diff --git a/provision/acc_provision/templates/aci-containers.yaml b/provision/acc_provision/templates/aci-containers.yaml
index 1672d34e1..d3a15f0d8 100644
--- a/provision/acc_provision/templates/aci-containers.yaml
+++ b/provision/acc_provision/templates/aci-containers.yaml
@@ -2690,6 +2690,9 @@ data:
 {% if config.kube_config.apic_connection_retry_limit %}
 "apic-connection-retry-limit": {{ config.kube_config.apic_connection_retry_limit|json}},
 {% endif %}
+ {% if config.kube_config.disable_service_vlan_preprovisioning %}
+ "disable-service-vlan-preprovisioning": {{ config.kube_config.disable_service_vlan_preprovisioning|json }},
+ {% endif %}
 {# Commenting code to disable the install_istio flag as the functionality is disabled to remove dependency from istio.io/istio package.
diff --git a/provision/acc_provision/templates/provision-config.yaml b/provision/acc_provision/templates/provision-config.yaml
index fedb32ea6..2e4db2208 100644
--- a/provision/acc_provision/templates/provision-config.yaml
+++ b/provision/acc_provision/templates/provision-config.yaml
@@ -162,6 +162,7 @@ registry:
 # enable_hpp_direct: True # default is False, set to True to enable HPP distribution via Kubernetes control plane for faster convergence and reduce load on fabric # unknown_mac_unicast_action: "flood" # override if needed, default is "proxy" # opflex_agent_reset_wait_delay: 10 # override if needed, default is 5
+ # disable_service_vlan_preprovisioning : True # default is False, set to True if you want to disable proactive vlan programming on all OpenStack compute hosts when using the OpenShift-on-OpenStack deployment model # # Configuration for ACI CNI Operator
diff --git a/provision/testdata/with_overrides.apic.txt b/provision/testdata/with_overrides.apic.txt
index cb435ac87..ecbe7476d 100644
--- a/provision/testdata/with_overrides.apic.txt
+++ b/provision/testdata/with_overrides.apic.txt
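Review bot: The new `{% if config.kube_config.disable_service_vlan_preprovisioning %}` guard emits the key for any truthy value, so an input such as `disable_service_vlan_preprovisioning: "no"` would pass the guard and `|json` would render a JSON string where the controller presumably expects a boolean; unless acc_provision's input validation (not visible here) already enforces a bool for this key, tighten the guard to `{% if config.kube_config.disable_service_vlan_preprovisioning is sameas true %}`. The `|json }}` spacing also differs from `|json}}` on the `apic-connection-retry-limit` line immediately above; match one form. Because an explicit `False` is indistinguishable from an unset key here, a one-line template comment such as `{# emitted only when set to True; the controller default is False #}` would save the next reader a trip to the controller source. The enclosing ConfigMap `data:` template begins and ends outside this hunk.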
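Review bot: The sample line `# disable_service_vlan_preprovisioning : True` puts a space before the colon, which no other option in this list does; PyYAML accepts `key : value`, but an operator who uncomments it verbatim gets a line that differs from every neighbour and from the `disable_service_vlan_preprovisioning: True` form used in the test input, so write it as `# disable_service_vlan_preprovisioning: True # default is False, ...`. The trailing description could also be tightened to `# default is False; set to True to skip proactive service-VLAN programming on all OpenStack compute hosts (OpenShift-on-OpenStack deployment model only)` so the scope restriction reads as a condition rather than a trailing clause.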
@@ -190,7 +190,7 @@ None { "vmmInjectedClusterDetails": { "attributes": { - "accProvisionInput": "operator_managed_config:\n enable_updates: true\naci_config:\n system_id: kube\n use_legacy_kube_naming_convention: true\n cluster_tenant: demo\n apic_hosts:\n - 10.30.120.100\n apic_login:\n username: admin\n apic_version: '5.0'\n aep: kube-aep\n apic_subscription_delay: 100\n opflex_device_delete_timeout: 1200\n apic_refreshticker_adjust: 150\n vrf:\n name: kubernetes-vrf\n tenant: common\n l3out:\n name: l3out\n external_networks:\n - l3out\n physical_domain:\n domain: kubernetes-control\n sync_login:\n certfile: user.crt\n keyfile: user.key\n vmm_domain:\n domain: kubernetes1\n controller: kubernetes1\n encap_type: vxlan\n mcast_range:\n start: 225.2.1.1\n end: 225.2.255.255\n client_ssl: false\nnet_config:\n node_subnet: 10.1.0.1/16\n pod_subnet: 10.2.0.1/16\n pod_subnet_chunk_size: 24\n extern_dynamic: 10.4.0.1/16\n extern_static: 10.3.0.1/24\n node_svc_subnet: 10.6.0.1/24\n kubeapi_vlan: 4001\n service_vlan: 4003\n infra_vlan: 4093\n disable_wait_for_network: true\nkube_config:\n aci_multipod: true\n opflex_device_reconnect_wait_timeout: 10\n dhcp_renew_max_retry_count: 10\n dhcp_delay: 10\n use_external_service_ip_allocator: true\n use_privileged_containers: true\n use_openshift_security_context_constraints: true\n allow_kube_api_default_epg: true\n no_wait_for_service_ep_readiness: true\n hpp_optimization: true\n service_graph_endpoint_add_delay:\n delay: 30\n services:\n - name: ingress-service\n namespace: openshift-ingress\n - name: monitoring-service\n namespace: openshift-monitoring\n delay: 60\n add_external_subnets_to_rdconfig: true\n snat_operator:\n disable_periodic_snat_global_info_sync: true\n sleep_time_snat_global_info_sync: 60\n node_snat_redirect_exclude:\n - group: router\n labels:\n - worker\n - router\n - infra\n - group: infra\n labels:\n - infra\n - router\n image_pull_policy: IfNotPresent\n opflex_agent_policy_retry_delay_timer: 10\n 
use_system_node_priority_class: true\n ovs_memory_request: 512Mi\n ovs_memory_limit: 2Gi\n aci_containers_controller_memory_request: 256Mi\n aci_containers_controller_memory_limit: 5Gi\n aci_containers_host_memory_request: 256Mi\n aci_containers_host_memory_limit: 5Gi\n mcast_daemon_memory_request: 256Mi\n mcast_daemon_memory_limit: 5Gi\n opflex_agent_memory_request: 256Mi\n opflex_agent_memory_limit: 5Gi\n acc_provision_operator_memory_request: 256Mi\n acc_provision_operator_memory_limit: 5Gi\n aci_containers_operator_memory_request: 256Mi\n aci_containers_operator_memory_limit: 5Gi\n toleration_seconds: 100\n opflex_openssl_compat: true\n enable_opflex_agent_reconnect: true\n opflex_agent_statistics: false\n opflex_startup_enabled: true\n opflex_startup_policy_duration: 20\n opflex_startup_resolve_aft_conn: true\n opflex_switch_sync_delay: 10\n opflex_switch_sync_dynamic: 20\n add_external_contract_to_default_epg: true\n apic_connection_retry_limit: 10\n disable_hpp_rendering: true\n taint_not_ready_node: true\n enable_hpp_direct: true\n unknown_mac_unicast_action: flood\n opflex_agent_reset_wait_delay: 10\nregistry:\n image_prefix: noiro\n aci_cni_operator_version: AciCniOperatorTag\n use_digest: true\nlogging:\n controller_log_level: debug\n hostagent_log_level: debug\n opflexagent_log_level: info\n operator_log_level: debug\nnodepodif_config:\n enable: true\ndrop_log_config:\n disable_events: true\n", + "accProvisionInput": "operator_managed_config:\n enable_updates: true\naci_config:\n system_id: kube\n use_legacy_kube_naming_convention: true\n cluster_tenant: demo\n apic_hosts:\n - 10.30.120.100\n apic_login:\n username: admin\n apic_version: '5.0'\n aep: kube-aep\n apic_subscription_delay: 100\n opflex_device_delete_timeout: 1200\n apic_refreshticker_adjust: 150\n vrf:\n name: kubernetes-vrf\n tenant: common\n l3out:\n name: l3out\n external_networks:\n - l3out\n physical_domain:\n domain: kubernetes-control\n sync_login:\n certfile: user.crt\n keyfile: 
user.key\n vmm_domain:\n domain: kubernetes1\n controller: kubernetes1\n encap_type: vxlan\n mcast_range:\n start: 225.2.1.1\n end: 225.2.255.255\n client_ssl: false\nnet_config:\n node_subnet: 10.1.0.1/16\n pod_subnet: 10.2.0.1/16\n pod_subnet_chunk_size: 24\n extern_dynamic: 10.4.0.1/16\n extern_static: 10.3.0.1/24\n node_svc_subnet: 10.6.0.1/24\n kubeapi_vlan: 4001\n service_vlan: 4003\n infra_vlan: 4093\n disable_wait_for_network: true\nkube_config:\n aci_multipod: true\n opflex_device_reconnect_wait_timeout: 10\n dhcp_renew_max_retry_count: 10\n dhcp_delay: 10\n use_external_service_ip_allocator: true\n use_privileged_containers: true\n use_openshift_security_context_constraints: true\n allow_kube_api_default_epg: true\n no_wait_for_service_ep_readiness: true\n hpp_optimization: true\n service_graph_endpoint_add_delay:\n delay: 30\n services:\n - name: ingress-service\n namespace: openshift-ingress\n - name: monitoring-service\n namespace: openshift-monitoring\n delay: 60\n add_external_subnets_to_rdconfig: true\n snat_operator:\n disable_periodic_snat_global_info_sync: true\n sleep_time_snat_global_info_sync: 60\n node_snat_redirect_exclude:\n - group: router\n labels:\n - worker\n - router\n - infra\n - group: infra\n labels:\n - infra\n - router\n image_pull_policy: IfNotPresent\n opflex_agent_policy_retry_delay_timer: 10\n use_system_node_priority_class: true\n ovs_memory_request: 512Mi\n ovs_memory_limit: 2Gi\n aci_containers_controller_memory_request: 256Mi\n aci_containers_controller_memory_limit: 5Gi\n aci_containers_host_memory_request: 256Mi\n aci_containers_host_memory_limit: 5Gi\n mcast_daemon_memory_request: 256Mi\n mcast_daemon_memory_limit: 5Gi\n opflex_agent_memory_request: 256Mi\n opflex_agent_memory_limit: 5Gi\n acc_provision_operator_memory_request: 256Mi\n acc_provision_operator_memory_limit: 5Gi\n aci_containers_operator_memory_request: 256Mi\n aci_containers_operator_memory_limit: 5Gi\n toleration_seconds: 100\n opflex_openssl_compat: 
true\n enable_opflex_agent_reconnect: true\n opflex_agent_statistics: false\n opflex_startup_enabled: true\n opflex_startup_policy_duration: 20\n opflex_startup_resolve_aft_conn: true\n opflex_switch_sync_delay: 10\n opflex_switch_sync_dynamic: 20\n add_external_contract_to_default_epg: true\n apic_connection_retry_limit: 10\n disable_hpp_rendering: true\n taint_not_ready_node: true\n enable_hpp_direct: true\n unknown_mac_unicast_action: flood\n opflex_agent_reset_wait_delay: 10\n disable_service_vlan_preprovisioning: true\nregistry:\n image_prefix: noiro\n aci_cni_operator_version: AciCniOperatorTag\n use_digest: true\nlogging:\n controller_log_level: debug\n hostagent_log_level: debug\n opflexagent_log_level: info\n operator_log_level: debug\nnodepodif_config:\n enable: true\ndrop_log_config:\n disable_events: true\n", "userKey": "dummy\n", "userCert": "dummy\n" } diff --git a/provision/testdata/with_overrides.inp.yaml b/provision/testdata/with_overrides.inp.yaml index a8908050b..e222388ea 100644 --- a/provision/testdata/with_overrides.inp.yaml +++ b/provision/testdata/with_overrides.inp.yaml @@ -114,6 +114,7 @@ kube_config: enable_hpp_direct: True unknown_mac_unicast_action: "flood" opflex_agent_reset_wait_delay: 10 + disable_service_vlan_preprovisioning: True registry: image_prefix: noiro diff --git a/provision/testdata/with_overrides.kube.yaml b/provision/testdata/with_overrides.kube.yaml index 7e7e3266c..3c2323c24 100644 --- a/provision/testdata/with_overrides.kube.yaml +++ b/provision/testdata/with_overrides.kube.yaml 
@@ -1431,7 +1431,7 @@ metadata: data: spec: flavor: kubernetes-1.30 - config: "\napiVersion: v1\nkind: Namespace\nmetadata:\n name: aci-containers-system\n labels:\n aci-containers-config-version: \"dummy\"\n annotations:\n openshift.io/node-selector: ''\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: nodepodifs.aci.aw\nspec:\n group: aci.aw\n names:\n kind: NodePodIF\n listKind: NodePodIFList\n plural: nodepodifs\n singular: nodepodif\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n type: object\n properties:\n podifs:\n type: array\n items:\n type: object\n properties:\n containerID:\n type: string\n epg:\n type: string\n ifname:\n type: string\n ipaddr:\n type: string\n macaddr:\n type: string\n podname:\n type: string\n podns:\n type: string\n vtep:\n type: string\n required:\n - spec\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatglobalinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatGlobalInfo\n listKind: SnatGlobalInfoList\n plural: snatglobalinfos\n singular: snatglobalinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n description: SnatGlobalInfo is the Schema for the snatglobalinfos API\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n globalInfos:\n additionalProperties:\n items:\n properties:\n macAddress:\n type: string\n portRanges:\n items:\n properties:\n end:\n maximum: 65535\n minimum: 1\n type: integer\n start:\n maximum: 65535\n minimum: 1\n type: integer\n type: object\n type: array\n snatIp:\n type: string\n snatIpUid:\n type: string\n snatPolicyName:\n type: string\n required:\n - macAddress\n - portRanges\n - snatIp\n - snatIpUid\n - 
snatPolicyName\n type: object\n type: array\n type: object\n required:\n - globalInfos\n type: object\n status:\n description: SnatGlobalInfoStatus defines the observed state of SnatGlobalInfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatlocalinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatLocalInfo\n listKind: SnatLocalInfoList\n plural: snatlocalinfos\n singular: snatlocalinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: SnatLocalInfoSpec defines the desired state of SnatLocalInfo\n properties:\n localInfos:\n items:\n properties:\n podName:\n type: string\n podNamespace:\n type: string\n podUid:\n type: string\n snatPolicies:\n items:\n properties:\n destIp:\n items:\n type: string\n type: array\n name:\n type: string\n snatIp:\n type: string\n required:\n - destIp\n - name\n - snatIp\n type: object\n type: array\n required:\n - podName\n - podNamespace\n - podUid\n - snatPolicies\n type: object\n type: array\n required:\n - localInfos\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatpolicies.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatPolicy\n listKind: SnatPolicyList\n plural: snatpolicies\n singular: snatpolicy\n scope: Cluster\n versions:\n - name: v1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n type: object\n properties:\n selector:\n type: object\n properties:\n labels:\n type: object\n description: 'Selection of Pods'\n properties:\n additionalProperties:\n type: string\n namespace:\n type: string\n snatIp:\n type: array\n items:\n type: 
string\n destIp:\n type: array\n items:\n type: string\n status:\n type: object\n properties:\n additionalProperties:\n type: string\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: nodeinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: NodeInfo\n listKind: NodeInfoList\n plural: nodeinfos\n singular: nodeinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n macaddress:\n type: string\n snatpolicynames:\n additionalProperties:\n type: boolean\n type: object\n type: object\n status:\n description: NodeinfoStatus defines the observed state of Nodeinfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: rdconfigs.aci.snat\nspec:\n group: aci.snat\n names:\n kind: RdConfig\n listKind: RdConfigList\n plural: rdconfigs\n singular: rdconfig\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n discoveredsubnets:\n items:\n type: string\n type: array\n usersubnets:\n items:\n type: string\n type: array\n type: object\n status:\n description: NodeinfoStatus defines the observed state of Nodeinfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: networkpolicies.aci.netpol\nspec:\n group: aci.netpol\n names:\n kind: NetworkPolicy\n listKind: NetworkPolicyList\n plural: networkpolicies\n singular: networkpolicy\n scope: Namespaced\n versions:\n - name: v1\n schema:\n openAPIV3Schema:\n description: Network Policy describes traffic flow at IP address or port level\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: 
object\n spec:\n properties:\n appliedTo:\n properties:\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: allow ingress from the same namespace\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n egress:\n description: Set of egress rules evaluated based on the order in which they are set.\n items:\n properties:\n action:\n description: Action specifies the action to be applied on the rule.\n type: string\n enableLogging:\n description: EnableLogging is used to indicate if agent should generate logs default to false.\n type: boolean\n ports:\n description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports.\n items:\n description: NetworkPolicyPort describes the port and protocol to match in a rule.\n properties:\n endPort:\n description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical `port` is specified.\n format: int32\n type: integer\n port:\n anyOf:\n - type: integer\n - type: string\n description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers.\n x-kubernetes-int-or-string: true\n protocol:\n default: TCP\n description: The protocol (TCP, UDP, or SCTP) which traffic must match. 
If not specified, this field defaults to TCP.\n type: string\n type: object\n type: array\n to:\n description: Rule is matched if traffic is intended for workloads selected by this field. If this field is empty or missing, this rule matches all destinations.\n items:\n properties:\n ipBlock:\n description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector.\n properties:\n cidr:\n description: CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\"\n type: string\n except:\n description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\" Except values will be rejected if they are outside the CIDR range\n items:\n type: string\n type: array\n required:\n - cidr\n type: object\n namespaceSelector:\n description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector.\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. 
This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n type: array\n toFqDn:\n properties:\n matchNames:\n items:\n type: string\n type: array\n required:\n - matchNames\n type: object\n required:\n - enableLogging\n - toFqDn\n type: object\n type: array\n ingress:\n description: Set of ingress rules evaluated based on the order in which they are set.\n items:\n properties:\n action:\n description: Action specifies the action to be applied on the rule.\n type: string\n enableLogging:\n description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false.\n type: boolean\n from:\n description: Rule is matched if traffic originates from workloads selected by this field. 
If this field is empty, this rule matches all sources.\n items:\n properties:\n ipBlock:\n description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector.\n properties:\n cidr:\n description: CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\"\n type: string\n except:\n description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\" Except values will be rejected if they are outside the CIDR range\n items:\n type: string\n type: array\n required:\n - cidr\n type: object\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.\n properties:\n matchExpressions:\n description: matchExpressions is a list of label selector requirements. The requirements are ANDed.\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a key's relationship to a set of values. 
Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n type: array\n ports:\n description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports.\n items:\n description: NetworkPolicyPort describes the port and protocol to match in a rule.\n properties:\n endPort:\n description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical `port` is specified.\n format: int32\n type: integer\n port:\n anyOf:\n - type: integer\n - type: string\n description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers.\n x-kubernetes-int-or-string: true\n protocol:\n default: TCP\n description: The protocol (TCP, UDP, or SCTP) which traffic must match. 
If not specified, this field defaults to TCP.\n type: string\n type: object\n type: array\n type: object\n type: array\n policyTypes:\n items:\n description: Policy Type string describes the NetworkPolicy type This type is beta-level in 1.8\n type: string\n type: array\n priority:\n description: Priority specfies the order of the NetworkPolicy relative to other NetworkPolicies.\n type: integer\n type:\n description: type of the policy.\n type: string\n required:\n - type\n type: object\n required:\n - spec\n type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: dnsnetworkpolicies.aci.dnsnetpol\nspec:\n group: aci.dnsnetpol\n names:\n kind: DnsNetworkPolicy\n listKind: DnsNetworkPolicyList\n plural: dnsnetworkpolicies\n singular: dnsnetworkpolicy\n scope: Namespaced\n versions:\n - name: v1beta\n schema:\n openAPIV3Schema:\n description: dns network Policy\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n appliedTo:\n properties:\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: allow ingress from the same namespace\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n egress:\n description: Set of egress rules evaluated based on the order in which they are set.\n properties:\n toFqdn:\n properties:\n matchNames:\n items:\n type: string\n type: array\n required:\n - matchNames\n type: object\n required:\n - toFqdn\n type: object\n type: object\n required:\n - spec\n type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: qospolicies.aci.qos\nspec:\n group: aci.qos\n names:\n kind: QosPolicy\n listKind: QosPolicyList\n plural: qospolicies\n singular: qospolicy\n scope: Namespaced\n preserveUnknownFields: false\n versions:\n - name: v1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n podSelector:\n description: 'Selection of Pods'\n type: object\n properties:\n matchLabels:\n type: object\n description:\n ingress:\n type: object\n properties:\n policing_rate:\n type: integer\n minimum: 0\n policing_burst:\n type: integer\n minimum: 0\n egress:\n type: object\n properties:\n policing_rate:\n type: integer\n minimum: 0\n policing_burst:\n type: integer\n minimum: 0\n dscpmark:\n type: integer\n default: 0\n minimum: 0\n maximum: 63\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: netflowpolicies.aci.netflow\nspec:\n group: aci.netflow\n names:\n kind: NetflowPolicy\n listKind: NetflowPolicyList\n plural: netflowpolicies\n singular: 
netflowpolicy\n scope: Cluster\n preserveUnknownFields: false\n versions:\n - name: v1alpha\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n flowSamplingPolicy:\n type: object\n properties:\n destIp:\n type: string\n destPort:\n type: integer\n minimum: 0\n maximum: 65535\n default: 2055\n flowType:\n type: string\n enum:\n - netflow\n - ipfix\n default: netflow\n activeFlowTimeOut:\n type: integer\n minimum: 0\n maximum: 3600\n default: 60\n idleFlowTimeOut:\n type: integer\n minimum: 0\n maximum: 600\n default: 15\n samplingRate:\n type: integer\n minimum: 0\n maximum: 1000\n default: 0\n required:\n - destIp\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: erspanpolicies.aci.erspan\nspec:\n group: aci.erspan\n names:\n kind: ErspanPolicy\n listKind: ErspanPolicyList\n plural: erspanpolicies\n singular: erspanpolicy\n scope: Cluster\n preserveUnknownFields: false\n versions:\n - name: v1alpha\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n selector:\n type: object\n description: 'Selection of Pods'\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n namespace:\n type: string\n source:\n type: object\n properties:\n adminState:\n description: Administrative state.\n default: start\n type: string\n enum:\n - start\n - stop\n direction:\n description: Direction of the packets to monitor.\n default: both\n type: string\n enum:\n - in\n - out\n - both\n destination:\n type: object\n properties:\n destIP:\n description: Destination IP of the ERSPAN packet.\n type: string\n flowID:\n description: Unique flow ID of the ERSPAN packet.\n default: 1\n type: integer\n 
minimum: 1\n maximum: 1023\n required:\n - destIP\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: enabledroplogs.aci.droplog\nspec:\n group: aci.droplog\n names:\n kind: EnableDropLog\n listKind: EnableDropLogList\n plural: enabledroplogs\n singular: enabledroplog\n scope: Cluster\n versions:\n - name: v1alpha1\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n description: Defines the desired state of EnableDropLog\n type: object\n properties:\n disableDefaultDropLog:\n description: Disables the default droplog enabled by acc-provision.\n default: false\n type: boolean\n nodeSelector:\n type: object\n description: Drop logging is enabled on nodes selected based on labels\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: prunedroplogs.aci.droplog\nspec:\n group: aci.droplog\n names:\n kind: PruneDropLog\n listKind: PruneDropLogList\n plural: prunedroplogs\n singular: prunedroplog\n scope: Cluster\n versions:\n - name: v1alpha1\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n description: Defines the desired state of PruneDropLog\n type: object\n properties:\n nodeSelector:\n type: object\n description: Drop logging filters are applied to nodes selected based on labels\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n dropLogFilters:\n type: object\n properties:\n srcIP:\n type: string\n destIP:\n type: string\n srcMAC:\n type: string\n destMAC:\n type: string\n srcPort:\n type: integer\n destPort:\n type: integer\n 
ipProto:\n type: integer\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: hostprotpols.aci.hpp\nspec:\n group: aci.hpp\n names:\n kind: HostprotPol\n listKind: HostprotPolList\n plural: hostprotpols\n singular: hostprotpol\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n description: 'APIVersion defines the versioned schema of this\n representation of an object.Servers should convert recognized\n schemas to the latest internal value, and may reject\n unrecognized values.\n More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n kind:\n type: string\n description: 'Kind is a string value representing the REST resource\n this object represents. Servers may infer this from the endpoint\n the client submits requests to. Cannot be updated. In CamelCase.\n More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n metadata:\n type: object\n spec:\n type: object\n properties:\n name:\n type: string\n networkPolicies:\n type: array\n items:\n type: string\n hostprotSubj:\n type: array\n items:\n type: object\n properties:\n name:\n type: string\n hostprotRule:\n type: array\n items:\n type: object\n properties:\n name:\n type: string\n protocol:\n type: string\n description: Protocol\n rsRemoteIpContainer:\n type: array\n items:\n type: string\n toPort:\n type: string\n description: ToPort\n connTrack:\n type: string\n description: ConnTrack\n direction:\n type: string\n description: Direction\n ethertype:\n type: string\n description: Ethertype\n fromPort:\n type: string\n description: FromPort\n hostprotServiceRemoteIps:\n type: array\n items:\n type: string\n hostprotFilterContainer:\n type: object\n properties:\n hostprotFilter:\n type: array\n items:\n type: object\n properties:\n 
key:\n type: string\n operator:\n type: string\n values:\n type: array\n items:\n type: string\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: hostprotremoteipcontainers.aci.hpp\nspec:\n group: aci.hpp\n names:\n kind: HostprotRemoteIpContainer\n listKind: HostprotRemoteIpContainerList\n plural: hostprotremoteipcontainers\n singular: hostprotremoteipcontainer\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n description: 'APIVersion defines the versioned schema of this representation of an object.\n Servers should convert recognized schemas to the latest internal value, and\n may reject unrecognized values.\n More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n kind:\n type: string\n description: 'Kind is a string value representing the REST resource this object represents.\n Servers may infer this from the endpoint the client submits requests to.\n Cannot be updated.\n In CamelCase.\n More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n metadata:\n type: object\n spec:\n type: object\n properties:\n name:\n type: string\n hostprotRemoteIp:\n type: array\n items:\n type: object\n properties:\n addr:\n type: string\n hppEpLabel:\n type: array\n items:\n type: object\n properties:\n key:\n type: string\n value:\n type: string\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: aci-containers-config\n namespace: kube-system\n labels:\n aci-containers-config-version: \"dummy\"\n network-plugin: aci-containers\ndata:\n controller-config: |-\n {\n \"flavor\": \"kubernetes-1.30\",\n \"log-level\": \"debug\",\n \"apic-hosts\": [\n \"10.30.120.100\"\n ],\n \"aci-multipod\": true,\n \"unknown-mac-unicast-action\": \"flood\",\n \"enable-opflex-agent-reconnect\": true,\n 
\"opflex-device-reconnect-wait-timeout\": 10,\n \"apic-subscription-delay\": 100,\n \"apic-refreshticker-adjust\": \"150\",\n \"apic-username\": \"kube\",\n \"apic-private-key-path\": \"/usr/local/etc/aci-cert/user.key\",\n \"aci-prefix\": \"kube\",\n \"aci-vmm-type\": \"Kubernetes\",\n \"aci-vmm-domain\": \"kubernetes1\",\n \"aci-vmm-controller\": \"kubernetes1\",\n \"aci-policy-tenant\": \"kube\",\n \"hpp-optimization\": true,\n \"disable-hpp-rendering\": true,\n \"enable-hpp-direct\": true,\n \"no-wait-for-service-ep-readiness\": true,\n \"service-graph-endpoint-add-delay\": {\n \"delay\": 30,\n \"services\": [\n {\n \"name\": \"ingress-service\",\n \"namespace\": \"openshift-ingress\"\n },\n {\n \"delay\": 60,\n \"name\": \"monitoring-service\",\n \"namespace\": \"openshift-monitoring\"\n }\n ]\n },\n \"add-external-subnets-to-rdconfig\": true,\n \"disable-periodic-snat-global-info-sync\": true,\n \"opflex-device-delete-timeout\": 1200,\n \"sleep-time-snat-global-info-sync\": 60,\n \"node-snat-redirect-exclude\": [\n {\n \"group\": \"router\",\n \"labels\": [\n \"worker\",\n \"router\",\n \"infra\"\n ]\n },\n {\n \"group\": \"infra\",\n \"labels\": [\n \"infra\",\n \"router\"\n ]\n }\n ],\n \"apic-connection-retry-limit\": 10,\n \"aci-podbd-dn\": \"uni/tn-kube/BD-kube-pod-bd\",\n \"aci-nodebd-dn\": \"uni/tn-kube/BD-kube-node-bd\",\n \"aci-service-phys-dom\": \"kubernetes-control\",\n \"aci-service-encap\": \"vlan-4003\",\n \"aci-service-monitor-interval\": 5,\n \"aci-pbr-tracking-non-snat\": false,\n \"aci-vrf-tenant\": \"common\",\n \"aci-vrf-dn\": \"uni/tn-common/ctx-kubernetes-vrf\",\n \"aci-l3out\": \"l3out\",\n \"aci-ext-networks\": [\n \"l3out\"\n ],\n \"aci-vrf\": \"kubernetes-vrf\",\n \"app-profile\": \"kubernetes\",\n \"add-external-contract-to-default-epg\": true,\n \"default-endpoint-group\": {\n \"policy-space\": \"kube\",\n \"name\": \"kubernetes|kube-default\"\n },\n \"max-nodes-svc-graph\": 32,\n \"namespace-default-endpoint-group\": {\n 
\"istio-operator\": {\n \"policy-space\": \"kube\",\n \"name\": \"kubernetes|kube-istio\"\n },\n \"istio-system\": {\n \"policy-space\": \"kube\",\n \"name\": \"kubernetes|kube-istio\"\n },\n \"kube-system\": {\n \"policy-space\": \"kube\",\n \"name\": \"kubernetes|kube-system\"\n } },\n \"service-ip-pool\": [\n {\n \"end\": \"10.4.255.254\",\n \"start\": \"10.4.0.2\"\n }\n ],\n \"extern-static\": [\"10.3.0.1/24\"],\n \"extern-dynamic\": [\"10.4.0.1/16\"],\n \"snat-contract-scope\": \"global\",\n \"static-service-ip-pool\": [\n {\n \"end\": \"10.3.0.254\",\n \"start\": \"10.3.0.2\"\n }\n ],\n \"allocate-service-ips\": false,\n \"taint-not-ready-node\": true,\n \"pod-ip-pool\": [\n {\n \"end\": \"10.2.255.254\",\n \"start\": \"10.2.0.2\"\n }\n ],\n \"pod-subnet\": [\n \"10.2.0.1/16\"\n ],\n \"pod-subnet-chunk-size\": 24,\n \"node-service-ip-pool\": [\n {\n \"end\": \"10.6.0.254\",\n \"start\": \"10.6.0.2\"\n }\n ],\n \"node-service-subnets\": [\n \"10.6.0.1/24\"\n ]\n }\n host-agent-config: |-\n {\n \"flavor\": \"kubernetes-1.30\",\n \"app-profile\": \"kubernetes\",\n \"aci-multipod\": true,\n \"dhcp-renew-max-retry-count\": 10,\n \"dhcp-delay\": 10,\n \"opflex-mode\": null,\n \"enable-opflex-agent-reconnect\": true,\n \"log-level\": \"debug\",\n \"aci-snat-namespace\": \"aci-containers-system\",\n \"aci-vmm-type\": \"Kubernetes\",\n \"aci-vmm-domain\": \"kubernetes1\",\n \"aci-vmm-controller\": \"kubernetes1\",\n \"aci-prefix\": \"kube\",\n \"aci-vrf\": \"kubernetes-vrf\",\n \"aci-vrf-tenant\": \"common\",\n \"service-vlan\": 4003,\n \"kubeapi-vlan\": 4001,\n \"hpp-optimization\": true,\n \"disable-hpp-rendering\": true,\n \"enable-hpp-direct\": true,\n \"pod-subnet\": [\n \"10.2.0.1/16\"\n ],\n \"node-subnet\": [\n \"10.1.0.1/16\"\n ],\n \"encap-type\": \"vxlan\",\n \"aci-infra-vlan\": 4093,\n \"cni-netconfig\": [\n {\n \"gateway\": \"10.2.0.1\",\n \"routes\": [\n {\n \"dst\": \"0.0.0.0/0\",\n \"gw\": \"10.2.0.1\"\n }\n ],\n \"subnet\": \"10.2.0.0/16\"\n }\n ],\n 
\"default-endpoint-group\": {\n \"policy-space\": \"kube\",\n \"name\": \"kubernetes|kube-default\"\n },\n \"namespace-default-endpoint-group\": {\n \"istio-operator\": {\n \"policy-space\": \"kube\",\n \"name\": \"kubernetes|kube-istio\"\n },\n \"istio-system\": {\n \"policy-space\": \"kube\",\n \"name\": \"kubernetes|kube-istio\"\n },\n \"kube-system\": {\n \"policy-space\": \"kube\",\n \"name\": \"kubernetes|kube-system\"\n } },\n \"enable-drop-log\": true,\n \"packet-event-notification-socket\": \"\",\n \"enable-nodepodif\": true,\n \"taint-not-ready-node\": true,\n \"enable-ovs-hw-offload\": false\n }\n opflex-agent-config: |-\n {\n \"log\": {\n \"level\": \"info\"\n },\n \"opflex\": {\n \"notif\" : { \"enabled\" : \"false\" },\n \"startup\": {\n \"enabled\": true,\n \"policy-file\": \"/usr/local/var/lib/opflex-agent-ovs/startup/pol.json\",\n \"policy-duration\": 20,\n \"resolve-aft-conn\": true\n },\n \"timers\" : {\n \"policy-retry-delay\" : 10,\n \"reset-wait-delay\" : 10,\n \"switch-sync-delay\": 10,\n \"switch-sync-dynamic\": 20\n },\n \"asyncjson\": { \"enabled\" : \"false\" }\n ,\"enable-local-netpol\": true\n ,\"ssl\": { \"mode\": \"disabled\" }\n ,\"statistics\" : { \"mode\" : \"off\" }\n },\n \"ovs\": {\n \"asyncjson\": { \"enabled\" : \"false\" }\n },\n \"prometheus\": {\n \"enabled\": \"false\"\n }\n }\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: snat-operator-config\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"dummy\"\n network-plugin: aci-containers\ndata:\n \"start\": \"5000\"\n \"end\": \"65000\"\n \"ports-per-node\": \"3000\"\n---\napiVersion: v1\nkind: Secret\nmetadata:\n name: aci-user-cert\n namespace: kube-system\n labels:\n aci-containers-config-version: \"dummy\"\ndata:\n user.key: ZHVtbXkK\n user.crt: ZHVtbXkK\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: aci-containers-controller\n namespace: kube-system\n labels:\n aci-containers-config-version: \"dummy\"\n---\napiVersion: 
v1\nkind: ServiceAccount\nmetadata:\n name: aci-containers-host-agent\n namespace: kube-system\n labels:\n aci-containers-config-version: \"dummy\"\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n aci-containers-config-version: \"dummy\"\n network-plugin: aci-containers\n name: aci-containers-controller\nrules:\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - namespaces\n - pods\n - endpoints\n - services\n - events\n - replicationcontrollers\n - serviceaccounts\n verbs:\n - list\n - watch\n - get\n - patch\n - create\n - update\n - delete\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n- apiGroups:\n - \"apiextensions.k8s.io\"\n resources:\n - customresourcedefinitions\n verbs:\n - '*'\n- apiGroups:\n - \"rbac.authorization.k8s.io\"\n resources:\n - clusterroles\n - clusterrolebindings\n verbs:\n - '*'\n- apiGroups:\n - \"networking.k8s.io\"\n resources:\n - networkpolicies\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"apps\"\n resources:\n - deployments\n - replicasets\n - daemonsets\n - statefulsets\n verbs:\n - '*'\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - services/status\n verbs:\n - update\n- apiGroups:\n - \"monitoring.coreos.com\"\n resources:\n - servicemonitors\n verbs:\n - get\n - create\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatpolicies/finalizers\n - snatpolicies/status\n - nodeinfos\n verbs:\n - update\n - create\n - list\n - watch\n - get\n - delete\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatglobalinfos\n - snatpolicies\n - nodeinfos\n - rdconfigs\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n- apiGroups:\n - \"aci.qos\"\n resources:\n - qospolicies\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n - patch\n- apiGroups:\n - \"aci.netflow\"\n resources:\n - netflowpolicies\n verbs:\n - list\n - watch\n - get\n - update\n- apiGroups:\n - \"aci.erspan\"\n 
resources:\n - erspanpolicies\n verbs:\n - list\n - watch\n - get\n - update\n- apiGroups:\n - \"aci.aw\"\n resources:\n - nodepodifs\n verbs:\n - '*'\n- apiGroups:\n - apps.openshift.io\n resources:\n - deploymentconfigs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - discovery.k8s.io\n resources:\n - endpointslices\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.netpol\"\n resources:\n - networkpolicies\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - delete\n- apiGroups:\n - \"aci.dnsnetpol\"\n resources:\n - dnsnetworkpolicies\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - delete\n- apiGroups:\n - \"aci.hpp\"\n resources:\n - hostprotpols\n - hostprotremoteipcontainers\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n aci-containers-config-version: \"dummy\"\n network-plugin: aci-containers\n name: aci-containers-host-agent\nrules:\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - namespaces\n - pods\n - endpoints\n - services\n - replicationcontrollers\n verbs:\n - list\n - watch\n - get\n - update\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - create\n - patch\n- apiGroups:\n - \"apiextensions.k8s.io\"\n resources:\n - customresourcedefinitions\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"networking.k8s.io\"\n resources:\n - networkpolicies\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"apps\"\n resources:\n - deployments\n - replicasets\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatpolicies\n - snatglobalinfos\n - rdconfigs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.qos\"\n resources:\n - qospolicies\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n - patch\n- apiGroups:\n - \"aci.droplog\"\n resources:\n - enabledroplogs\n - prunedroplogs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - 
\"aci.snat\"\n resources:\n - nodeinfos\n - snatlocalinfos\n verbs:\n - create\n - update\n - list\n - watch\n - get\n - delete\n- apiGroups:\n - discovery.k8s.io\n resources:\n - endpointslices\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.netpol\"\n resources:\n - networkpolicies\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.aw\"\n resources:\n - nodepodifs\n verbs:\n - \"*\"\n- apiGroups:\n - \"aci.hpp\"\n resources:\n - hostprotpols\n - hostprotremoteipcontainers\n verbs:\n - list\n - watch\n - get\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: aci-containers-controller\n labels:\n aci-containers-config-version: \"dummy\"\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: aci-containers-controller\nsubjects:\n- kind: ServiceAccount\n name: aci-containers-controller\n namespace: kube-system\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: aci-containers-host-agent\n labels:\n aci-containers-config-version: \"dummy\"\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: aci-containers-host-agent\nsubjects:\n- kind: ServiceAccount\n name: aci-containers-host-agent\n namespace: kube-system\n---\nkind: SecurityContextConstraints\napiVersion: security.openshift.io/v1\nmetadata:\n name: aci-containers-scc\n labels:\n aci-containers-config-version: \"dummy\"\nusers:\n- system:serviceaccount:kube-system:aci-containers-controller\n- system:serviceaccount:kube-system:aci-containers-host-agent\nallowHostDirVolumePlugin: true\nallowHostIPC: true\nallowHostNetwork: true\nallowHostPID: true\nallowHostPorts: true\nallowPrivilegedContainer: true\nallowedCapabilities:\n- '*'\ndefaultAddCapabilities: []\nrequiredDropCapabilities: []\nreadOnlyRootFilesystem: false\nfsGroup:\n type: RunAsAny\nrunAsUser:\n type: RunAsAny\nseLinuxContext:\n type: RunAsAny\nsupplementalGroups:\n type: RunAsAny\nseccompProfiles:\n- 
'*'\nvolumes:\n- '*'\npriority: 100\n---\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: aci-containers-host\n namespace: kube-system\n labels:\n aci-containers-config-version: \"dummy\"\n network-plugin: aci-containers\nspec:\n updateStrategy:\n type: RollingUpdate\n selector:\n matchLabels:\n name: aci-containers-host\n network-plugin: aci-containers\n template:\n metadata:\n labels:\n name: aci-containers-host\n network-plugin: aci-containers\n annotations:\n spec:\n hostNetwork: true\n hostPID: true\n hostIPC: true\n serviceAccountName: aci-containers-host-agent\n tolerations:\n - operator: Exists\n priorityClassName: system-node-critical\n containers:\n - name: aci-containers-host\n image: noiro/aci-containers-host@sha256:6.1.1.2.81c2369\n imagePullPolicy: IfNotPresent\n resources:\n limits:\n memory: \"5Gi\"\n requests:\n memory: \"256Mi\"\n securityContext:\n privileged: true\n capabilities:\n add:\n - SYS_ADMIN\n - NET_ADMIN\n - SYS_PTRACE\n - NET_RAW\n env:\n - name: GOTRACEBACK\n value: \"2\"\n - name: KUBERNETES_NODE_NAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n - name: TENANT\n value: \"kube\"\n - name: NODE_EPG\n value: \"kubernetes|kube-nodes\"\n - name: DISABLE_WAIT_FOR_NETWORK\n value: 'True'\n volumeMounts:\n - name: cni-bin\n mountPath: /mnt/cni-bin\n - name: cni-conf\n mountPath: /mnt/cni-conf\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: opflex-hostconfig-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/base-conf.d\n - name: host-config-volume\n mountPath: /usr/local/etc/aci-containers/\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n - name: dhclient\n mountPath: /var/lib/dhclient\n - mountPath: /run/netns\n name: host-run-netns\n readOnly: true\n mountPropagation: 
HostToContainer\n livenessProbe:\n failureThreshold: 10\n httpGet:\n path: /status\n port: 8090\n scheme: HTTP\n initialDelaySeconds: 120\n periodSeconds: 60\n successThreshold: 1\n timeoutSeconds: 30\n - name: opflex-agent\n env:\n - name: REBOOT_WITH_OVS\n value: \"true\"\n - name: OPENSSL_CONF\n value: \"/etc/pki/tls/openssl11.cnf\"\n image: noiro/opflex@sha256:6.1.1.2.81c2369\n imagePullPolicy: IfNotPresent\n resources:\n limits:\n memory: \"5Gi\"\n requests:\n memory: \"256Mi\"\n securityContext:\n privileged: true\n capabilities:\n add:\n - NET_ADMIN\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: opflex-hostconfig-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/base-conf.d\n - name: opflex-config-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/conf.d\n - name: mcast-daemon\n image: noiro/opflex@sha256:6.1.1.2.81c2369\n command: [\"/bin/sh\"]\n args: [\"/usr/local/bin/launch-mcastdaemon.sh\"]\n imagePullPolicy: IfNotPresent\n resources:\n limits:\n memory: \"5Gi\"\n requests:\n memory: \"256Mi\"\n securityContext:\n privileged: true\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n restartPolicy: Always\n volumes:\n - name: cni-bin\n hostPath:\n path: /opt\n - name: cni-conf\n hostPath:\n path: /etc\n - name: hostvar\n hostPath:\n path: /var\n - name: hostrun\n hostPath:\n path: /run\n - name: host-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: host-agent-config\n path: host-agent.conf\n - name: opflex-hostconfig-volume\n emptyDir:\n medium: Memory\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n - name: dhclient\n hostPath:\n path: /var/lib/dhclient\n - name: opflex-config-volume\n 
configMap:\n name: aci-containers-config\n items:\n - key: opflex-agent-config\n path: local.conf\n - name: host-run-netns\n hostPath:\n path: /run/netns\n---\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: aci-containers-openvswitch\n namespace: kube-system\n labels:\n aci-containers-config-version: \"dummy\"\n network-plugin: aci-containers\nspec:\n updateStrategy:\n type: RollingUpdate\n selector:\n matchLabels:\n name: aci-containers-openvswitch\n network-plugin: aci-containers\n template:\n metadata:\n labels:\n name: aci-containers-openvswitch\n network-plugin: aci-containers\n spec:\n hostNetwork: true\n hostPID: true\n hostIPC: true\n serviceAccountName: aci-containers-host-agent\n tolerations:\n - operator: Exists\n priorityClassName: system-node-critical\n containers:\n - name: aci-containers-openvswitch\n image: noiro/openvswitch@sha256:6.1.1.2.81c2369\n imagePullPolicy: IfNotPresent\n resources:\n limits:\n memory: \"2Gi\"\n requests:\n memory: \"512Mi\"\n securityContext:\n privileged: true\n capabilities:\n add:\n - NET_ADMIN\n - SYS_MODULE\n - SYS_NICE\n - IPC_LOCK\n env:\n - name: OVS_RUNDIR\n value: /usr/local/var/run/openvswitch\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: hostetc\n mountPath: /usr/local/etc\n - name: hostmodules\n mountPath: /lib/modules\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n livenessProbe:\n exec:\n command:\n - /usr/local/bin/liveness-ovs.sh\n restartPolicy: Always\n volumes:\n - name: hostetc\n hostPath:\n path: /etc\n - name: hostvar\n hostPath:\n path: /var\n - name: hostrun\n hostPath:\n path: /run\n - name: hostmodules\n hostPath:\n path: /lib/modules\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n 
hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: aci-containers-controller\n namespace: kube-system\n labels:\n aci-containers-config-version: \"dummy\"\n network-plugin: aci-containers\n name: aci-containers-controller\nspec:\n replicas: 1\n strategy:\n type: Recreate\n selector:\n matchLabels:\n name: aci-containers-controller\n network-plugin: aci-containers\n template:\n metadata:\n name: aci-containers-controller\n namespace: kube-system\n labels:\n name: aci-containers-controller\n network-plugin: aci-containers\n spec:\n hostNetwork: true\n serviceAccountName: aci-containers-controller\n tolerations:\n - effect: NoExecute\n key: node.kubernetes.io/unreachable\n operator: Exists\n tolerationSeconds: 100\n - effect: NoExecute\n key: node.kubernetes.io/not-ready\n operator: Exists\n tolerationSeconds: 100\n - effect: NoSchedule\n key: node.kubernetes.io/not-ready\n operator: Exists\n - effect: NoSchedule\n key: node-role.kubernetes.io/master\n operator: Exists\n priorityClassName: system-node-critical\n containers:\n - name: aci-containers-controller\n image: noiro/aci-containers-controller@sha256:6.1.1.2.81c2369\n imagePullPolicy: IfNotPresent\n resources:\n limits:\n memory: \"5Gi\"\n requests:\n memory: \"256Mi\"\n env:\n - name: WATCH_NAMESPACE\n value: \"\"\n - name: ACI_SNAT_NAMESPACE\n value: \"aci-containers-system\"\n - name: ACI_SNAGLOBALINFO_NAME\n value: \"snatglobalinfo\"\n - name: ACI_RDCONFIG_NAME\n value: \"routingdomain-config\"\n - name: SYSTEM_NAMESPACE\n value: \"kube-system\"\n volumeMounts:\n - name: controller-config-volume\n mountPath: /usr/local/etc/aci-containers/\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n - name: aci-user-cert-volume\n mountPath: 
/usr/local/etc/aci-cert/\n livenessProbe:\n failureThreshold: 10\n httpGet:\n path: /status\n port: 8091\n scheme: HTTP\n initialDelaySeconds: 120\n periodSeconds: 60\n successThreshold: 1\n timeoutSeconds: 30\n volumes:\n - name: aci-user-cert-volume\n secret:\n secretName: aci-user-cert\n - name: controller-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: controller-config\n path: controller.conf\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n---\napiVersion: v1\nkind: LimitRange\nmetadata:\n name: memory-limit-range\n namespace: kube-system\nspec:\n limits:\n - default:\n memory: 3Gi\n defaultRequest:\n memory: 128Mi\n type: Container\n" + config: "\napiVersion: v1\nkind: Namespace\nmetadata:\n name: aci-containers-system\n labels:\n aci-containers-config-version: \"dummy\"\n annotations:\n openshift.io/node-selector: ''\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: nodepodifs.aci.aw\nspec:\n group: aci.aw\n names:\n kind: NodePodIF\n listKind: NodePodIFList\n plural: nodepodifs\n singular: nodepodif\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n type: object\n properties:\n podifs:\n type: array\n items:\n type: object\n properties:\n containerID:\n type: string\n epg:\n type: string\n ifname:\n type: string\n ipaddr:\n type: string\n macaddr:\n type: string\n podname:\n type: string\n podns:\n type: string\n vtep:\n type: string\n required:\n - spec\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatglobalinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatGlobalInfo\n listKind: SnatGlobalInfoList\n plural: snatglobalinfos\n 
singular: snatglobalinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n description: SnatGlobalInfo is the Schema for the snatglobalinfos API\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n globalInfos:\n additionalProperties:\n items:\n properties:\n macAddress:\n type: string\n portRanges:\n items:\n properties:\n end:\n maximum: 65535\n minimum: 1\n type: integer\n start:\n maximum: 65535\n minimum: 1\n type: integer\n type: object\n type: array\n snatIp:\n type: string\n snatIpUid:\n type: string\n snatPolicyName:\n type: string\n required:\n - macAddress\n - portRanges\n - snatIp\n - snatIpUid\n - snatPolicyName\n type: object\n type: array\n type: object\n required:\n - globalInfos\n type: object\n status:\n description: SnatGlobalInfoStatus defines the observed state of SnatGlobalInfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatlocalinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatLocalInfo\n listKind: SnatLocalInfoList\n plural: snatlocalinfos\n singular: snatlocalinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n description: SnatLocalInfoSpec defines the desired state of SnatLocalInfo\n properties:\n localInfos:\n items:\n properties:\n podName:\n type: string\n podNamespace:\n type: string\n podUid:\n type: string\n snatPolicies:\n items:\n properties:\n destIp:\n items:\n type: string\n type: array\n name:\n type: string\n snatIp:\n type: string\n required:\n - destIp\n - name\n - snatIp\n type: object\n type: array\n required:\n - podName\n - podNamespace\n - podUid\n - snatPolicies\n type: object\n type: array\n required:\n - localInfos\n type: object\n type: 
object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: snatpolicies.aci.snat\nspec:\n group: aci.snat\n names:\n kind: SnatPolicy\n listKind: SnatPolicyList\n plural: snatpolicies\n singular: snatpolicy\n scope: Cluster\n versions:\n - name: v1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n type: object\n properties:\n selector:\n type: object\n properties:\n labels:\n type: object\n description: 'Selection of Pods'\n properties:\n additionalProperties:\n type: string\n namespace:\n type: string\n snatIp:\n type: array\n items:\n type: string\n destIp:\n type: array\n items:\n type: string\n status:\n type: object\n properties:\n additionalProperties:\n type: string\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: nodeinfos.aci.snat\nspec:\n group: aci.snat\n names:\n kind: NodeInfo\n listKind: NodeInfoList\n plural: nodeinfos\n singular: nodeinfo\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n macaddress:\n type: string\n snatpolicynames:\n additionalProperties:\n type: boolean\n type: object\n type: object\n status:\n description: NodeinfoStatus defines the observed state of Nodeinfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: rdconfigs.aci.snat\nspec:\n group: aci.snat\n names:\n kind: RdConfig\n listKind: RdConfigList\n plural: rdconfigs\n singular: rdconfig\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n 
properties:\n discoveredsubnets:\n items:\n type: string\n type: array\n usersubnets:\n items:\n type: string\n type: array\n type: object\n status:\n description: NodeinfoStatus defines the observed state of Nodeinfo\n type: object\n type: object\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: networkpolicies.aci.netpol\nspec:\n group: aci.netpol\n names:\n kind: NetworkPolicy\n listKind: NetworkPolicyList\n plural: networkpolicies\n singular: networkpolicy\n scope: Namespaced\n versions:\n - name: v1\n schema:\n openAPIV3Schema:\n description: Network Policy describes traffic flow at IP address or port level\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n appliedTo:\n properties:\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: allow ingress from the same namespace\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n egress:\n description: Set of egress rules evaluated based on the order in which they are set.\n items:\n properties:\n action:\n description: Action specifies the action to be applied on the rule.\n type: string\n enableLogging:\n description: EnableLogging is used to indicate if agent should generate logs default to false.\n type: boolean\n ports:\n description: Set of port and protocol allowed/denied by the rule. 
If this field is unset or empty, this rule matches all ports.\n items:\n description: NetworkPolicyPort describes the port and protocol to match in a rule.\n properties:\n endPort:\n description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical `port` is specified.\n format: int32\n type: integer\n port:\n anyOf:\n - type: integer\n - type: string\n description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers.\n x-kubernetes-int-or-string: true\n protocol:\n default: TCP\n description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.\n type: string\n type: object\n type: array\n to:\n description: Rule is matched if traffic is intended for workloads selected by this field. If this field is empty or missing, this rule matches all destinations.\n items:\n properties:\n ipBlock:\n description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector.\n properties:\n cidr:\n description: CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\"\n type: string\n except:\n description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\" Except values will be rejected if they are outside the CIDR range\n items:\n type: string\n type: array\n required:\n - cidr\n type: object\n namespaceSelector:\n description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except PodSelector or ExternalEntitySelector.\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. 
This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n type: array\n toFqDn:\n properties:\n matchNames:\n items:\n type: string\n type: array\n required:\n - matchNames\n type: object\n required:\n - enableLogging\n - toFqDn\n type: object\n type: array\n ingress:\n description: Set of ingress rules evaluated based on the order in which they are set.\n items:\n properties:\n action:\n description: Action specifies the action to be applied on the rule.\n type: string\n enableLogging:\n description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false.\n type: boolean\n from:\n description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources.\n items:\n properties:\n ipBlock:\n description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector.\n properties:\n cidr:\n description: CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\"\n type: string\n except:\n description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\" Except values will be rejected if they are outside the CIDR range\n items:\n type: string\n type: array\n required:\n - cidr\n type: object\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. 
If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.\n properties:\n matchExpressions:\n description: matchExpressions is a list of label selector requirements. The requirements are ANDed.\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n type: array\n ports:\n description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports.\n items:\n description: NetworkPolicyPort describes the port and protocol to match in a rule.\n properties:\n endPort:\n description: EndPort defines the end of the port range, being the end included within the range. 
It can only be specified when a numerical `port` is specified.\n format: int32\n type: integer\n port:\n anyOf:\n - type: integer\n - type: string\n description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers.\n x-kubernetes-int-or-string: true\n protocol:\n default: TCP\n description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.\n type: string\n type: object\n type: array\n type: object\n type: array\n policyTypes:\n items:\n description: Policy Type string describes the NetworkPolicy type This type is beta-level in 1.8\n type: string\n type: array\n priority:\n description: Priority specfies the order of the NetworkPolicy relative to other NetworkPolicies.\n type: integer\n type:\n description: type of the policy.\n type: string\n required:\n - type\n type: object\n required:\n - spec\n type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: dnsnetworkpolicies.aci.dnsnetpol\nspec:\n group: aci.dnsnetpol\n names:\n kind: DnsNetworkPolicy\n listKind: DnsNetworkPolicyList\n plural: dnsnetworkpolicies\n singular: dnsnetworkpolicy\n scope: Namespaced\n versions:\n - name: v1beta\n schema:\n openAPIV3Schema:\n description: dns network Policy\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n metadata:\n type: object\n spec:\n properties:\n appliedTo:\n properties:\n namespaceSelector:\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n podSelector:\n description: allow 
ingress from the same namespace\n properties:\n matchExpressions:\n items:\n properties:\n key:\n type: string\n operator:\n description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\n type: string\n values:\n description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\n items:\n type: string\n type: array\n required:\n - key\n - operator\n type: object\n type: array\n matchLabels:\n additionalProperties:\n type: string\n type: object\n type: object\n type: object\n egress:\n description: Set of egress rules evaluated based on the order in which they are set.\n properties:\n toFqdn:\n properties:\n matchNames:\n items:\n type: string\n type: array\n required:\n - matchNames\n type: object\n required:\n - toFqdn\n type: object\n type: object\n required:\n - spec\n type: object\n served: true\n storage: true\nstatus:\n acceptedNames:\n kind: \"\"\n plural: \"\"\n conditions: []\n storedVersions: []\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: qospolicies.aci.qos\nspec:\n group: aci.qos\n names:\n kind: QosPolicy\n listKind: QosPolicyList\n plural: qospolicies\n singular: qospolicy\n scope: Namespaced\n preserveUnknownFields: false\n versions:\n - name: v1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n podSelector:\n description: 'Selection of Pods'\n type: object\n properties:\n matchLabels:\n type: object\n description:\n ingress:\n type: object\n properties:\n policing_rate:\n type: integer\n minimum: 0\n policing_burst:\n type: integer\n minimum: 0\n egress:\n type: object\n properties:\n 
policing_rate:\n type: integer\n minimum: 0\n policing_burst:\n type: integer\n minimum: 0\n dscpmark:\n type: integer\n default: 0\n minimum: 0\n maximum: 63\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: netflowpolicies.aci.netflow\nspec:\n group: aci.netflow\n names:\n kind: NetflowPolicy\n listKind: NetflowPolicyList\n plural: netflowpolicies\n singular: netflowpolicy\n scope: Cluster\n preserveUnknownFields: false\n versions:\n - name: v1alpha\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n flowSamplingPolicy:\n type: object\n properties:\n destIp:\n type: string\n destPort:\n type: integer\n minimum: 0\n maximum: 65535\n default: 2055\n flowType:\n type: string\n enum:\n - netflow\n - ipfix\n default: netflow\n activeFlowTimeOut:\n type: integer\n minimum: 0\n maximum: 3600\n default: 60\n idleFlowTimeOut:\n type: integer\n minimum: 0\n maximum: 600\n default: 15\n samplingRate:\n type: integer\n minimum: 0\n maximum: 1000\n default: 0\n required:\n - destIp\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: erspanpolicies.aci.erspan\nspec:\n group: aci.erspan\n names:\n kind: ErspanPolicy\n listKind: ErspanPolicyList\n plural: erspanpolicies\n singular: erspanpolicy\n scope: Cluster\n preserveUnknownFields: false\n versions:\n - name: v1alpha\n served: true\n storage: true\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n type: object\n properties:\n selector:\n type: object\n description: 'Selection of Pods'\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n namespace:\n type: string\n source:\n type: object\n properties:\n adminState:\n description: Administrative 
state.\n default: start\n type: string\n enum:\n - start\n - stop\n direction:\n description: Direction of the packets to monitor.\n default: both\n type: string\n enum:\n - in\n - out\n - both\n destination:\n type: object\n properties:\n destIP:\n description: Destination IP of the ERSPAN packet.\n type: string\n flowID:\n description: Unique flow ID of the ERSPAN packet.\n default: 1\n type: integer\n minimum: 1\n maximum: 1023\n required:\n - destIP\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: enabledroplogs.aci.droplog\nspec:\n group: aci.droplog\n names:\n kind: EnableDropLog\n listKind: EnableDropLogList\n plural: enabledroplogs\n singular: enabledroplog\n scope: Cluster\n versions:\n - name: v1alpha1\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n description: Defines the desired state of EnableDropLog\n type: object\n properties:\n disableDefaultDropLog:\n description: Disables the default droplog enabled by acc-provision.\n default: false\n type: boolean\n nodeSelector:\n type: object\n description: Drop logging is enabled on nodes selected based on labels\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: prunedroplogs.aci.droplog\nspec:\n group: aci.droplog\n names:\n kind: PruneDropLog\n listKind: PruneDropLogList\n plural: prunedroplogs\n singular: prunedroplog\n scope: Cluster\n versions:\n - name: v1alpha1\n served: true\n storage: true\n schema:\n # openAPIV3Schema is the schema for validating custom objects.\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n kind:\n type: string\n spec:\n description: Defines the desired state of PruneDropLog\n type: object\n properties:\n 
nodeSelector:\n type: object\n description: Drop logging filters are applied to nodes selected based on labels\n properties:\n labels:\n type: object\n properties:\n additionalProperties:\n type: string\n dropLogFilters:\n type: object\n properties:\n srcIP:\n type: string\n destIP:\n type: string\n srcMAC:\n type: string\n destMAC:\n type: string\n srcPort:\n type: integer\n destPort:\n type: integer\n ipProto:\n type: integer\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: hostprotpols.aci.hpp\nspec:\n group: aci.hpp\n names:\n kind: HostprotPol\n listKind: HostprotPolList\n plural: hostprotpols\n singular: hostprotpol\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n description: 'APIVersion defines the versioned schema of this\n representation of an object.Servers should convert recognized\n schemas to the latest internal value, and may reject\n unrecognized values.\n More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n kind:\n type: string\n description: 'Kind is a string value representing the REST resource\n this object represents. Servers may infer this from the endpoint\n the client submits requests to. Cannot be updated. 
In CamelCase.\n More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n metadata:\n type: object\n spec:\n type: object\n properties:\n name:\n type: string\n networkPolicies:\n type: array\n items:\n type: string\n hostprotSubj:\n type: array\n items:\n type: object\n properties:\n name:\n type: string\n hostprotRule:\n type: array\n items:\n type: object\n properties:\n name:\n type: string\n protocol:\n type: string\n description: Protocol\n rsRemoteIpContainer:\n type: array\n items:\n type: string\n toPort:\n type: string\n description: ToPort\n connTrack:\n type: string\n description: ConnTrack\n direction:\n type: string\n description: Direction\n ethertype:\n type: string\n description: Ethertype\n fromPort:\n type: string\n description: FromPort\n hostprotServiceRemoteIps:\n type: array\n items:\n type: string\n hostprotFilterContainer:\n type: object\n properties:\n hostprotFilter:\n type: array\n items:\n type: object\n properties:\n key:\n type: string\n operator:\n type: string\n values:\n type: array\n items:\n type: string\n---\napiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n name: hostprotremoteipcontainers.aci.hpp\nspec:\n group: aci.hpp\n names:\n kind: HostprotRemoteIpContainer\n listKind: HostprotRemoteIpContainerList\n plural: hostprotremoteipcontainers\n singular: hostprotremoteipcontainer\n scope: Namespaced\n versions:\n - name: v1\n served: true\n storage: true\n subresources:\n status: {}\n schema:\n openAPIV3Schema:\n type: object\n properties:\n apiVersion:\n type: string\n description: 'APIVersion defines the versioned schema of this representation of an object.\n Servers should convert recognized schemas to the latest internal value, and\n may reject unrecognized values.\n More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'\n kind:\n type: string\n description: 'Kind is a string value representing 
the REST resource this object represents.\n Servers may infer this from the endpoint the client submits requests to.\n Cannot be updated.\n In CamelCase.\n More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'\n metadata:\n type: object\n spec:\n type: object\n properties:\n name:\n type: string\n hostprotRemoteIp:\n type: array\n items:\n type: object\n properties:\n addr:\n type: string\n hppEpLabel:\n type: array\n items:\n type: object\n properties:\n key:\n type: string\n value:\n type: string\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: aci-containers-config\n namespace: kube-system\n labels:\n aci-containers-config-version: \"dummy\"\n network-plugin: aci-containers\ndata:\n controller-config: |-\n {\n \"flavor\": \"kubernetes-1.30\",\n \"log-level\": \"debug\",\n \"apic-hosts\": [\n \"10.30.120.100\"\n ],\n \"aci-multipod\": true,\n \"unknown-mac-unicast-action\": \"flood\",\n \"enable-opflex-agent-reconnect\": true,\n \"opflex-device-reconnect-wait-timeout\": 10,\n \"apic-subscription-delay\": 100,\n \"apic-refreshticker-adjust\": \"150\",\n \"apic-username\": \"kube\",\n \"apic-private-key-path\": \"/usr/local/etc/aci-cert/user.key\",\n \"aci-prefix\": \"kube\",\n \"aci-vmm-type\": \"Kubernetes\",\n \"aci-vmm-domain\": \"kubernetes1\",\n \"aci-vmm-controller\": \"kubernetes1\",\n \"aci-policy-tenant\": \"kube\",\n \"hpp-optimization\": true,\n \"disable-hpp-rendering\": true,\n \"enable-hpp-direct\": true,\n \"no-wait-for-service-ep-readiness\": true,\n \"service-graph-endpoint-add-delay\": {\n \"delay\": 30,\n \"services\": [\n {\n \"name\": \"ingress-service\",\n \"namespace\": \"openshift-ingress\"\n },\n {\n \"delay\": 60,\n \"name\": \"monitoring-service\",\n \"namespace\": \"openshift-monitoring\"\n }\n ]\n },\n \"add-external-subnets-to-rdconfig\": true,\n \"disable-periodic-snat-global-info-sync\": true,\n \"opflex-device-delete-timeout\": 1200,\n 
\"sleep-time-snat-global-info-sync\": 60,\n \"node-snat-redirect-exclude\": [\n {\n \"group\": \"router\",\n \"labels\": [\n \"worker\",\n \"router\",\n \"infra\"\n ]\n },\n {\n \"group\": \"infra\",\n \"labels\": [\n \"infra\",\n \"router\"\n ]\n }\n ],\n \"apic-connection-retry-limit\": 10,\n \"disable-service-vlan-preprovisioning\": true,\n \"aci-podbd-dn\": \"uni/tn-kube/BD-kube-pod-bd\",\n \"aci-nodebd-dn\": \"uni/tn-kube/BD-kube-node-bd\",\n \"aci-service-phys-dom\": \"kubernetes-control\",\n \"aci-service-encap\": \"vlan-4003\",\n \"aci-service-monitor-interval\": 5,\n \"aci-pbr-tracking-non-snat\": false,\n \"aci-vrf-tenant\": \"common\",\n \"aci-vrf-dn\": \"uni/tn-common/ctx-kubernetes-vrf\",\n \"aci-l3out\": \"l3out\",\n \"aci-ext-networks\": [\n \"l3out\"\n ],\n \"aci-vrf\": \"kubernetes-vrf\",\n \"app-profile\": \"kubernetes\",\n \"add-external-contract-to-default-epg\": true,\n \"default-endpoint-group\": {\n \"policy-space\": \"kube\",\n \"name\": \"kubernetes|kube-default\"\n },\n \"max-nodes-svc-graph\": 32,\n \"namespace-default-endpoint-group\": {\n \"istio-operator\": {\n \"policy-space\": \"kube\",\n \"name\": \"kubernetes|kube-istio\"\n },\n \"istio-system\": {\n \"policy-space\": \"kube\",\n \"name\": \"kubernetes|kube-istio\"\n },\n \"kube-system\": {\n \"policy-space\": \"kube\",\n \"name\": \"kubernetes|kube-system\"\n } },\n \"service-ip-pool\": [\n {\n \"end\": \"10.4.255.254\",\n \"start\": \"10.4.0.2\"\n }\n ],\n \"extern-static\": [\"10.3.0.1/24\"],\n \"extern-dynamic\": [\"10.4.0.1/16\"],\n \"snat-contract-scope\": \"global\",\n \"static-service-ip-pool\": [\n {\n \"end\": \"10.3.0.254\",\n \"start\": \"10.3.0.2\"\n }\n ],\n \"allocate-service-ips\": false,\n \"taint-not-ready-node\": true,\n \"pod-ip-pool\": [\n {\n \"end\": \"10.2.255.254\",\n \"start\": \"10.2.0.2\"\n }\n ],\n \"pod-subnet\": [\n \"10.2.0.1/16\"\n ],\n \"pod-subnet-chunk-size\": 24,\n \"node-service-ip-pool\": [\n {\n \"end\": \"10.6.0.254\",\n \"start\": 
\"10.6.0.2\"\n }\n ],\n \"node-service-subnets\": [\n \"10.6.0.1/24\"\n ]\n }\n host-agent-config: |-\n {\n \"flavor\": \"kubernetes-1.30\",\n \"app-profile\": \"kubernetes\",\n \"aci-multipod\": true,\n \"dhcp-renew-max-retry-count\": 10,\n \"dhcp-delay\": 10,\n \"opflex-mode\": null,\n \"enable-opflex-agent-reconnect\": true,\n \"log-level\": \"debug\",\n \"aci-snat-namespace\": \"aci-containers-system\",\n \"aci-vmm-type\": \"Kubernetes\",\n \"aci-vmm-domain\": \"kubernetes1\",\n \"aci-vmm-controller\": \"kubernetes1\",\n \"aci-prefix\": \"kube\",\n \"aci-vrf\": \"kubernetes-vrf\",\n \"aci-vrf-tenant\": \"common\",\n \"service-vlan\": 4003,\n \"kubeapi-vlan\": 4001,\n \"hpp-optimization\": true,\n \"disable-hpp-rendering\": true,\n \"enable-hpp-direct\": true,\n \"pod-subnet\": [\n \"10.2.0.1/16\"\n ],\n \"node-subnet\": [\n \"10.1.0.1/16\"\n ],\n \"encap-type\": \"vxlan\",\n \"aci-infra-vlan\": 4093,\n \"cni-netconfig\": [\n {\n \"gateway\": \"10.2.0.1\",\n \"routes\": [\n {\n \"dst\": \"0.0.0.0/0\",\n \"gw\": \"10.2.0.1\"\n }\n ],\n \"subnet\": \"10.2.0.0/16\"\n }\n ],\n \"default-endpoint-group\": {\n \"policy-space\": \"kube\",\n \"name\": \"kubernetes|kube-default\"\n },\n \"namespace-default-endpoint-group\": {\n \"istio-operator\": {\n \"policy-space\": \"kube\",\n \"name\": \"kubernetes|kube-istio\"\n },\n \"istio-system\": {\n \"policy-space\": \"kube\",\n \"name\": \"kubernetes|kube-istio\"\n },\n \"kube-system\": {\n \"policy-space\": \"kube\",\n \"name\": \"kubernetes|kube-system\"\n } },\n \"enable-drop-log\": true,\n \"packet-event-notification-socket\": \"\",\n \"enable-nodepodif\": true,\n \"taint-not-ready-node\": true,\n \"enable-ovs-hw-offload\": false\n }\n opflex-agent-config: |-\n {\n \"log\": {\n \"level\": \"info\"\n },\n \"opflex\": {\n \"notif\" : { \"enabled\" : \"false\" },\n \"startup\": {\n \"enabled\": true,\n \"policy-file\": \"/usr/local/var/lib/opflex-agent-ovs/startup/pol.json\",\n \"policy-duration\": 20,\n 
\"resolve-aft-conn\": true\n },\n \"timers\" : {\n \"policy-retry-delay\" : 10,\n \"reset-wait-delay\" : 10,\n \"switch-sync-delay\": 10,\n \"switch-sync-dynamic\": 20\n },\n \"asyncjson\": { \"enabled\" : \"false\" }\n ,\"enable-local-netpol\": true\n ,\"ssl\": { \"mode\": \"disabled\" }\n ,\"statistics\" : { \"mode\" : \"off\" }\n },\n \"ovs\": {\n \"asyncjson\": { \"enabled\" : \"false\" }\n },\n \"prometheus\": {\n \"enabled\": \"false\"\n }\n }\n---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: snat-operator-config\n namespace: aci-containers-system\n labels:\n aci-containers-config-version: \"dummy\"\n network-plugin: aci-containers\ndata:\n \"start\": \"5000\"\n \"end\": \"65000\"\n \"ports-per-node\": \"3000\"\n---\napiVersion: v1\nkind: Secret\nmetadata:\n name: aci-user-cert\n namespace: kube-system\n labels:\n aci-containers-config-version: \"dummy\"\ndata:\n user.key: ZHVtbXkK\n user.crt: ZHVtbXkK\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: aci-containers-controller\n namespace: kube-system\n labels:\n aci-containers-config-version: \"dummy\"\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n name: aci-containers-host-agent\n namespace: kube-system\n labels:\n aci-containers-config-version: \"dummy\"\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n labels:\n aci-containers-config-version: \"dummy\"\n network-plugin: aci-containers\n name: aci-containers-controller\nrules:\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - namespaces\n - pods\n - endpoints\n - services\n - events\n - replicationcontrollers\n - serviceaccounts\n verbs:\n - list\n - watch\n - get\n - patch\n - create\n - update\n - delete\n- apiGroups:\n - \"\"\n resources:\n - configmaps\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n- apiGroups:\n - \"apiextensions.k8s.io\"\n resources:\n - customresourcedefinitions\n verbs:\n - '*'\n- apiGroups:\n - \"rbac.authorization.k8s.io\"\n resources:\n - 
clusterroles\n - clusterrolebindings\n verbs:\n - '*'\n- apiGroups:\n - \"networking.k8s.io\"\n resources:\n - networkpolicies\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"apps\"\n resources:\n - deployments\n - replicasets\n - daemonsets\n - statefulsets\n verbs:\n - '*'\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - services/status\n verbs:\n - update\n- apiGroups:\n - \"monitoring.coreos.com\"\n resources:\n - servicemonitors\n verbs:\n - get\n - create\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatpolicies/finalizers\n - snatpolicies/status\n - nodeinfos\n verbs:\n - update\n - create\n - list\n - watch\n - get\n - delete\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatglobalinfos\n - snatpolicies\n - nodeinfos\n - rdconfigs\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n- apiGroups:\n - \"aci.qos\"\n resources:\n - qospolicies\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n - patch\n- apiGroups:\n - \"aci.netflow\"\n resources:\n - netflowpolicies\n verbs:\n - list\n - watch\n - get\n - update\n- apiGroups:\n - \"aci.erspan\"\n resources:\n - erspanpolicies\n verbs:\n - list\n - watch\n - get\n - update\n- apiGroups:\n - \"aci.aw\"\n resources:\n - nodepodifs\n verbs:\n - '*'\n- apiGroups:\n - apps.openshift.io\n resources:\n - deploymentconfigs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - discovery.k8s.io\n resources:\n - endpointslices\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.netpol\"\n resources:\n - networkpolicies\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - delete\n- apiGroups:\n - \"aci.dnsnetpol\"\n resources:\n - dnsnetworkpolicies\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - delete\n- apiGroups:\n - \"aci.hpp\"\n resources:\n - hostprotpols\n - hostprotremoteipcontainers\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n 
labels:\n aci-containers-config-version: \"dummy\"\n network-plugin: aci-containers\n name: aci-containers-host-agent\nrules:\n- apiGroups:\n - \"\"\n resources:\n - nodes\n - namespaces\n - pods\n - endpoints\n - services\n - replicationcontrollers\n verbs:\n - list\n - watch\n - get\n - update\n- apiGroups:\n - \"\"\n resources:\n - events\n verbs:\n - create\n - patch\n- apiGroups:\n - \"apiextensions.k8s.io\"\n resources:\n - customresourcedefinitions\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"networking.k8s.io\"\n resources:\n - networkpolicies\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"apps\"\n resources:\n - deployments\n - replicasets\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.snat\"\n resources:\n - snatpolicies\n - snatglobalinfos\n - rdconfigs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.qos\"\n resources:\n - qospolicies\n verbs:\n - list\n - watch\n - get\n - create\n - update\n - delete\n - patch\n- apiGroups:\n - \"aci.droplog\"\n resources:\n - enabledroplogs\n - prunedroplogs\n verbs:\n - list\n - watch\n - get\n- apiGroups:\n - \"aci.snat\"\n resources:\n - nodeinfos\n - snatlocalinfos\n verbs:\n - create\n - update\n - list\n - watch\n - get\n - delete\n- apiGroups:\n - discovery.k8s.io\n resources:\n - endpointslices\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.netpol\"\n resources:\n - networkpolicies\n verbs:\n - get\n - list\n - watch\n- apiGroups:\n - \"aci.aw\"\n resources:\n - nodepodifs\n verbs:\n - \"*\"\n- apiGroups:\n - \"aci.hpp\"\n resources:\n - hostprotpols\n - hostprotremoteipcontainers\n verbs:\n - list\n - watch\n - get\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: aci-containers-controller\n labels:\n aci-containers-config-version: \"dummy\"\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: aci-containers-controller\nsubjects:\n- kind: ServiceAccount\n name: aci-containers-controller\n 
namespace: kube-system\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n name: aci-containers-host-agent\n labels:\n aci-containers-config-version: \"dummy\"\nroleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: aci-containers-host-agent\nsubjects:\n- kind: ServiceAccount\n name: aci-containers-host-agent\n namespace: kube-system\n---\nkind: SecurityContextConstraints\napiVersion: security.openshift.io/v1\nmetadata:\n name: aci-containers-scc\n labels:\n aci-containers-config-version: \"dummy\"\nusers:\n- system:serviceaccount:kube-system:aci-containers-controller\n- system:serviceaccount:kube-system:aci-containers-host-agent\nallowHostDirVolumePlugin: true\nallowHostIPC: true\nallowHostNetwork: true\nallowHostPID: true\nallowHostPorts: true\nallowPrivilegedContainer: true\nallowedCapabilities:\n- '*'\ndefaultAddCapabilities: []\nrequiredDropCapabilities: []\nreadOnlyRootFilesystem: false\nfsGroup:\n type: RunAsAny\nrunAsUser:\n type: RunAsAny\nseLinuxContext:\n type: RunAsAny\nsupplementalGroups:\n type: RunAsAny\nseccompProfiles:\n- '*'\nvolumes:\n- '*'\npriority: 100\n---\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: aci-containers-host\n namespace: kube-system\n labels:\n aci-containers-config-version: \"dummy\"\n network-plugin: aci-containers\nspec:\n updateStrategy:\n type: RollingUpdate\n selector:\n matchLabels:\n name: aci-containers-host\n network-plugin: aci-containers\n template:\n metadata:\n labels:\n name: aci-containers-host\n network-plugin: aci-containers\n annotations:\n spec:\n hostNetwork: true\n hostPID: true\n hostIPC: true\n serviceAccountName: aci-containers-host-agent\n tolerations:\n - operator: Exists\n priorityClassName: system-node-critical\n containers:\n - name: aci-containers-host\n image: noiro/aci-containers-host@sha256:6.1.1.2.81c2369\n imagePullPolicy: IfNotPresent\n resources:\n limits:\n memory: \"5Gi\"\n requests:\n memory: \"256Mi\"\n securityContext:\n 
privileged: true\n capabilities:\n add:\n - SYS_ADMIN\n - NET_ADMIN\n - SYS_PTRACE\n - NET_RAW\n env:\n - name: GOTRACEBACK\n value: \"2\"\n - name: KUBERNETES_NODE_NAME\n valueFrom:\n fieldRef:\n fieldPath: spec.nodeName\n - name: TENANT\n value: \"kube\"\n - name: NODE_EPG\n value: \"kubernetes|kube-nodes\"\n - name: DISABLE_WAIT_FOR_NETWORK\n value: 'True'\n volumeMounts:\n - name: cni-bin\n mountPath: /mnt/cni-bin\n - name: cni-conf\n mountPath: /mnt/cni-conf\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: opflex-hostconfig-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/base-conf.d\n - name: host-config-volume\n mountPath: /usr/local/etc/aci-containers/\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n - name: dhclient\n mountPath: /var/lib/dhclient\n - mountPath: /run/netns\n name: host-run-netns\n readOnly: true\n mountPropagation: HostToContainer\n livenessProbe:\n failureThreshold: 10\n httpGet:\n path: /status\n port: 8090\n scheme: HTTP\n initialDelaySeconds: 120\n periodSeconds: 60\n successThreshold: 1\n timeoutSeconds: 30\n - name: opflex-agent\n env:\n - name: REBOOT_WITH_OVS\n value: \"true\"\n - name: OPENSSL_CONF\n value: \"/etc/pki/tls/openssl11.cnf\"\n image: noiro/opflex@sha256:6.1.1.2.81c2369\n imagePullPolicy: IfNotPresent\n resources:\n limits:\n memory: \"5Gi\"\n requests:\n memory: \"256Mi\"\n securityContext:\n privileged: true\n capabilities:\n add:\n - NET_ADMIN\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: opflex-hostconfig-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/base-conf.d\n - name: opflex-config-volume\n mountPath: /usr/local/etc/opflex-agent-ovs/conf.d\n - name: 
mcast-daemon\n image: noiro/opflex@sha256:6.1.1.2.81c2369\n command: [\"/bin/sh\"]\n args: [\"/usr/local/bin/launch-mcastdaemon.sh\"]\n imagePullPolicy: IfNotPresent\n resources:\n limits:\n memory: \"5Gi\"\n requests:\n memory: \"256Mi\"\n securityContext:\n privileged: true\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n restartPolicy: Always\n volumes:\n - name: cni-bin\n hostPath:\n path: /opt\n - name: cni-conf\n hostPath:\n path: /etc\n - name: hostvar\n hostPath:\n path: /var\n - name: hostrun\n hostPath:\n path: /run\n - name: host-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: host-agent-config\n path: host-agent.conf\n - name: opflex-hostconfig-volume\n emptyDir:\n medium: Memory\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n - name: dhclient\n hostPath:\n path: /var/lib/dhclient\n - name: opflex-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: opflex-agent-config\n path: local.conf\n - name: host-run-netns\n hostPath:\n path: /run/netns\n---\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n name: aci-containers-openvswitch\n namespace: kube-system\n labels:\n aci-containers-config-version: \"dummy\"\n network-plugin: aci-containers\nspec:\n updateStrategy:\n type: RollingUpdate\n selector:\n matchLabels:\n name: aci-containers-openvswitch\n network-plugin: aci-containers\n template:\n metadata:\n labels:\n name: aci-containers-openvswitch\n network-plugin: aci-containers\n spec:\n hostNetwork: true\n hostPID: true\n hostIPC: true\n serviceAccountName: aci-containers-host-agent\n tolerations:\n - operator: Exists\n priorityClassName: system-node-critical\n containers:\n - name: aci-containers-openvswitch\n image: noiro/openvswitch@sha256:6.1.1.2.81c2369\n imagePullPolicy: 
IfNotPresent\n resources:\n limits:\n memory: \"2Gi\"\n requests:\n memory: \"512Mi\"\n securityContext:\n privileged: true\n capabilities:\n add:\n - NET_ADMIN\n - SYS_MODULE\n - SYS_NICE\n - IPC_LOCK\n env:\n - name: OVS_RUNDIR\n value: /usr/local/var/run/openvswitch\n volumeMounts:\n - name: hostvar\n mountPath: /usr/local/var\n - name: hostrun\n mountPath: /run\n - name: hostrun\n mountPath: /usr/local/run\n - name: hostetc\n mountPath: /usr/local/etc\n - name: hostmodules\n mountPath: /lib/modules\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n livenessProbe:\n exec:\n command:\n - /usr/local/bin/liveness-ovs.sh\n restartPolicy: Always\n volumes:\n - name: hostetc\n hostPath:\n path: /etc\n - name: hostvar\n hostPath:\n path: /var\n - name: hostrun\n hostPath:\n path: /run\n - name: hostmodules\n hostPath:\n path: /lib/modules\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n name: aci-containers-controller\n namespace: kube-system\n labels:\n aci-containers-config-version: \"dummy\"\n network-plugin: aci-containers\n name: aci-containers-controller\nspec:\n replicas: 1\n strategy:\n type: Recreate\n selector:\n matchLabels:\n name: aci-containers-controller\n network-plugin: aci-containers\n template:\n metadata:\n name: aci-containers-controller\n namespace: kube-system\n labels:\n name: aci-containers-controller\n network-plugin: aci-containers\n spec:\n hostNetwork: true\n serviceAccountName: aci-containers-controller\n tolerations:\n - effect: NoExecute\n key: node.kubernetes.io/unreachable\n operator: Exists\n tolerationSeconds: 100\n - effect: NoExecute\n key: node.kubernetes.io/not-ready\n operator: 
Exists\n tolerationSeconds: 100\n - effect: NoSchedule\n key: node.kubernetes.io/not-ready\n operator: Exists\n - effect: NoSchedule\n key: node-role.kubernetes.io/master\n operator: Exists\n priorityClassName: system-node-critical\n containers:\n - name: aci-containers-controller\n image: noiro/aci-containers-controller@sha256:6.1.1.2.81c2369\n imagePullPolicy: IfNotPresent\n resources:\n limits:\n memory: \"5Gi\"\n requests:\n memory: \"256Mi\"\n env:\n - name: WATCH_NAMESPACE\n value: \"\"\n - name: ACI_SNAT_NAMESPACE\n value: \"aci-containers-system\"\n - name: ACI_SNAGLOBALINFO_NAME\n value: \"snatglobalinfo\"\n - name: ACI_RDCONFIG_NAME\n value: \"routingdomain-config\"\n - name: SYSTEM_NAMESPACE\n value: \"kube-system\"\n volumeMounts:\n - name: controller-config-volume\n mountPath: /usr/local/etc/aci-containers/\n - name: varlogpods\n mountPath: /var/log/pods\n readOnly: true\n - name: varlogcontainers\n mountPath: /var/log/containers\n readOnly: true\n - name: varlibdocker\n mountPath: /var/lib/docker\n readOnly: true\n - name: aci-user-cert-volume\n mountPath: /usr/local/etc/aci-cert/\n livenessProbe:\n failureThreshold: 10\n httpGet:\n path: /status\n port: 8091\n scheme: HTTP\n initialDelaySeconds: 120\n periodSeconds: 60\n successThreshold: 1\n timeoutSeconds: 30\n volumes:\n - name: aci-user-cert-volume\n secret:\n secretName: aci-user-cert\n - name: controller-config-volume\n configMap:\n name: aci-containers-config\n items:\n - key: controller-config\n path: controller.conf\n - name: varlogpods\n hostPath:\n path: /var/log/pods\n - name: varlogcontainers\n hostPath:\n path: /var/log/containers\n - name: varlibdocker\n hostPath:\n path: /var/lib/docker\n---\napiVersion: v1\nkind: LimitRange\nmetadata:\n name: memory-limit-range\n namespace: kube-system\nspec:\n limits:\n - default:\n memory: 3Gi\n defaultRequest:\n memory: 128Mi\n type: Container\n" --- apiVersion: v1 kind: ConfigMap 
@@ -1565,7 +1565,8 @@ data:
 "taint_not_ready_node": true,
 "enable_hpp_direct": true,
 "unknown_mac_unicast_action": "flood",
- "opflex_agent_reset_wait_delay": 10
+ "opflex_agent_reset_wait_delay": 10,
+ "disable_service_vlan_preprovisioning": true
 },
 "drop_log_config": {
 "disable_events": true
@@ -1664,6 +1665,7 @@ data:
 }
 ],
 "apic-connection-retry-limit": 10,
+ "disable-service-vlan-preprovisioning": true,
 "aci-podbd-dn": "uni/tn-kube/BD-kube-pod-bd",
 "aci-nodebd-dn": "uni/tn-kube/BD-kube-node-bd",
 "aci-service-phys-dom": "kubernetes-control",