From c90eb2396149949b92e141335aaeb47ec246b2af Mon Sep 17 00:00:00 2001 From: Denis Parnovskiy Date: Sun, 11 Jul 2021 09:45:52 -0700 Subject: [PATCH] Running helm from lambda POC --- cdk/domino_cdk/aws_configurator.py | 43 +- cdk/domino_cdk/manifests/calico.yaml | 4358 +++++++++++++++++ .../install_calico_lambda_code/main.py | 49 + .../tigera-operator-v3.18.4-1.tgz | Bin 0 -> 37763 bytes .../install_calico_lambda_code/values.yaml | 1 + cdk/domino_cdk/provisioners/lambda_utils.py | 37 +- 6 files changed, 4464 insertions(+), 24 deletions(-) create mode 100644 cdk/domino_cdk/manifests/calico.yaml create mode 100644 cdk/domino_cdk/provisioners/install_calico_lambda_code/main.py create mode 100644 cdk/domino_cdk/provisioners/install_calico_lambda_code/tigera-operator-v3.18.4-1.tgz create mode 100644 cdk/domino_cdk/provisioners/install_calico_lambda_code/values.yaml diff --git a/cdk/domino_cdk/aws_configurator.py b/cdk/domino_cdk/aws_configurator.py index 13a8422a..85a73331 100644 --- a/cdk/domino_cdk/aws_configurator.py +++ b/cdk/domino_cdk/aws_configurator.py @@ -1,49 +1,45 @@ -from os.path import isfile +from os import path from re import MULTILINE from re import split as re_split import aws_cdk.aws_ec2 as ec2 import aws_cdk.aws_eks as eks +import requests from aws_cdk import core as cdk -from requests import get as requests_get from yaml import safe_load as yaml_safe_load +from .provisioners.lambda_utils import helm_lambda + +dirname = path.dirname(path.abspath(__file__)) + manifests = [ - [ - "calico", - "https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.7.10/config/master/calico.yaml", - ] + { + "vendored": path.join(dirname, "manifests", "calico.yaml"), # in cwd + "alternative_url": "https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.7.10/config/master/calico.yaml", + }, ] +# Currently this just installs calico directly via manifest, but we might do it via lambda +# Need to figure out +# - how to make helm chart accessible by the CDK lambda, how to upload chart or make it part of lambda bundle + -# Currently this just installs calico directly via manifest, but will -# ultimately become a lambda that handles various tasks (calico, -# deprovisoning efs backups/route53, tagging the eks cluster until -# the CloudFormation api supports it, etc.) class DominoAwsConfigurator: def __init__(self, scope: cdk.Construct, eks_cluster: eks.Cluster, vpc: ec2.Vpc): self.scope = scope self.eks_cluster = eks_cluster self.vpc = vpc - self.install_calico() + self._install_calico_helm_lambda() def install_calico(self): - # This produces an obnoxious diff on every subsequent run - # Using a helm chart does not, so we should switch to that - # However, we need to figure out how to get the helm chart - # accessible by the CDK lambda first. Not clear how to give - # s3 perms to it programmatically, and while ECR might be - # an option it also doesn't seem like there's a way to push - # the chart with existing api calls. - # Probably need to do some custom lambda thing. for manifest in manifests: - filename = f"{manifest[0]}.yaml" - if isfile(filename): + filename = manifest["vendored"] + if path.isfile(filename): with open(filename) as f: manifest_text = f.read() else: - manifest_text = requests_get(manifest[1]).text + manifest_text = requests.get(manifest["alternative_url"]).text loaded_manifests = [yaml_safe_load(i) for i in re_split("^---$", manifest_text, flags=MULTILINE) if i] crds = eks.KubernetesManifest( self.scope, @@ -58,3 +54,6 @@ def install_calico(self): manifest=[notcrd for notcrd in loaded_manifests if notcrd["kind"] != "CustomResourceDefinition"], ) non_crds.node.add_dependency(crds) + + def _install_calico_helm_lambda(self): + helm_lambda(scope=self.scope, name="install_calico", cluster=self.eks_cluster, vpc=self.vpc) diff --git a/cdk/domino_cdk/manifests/calico.yaml b/cdk/domino_cdk/manifests/calico.yaml new file mode 100644 index 00000000..978c4b15 --- /dev/null +++ b/cdk/domino_cdk/manifests/calico.yaml @@ -0,0 +1,4358 @@ +--- +# Source: crds/calico/kdd/crd.projectcalico.org_bgpconfigurations.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: bgpconfigurations.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: BGPConfiguration + listKind: BGPConfigurationList + plural: bgpconfigurations + singular: bgpconfiguration + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: BGPConfiguration contains the configuration for any BGP routing. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BGPConfigurationSpec contains the values of the BGP configuration. + properties: + asNumber: + description: 'ASNumber is the default AS number used by a node. [Default: + 64512]' + format: int32 + type: integer + communities: + description: Communities is a list of BGP community values and their + arbitrary names for tagging routes. + items: + description: Community contains standard or large community value + and its name. + properties: + name: + description: Name given to community value. + type: string + value: + description: Value must be of format `aa:nn` or `aa:nn:mm`. + For standard community use `aa:nn` format, where `aa` and + `nn` are 16 bit number. For large community use `aa:nn:mm` + format, where `aa`, `nn` and `mm` are 32 bit number. Where, + `aa` is an AS Number, `nn` and `mm` are per-AS identifier. + pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$ + type: string + type: object + type: array + listenPort: + description: ListenPort is the port where BGP protocol should listen. + Defaults to 179 + maximum: 65535 + minimum: 1 + type: integer + logSeverityScreen: + description: 'LogSeverityScreen is the log severity above which logs + are sent to the stdout. [Default: INFO]' + type: string + nodeToNodeMeshEnabled: + description: 'NodeToNodeMeshEnabled sets whether full node to node + BGP mesh is enabled. [Default: true]' + type: boolean + prefixAdvertisements: + description: PrefixAdvertisements contains per-prefix advertisement + configuration. + items: + description: PrefixAdvertisement configures advertisement properties + for the specified CIDR. + properties: + cidr: + description: CIDR for which properties should be advertised. + type: string + communities: + description: Communities can be list of either community names + already defined in `Specs.Communities` or community value + of format `aa:nn` or `aa:nn:mm`. For standard community use + `aa:nn` format, where `aa` and `nn` are 16 bit number. For + large community use `aa:nn:mm` format, where `aa`, `nn` and + `mm` are 32 bit number. Where,`aa` is an AS Number, `nn` and + `mm` are per-AS identifier. + items: + type: string + type: array + type: object + type: array + serviceClusterIPs: + description: ServiceClusterIPs are the CIDR blocks from which service + cluster IPs are allocated. If specified, Calico will advertise these + blocks, as well as any cluster IPs within them. + items: + description: ServiceClusterIPBlock represents a single allowed ClusterIP + CIDR block. + properties: + cidr: + type: string + type: object + type: array + serviceExternalIPs: + description: ServiceExternalIPs are the CIDR blocks for Kubernetes + Service External IPs. Kubernetes Service ExternalIPs will only be + advertised if they are within one of these blocks. + items: + description: ServiceExternalIPBlock represents a single allowed + External IP CIDR block. + properties: + cidr: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +# Source: crds/calico/kdd/crd.projectcalico.org_bgppeers.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: bgppeers.