Kubernetes controllers configuration
A Calico Enterprise Kubernetes controllers configuration resource (KubeControllersConfiguration) represents configuration options for the Calico Enterprise Kubernetes controllers.
Sample YAML
apiVersion: projectcalico.org/v3
kind: KubeControllersConfiguration
metadata:
name: default
spec:
logSeverityScreen: Info
healthChecks: Enabled
prometheusMetricsPort: 9094
controllers:
node:
reconcilerPeriod: 5m
leakGracePeriod: 15m
syncLabels: Enabled
hostEndpoint:
autoCreate: Disabled
createDefaultHostEndpoint: Enabled
templates:
- generateName: custom-host-endpoint
interfaceCIDRs:
- 1.2.3.0/24
nodeSelector: "has(my-label)"
labels:
key: value
loadbalancer:
assignIPs: AllServices
Kubernetes controllers configuration definition
Metadata
| Field | Description | Accepted Values | Schema |
|---|---|---|---|
| name | Unique name to describe this resource instance. Required. | Must be default | string |
- Calico Enterprise automatically creates a resource named
defaultcontaining the configuration settings, only the namedefaultis used and only one object of this type is allowed. You can use calicoctl to view and edit these settings
Spec
| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| logSeverityScreen | The log severity above which logs are sent to the stdout. | Debug, Info, Warning, Error, Fatal | string | Info |
| healthChecks | Enable support for health checks | Enabled, Disabled | string | Enabled |
| prometheusMetricsPort | Port on which to serve prometheus metrics. | Set to 0 to disable, > 0 to enable. | TCP port | 9094 |
| controllers | Enabled controllers and their settings | Controllers |
Controllers
| Field | Description | Schema |
|---|---|---|
| node | Enable and configure the node controller | omit to disable, or NodeController |
| federatedservices | Enable and configure the federated services controller | omit to disable, or FederatedServicesController |
NodeController
The node controller automatically cleans up configuration for nodes that no longer exist. Optionally, it can create host endpoints for all Kubernetes nodes.
| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| reconcilerPeriod | Period to perform reconciliation with the Calico Enterprise datastore | Duration string | 5m | |
| syncLabels | When enabled, Kubernetes node labels will be copied to Calico Enterprise node objects. | Enabled, Disabled | string | Enabled |
| hostEndpoint | Configures the host endpoint controlle | HostEndpoint | ||
| leakGracePeriod | Grace period to use when garbage collecting suspected leaked IP addresses. | Duration string | 15m |
HostEndpoint
| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| autoCreate | When enabled, automatically create host endpoints | Enabled, Disabled | string | Disabled |
| createDefaultHostEndpoint | When enabled, default host endpoint will be created | Enabled, Disabled | string | Enabled |
| templates | Controls creation of custom host endpoints | Template |
Template
| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| generateName | Unique name used as suffix for host endpoints created based on this template | Alphanumeric string | string | |
| nodeSelector | Selects the nodes for which this template should create host endpoints | Selector | all() | |
| interfaceCIDRs | This configuration defines which IP addresses from a node's specification (including standard, tunnel, and WireGuard IPs) are eligible for inclusion in the generated HostEndpoint. IP addresses must fall within the provided CIDR ranges to be considered. If no address on the node matches the specified CIDRs, the HostEndpoint creation is skipped. | List of valid CIDRs | List string | |
| labels | Labels to be added to generated host endpoints matching this template | map of string key to string values |
Selectors
A label selector is an expression which either matches or does not match a resource based on its labels.
Calico Enterprise label selectors support a number of operators, which can be combined into larger expressions using the boolean operators and parentheses.
| Expression | Meaning |
|---|---|
| Logical operators | |
( <expression> ) | Matches if and only if <expression> matches. (Parentheses are used for grouping expressions.) |
! <expression> | Matches if and only if <expression> does not match. Tip: ! is a special character at the start of a YAML string, if you need to use ! at the start of a YAML string, enclose the string in quotes. |
<expression 1> && <expression 2> | "And": matches if and only if both <expression 1>, and, <expression 2> matches |
<expression 1> || <expression 2> | "Or": matches if and only if either <expression 1>, or, <expression 2> matches. |
| Match operators | |
all() | Match all in-scope resources. To match no resources, combine this operator with ! to form !all(). |
global() | Match all non-namespaced resources. Useful in a namespaceSelector to select global resources such as global network sets. |
k == 'v' | Matches resources with the label 'k' and value 'v'. |
k != 'v' | Matches resources without label 'k' or with label 'k' and value not equal to v |
has(k) | Matches resources with label 'k', independent of value. To match pods that do not have label k, combine this operator with ! to form !has(k) |
k in { 'v1', 'v2' } | Matches resources with label 'k' and value in the given set |
k not in { 'v1', 'v2' } | Matches resources without label 'k' or with label 'k' and value not in the given set |
k contains 's' | Matches resources with label 'k' and value containing the substring 's' |
k starts with 's' | Matches resources with label 'k' and value starting with the substring 's' |
k ends with 's' | Matches resources with label 'k' and value ending with the substring 's' |
Operators have the following precedence:
- Highest: all the match operators
- Parentheses
( ... ) - Negation with
! - Conjunction with
&& - Lowest: Disjunction with
||
For example, the expression
! has(my-label) || my-label starts with 'prod' && role in {'frontend','business'}
Would be "bracketed" like this:
((!(has(my-label)) || ((my-label starts with 'prod') && (role in {'frontend','business'}))
It would match:
- Any resource that did not have label "my-label".
- Any resource that both:
- Has a value for
my-labelthat starts with "prod", and, - Has a role label with value either "frontend", or "business".
- Has a value for
FederatedServicesController
The federated services controller syncs Kubernetes services from remote clusters defined through RemoteClusterConfigurations.
| Field | Description | Schema | Default |
|---|---|---|---|
| reconcilerPeriod | Period to perform reconciliation with the Calico Enterprise datastore | Duration string | 5m |
LoadBalancerController
The load balancer controller manages IPAM for Services of type LoadBalancer.
| Field | Description | Accepted Values | Schema | Default |
|---|---|---|---|---|
| assignIPs | Mode in which LoadBalancer controller operates | AllServices, RequestedServicesOnly | String | AllServices |
Supported operations
| Datastore type | Create | Delete (Global default) | Update | Get/List | Notes |
|---|---|---|---|---|---|
| Kubernetes API server | Yes | Yes | Yes | Yes |