblyEnabled controls whether Felix loads the BPF program that + reassembles out-of-order IP fragments from external networks. This program requires + a kernel newer than 5.10. When enabled (the default) and the program fails to load, + Felix reports not-ready until the user sets this to false. When false, fragmented + packets from external sources are dropped. [Default: true] + type: boolean bpfJITHardening: allOf: - enum: @@ -1100,6 +1108,22 @@ spec: "NftablesRefreshInterval controls the interval at which Felix periodically refreshes the nftables rules. [Default: 90s]" type: string + nodeSelector: + description: |- + NodeSelector is an optional label selector that restricts this FelixConfiguration + to apply only to nodes that match the given selector. This field is only valid + on FelixConfiguration resources whose name is not "default" and does not start + with "node.". For resources named "default", the configuration applies globally + to all nodes. For resources named "node.", the configuration applies to + the named node only. + + At most one selector-scoped FelixConfiguration should match any given node. + If multiple selector-scoped resources match, the oldest (by creation + timestamp) is used and a warning is logged. This prevents an accidentally + created conflicting resource from disrupting an existing, working + configuration. + maxLength: 1024 + type: string openstackRegion: description: |- OpenstackRegion is the name of the region that a particular Felix belongs to. In a multi-region 
@@ -1436,5 +1460,13 @@ spec: - metadata - spec type: object + x-kubernetes-validations: + - message: + nodeSelector must not be set on the 'default' or per-node ('node.*') + FelixConfiguration + reason: FieldValueForbidden + rule: + "self.metadata.name == 'default' || self.metadata.name.startsWith('node.') + ? !has(self.spec.nodeSelector) : true" served: true storage: true diff --git a/pkg/imports/crds/enterprise/01-crd-eck-bundle.yaml b/pkg/imports/crds/enterprise/01-crd-eck-bundle.yaml index c9b16893c5..03965ba6b1 100644 --- a/pkg/imports/crds/enterprise/01-crd-eck-bundle.yaml +++ b/pkg/imports/crds/enterprise/01-crd-eck-bundle.yaml @@ -9,7 +9,7 @@ metadata: labels: app.kubernetes.io/instance: 'elastic-operator' app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '3.3.0' + app.kubernetes.io/version: '3.3.2' name: agents.agent.k8s.elastic.co spec: group: agent.k8s.elastic.co @@ -502,7 +502,7 @@ metadata: labels: app.kubernetes.io/instance: 'elastic-operator' app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '3.3.0' + app.kubernetes.io/version: '3.3.2' name: apmservers.apm.k8s.elastic.co spec: group: apm.k8s.elastic.co @@ -1024,7 +1024,7 @@ metadata: labels: app.kubernetes.io/instance: 'elastic-operator' app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '3.3.0' + app.kubernetes.io/version: '3.3.2' name: autoopsagentpolicies.autoops.k8s.elastic.co spec: group: autoops.k8s.elastic.co 
@@ -1068,6 +1068,32 @@ spec: type: object image: type: string + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic podTemplate: type: object x-kubernetes-preserve-unknown-fields: true @@ -1141,7 +1167,7 @@ metadata: labels: app.kubernetes.io/instance: 'elastic-operator' app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '3.3.0' + app.kubernetes.io/version: '3.3.2' name: beats.beat.k8s.elastic.co spec: group: beat.k8s.elastic.co @@ -1380,7 +1406,7 @@ metadata: labels: app.kubernetes.io/instance: 'elastic-operator' app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '3.3.0' + app.kubernetes.io/version: '3.3.2' name: elasticmapsservers.maps.k8s.elastic.co spec: group: maps.k8s.elastic.co @@ -1637,7 +1663,7 @@ metadata: labels: app.kubernetes.io/instance: 'elastic-operator' app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '3.3.0' + app.kubernetes.io/version: '3.3.2' name: elasticsearchautoscalers.autoscaling.k8s.elastic.co spec: group: autoscaling.k8s.elastic.co @@ -1894,7 +1920,7 @@ metadata: labels: app.kubernetes.io/instance: 'elastic-operator' app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '3.3.0' + app.kubernetes.io/version: '3.3.2' name: elasticsearches.elasticsearch.k8s.elastic.co spec: group: elasticsearch.k8s.elastic.co 
@@ -3263,7 +3289,7 @@ metadata: labels: app.kubernetes.io/instance: 'elastic-operator' app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '3.3.0' + app.kubernetes.io/version: '3.3.2' name: enterprisesearches.enterprisesearch.k8s.elastic.co spec: group: enterprisesearch.k8s.elastic.co @@ -3741,7 +3767,7 @@ metadata: labels: app.kubernetes.io/instance: 'elastic-operator' app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '3.3.0' + app.kubernetes.io/version: '3.3.2' name: kibanas.kibana.k8s.elastic.co spec: group: kibana.k8s.elastic.co @@ -4309,7 +4335,7 @@ metadata: labels: app.kubernetes.io/instance: 'elastic-operator' app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '3.3.0' + app.kubernetes.io/version: '3.3.2' name: logstashes.logstash.k8s.elastic.co spec: group: logstash.k8s.elastic.co @@ -4852,7 +4878,7 @@ metadata: labels: app.kubernetes.io/instance: 'elastic-operator' app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '3.3.0' + app.kubernetes.io/version: '3.3.2' name: packageregistries.packageregistry.k8s.elastic.co spec: group: packageregistry.k8s.elastic.co @@ -5094,7 +5120,7 @@ metadata: labels: app.kubernetes.io/instance: 'elastic-operator' app.kubernetes.io/name: 'eck-operator-crds' - app.kubernetes.io/version: '3.3.0' + app.kubernetes.io/version: '3.3.2' name: stackconfigpolicies.stackconfigpolicy.k8s.elastic.co spec: group: stackconfigpolicy.k8s.elastic.co diff --git a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_alertexceptions.yaml b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_alertexceptions.yaml index 1ad463f35f..2ddec8906d 100644 --- a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_alertexceptions.yaml +++ b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_alertexceptions.yaml 
@@ -66,6 +66,10 @@ spec: - selector - startTime type: object + x-kubernetes-validations: + - message: endTime must be after startTime + reason: FieldValueInvalid + rule: "!has(self.endTime) || self.endTime > self.startTime" status: description: AlertExceptionStatus contains the status of an alert exception. type: object diff --git a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_bgpconfigurations.yaml b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_bgpconfigurations.yaml index 2594566578..a555861dbd 100644 --- a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_bgpconfigurations.yaml +++ b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_bgpconfigurations.yaml @@ -80,7 +80,7 @@ spec: x-kubernetes-map-type: atomic maxItems: 500 type: array - x-kubernetes-list-type: set + x-kubernetes-list-type: atomic extensions: additionalProperties: type: string @@ -209,7 +209,7 @@ spec: x-kubernetes-map-type: atomic maxItems: 500 type: array - x-kubernetes-list-type: set + x-kubernetes-list-type: atomic programClusterRoutes: description: |- ProgramClusterRoutes controls how a cluster node gets a route to a workload on another node, @@ -235,7 +235,7 @@ spec: type: object x-kubernetes-map-type: atomic type: array - x-kubernetes-list-type: set + x-kubernetes-list-type: atomic serviceExternalIPs: description: |- ServiceExternalIPs are the CIDR blocks for Kubernetes Service External IPs. @@ -251,7 +251,7 @@ spec: type: object x-kubernetes-map-type: atomic type: array - x-kubernetes-list-type: set + x-kubernetes-list-type: atomic serviceLoadBalancerAggregation: default: Enabled description: |- @@ -278,7 +278,7 @@ spec: type: object x-kubernetes-map-type: atomic type: array - x-kubernetes-list-type: set + x-kubernetes-list-type: atomic type: object x-kubernetes-validations: - message: 
diff --git a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_bgppeers.yaml b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_bgppeers.yaml index 658c79ad5b..76d48506ee 100644 --- a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_bgppeers.yaml +++ b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_bgppeers.yaml @@ -48,6 +48,9 @@ spec: each received route, for peerings generated by this BGPPeer resource. Default value "Recursive" means "gateway recursive". "DirectIfDirectlyConnected" means to configure "gateway direct" when the peer is directly connected. + enum: + - Recursive + - DirectIfDirectlyConnected type: string extensions: additionalProperties: @@ -64,6 +67,9 @@ spec: Specifies whether and how to detect loss of connectivity on the peerings generated by this BGPPeer resource. Default value "None" means nothing beyond BGP's own (slow) hold timer. "BFDIfDirectlyConnected" means to use BFD when the peer is directly connected. + enum: + - None + - BFDIfDirectlyConnected type: string filters: description: The ordered set of BGPFilters applied on this BGP peer. @@ -199,6 +205,9 @@ spec: Specifies restart behaviour to configure on the peerings generated by this BGPPeer resource. Default value "GracefulRestart" means traditional graceful restart. "LongLivedGracefulRestart" means LLGR according to draft-uttaro-idr-bgp-persistence-05. + enum: + - GracefulRestart + - LongLivedGracefulRestart type: string reversePeering: allOf: diff --git a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_egressgatewaypolicies.yaml b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_egressgatewaypolicies.yaml index d549a61ce5..1e9e5462c8 100644 --- a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_egressgatewaypolicies.yaml 
+++ b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_egressgatewaypolicies.yaml @@ -70,6 +70,7 @@ spec: description: |- MaxNextHops specifies the maximum number of egress gateway replicas from the selected deployment that a pod should depend on. + minimum: 0 type: integer namespaceSelector: description: diff --git a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_felixconfigurations.yaml b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_felixconfigurations.yaml index 3fb486a024..cf462a5aba 100644 --- a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_felixconfigurations.yaml +++ b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_felixconfigurations.yaml 
@@ -313,6 +313,24 @@ spec: BPFHostNetworkedNATWithoutCTLB when in BPF mode, controls whether Felix does a NAT without CTLB. This along with BPFConnectTimeLoadBalancing determines the CTLB behavior. [Default: Enabled] type: string + bpfIPFragTimeout: + description: |- + BPFIPFragTimeout, in BPF mode, controls the timeout for IP fragment reassembly. + This is the maximum time that the BPF dataplane will wait for all fragments of a + fragmented IP packet to arrive before discarding them. If left unset, the value + is read from the Linux kernel sysctl net.ipv4.ipfrag_time (which defaults to 30 + seconds). + [Default: unset - read from net.ipv4.ipfrag_time] + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + bpfIPFragmentReassemblyEnabled: + description: |- + BPFIPFragmentReassemblyEnabled controls whether Felix loads the BPF program that + reassembles out-of-order IP fragments from external networks. This program requires + a kernel newer than 5.10. When enabled (the default) and the program fails to load, + Felix reports not-ready until the user sets this to false. When false, fragmented + packets from external sources are dropped. [Default: true] + type: boolean bpfJITHardening: allOf: - enum: @@ -1248,6 +1266,9 @@ spec: description: |- IPSecMode controls which mode IPSec is operating on. Default value means IPSec is not enabled. [Default: ""] + enum: + - "" + - PSK type: string ipsecPolicyRefreshInterval: description: |- 
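Review bot: The added `pattern` for `bpfIPFragTimeout` is an unquoted YAML scalar containing `\\.`, so the regex engine receives two backslashes: an escaped literal backslash followed by `.` matching any character. As the line appears here, a fractional duration such as `1.5s` would be rejected, while a value containing a backslash would pass. If a literal dot is intended, the line should read `pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))*$`. The trailing `*` also admits the empty string, which may be deliberate to mean "unset". The same pattern text appears as context in the other FelixConfiguration hunks, so the fix presumably belongs in the upstream type markers.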
@@ -1697,6 +1718,22 @@ spec: "NftablesRefreshInterval controls the interval at which Felix periodically refreshes the nftables rules. [Default: 90s]" type: string + nodeSelector: + description: |- + NodeSelector is an optional label selector that restricts this FelixConfiguration + to apply only to nodes that match the given selector. This field is only valid + on FelixConfiguration resources whose name is not "default" and does not start + with "node.". For resources named "default", the configuration applies globally + to all nodes. For resources named "node.", the configuration applies to + the named node only. + + At most one selector-scoped FelixConfiguration should match any given node. + If multiple selector-scoped resources match, the oldest (by creation + timestamp) is used and a warning is logged. This prevents an accidentally + created conflicting resource from disrupting an existing, working + configuration. + maxLength: 1024 + type: string openstackRegion: description: |- OpenstackRegion is the name of the region that a particular Felix belongs to. In a multi-region @@ -2180,5 +2217,13 @@ spec: == 0 || (isIP(self.deviceRouteSourceAddressIPv6) && ip(self.deviceRouteSourceAddressIPv6).family() == 6)" type: object + x-kubernetes-validations: + - message: + nodeSelector must not be set on the 'default' or per-node ('node.*') + FelixConfiguration + reason: FieldValueForbidden + rule: + "self.metadata.name == 'default' || self.metadata.name.startsWith('node.') + ? !has(self.spec.nodeSelector) : true" served: true storage: true diff --git a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_globalalerts.yaml b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_globalalerts.yaml index c587774f49..58b2b0b79b 100644 --- a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_globalalerts.yaml +++ b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_globalalerts.yaml 
@@ -49,11 +49,27 @@ spec: description: |- Compare the value of the metric to the threshold using this condition. Only used if Type is RuleBased. + enum: + - eq + - not_eq + - gt + - gte + - lt + - lte + maxLength: 16 type: string dataSet: description: |- DataSet determines which dataset type the Query will use. Required and used only if Type is RuleBased. + enum: + - flows + - dns + - audit + - l7 + - waf + - vulnerability + maxLength: 32 type: string description: description: Human-readable description of the template. @@ -73,6 +89,7 @@ spec: description: |- Which field to aggregate results by if using a metric other than count. Only used if Type is RuleBased. + maxLength: 256 type: string lookback: description: |- @@ -84,6 +101,13 @@ spec: A metric to apply to aggregated results. count is the number of log entries matching the aggregation pattern. Others are applied only to numeric fields in the logs. Only used if Type is RuleBased. + enum: + - avg + - max + - min + - sum + - count + maxLength: 16 type: string period: description: |- 
@@ -133,11 +157,39 @@ spec: description: |- Type will dictate how the fields of the GlobalAlert will be utilized. Each Type will have different usages and defaults for the fields. [Default: RuleBased] + enum: + - RuleBased type: string required: - description - severity type: object + x-kubernetes-validations: + - message: field without metric is invalid + reason: FieldValueInvalid + rule: + "!has(self.field) || size(self.field) == 0 || (has(self.metric) + && size(self.metric) > 0)" + - message: count metric cannot be applied to a field + reason: FieldValueInvalid + rule: + "!has(self.metric) || self.metric != 'count' || !has(self.field) + || size(self.field) == 0" + - message: non-count metrics require a field + reason: FieldValueInvalid + rule: + "!has(self.metric) || self.metric == 'count' || size(self.metric) + == 0 || (has(self.field) && size(self.field) > 0)" + - message: metrics require a condition + reason: FieldValueInvalid + rule: + "!has(self.metric) || size(self.metric) == 0 || (has(self.condition) + && size(self.condition) > 0)" + - message: dataSet is required for RuleBased alerts + reason: FieldValueInvalid + rule: + (has(self.type) && self.type != 'RuleBased') || (has(self.dataSet) + && size(self.dataSet) > 0) status: properties: active: diff --git a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_globalalerttemplates.yaml b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_globalalerttemplates.yaml index e70eb57d23..7f24a5b074 100644 --- a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_globalalerttemplates.yaml +++ b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_globalalerttemplates.yaml 
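Review bot: The first disjunct of the last rule, `has(self.type) && self.type != 'RuleBased'`, can never be true, because the `enum` added a few lines above in the same hunk restricts `type` to `RuleBased`. The rule therefore makes `dataSet` mandatory for every GlobalAlert, and would read more plainly as `rule: has(self.dataSet) && size(self.dataSet) > 0`. Narrowing `type` to a single value also means a stored object carrying any other type could fail validation on its next update, so it is worth confirming none exist before this CRD is applied. The same enum and rule are added in the `@@ -133` hunk of the GlobalAlertTemplate CRD.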
@@ -49,11 +49,27 @@ spec: description: |- Compare the value of the metric to the threshold using this condition. Only used if Type is RuleBased. + enum: + - eq + - not_eq + - gt + - gte + - lt + - lte + maxLength: 16 type: string dataSet: description: |- DataSet determines which dataset type the Query will use. Required and used only if Type is RuleBased. + enum: + - flows + - dns + - audit + - l7 + - waf + - vulnerability + maxLength: 32 type: string description: description: Human-readable description of the template. @@ -73,6 +89,7 @@ spec: description: |- Which field to aggregate results by if using a metric other than count. Only used if Type is RuleBased. + maxLength: 256 type: string lookback: description: |- @@ -84,6 +101,13 @@ spec: A metric to apply to aggregated results. count is the number of log entries matching the aggregation pattern. Others are applied only to numeric fields in the logs. Only used if Type is RuleBased. + enum: + - avg + - max + - min + - sum + - count + maxLength: 16 type: string period: description: |- 
@@ -133,11 +157,39 @@ spec: description: |- Type will dictate how the fields of the GlobalAlert will be utilized. Each Type will have different usages and defaults for the fields. [Default: RuleBased] + enum: + - RuleBased type: string required: - description - severity type: object + x-kubernetes-validations: + - message: field without metric is invalid + reason: FieldValueInvalid + rule: + "!has(self.field) || size(self.field) == 0 || (has(self.metric) + && size(self.metric) > 0)" + - message: count metric cannot be applied to a field + reason: FieldValueInvalid + rule: + "!has(self.metric) || self.metric != 'count' || !has(self.field) + || size(self.field) == 0" + - message: non-count metrics require a field + reason: FieldValueInvalid + rule: + "!has(self.metric) || self.metric == 'count' || size(self.metric) + == 0 || (has(self.field) && size(self.field) > 0)" + - message: metrics require a condition + reason: FieldValueInvalid + rule: + "!has(self.metric) || size(self.metric) == 0 || (has(self.condition) + && size(self.condition) > 0)" + - message: dataSet is required for RuleBased alerts + reason: FieldValueInvalid + rule: + (has(self.type) && self.type != 'RuleBased') || (has(self.dataSet) + && size(self.dataSet) > 0) type: object served: true storage: true diff --git a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_globalthreatfeeds.yaml b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_globalthreatfeeds.yaml index 765bf020d3..6522f98f8c 100644 --- a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_globalthreatfeeds.yaml +++ b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_globalthreatfeeds.yaml 
@@ -99,6 +99,12 @@ spec: recordSize: type: integer type: object + x-kubernetes-validations: + - message: fieldNum and fieldName are mutually exclusive + reason: FieldValueInvalid + rule: + "!has(self.fieldNum) || !has(self.fieldName) || + size(self.fieldName) == 0" json: properties: path: @@ -107,6 +113,12 @@ spec: newlineDelimited: type: object type: object + x-kubernetes-validations: + - message: only one format type may be specified + reason: FieldValueInvalid + rule: + "[has(self.newlineDelimited), has(self.json), has(self.csv)].filter(x, + x).size() <= 1" headers: items: properties: @@ -172,6 +184,10 @@ spec: required: - name type: object + x-kubernetes-validations: + - message: value and valueFrom are mutually exclusive + reason: FieldValueInvalid + rule: "!has(self.value) || !has(self.valueFrom)" type: array x-kubernetes-list-type: atomic url: @@ -185,6 +201,10 @@ spec: - http type: object type: object + x-kubernetes-validations: + - message: DomainNameSet does not support syncing with a GlobalNetworkSet + reason: FieldValueInvalid + rule: self.content != 'DomainNameSet' || !has(self.globalNetworkSet) status: properties: errorConditions: diff --git a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_ippools.yaml b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_ippools.yaml index 89e558df59..df2abcd4da 100644 --- a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_ippools.yaml +++ b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_ippools.yaml 
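Review bot: The header rule `!has(self.value) || !has(self.valueFrom)` in the `@@ -172` hunk rejects a header that sets both sources but still admits one that sets neither. If a header with no value is not meaningful, the rule could be `rule: has(self.value) != has(self.valueFrom)`, with the message changed to say exactly one is required. Feed headers presumably carry credentials in some deployments, so the description could also recommend `valueFrom` over an inline `value`, which is readable by anyone who can read the GlobalThreatFeed. The `valueFrom` schema is outside the hunk.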
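Review bot: The rule `self.content != 'DomainNameSet' || !has(self.globalNetworkSet)` in the `@@ -185` hunk reads `self.content` without a presence check. If `content` is optional and has no schema default (neither is visible in this hunk), an object that omits it would hit a CEL evaluation error and be rejected with an unrelated message. Guarding the access keeps the intent: `rule: "!has(self.content) || self.content != 'DomainNameSet' || !has(self.globalNetworkSet)"`.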
@@ -45,14 +45,16 @@ spec: items: description: |- IPPoolAllowedUse defines the allowed uses for an IP pool. - It can be one of "Workload", "Tunnel", or "LoadBalancer". + It can be one of "Workload", "Tunnel", "LoadBalancer" or "HostSecondaryInterface". - "Workload" means the pool is used for workload IP addresses. - "Tunnel" means the pool is used for tunnel IP addresses. - "LoadBalancer" means the pool is used for load balancer IP addresses. + - "HostSecondaryInterface" means the pool is used for host secondary interface IP addresses. enum: - Workload - Tunnel - LoadBalancer + - HostSecondaryInterface type: string maxItems: 10 type: array diff --git a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_licensekeys.yaml b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_licensekeys.yaml index 89aeb362cf..db528be78a 100644 --- a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_licensekeys.yaml +++ b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_licensekeys.yaml @@ -130,8 +130,11 @@ spec: GracePeriod is how long after expiry the license remains functional (e.g. "90d") type: string + maxcores: + description: Maximum Number of Allowed CPU Cores. + type: integer maxnodes: - description: Maximum Number of Allowed Nodes + description: Maximum Number of Allowed Nodes. type: integer package: description: diff --git a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_packetcaptures.yaml b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_packetcaptures.yaml index 9191942cad..1bfe906625 100644 --- a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_packetcaptures.yaml +++ b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_packetcaptures.yaml 
@@ -112,6 +112,12 @@ spec: format: date-time type: string type: object + x-kubernetes-validations: + - message: endTime must be after startTime + reason: FieldValueInvalid + rule: + "!has(self.endTime) || !has(self.startTime) || self.endTime > + self.startTime" status: description: |- PacketCaptureStatus describes the files that have been captured, for a given PacketCapture, on each node diff --git a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_uisettings.yaml b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_uisettings.yaml index b15ca554e0..c4af5edb46 100644 --- a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_uisettings.yaml +++ b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_uisettings.yaml @@ -179,8 +179,6 @@ spec: type: object type: array x-kubernetes-list-type: atomic - required: - - nodes type: object user: description: |- @@ -330,6 +328,12 @@ spec: - description - group type: object + x-kubernetes-validations: + - message: exactly one of view, layer, or dashboard must be specified + reason: FieldValueInvalid + rule: + "[has(self.view), has(self.layer), has(self.dashboard)].filter(x, + x).size() == 1" type: object served: true storage: true diff --git a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_alertexceptions.yaml b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_alertexceptions.yaml index 5274cfd2d6..2750ea66d9 100644 --- a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_alertexceptions.yaml +++ b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_alertexceptions.yaml 
@@ -67,6 +67,10 @@ spec: - selector - startTime type: object + x-kubernetes-validations: + - message: endTime must be after startTime + reason: FieldValueInvalid + rule: "!has(self.endTime) || self.endTime > self.startTime" status: description: AlertExceptionStatus contains the status of an alert exception. type: object diff --git a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_bgpconfigurations.yaml b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_bgpconfigurations.yaml index 3b18633e30..6a11cd0b79 100644 --- a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_bgpconfigurations.yaml +++ b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_bgpconfigurations.yaml @@ -82,7 +82,7 @@ spec: x-kubernetes-map-type: atomic maxItems: 500 type: array - x-kubernetes-list-type: set + x-kubernetes-list-type: atomic extensions: additionalProperties: type: string @@ -211,7 +211,7 @@ spec: x-kubernetes-map-type: atomic maxItems: 500 type: array - x-kubernetes-list-type: set + x-kubernetes-list-type: atomic programClusterRoutes: description: |- ProgramClusterRoutes controls how a cluster node gets a route to a workload on another node, @@ -237,7 +237,7 @@ spec: type: object x-kubernetes-map-type: atomic type: array - x-kubernetes-list-type: set + x-kubernetes-list-type: atomic serviceExternalIPs: description: |- ServiceExternalIPs are the CIDR blocks for Kubernetes Service External IPs. @@ -253,7 +253,7 @@ spec: type: object x-kubernetes-map-type: atomic type: array - x-kubernetes-list-type: set + x-kubernetes-list-type: atomic serviceLoadBalancerAggregation: default: Enabled description: |- @@ -280,7 +280,7 @@ spec: type: object x-kubernetes-map-type: atomic type: array - x-kubernetes-list-type: set + x-kubernetes-list-type: atomic type: object x-kubernetes-validations: - message: 
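Review bot: Switching `x-kubernetes-list-type` from `set` to `atomic` in the five bgpconfigurations hunks also drops the API server's uniqueness check on these lists, so duplicate entries are now admitted. If the consumer of these lists assumes unique entries (not visible from the hunks), it needs to de-duplicate itself, or the schema needs an explicit uniqueness rule on each list. The change also alters server-side-apply behaviour: an `atomic` list is replaced wholesale by the last writer. The list item schemas start outside these hunks, so the exact fields affected cannot be confirmed from here.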
diff --git a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_bgppeers.yaml b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_bgppeers.yaml index 2f699313bc..80d512f088 100644 --- a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_bgppeers.yaml +++ b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_bgppeers.yaml @@ -79,6 +79,9 @@ spec: each received route, for peerings generated by this BGPPeer resource. Default value "Recursive" means "gateway recursive". "DirectIfDirectlyConnected" means to configure "gateway direct" when the peer is directly connected. + enum: + - Recursive + - DirectIfDirectlyConnected type: string extensions: additionalProperties: @@ -95,6 +98,9 @@ spec: Specifies whether and how to detect loss of connectivity on the peerings generated by this BGPPeer resource. Default value "None" means nothing beyond BGP's own (slow) hold timer. "BFDIfDirectlyConnected" means to use BFD when the peer is directly connected. + enum: + - None + - BFDIfDirectlyConnected type: string filters: description: The ordered set of BGPFilters applied on this BGP peer. @@ -230,6 +236,9 @@ spec: Specifies restart behaviour to configure on the peerings generated by this BGPPeer resource. Default value "GracefulRestart" means traditional graceful restart. "LongLivedGracefulRestart" means LLGR according to draft-uttaro-idr-bgp-persistence-05. + enum: + - GracefulRestart + - LongLivedGracefulRestart type: string reversePeering: allOf: diff --git a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_egressgatewaypolicies.yaml b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_egressgatewaypolicies.yaml index 9166835525..cae3c4ecbf 100644 --- a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_egressgatewaypolicies.yaml +++ b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_egressgatewaypolicies.yaml 
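Review bot: The new `enum` lists on the three BGPPeer string fields do not include the empty string, and the schema declares no `default:` even though the descriptions speak of a "Default value". If the typed client serialises an unset field as `""` (not visible here), such objects would now be rejected; the `ipsecMode` hunk later in this diff handles that case by listing `- ""` explicitly. Stored objects holding a value outside the new enum will also fail on their next update where validation ratcheting is not available. Either add `- ""` to these enums or confirm the fields are always omitted when unset, and list existing BGPPeer objects for out-of-enum values before rolling the CRD out.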
@@ -70,6 +70,7 @@ spec: description: |- MaxNextHops specifies the maximum number of egress gateway replicas from the selected deployment that a pod should depend on. + minimum: 0 type: integer namespaceSelector: description: diff --git a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_felixconfigurations.yaml b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_felixconfigurations.yaml index 8bbded9a99..e3c428e0d6 100644 --- a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_felixconfigurations.yaml +++ b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_felixconfigurations.yaml @@ -312,6 +312,24 @@ spec: BPFHostNetworkedNATWithoutCTLB when in BPF mode, controls whether Felix does a NAT without CTLB. This along with BPFConnectTimeLoadBalancing determines the CTLB behavior. [Default: Enabled] type: string + bpfIPFragTimeout: + description: |- + BPFIPFragTimeout, in BPF mode, controls the timeout for IP fragment reassembly. + This is the maximum time that the BPF dataplane will wait for all fragments of a + fragmented IP packet to arrive before discarding them. If left unset, the value + is read from the Linux kernel sysctl net.ipv4.ipfrag_time (which defaults to 30 + seconds). + [Default: unset - read from net.ipv4.ipfrag_time] + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + bpfIPFragmentReassemblyEnabled: + description: |- + BPFIPFragmentReassemblyEnabled controls whether Felix loads the BPF program that + reassembles out-of-order IP fragments from external networks. This program requires + a kernel newer than 5.10. When enabled (the default) and the program fails to load, + Felix reports not-ready until the user sets this to false. When false, fragmented + packets from external sources are dropped. [Default: true] + type: boolean bpfJITHardening: allOf: - enum: 
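Review bot: The `pattern` on the new `bpfIPFragTimeout` field is a plain (unquoted) YAML scalar, so `\\.` reaches the regex engine as two backslashes plus a dot: a literal backslash followed by any character. As written, a value such as `1.5s` would not match, while a string containing a backslash would. If decimal durations are meant to be accepted, the schema needs a single escaped dot, e.g. `pattern: '^([0-9]+(\.[0-9]+)?(ms|s|m|h))*$'`. Since this file looks generated, the fix probably belongs in the source marker, and the same pattern appears on other duration fields. The trailing `*` also lets the empty string through, which is worth confirming as intended.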
@@ -1247,6 +1265,9 @@ spec: description: |- IPSecMode controls which mode IPSec is operating on. Default value means IPSec is not enabled. [Default: ""] + enum: + - "" + - PSK type: string ipsecPolicyRefreshInterval: description: |- @@ -1696,6 +1717,22 @@ spec: "NftablesRefreshInterval controls the interval at which Felix periodically refreshes the nftables rules. [Default: 90s]" type: string + nodeSelector: + description: |- + NodeSelector is an optional label selector that restricts this FelixConfiguration + to apply only to nodes that match the given selector. This field is only valid + on FelixConfiguration resources whose name is not "default" and does not start + with "node.". For resources named "default", the configuration applies globally + to all nodes. For resources named "node.", the configuration applies to + the named node only. + + At most one selector-scoped FelixConfiguration should match any given node. + If multiple selector-scoped resources match, the oldest (by creation + timestamp) is used and a warning is logged. This prevents an accidentally + created conflicting resource from disrupting an existing, working + configuration. + maxLength: 1024 + type: string openstackRegion: description: |- OpenstackRegion is the name of the region that a particular Felix belongs to. In a multi-region @@ -2182,5 +2219,13 @@ spec: - metadata - spec type: object + x-kubernetes-validations: + - message: + nodeSelector must not be set on the 'default' or per-node ('node.*') + FelixConfiguration + reason: FieldValueForbidden + rule: + "self.metadata.name == 'default' || self.metadata.name.startsWith('node.') + ? !has(self.spec.nodeSelector) : true" served: true storage: true diff --git a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_globalalerts.yaml b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_globalalerts.yaml index 5e9b436c20..5e176fe3e5 100644 
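Review bot: The nodeSelector guard relies on CEL giving `||` a higher precedence than `?:`, which is correct but easy to misread in a rule that decides whether a config can be scoped away from the global default. An equivalent form without the ternary is clearer: `rule: "!has(self.spec.nodeSelector) || (self.metadata.name != 'default' && !self.metadata.name.startsWith('node.'))"`. Separately, `nodeSelector` is only length-limited (`maxLength: 1024`), so a syntactically invalid selector is accepted at admission and would surface only when it is evaluated. The field description's `"node."` also appears to have lost a node-name placeholder.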
--- a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_globalalerts.yaml +++ b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_globalalerts.yaml @@ -49,11 +49,27 @@ spec: description: |- Compare the value of the metric to the threshold using this condition. Only used if Type is RuleBased. + enum: + - eq + - not_eq + - gt + - gte + - lt + - lte + maxLength: 16 type: string dataSet: description: |- DataSet determines which dataset type the Query will use. Required and used only if Type is RuleBased. + enum: + - flows + - dns + - audit + - l7 + - waf + - vulnerability + maxLength: 32 type: string description: description: Human-readable description of the template. @@ -73,6 +89,7 @@ spec: description: |- Which field to aggregate results by if using a metric other than count. Only used if Type is RuleBased. + maxLength: 256 type: string lookback: description: |- @@ -84,6 +101,13 @@ spec: A metric to apply to aggregated results. count is the number of log entries matching the aggregation pattern. Others are applied only to numeric fields in the logs. Only used if Type is RuleBased. + enum: + - avg + - max + - min + - sum + - count + maxLength: 16 type: string period: description: |- 
@@ -133,11 +157,39 @@ spec: description: |- Type will dictate how the fields of the GlobalAlert will be utilized. Each Type will have different usages and defaults for the fields. [Default: RuleBased] + enum: + - RuleBased type: string required: - description - severity type: object + x-kubernetes-validations: + - message: field without metric is invalid + reason: FieldValueInvalid + rule: + "!has(self.field) || size(self.field) == 0 || (has(self.metric) + && size(self.metric) > 0)" + - message: count metric cannot be applied to a field + reason: FieldValueInvalid + rule: + "!has(self.metric) || self.metric != 'count' || !has(self.field) + || size(self.field) == 0" + - message: non-count metrics require a field + reason: FieldValueInvalid + rule: + "!has(self.metric) || self.metric == 'count' || size(self.metric) + == 0 || (has(self.field) && size(self.field) > 0)" + - message: metrics require a condition + reason: FieldValueInvalid + rule: + "!has(self.metric) || size(self.metric) == 0 || (has(self.condition) + && size(self.condition) > 0)" + - message: dataSet is required for RuleBased alerts + reason: FieldValueInvalid + rule: + (has(self.type) && self.type != 'RuleBased') || (has(self.dataSet) + && size(self.dataSet) > 0) status: properties: active: diff --git a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_globalalerttemplates.yaml b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_globalalerttemplates.yaml index 5ae5cec59b..a449bbe2ee 100644 --- a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_globalalerttemplates.yaml +++ b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_globalalerttemplates.yaml 
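Review bot: The CEL rules added here treat an empty string as "unset" (`size(self.metric) == 0`, `size(self.condition) == 0`, `size(self.dataSet) > 0`), but the enums added to `metric`, `condition` and `dataSet` in the earlier hunks of this file do not list `""`. An empty value is therefore rejected by the enum before these rules can tolerate it. Either the `size(...)` branches are dead, or the enums are stricter than intended; if empty strings are legitimate, add `- ""` to each enum, otherwise simplify the rules to `has(...)` checks. With `type` now restricted to `RuleBased`, the first clause of the dataSet rule can also never be true for a valid object, so `dataSet` is effectively always required. The same applies to the identical hunks in projectcalico.org_globalalerttemplates.yaml.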
@@ -49,11 +49,27 @@ spec: description: |- Compare the value of the metric to the threshold using this condition. Only used if Type is RuleBased. + enum: + - eq + - not_eq + - gt + - gte + - lt + - lte + maxLength: 16 type: string dataSet: description: |- DataSet determines which dataset type the Query will use. Required and used only if Type is RuleBased. + enum: + - flows + - dns + - audit + - l7 + - waf + - vulnerability + maxLength: 32 type: string description: description: Human-readable description of the template. @@ -73,6 +89,7 @@ spec: description: |- Which field to aggregate results by if using a metric other than count. Only used if Type is RuleBased. + maxLength: 256 type: string lookback: description: |- @@ -84,6 +101,13 @@ spec: A metric to apply to aggregated results. count is the number of log entries matching the aggregation pattern. Others are applied only to numeric fields in the logs. Only used if Type is RuleBased. + enum: + - avg + - max + - min + - sum + - count + maxLength: 16 type: string period: description: |- 
@@ -133,11 +157,39 @@ spec: description: |- Type will dictate how the fields of the GlobalAlert will be utilized. Each Type will have different usages and defaults for the fields. [Default: RuleBased] + enum: + - RuleBased type: string required: - description - severity type: object + x-kubernetes-validations: + - message: field without metric is invalid + reason: FieldValueInvalid + rule: + "!has(self.field) || size(self.field) == 0 || (has(self.metric) + && size(self.metric) > 0)" + - message: count metric cannot be applied to a field + reason: FieldValueInvalid + rule: + "!has(self.metric) || self.metric != 'count' || !has(self.field) + || size(self.field) == 0" + - message: non-count metrics require a field + reason: FieldValueInvalid + rule: + "!has(self.metric) || self.metric == 'count' || size(self.metric) + == 0 || (has(self.field) && size(self.field) > 0)" + - message: metrics require a condition + reason: FieldValueInvalid + rule: + "!has(self.metric) || size(self.metric) == 0 || (has(self.condition) + && size(self.condition) > 0)" + - message: dataSet is required for RuleBased alerts + reason: FieldValueInvalid + rule: + (has(self.type) && self.type != 'RuleBased') || (has(self.dataSet) + && size(self.dataSet) > 0) required: - metadata - spec diff --git a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_globalthreatfeeds.yaml b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_globalthreatfeeds.yaml index 3227b2b54d..19894b4a2e 100644 --- a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_globalthreatfeeds.yaml +++ b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_globalthreatfeeds.yaml @@ -103,6 +103,12 @@ spec: recordSize: type: integer type: object + x-kubernetes-validations: + - message: fieldNum and fieldName are mutually exclusive + reason: FieldValueInvalid + rule: + "!has(self.fieldNum) || !has(self.fieldName) || + size(self.fieldName) == 0" json: properties: path: 
@@ -111,6 +117,12 @@ spec: newlineDelimited: type: object type: object + x-kubernetes-validations: + - message: only one format type may be specified + reason: FieldValueInvalid + rule: + "[has(self.newlineDelimited), has(self.json), has(self.csv)].filter(x, + x).size() <= 1" headers: items: properties: @@ -176,6 +188,10 @@ spec: required: - name type: object + x-kubernetes-validations: + - message: value and valueFrom are mutually exclusive + reason: FieldValueInvalid + rule: "!has(self.value) || !has(self.valueFrom)" type: array x-kubernetes-list-type: atomic url: @@ -189,6 +205,10 @@ spec: - http type: object type: object + x-kubernetes-validations: + - message: DomainNameSet does not support syncing with a GlobalNetworkSet + reason: FieldValueInvalid + rule: self.content != 'DomainNameSet' || !has(self.globalNetworkSet) status: properties: errorConditions: diff --git a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_ippools.yaml b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_ippools.yaml index 285389ad4f..e9bfd125c7 100644 --- a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_ippools.yaml +++ b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_ippools.yaml @@ -70,14 +70,16 @@ spec: items: description: |- IPPoolAllowedUse defines the allowed uses for an IP pool. - It can be one of "Workload", "Tunnel", or "LoadBalancer". + It can be one of "Workload", "Tunnel", "LoadBalancer" or "HostSecondaryInterface". - "Workload" means the pool is used for workload IP addresses. - "Tunnel" means the pool is used for tunnel IP addresses. - "LoadBalancer" means the pool is used for load balancer IP addresses. + - "HostSecondaryInterface" means the pool is used for host secondary interface IP addresses. enum: - Workload - Tunnel - LoadBalancer + - HostSecondaryInterface type: string maxItems: 10 type: array 
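Review bot: The DomainNameSet rule reads `self.content` without a `has()` guard, so if `content` is optional and has no schema default (its definition is outside this hunk), omitting it makes the rule fail with an evaluation error instead of passing. A guarded form avoids that: `rule: "!has(self.content) || self.content != 'DomainNameSet' || !has(self.globalNetworkSet)"`. The header rule `!has(self.value) || !has(self.valueFrom)` also treats `value: ""` as set, whereas the csv rule in the preceding hunk treats an empty `fieldName` as unset. It is worth making the two consistent so that a header carrying a secret reference is not rejected or accepted unexpectedly.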
diff --git a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_licensekeys.yaml b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_licensekeys.yaml index d976e115fd..c93478b44a 100644 --- a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_licensekeys.yaml +++ b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_licensekeys.yaml @@ -24,6 +24,9 @@ spec: - jsonPath: .status.maxnodes name: Max-Nodes type: integer + - jsonPath: .status.maxcores + name: Max-Cores + type: integer - jsonPath: .status.conditions[?(@.type=='Valid')].status name: Valid type: string @@ -149,8 +152,11 @@ spec: GracePeriod is how long after expiry the license remains functional (e.g. "90d") type: string + maxcores: + description: Maximum Number of Allowed CPU Cores. + type: integer maxnodes: - description: Maximum Number of Allowed Nodes + description: Maximum Number of Allowed Nodes. type: integer package: description: diff --git a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_packetcaptures.yaml b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_packetcaptures.yaml index 0db8466ce0..60f7270335 100644 --- a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_packetcaptures.yaml +++ b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_packetcaptures.yaml @@ -113,6 +113,12 @@ spec: format: date-time type: string type: object + x-kubernetes-validations: + - message: endTime must be after startTime + reason: FieldValueInvalid + rule: + "!has(self.endTime) || !has(self.startTime) || self.endTime > + self.startTime" status: description: Status of the PacketCapture properties: diff --git a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_uisettings.yaml b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_uisettings.yaml index 2ca0b64761..d78c5049a0 100644 
--- a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_uisettings.yaml +++ b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_uisettings.yaml @@ -180,8 +180,6 @@ spec: type: object type: array x-kubernetes-list-type: atomic - required: - - nodes type: object user: description: |- @@ -331,9 +329,17 @@ spec: - description - group type: object + x-kubernetes-validations: + - message: exactly one of view, layer, or dashboard must be specified + reason: FieldValueInvalid + rule: + "[has(self.view), has(self.layer), has(self.dashboard)].filter(x, + x).size() == 1" required: - metadata - spec type: object + selectableFields: + - jsonPath: .spec.group served: true storage: true