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: BGPPeer + listKind: BGPPeerList + plural: bgppeers + singular: bgppeer + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BGPPeerSpec contains the specification for a BGPPeer resource. + properties: + asNumber: + description: The AS Number of the peer. + format: int32 + type: integer + keepOriginalNextHop: + description: Option to keep the original nexthop field when routes + are sent to a BGP Peer. Setting "true" configures the selected BGP + Peers node to use the "next hop keep;" instead of "next hop self;"(default) + in the specific branch of the Node on "bird.cfg". + type: boolean + node: + description: The node name identifying the Calico node instance that + is targeted by this peer. If this is not set, and no nodeSelector + is specified, then this BGP peer selects all nodes in the cluster. + type: string + nodeSelector: + description: Selector for the nodes that should have this peering. When + this is set, the Node field must be empty. + type: string + password: + description: Optional BGP password for the peerings generated by this + BGPPeer resource. + properties: + secretKeyRef: + description: Selects a key of a secret in the node pod's namespace. + properties: + key: + description: The key of the secret to select from. Must be + a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must be + defined + type: boolean + required: + - key + type: object + type: object + peerIP: + description: The IP address of the peer followed by an optional port + number to peer with. If port number is given, format should be `[]:port` + or `:` for IPv4. If optional port number is not set, + and this peer IP and ASNumber belongs to a calico/node with ListenPort + set in BGPConfiguration, then we use that port to peer. + type: string + peerSelector: + description: Selector for the remote nodes to peer with. When this + is set, the PeerIP and ASNumber fields must be empty. For each + peering between the local node and selected remote nodes, we configure + an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified, + and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The + remote AS number comes from the remote node's NodeBGPSpec.ASNumber, + or the global default if that is not set. + type: string + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +# Source: crds/calico/kdd/crd.projectcalico.org_blockaffinities.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: blockaffinities.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: BlockAffinity + listKind: BlockAffinityList + plural: blockaffinities + singular: blockaffinity + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BlockAffinitySpec contains the specification for a BlockAffinity + resource. + properties: + cidr: + type: string + deleted: + description: Deleted indicates that this block affinity is being deleted. + This field is a string for compatibility with older releases that + mistakenly treat this field as a string. + type: string + node: + type: string + state: + type: string + required: + - cidr + - deleted + - node + - state + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +# Source: crds/calico/kdd/crd.projectcalico.org_clusterinformations.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterinformations.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: ClusterInformation + listKind: ClusterInformationList + plural: clusterinformations + singular: clusterinformation + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: ClusterInformation contains the cluster specific information. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterInformationSpec contains the values of describing + the cluster. + properties: + calicoVersion: + description: CalicoVersion is the version of Calico that the cluster + is running + type: string + clusterGUID: + description: ClusterGUID is the GUID of the cluster + type: string + clusterType: + description: ClusterType describes the type of the cluster + type: string + datastoreReady: + description: DatastoreReady is used during significant datastore migrations + to signal to components such as Felix that it should wait before + accessing the datastore. + type: boolean + variant: + description: Variant declares which variant of Calico should be active. + type: string + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +# Source: crds/calico/kdd/crd.projectcalico.org_felixconfigurations.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: felixconfigurations.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: FelixConfiguration + listKind: FelixConfigurationList + plural: felixconfigurations + singular: felixconfiguration + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: Felix Configuration contains the configuration for Felix. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: FelixConfigurationSpec contains the values of the Felix configuration. + properties: + allowIPIPPacketsFromWorkloads: + description: 'AllowIPIPPacketsFromWorkloads controls whether Felix + will add a rule to drop IPIP encapsulated traffic from workloads + [Default: false]' + type: boolean + allowVXLANPacketsFromWorkloads: + description: 'AllowVXLANPacketsFromWorkloads controls whether Felix + will add a rule to drop VXLAN encapsulated traffic from workloads + [Default: false]' + type: boolean + awsSrcDstCheck: + description: 'Set source-destination-check on AWS EC2 instances. Accepted + value must be one of "DoNothing", "Enabled" or "Disabled". [Default: + DoNothing]' + enum: + - DoNothing + - Enable + - Disable + type: string + bpfConnectTimeLoadBalancingEnabled: + description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode, + controls whether Felix installs the connection-time load balancer. The + connect-time load balancer is required for the host to be able to + reach Kubernetes services and it improves the performance of pod-to-service + connections. The only reason to disable it is for debugging purposes. [Default: + true]' + type: boolean + bpfDataIfacePattern: + description: BPFDataIfacePattern is a regular expression that controls + which interfaces Felix should attach BPF programs to in order to + catch traffic to/from the network. This needs to match the interfaces + that Calico workload traffic flows over as well as any interfaces + that handle incoming traffic to nodeports and services from outside + the cluster. It should not match the workload interfaces (usually + named cali...). + type: string + bpfDisableUnprivileged: + description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled + sysctl to disable unprivileged use of BPF. This ensures that unprivileged + users cannot access Calico''s BPF maps and cannot insert their own + BPF programs to interfere with Calico''s. [Default: true]' + type: boolean + bpfEnabled: + description: 'BPFEnabled, if enabled Felix will use the BPF dataplane. + [Default: false]' + type: boolean + bpfExternalServiceMode: + description: 'BPFExternalServiceMode in BPF mode, controls how connections + from outside the cluster to services (node ports and cluster IPs) + are forwarded to remote workloads. If set to "Tunnel" then both + request and response traffic is tunneled to the remote node. If + set to "DSR", the request traffic is tunneled but the response traffic + is sent directly from the remote node. In "DSR" mode, the remote + node appears to use the IP of the ingress node; this requires a + permissive L2 network. [Default: Tunnel]' + type: string + bpfKubeProxyEndpointSlicesEnabled: + description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls + whether Felix's embedded kube-proxy accepts EndpointSlices or not. + type: boolean + bpfKubeProxyIptablesCleanupEnabled: + description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF + mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s + iptables chains. Should only be enabled if kube-proxy is not running. [Default: + true]' + type: boolean + bpfKubeProxyMinSyncPeriod: + description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the + minimum time between updates to the dataplane for Felix''s embedded + kube-proxy. Lower values give reduced set-up latency. Higher values + reduce Felix CPU usage by batching up more work. [Default: 1s]' + type: string + bpfLogLevel: + description: 'BPFLogLevel controls the log level of the BPF programs + when in BPF dataplane mode. One of "Off", "Info", or "Debug". The + logs are emitted to the BPF trace pipe, accessible with the command + `tc exec bpf debug`. [Default: Off].' + type: string + chainInsertMode: + description: 'ChainInsertMode controls whether Felix hooks the kernel''s + top-level iptables chains by inserting a rule at the top of the + chain or by appending a rule at the bottom. insert is the safe default + since it prevents Calico''s rules from being bypassed. If you switch + to append mode, be sure that the other rules in the chains signal + acceptance by falling through to the Calico rules, otherwise the + Calico policy will be bypassed. [Default: insert]' + type: string + dataplaneDriver: + type: string + debugDisableLogDropping: + type: boolean + debugMemoryProfilePath: + type: string + debugSimulateCalcGraphHangAfter: + type: string + debugSimulateDataplaneHangAfter: + type: string + defaultEndpointToHostAction: + description: 'DefaultEndpointToHostAction controls what happens to + traffic that goes from a workload endpoint to the host itself (after + the traffic hits the endpoint egress policy). By default Calico + blocks traffic from workload endpoints to the host itself with an + iptables “DROP” action. If you want to allow some or all traffic + from endpoint to host, set this parameter to RETURN or ACCEPT. Use + RETURN if you have your own rules in the iptables “INPUT” chain; + Calico will insert its rules at the top of that chain, then “RETURN” + packets to the “INPUT” chain once it has completed processing workload + endpoint egress policy. Use ACCEPT to unconditionally accept packets + from workloads after processing workload endpoint egress policy. + [Default: Drop]' + type: string + deviceRouteProtocol: + description: This defines the route protocol added to programmed device + routes, by default this will be RTPROT_BOOT when left blank. + type: integer + deviceRouteSourceAddress: + description: This is the source address to use on programmed device + routes. By default the source address is left blank, leaving the + kernel to choose the source address used. + type: string + disableConntrackInvalidCheck: + type: boolean + endpointReportingDelay: + type: string + endpointReportingEnabled: + type: boolean + externalNodesList: + description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes + which may source tunnel traffic and have the tunneled traffic be + accepted at calico nodes. + items: + type: string + type: array + failsafeInboundHostPorts: + description: 'FailsafeInboundHostPorts is a comma-delimited list of + UDP/TCP ports that Felix will allow incoming traffic to host endpoints + on irrespective of the security policy. This is useful to avoid + accidentally cutting off a host with incorrect configuration. Each + port should be specified as tcp: or udp:. + For back-compatibility, if the protocol is not specified, it defaults + to “tcp”. To disable all inbound host ports, use the value none. + The default value allows ssh access and DHCP. [Default: tcp:22, + udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]' + items: + description: ProtoPort is combination of protocol and port, both + must be specified. + properties: + port: + type: integer + protocol: + type: string + required: + - port + - protocol + type: object + type: array + failsafeOutboundHostPorts: + description: 'FailsafeOutboundHostPorts is a comma-delimited list + of UDP/TCP ports that Felix will allow outgoing traffic from host + endpoints to irrespective of the security policy. This is useful + to avoid accidentally cutting off a host with incorrect configuration. + Each port should be specified as tcp: or udp:. + For back-compatibility, if the protocol is not specified, it defaults + to “tcp”. To disable all outbound host ports, use the value none. + The default value opens etcd''s standard ports to ensure that Felix + does not get cut off from etcd as well as allowing DHCP and DNS. + [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667, + udp:53, udp:67]' + items: + description: ProtoPort is combination of protocol and port, both + must be specified. + properties: + port: + type: integer + protocol: + type: string + required: + - port + - protocol + type: object + type: array + featureDetectOverride: + description: FeatureDetectOverride is used to override the feature + detection. Values are specified in a comma separated list with no + spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". + "true" or "false" will force the feature, empty or omitted values + are auto-detected. + type: string + genericXDPEnabled: + description: 'GenericXDPEnabled enables Generic XDP so network cards + that don''t support XDP offload or driver modes can use XDP. This + is not recommended since it doesn''t provide better performance + than iptables. [Default: false]' + type: boolean + healthEnabled: + type: boolean + healthHost: + type: string + healthPort: + type: integer + interfaceExclude: + description: 'InterfaceExclude is a comma-separated list of interfaces + that Felix should exclude when monitoring for host endpoints. The + default value ensures that Felix ignores Kubernetes'' IPVS dummy + interface, which is used internally by kube-proxy. If you want to + exclude multiple interface names using a single value, the list + supports regular expressions. For regular expressions you must wrap + the value with ''/''. For example having values ''/^kube/,veth1'' + will exclude all interfaces that begin with ''kube'' and also the + interface ''veth1''. [Default: kube-ipvs0]' + type: string + interfacePrefix: + description: 'InterfacePrefix is the interface name prefix that identifies + workload endpoints and so distinguishes them from host endpoint + interfaces. Note: in environments other than bare metal, the orchestrators + configure this appropriately. For example our Kubernetes and Docker + integrations set the ''cali'' value, and our OpenStack integration + sets the ''tap'' value. [Default: cali]' + type: string + interfaceRefreshInterval: + description: InterfaceRefreshInterval is the period at which Felix + rescans local interfaces to verify their state. The rescan can be + disabled by setting the interval to 0. + type: string + ipipEnabled: + type: boolean + ipipMTU: + description: 'IPIPMTU is the MTU to set on the tunnel device. See + Configuring MTU [Default: 1440]' + type: integer + ipsetsRefreshInterval: + description: 'IpsetsRefreshInterval is the period at which Felix re-checks + all iptables state to ensure that no other process has accidentally + broken Calico''s rules. Set to 0 to disable iptables refresh. [Default: + 90s]' + type: string + iptablesBackend: + description: IptablesBackend specifies which backend of iptables will + be used. The default is legacy. + type: string + iptablesFilterAllowAction: + type: string + iptablesLockFilePath: + description: 'IptablesLockFilePath is the location of the iptables + lock file. You may need to change this if the lock file is not in + its standard location (for example if you have mapped it into Felix''s + container at a different path). [Default: /run/xtables.lock]' + type: string + iptablesLockProbeInterval: + description: 'IptablesLockProbeInterval is the time that Felix will + wait between attempts to acquire the iptables lock if it is not + available. Lower values make Felix more responsive when the lock + is contended, but use more CPU. [Default: 50ms]' + type: string + iptablesLockTimeout: + description: 'IptablesLockTimeout is the time that Felix will wait + for the iptables lock, or 0, to disable. To use this feature, Felix + must share the iptables lock file with all other processes that + also take the lock. When running Felix inside a container, this + requires the /run directory of the host to be mounted into the calico/node + or calico/felix container. [Default: 0s disabled]' + type: string + iptablesMangleAllowAction: + type: string + iptablesMarkMask: + description: 'IptablesMarkMask is the mask that Felix selects its + IPTables Mark bits from. Should be a 32 bit hexadecimal number with + at least 8 bits set, none of which clash with any other mark bits + in use on the system. [Default: 0xff000000]' + format: int32 + type: integer + iptablesNATOutgoingInterfaceFilter: + type: string + iptablesPostWriteCheckInterval: + description: 'IptablesPostWriteCheckInterval is the period after Felix + has done a write to the dataplane that it schedules an extra read + back in order to check the write was not clobbered by another process. + This should only occur if another application on the system doesn''t + respect the iptables lock. [Default: 1s]' + type: string + iptablesRefreshInterval: + description: 'IptablesRefreshInterval is the period at which Felix + re-checks the IP sets in the dataplane to ensure that no other process + has accidentally broken Calico''s rules. Set to 0 to disable IP + sets refresh. Note: the default for this value is lower than the + other refresh intervals as a workaround for a Linux kernel bug that + was fixed in kernel version 4.11. If you are using v4.11 or greater + you may want to set this to, a higher value to reduce Felix CPU + usage. [Default: 10s]' + type: string + ipv6Support: + type: boolean + kubeNodePortRanges: + description: 'KubeNodePortRanges holds list of port ranges used for + service node ports. Only used if felix detects kube-proxy running + in ipvs mode. Felix uses these ranges to separate host and workload + traffic. [Default: 30000:32767].' + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + logFilePath: + description: 'LogFilePath is the full path to the Felix log. Set to + none to disable file logging. [Default: /var/log/calico/felix.log]' + type: string + logPrefix: + description: 'LogPrefix is the log prefix that Felix uses when rendering + LOG rules. [Default: calico-packet]' + type: string + logSeverityFile: + description: 'LogSeverityFile is the log severity above which logs + are sent to the log file. [Default: Info]' + type: string + logSeverityScreen: + description: 'LogSeverityScreen is the log severity above which logs + are sent to the stdout. [Default: Info]' + type: string + logSeveritySys: + description: 'LogSeveritySys is the log severity above which logs + are sent to the syslog. Set to None for no logging to syslog. [Default: + Info]' + type: string + maxIpsetSize: + type: integer + metadataAddr: + description: 'MetadataAddr is the IP address or domain name of the + server that can answer VM queries for cloud-init metadata. In OpenStack, + this corresponds to the machine running nova-api (or in Ubuntu, + nova-api-metadata). A value of none (case insensitive) means that + Felix should not set up any NAT rule for the metadata path. [Default: + 127.0.0.1]' + type: string + metadataPort: + description: 'MetadataPort is the port of the metadata server. This, + combined with global.MetadataAddr (if not ''None''), is used to + set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort. + In most cases this should not need to be changed [Default: 8775].' + type: integer + mtuIfacePattern: + description: MTUIfacePattern is a regular expression that controls + which interfaces Felix should scan in order to calculate the host's + MTU. This should not match workload interfaces (usually named cali...). + type: string + natOutgoingAddress: + description: NATOutgoingAddress specifies an address to use when performing + source NAT for traffic in a natOutgoing pool that is leaving the + network. By default the address used is an address on the interface + the traffic is leaving on (ie it uses the iptables MASQUERADE target) + type: string + natPortRange: + anyOf: + - type: integer + - type: string + description: NATPortRange specifies the range of ports that is used + for port mapping when doing outgoing NAT. When unset the default + behavior of the network stack is used. + pattern: ^.* + x-kubernetes-int-or-string: true + netlinkTimeout: + type: string + openstackRegion: + description: 'OpenstackRegion is the name of the region that a particular + Felix belongs to. In a multi-region Calico/OpenStack deployment, + this must be configured somehow for each Felix (here in the datamodel, + or in felix.cfg or the environment on each compute node), and must + match the [calico] openstack_region value configured in neutron.conf + on each node. [Default: Empty]' + type: string + policySyncPathPrefix: + description: 'PolicySyncPathPrefix is used to by Felix to communicate + policy changes to external services, like Application layer policy. + [Default: Empty]' + type: string + prometheusGoMetricsEnabled: + description: 'PrometheusGoMetricsEnabled disables Go runtime metrics + collection, which the Prometheus client does by default, when set + to false. This reduces the number of metrics reported, reducing + Prometheus load. [Default: true]' + type: boolean + prometheusMetricsEnabled: + description: 'PrometheusMetricsEnabled enables the Prometheus metrics + server in Felix if set to true. [Default: false]' + type: boolean + prometheusMetricsHost: + description: 'PrometheusMetricsHost is the host that the Prometheus + metrics server should bind to. [Default: empty]' + type: string + prometheusMetricsPort: + description: 'PrometheusMetricsPort is the TCP port that the Prometheus + metrics server should bind to. [Default: 9091]' + type: integer + prometheusProcessMetricsEnabled: + description: 'PrometheusProcessMetricsEnabled disables process metrics + collection, which the Prometheus client does by default, when set + to false. This reduces the number of metrics reported, reducing + Prometheus load. [Default: true]' + type: boolean + removeExternalRoutes: + description: Whether or not to remove device routes that have not + been programmed by Felix. Disabling this will allow external applications + to also add device routes. This is enabled by default which means + we will remove externally added routes. + type: boolean + reportingInterval: + description: 'ReportingInterval is the interval at which Felix reports + its status into the datastore or 0 to disable. Must be non-zero + in OpenStack deployments. [Default: 30s]' + type: string + reportingTTL: + description: 'ReportingTTL is the time-to-live setting for process-wide + status reports. [Default: 90s]' + type: string + routeRefreshInterval: + description: 'RouteRefreshInterval is the period at which Felix re-checks + the routes in the dataplane to ensure that no other process has + accidentally broken Calico''s rules. Set to 0 to disable route refresh. + [Default: 90s]' + type: string + routeSource: + description: 'RouteSource configures where Felix gets its routing + information. - WorkloadIPs: use workload endpoints to construct + routes. - CalicoIPAM: the default - use IPAM data to construct routes.' + type: string + routeTableRange: + description: Calico programs additional Linux route tables for various + purposes. RouteTableRange specifies the indices of the route tables + that Calico should use. + properties: + max: + type: integer + min: + type: integer + required: + - max + - min + type: object + serviceLoopPrevention: + description: 'When service IP advertisement is enabled, prevent routing + loops to service IPs that are not in use, by dropping or rejecting + packets that do not get DNAT''d by kube-proxy. Unless set to "Disabled", + in which case such routing loops continue to be allowed. [Default: + Drop]' + type: string + sidecarAccelerationEnabled: + description: 'SidecarAccelerationEnabled enables experimental sidecar + acceleration [Default: false]' + type: boolean + usageReportingEnabled: + description: 'UsageReportingEnabled reports anonymous Calico version + number and cluster size to projectcalico.org. Logs warnings returned + by the usage server. For example, if a significant security vulnerability + has been discovered in the version of Calico being used. [Default: + true]' + type: boolean + usageReportingInitialDelay: + description: 'UsageReportingInitialDelay controls the minimum delay + before Felix makes a report. [Default: 300s]' + type: string + usageReportingInterval: + description: 'UsageReportingInterval controls the interval at which + Felix makes reports. [Default: 86400s]' + type: string + useInternalDataplaneDriver: + type: boolean + vxlanEnabled: + type: boolean + vxlanMTU: + description: 'VXLANMTU is the MTU to set on the tunnel device. See + Configuring MTU [Default: 1440]' + type: integer + vxlanPort: + type: integer + vxlanVNI: + type: integer + wireguardEnabled: + description: 'WireguardEnabled controls whether Wireguard is enabled. + [Default: false]' + type: boolean + wireguardInterfaceName: + description: 'WireguardInterfaceName specifies the name to use for + the Wireguard interface. [Default: wg.calico]' + type: string + wireguardListeningPort: + description: 'WireguardListeningPort controls the listening port used + by Wireguard. [Default: 51820]' + type: integer + wireguardMTU: + description: 'WireguardMTU controls the MTU on the Wireguard interface. + See Configuring MTU [Default: 1420]' + type: integer + wireguardRoutingRulePriority: + description: 'WireguardRoutingRulePriority controls the priority value + to use for the Wireguard routing rule. [Default: 99]' + type: integer + xdpEnabled: + description: 'XDPEnabled enables XDP acceleration for suitable untracked + incoming deny rules. [Default: true]' + type: boolean + xdpRefreshInterval: + description: 'XDPRefreshInterval is the period at which Felix re-checks + all XDP state to ensure that no other process has accidentally broken + Calico''s BPF maps or attached programs. Set to 0 to disable XDP + refresh. [Default: 90s]' + type: string + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +# Source: crds/calico/kdd/crd.projectcalico.org_globalnetworkpolicies.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: globalnetworkpolicies.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: GlobalNetworkPolicy + listKind: GlobalNetworkPolicyList + plural: globalnetworkpolicies + singular: globalnetworkpolicy + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + applyOnForward: + description: ApplyOnForward indicates to apply the rules in this policy + on forward traffic. + type: boolean + doNotTrack: + description: DoNotTrack indicates whether packets matched by the rules + in this policy should go through the data plane's connection tracking, + such as Linux conntrack. If True, the rules in this policy are + applied before any data plane connection tracking, and packets allowed + by this policy are marked as not to be tracked. + type: boolean + egress: + description: The ordered set of egress rules. Each rule contains + a set of packet match criteria and a corresponding action to apply. + items: + description: "A Rule encapsulates a set of match criteria and an + action. Both selector-based security Policy and security Profiles + reference rules - separated out as a list of rules for both ingress + and egress packet matching. \n Each positive match criteria has + a negated version, prefixed with ”Not”. All the match criteria + within a rule must be satisfied for a packet to match. A single + rule can contain the positive and negative version of a match + and both must be satisfied for the rule to match." + properties: + action: + type: string + destination: + description: Destination contains the match criteria that apply + to destination entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and Selector are defined on the same rule, then only workload + endpoints that are matched by both selectors will be selected + by the rule. \n For NetworkPolicy, an empty NamespaceSelector + implies that the Selector is limited to selecting only + workload endpoints in the same namespace as the NetworkPolicy. + \n For NetworkPolicy, `global()` NamespaceSelector implies + that the Selector is limited to selecting only GlobalNetworkSet + or HostEndpoint. \n For GlobalNetworkPolicy, an empty + NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label “my_label”. \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label “my_label”. + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + type: object + http: + description: HTTP contains match criteria that apply to HTTP + requests. + properties: + methods: + description: Methods is an optional field that restricts + the rule to apply only to HTTP requests that use one of + the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple + methods are OR'd together. + items: + type: string + type: array + paths: + description: 'Paths is an optional field that restricts + the rule to apply to HTTP requests that use one of the + listed HTTP Paths. Multiple paths are OR''d together. + e.g: - exact: /foo - prefix: /bar NOTE: Each entry may + ONLY specify either a `exact` or a `prefix` match. The + validator will check for it.' + items: + description: 'HTTPPath specifies an HTTP path to match. + It may be either of the form: exact: : which matches + the path exactly or prefix: : which matches + the path prefix' + properties: + exact: + type: string + prefix: + type: string + type: object + type: array + type: object + icmp: + description: ICMP is an optional field that restricts the rule + to apply to a specific type and code of ICMP traffic. This + should only be specified if the Protocol field is set to "ICMP" + or "ICMPv6". + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel's iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + ipVersion: + description: IPVersion is an optional field that restricts the + rule to only match a specific IP version. + type: integer + metadata: + description: Metadata contains additional information for this + rule + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a set of key value pairs that + give extra information about the rule + type: object + type: object + notICMP: + description: NotICMP is the negated version of the ICMP field. + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel's iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + notProtocol: + anyOf: + - type: integer + - type: string + description: NotProtocol is the negated version of the Protocol + field. + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + description: "Protocol is an optional field that restricts the + rule to only apply to traffic of a specific IP protocol. Required + if any of the EntityRules contain Ports (because ports only + apply to certain protocols). \n Must be one of these string + values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", + \"UDPLite\" or an integer in the range 1-255." + pattern: ^.* + x-kubernetes-int-or-string: true + source: + description: Source contains the match criteria that apply to + source entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and Selector are defined on the same rule, then only workload + endpoints that are matched by both selectors will be selected + by the rule. \n For NetworkPolicy, an empty NamespaceSelector + implies that the Selector is limited to selecting only + workload endpoints in the same namespace as the NetworkPolicy. + \n For NetworkPolicy, `global()` NamespaceSelector implies + that the Selector is limited to selecting only GlobalNetworkSet + or HostEndpoint. \n For GlobalNetworkPolicy, an empty + NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label “my_label”. \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label “my_label”. + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + type: object + required: + - action + type: object + type: array + ingress: + description: The ordered set of ingress rules. Each rule contains + a set of packet match criteria and a corresponding action to apply. + items: + description: "A Rule encapsulates a set of match criteria and an + action. Both selector-based security Policy and security Profiles + reference rules - separated out as a list of rules for both ingress + and egress packet matching. \n Each positive match criteria has + a negated version, prefixed with ”Not”. All the match criteria + within a rule must be satisfied for a packet to match. A single + rule can contain the positive and negative version of a match + and both must be satisfied for the rule to match." + properties: + action: + type: string + destination: + description: Destination contains the match criteria that apply + to destination entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and Selector are defined on the same rule, then only workload + endpoints that are matched by both selectors will be selected + by the rule. \n For NetworkPolicy, an empty NamespaceSelector + implies that the Selector is limited to selecting only + workload endpoints in the same namespace as the NetworkPolicy. + \n For NetworkPolicy, `global()` NamespaceSelector implies + that the Selector is limited to selecting only GlobalNetworkSet + or HostEndpoint. \n For GlobalNetworkPolicy, an empty + NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label “my_label”. \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label “my_label”. + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + type: object + http: + description: HTTP contains match criteria that apply to HTTP + requests. + properties: + methods: + description: Methods is an optional field that restricts + the rule to apply only to HTTP requests that use one of + the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple + methods are OR'd together. + items: + type: string + type: array + paths: + description: 'Paths is an optional field that restricts + the rule to apply to HTTP requests that use one of the + listed HTTP Paths. Multiple paths are OR''d together. + e.g: - exact: /foo - prefix: /bar NOTE: Each entry may + ONLY specify either a `exact` or a `prefix` match. The + validator will check for it.' + items: + description: 'HTTPPath specifies an HTTP path to match. + It may be either of the form: exact: : which matches + the path exactly or prefix: : which matches + the path prefix' + properties: + exact: + type: string + prefix: + type: string + type: object + type: array + type: object + icmp: + description: ICMP is an optional field that restricts the rule + to apply to a specific type and code of ICMP traffic. This + should only be specified if the Protocol field is set to "ICMP" + or "ICMPv6". + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel's iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + ipVersion: + description: IPVersion is an optional field that restricts the + rule to only match a specific IP version. + type: integer + metadata: + description: Metadata contains additional information for this + rule + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a set of key value pairs that + give extra information about the rule + type: object + type: object + notICMP: + description: NotICMP is the negated version of the ICMP field. + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel's iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + notProtocol: + anyOf: + - type: integer + - type: string + description: NotProtocol is the negated version of the Protocol + field. + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + description: "Protocol is an optional field that restricts the + rule to only apply to traffic of a specific IP protocol. Required + if any of the EntityRules contain Ports (because ports only + apply to certain protocols). \n Must be one of these string + values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", + \"UDPLite\" or an integer in the range 1-255." + pattern: ^.* + x-kubernetes-int-or-string: true + source: + description: Source contains the match criteria that apply to + source entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and Selector are defined on the same rule, then only workload + endpoints that are matched by both selectors will be selected + by the rule. \n For NetworkPolicy, an empty NamespaceSelector + implies that the Selector is limited to selecting only + workload endpoints in the same namespace as the NetworkPolicy. + \n For NetworkPolicy, `global()` NamespaceSelector implies + that the Selector is limited to selecting only GlobalNetworkSet + or HostEndpoint. \n For GlobalNetworkPolicy, an empty + NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label “my_label”. \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label “my_label”. + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + type: object + required: + - action + type: object + type: array + namespaceSelector: + description: NamespaceSelector is an optional field for an expression + used to select a pod based on namespaces. + type: string + order: + description: Order is an optional field that specifies the order in + which the policy is applied. Policies with higher "order" are applied + after those with lower order. If the order is omitted, it may be + considered to be "infinite" - i.e. the policy will be applied last. Policies + with identical order will be applied in alphanumerical order based + on the Policy "Name". + type: number + preDNAT: + description: PreDNAT indicates to apply the rules in this policy before + any DNAT. + type: boolean + selector: + description: "The selector is an expression used to pick pick out + the endpoints that the policy should be applied to. \n Selector + expressions follow this syntax: \n \tlabel == \"string_literal\" + \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" + \ -> not equal; also matches if label is not present \tlabel in + { \"a\", \"b\", \"c\", ... } -> true if the value of label X is + one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", + ... } -> true if the value of label X is not one of \"a\", \"b\", + \"c\" \thas(label_name) -> True if that label is present \t! expr + -> negation of expr \texpr && expr -> Short-circuit and \texpr + || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() + or the empty selector -> matches all endpoints. \n Label names are + allowed to contain alphanumerics, -, _ and /. String literals are + more permissive but they do not support escape characters. \n Examples + (with made-up labels): \n \ttype == \"webserver\" && deployment + == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != + \"dev\" \t! has(label_name)" + type: string + serviceAccountSelector: + description: ServiceAccountSelector is an optional field for an expression + used to select a pod based on service accounts. + type: string + types: + description: "Types indicates whether this policy applies to ingress, + or to egress, or to both. When not explicitly specified (and so + the value on creation is empty or nil), Calico defaults Types according + to what Ingress and Egress rules are present in the policy. The + default is: \n - [ PolicyTypeIngress ], if there are no Egress rules + (including the case where there are also no Ingress rules) \n + - [ PolicyTypeEgress ], if there are Egress rules but no Ingress + rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are + both Ingress and Egress rules. \n When the policy is read back again, + Types will always be one of these values, never empty or nil." + items: + description: PolicyType enumerates the possible values of the PolicySpec + Types field. + type: string + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +# Source: crds/calico/kdd/crd.projectcalico.org_globalnetworksets.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: globalnetworksets.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: GlobalNetworkSet + listKind: GlobalNetworkSetList + plural: globalnetworksets + singular: globalnetworkset + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs + that share labels to allow rules to refer to them via selectors. The labels + of GlobalNetworkSet are not namespaced. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GlobalNetworkSetSpec contains the specification for a NetworkSet + resource. + properties: + nets: + description: The list of IP networks that belong to this set. + items: + type: string + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +# Source: crds/calico/kdd/crd.projectcalico.org_hostendpoints.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: hostendpoints.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: HostEndpoint + listKind: HostEndpointList + plural: hostendpoints + singular: hostendpoint + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: HostEndpointSpec contains the specification for a HostEndpoint + resource. + properties: + expectedIPs: + description: "The expected IP addresses (IPv4 and IPv6) of the endpoint. + If \"InterfaceName\" is not present, Calico will look for an interface + matching any of the IPs in the list and apply policy to that. Note: + \tWhen using the selector match criteria in an ingress or egress + security Policy \tor Profile, Calico converts the selector into + a set of IP addresses. For host \tendpoints, the ExpectedIPs field + is used for that purpose. (If only the interface \tname is specified, + Calico does not learn the IPs of the interface for use in match + \tcriteria.)" + items: + type: string + type: array + interfaceName: + description: "Either \"*\", or the name of a specific Linux interface + to apply policy to; or empty. \"*\" indicates that this HostEndpoint + governs all traffic to, from or through the default network namespace + of the host named by the \"Node\" field; entering and leaving that + namespace via any interface, including those from/to non-host-networked + local workloads. \n If InterfaceName is not \"*\", this HostEndpoint + only governs traffic that enters or leaves the host through the + specific interface named by InterfaceName, or - when InterfaceName + is empty - through the specific interface that has one of the IPs + in ExpectedIPs. Therefore, when InterfaceName is empty, at least + one expected IP must be specified. Only external interfaces (such + as “eth0”) are supported here; it isn't possible for a HostEndpoint + to protect traffic through a specific local workload interface. + \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints; + initially just pre-DNAT policy. Please check Calico documentation + for the latest position." + type: string + node: + description: The node name identifying the Calico node instance. + type: string + ports: + description: Ports contains the endpoint's named ports, which may + be referenced in security policy rules. + items: + properties: + name: + type: string + port: + type: integer + protocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + required: + - name + - port + - protocol + type: object + type: array + profiles: + description: A list of identifiers of security Profile objects that + apply to this endpoint. Each profile is applied in the order that + they appear in this list. Profile rules are applied after the selector-based + security policy. + items: + type: string + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +# Source: crds/calico/kdd/crd.projectcalico.org_ipamblocks.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ipamblocks.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: IPAMBlock + listKind: IPAMBlockList + plural: ipamblocks + singular: ipamblock + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IPAMBlockSpec contains the specification for an IPAMBlock + resource. + properties: + affinity: + type: string + allocations: + items: + type: integer + # TODO: This nullable is manually added in. We should update controller-gen + # to handle []*int properly itself. + nullable: true + type: array + attributes: + items: + properties: + handle_id: + type: string + secondary: + additionalProperties: + type: string + type: object + type: object + type: array + cidr: + type: string + deleted: + type: boolean + strictAffinity: + type: boolean + unallocated: + items: + type: integer + type: array + required: + - allocations + - attributes + - cidr + - strictAffinity + - unallocated + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +# Source: crds/calico/kdd/crd.projectcalico.org_ipamconfigs.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ipamconfigs.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: IPAMConfig + listKind: IPAMConfigList + plural: ipamconfigs + singular: ipamconfig + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IPAMConfigSpec contains the specification for an IPAMConfig + resource. + properties: + autoAllocateBlocks: + type: boolean + maxBlocksPerHost: + description: MaxBlocksPerHost, if non-zero, is the max number of blocks + that can be affine to each host. + type: integer + strictAffinity: + type: boolean + required: + - autoAllocateBlocks + - strictAffinity + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +# Source: crds/calico/kdd/crd.projectcalico.org_ipamhandles.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ipamhandles.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: IPAMHandle + listKind: IPAMHandleList + plural: ipamhandles + singular: ipamhandle + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IPAMHandleSpec contains the specification for an IPAMHandle + resource. + properties: + block: + additionalProperties: + type: integer + type: object + deleted: + type: boolean + handleID: + type: string + required: + - block + - handleID + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +# Source: crds/calico/kdd/crd.projectcalico.org_ippools.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ippools.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: IPPool + listKind: IPPoolList + plural: ippools + singular: ippool + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IPPoolSpec contains the specification for an IPPool resource. + properties: + blockSize: + description: The block size to use for IP address assignments from + this pool. Defaults to 26 for IPv4 and 112 for IPv6. + type: integer + cidr: + description: The pool CIDR. + type: string + disabled: + description: When disabled is true, Calico IPAM will not assign addresses + from this pool. + type: boolean + ipip: + description: 'Deprecated: this field is only used for APIv1 backwards + compatibility. Setting this field is not allowed, this field is + for internal use only.' + properties: + enabled: + description: When enabled is true, ipip tunneling will be used + to deliver packets to destinations within this pool. + type: boolean + mode: + description: The IPIP mode. This can be one of "always" or "cross-subnet". A + mode of "always" will also use IPIP tunneling for routing to + destination IP addresses within this pool. A mode of "cross-subnet" + will only use IPIP tunneling when the destination node is on + a different subnet to the originating node. The default value + (if not specified) is "always". + type: string + type: object + ipipMode: + description: Contains configuration for IPIP tunneling for this pool. + If not specified, then this is defaulted to "Never" (i.e. IPIP tunneling + is disabled). + type: string + nat-outgoing: + description: 'Deprecated: this field is only used for APIv1 backwards + compatibility. Setting this field is not allowed, this field is + for internal use only.' + type: boolean + natOutgoing: + description: When nat-outgoing is true, packets sent from Calico networked + containers in this pool to destinations outside of this pool will + be masqueraded. + type: boolean + nodeSelector: + description: Allows IPPool to allocate for a specific node by label + selector. + type: string + vxlanMode: + description: Contains configuration for VXLAN tunneling for this pool. + If not specified, then this is defaulted to "Never" (i.e. VXLAN + tunneling is disabled). + type: string + required: + - cidr + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +# Source: crds/calico/kdd/crd.projectcalico.org_kubecontrollersconfigurations.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: kubecontrollersconfigurations.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: KubeControllersConfiguration + listKind: KubeControllersConfigurationList + plural: kubecontrollersconfigurations + singular: kubecontrollersconfiguration + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: KubeControllersConfigurationSpec contains the values of the + Kubernetes controllers configuration. + properties: + controllers: + description: Controllers enables and configures individual Kubernetes + controllers + properties: + namespace: + description: Namespace enables and configures the namespace controller. + Enabled by default, set to nil to disable. + properties: + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform reconciliation + with the Calico datastore. [Default: 5m]' + type: string + type: object + node: + description: Node enables and configures the node controller. + Enabled by default, set to nil to disable. + properties: + hostEndpoint: + description: HostEndpoint controls syncing nodes to host endpoints. + Disabled by default, set to nil to disable. + properties: + autoCreate: + description: 'AutoCreate enables automatic creation of + host endpoints for every node. [Default: Disabled]' + type: string + type: object + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform reconciliation + with the Calico datastore. [Default: 5m]' + type: string + syncLabels: + description: 'SyncLabels controls whether to copy Kubernetes + node labels to Calico nodes. [Default: Enabled]' + type: string + type: object + policy: + description: Policy enables and configures the policy controller. + Enabled by default, set to nil to disable. + properties: + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform reconciliation + with the Calico datastore. [Default: 5m]' + type: string + type: object + serviceAccount: + description: ServiceAccount enables and configures the service + account controller. Enabled by default, set to nil to disable. + properties: + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform reconciliation + with the Calico datastore. [Default: 5m]' + type: string + type: object + workloadEndpoint: + description: WorkloadEndpoint enables and configures the workload + endpoint controller. Enabled by default, set to nil to disable. + properties: + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform reconciliation + with the Calico datastore. [Default: 5m]' + type: string + type: object + type: object + etcdV3CompactionPeriod: + description: 'EtcdV3CompactionPeriod is the period between etcdv3 + compaction requests. Set to 0 to disable. [Default: 10m]' + type: string + healthChecks: + description: 'HealthChecks enables or disables support for health + checks [Default: Enabled]' + type: string + logSeverityScreen: + description: 'LogSeverityScreen is the log severity above which logs + are sent to the stdout. [Default: Info]' + type: string + required: + - controllers + type: object + status: + description: KubeControllersConfigurationStatus represents the status + of the configuration. It's useful for admins to be able to see the actual + config that was applied, which can be modified by environment variables + on the kube-controllers process. + properties: + environmentVars: + additionalProperties: + type: string + description: EnvironmentVars contains the environment variables on + the kube-controllers that influenced the RunningConfig. + type: object + runningConfig: + description: RunningConfig contains the effective config that is running + in the kube-controllers pod, after merging the API resource with + any environment variables. + properties: + controllers: + description: Controllers enables and configures individual Kubernetes + controllers + properties: + namespace: + description: Namespace enables and configures the namespace + controller. Enabled by default, set to nil to disable. + properties: + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform + reconciliation with the Calico datastore. [Default: + 5m]' + type: string + type: object + node: + description: Node enables and configures the node controller. + Enabled by default, set to nil to disable. + properties: + hostEndpoint: + description: HostEndpoint controls syncing nodes to host + endpoints. Disabled by default, set to nil to disable. + properties: + autoCreate: + description: 'AutoCreate enables automatic creation + of host endpoints for every node. [Default: Disabled]' + type: string + type: object + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform + reconciliation with the Calico datastore. [Default: + 5m]' + type: string + syncLabels: + description: 'SyncLabels controls whether to copy Kubernetes + node labels to Calico nodes. [Default: Enabled]' + type: string + type: object + policy: + description: Policy enables and configures the policy controller. + Enabled by default, set to nil to disable. + properties: + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform + reconciliation with the Calico datastore. [Default: + 5m]' + type: string + type: object + serviceAccount: + description: ServiceAccount enables and configures the service + account controller. Enabled by default, set to nil to disable. + properties: + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform + reconciliation with the Calico datastore. [Default: + 5m]' + type: string + type: object + workloadEndpoint: + description: WorkloadEndpoint enables and configures the workload + endpoint controller. Enabled by default, set to nil to disable. + properties: + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform + reconciliation with the Calico datastore. [Default: + 5m]' + type: string + type: object + type: object + etcdV3CompactionPeriod: + description: 'EtcdV3CompactionPeriod is the period between etcdv3 + compaction requests. Set to 0 to disable. [Default: 10m]' + type: string + healthChecks: + description: 'HealthChecks enables or disables support for health + checks [Default: Enabled]' + type: string + logSeverityScreen: + description: 'LogSeverityScreen is the log severity above which + logs are sent to the stdout. [Default: Info]' + type: string + required: + - controllers + type: object + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +# Source: crds/calico/kdd/crd.projectcalico.org_networkpolicies.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: networkpolicies.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: NetworkPolicy + listKind: NetworkPolicyList + plural: networkpolicies + singular: networkpolicy + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + egress: + description: The ordered set of egress rules. Each rule contains + a set of packet match criteria and a corresponding action to apply. + items: + description: "A Rule encapsulates a set of match criteria and an + action. Both selector-based security Policy and security Profiles + reference rules - separated out as a list of rules for both ingress + and egress packet matching. \n Each positive match criteria has + a negated version, prefixed with ”Not”. All the match criteria + within a rule must be satisfied for a packet to match. A single + rule can contain the positive and negative version of a match + and both must be satisfied for the rule to match." + properties: + action: + type: string + destination: + description: Destination contains the match criteria that apply + to destination entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and Selector are defined on the same rule, then only workload + endpoints that are matched by both selectors will be selected + by the rule. \n For NetworkPolicy, an empty NamespaceSelector + implies that the Selector is limited to selecting only + workload endpoints in the same namespace as the NetworkPolicy. + \n For NetworkPolicy, `global()` NamespaceSelector implies + that the Selector is limited to selecting only GlobalNetworkSet + or HostEndpoint. \n For GlobalNetworkPolicy, an empty + NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label “my_label”. \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label “my_label”. + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + type: object + http: + description: HTTP contains match criteria that apply to HTTP + requests. + properties: + methods: + description: Methods is an optional field that restricts + the rule to apply only to HTTP requests that use one of + the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple + methods are OR'd together. + items: + type: string + type: array + paths: + description: 'Paths is an optional field that restricts + the rule to apply to HTTP requests that use one of the + listed HTTP Paths. Multiple paths are OR''d together. + e.g: - exact: /foo - prefix: /bar NOTE: Each entry may + ONLY specify either a `exact` or a `prefix` match. The + validator will check for it.' + items: + description: 'HTTPPath specifies an HTTP path to match. + It may be either of the form: exact: : which matches + the path exactly or prefix: : which matches + the path prefix' + properties: + exact: + type: string + prefix: + type: string + type: object + type: array + type: object + icmp: + description: ICMP is an optional field that restricts the rule + to apply to a specific type and code of ICMP traffic. This + should only be specified if the Protocol field is set to "ICMP" + or "ICMPv6". + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel's iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + ipVersion: + description: IPVersion is an optional field that restricts the + rule to only match a specific IP version. + type: integer + metadata: + description: Metadata contains additional information for this + rule + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a set of key value pairs that + give extra information about the rule + type: object + type: object + notICMP: + description: NotICMP is the negated version of the ICMP field. + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel's iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + notProtocol: + anyOf: + - type: integer + - type: string + description: NotProtocol is the negated version of the Protocol + field. + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + description: "Protocol is an optional field that restricts the + rule to only apply to traffic of a specific IP protocol. Required + if any of the EntityRules contain Ports (because ports only + apply to certain protocols). \n Must be one of these string + values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", + \"UDPLite\" or an integer in the range 1-255." + pattern: ^.* + x-kubernetes-int-or-string: true + source: + description: Source contains the match criteria that apply to + source entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and Selector are defined on the same rule, then only workload + endpoints that are matched by both selectors will be selected + by the rule. \n For NetworkPolicy, an empty NamespaceSelector + implies that the Selector is limited to selecting only + workload endpoints in the same namespace as the NetworkPolicy. + \n For NetworkPolicy, `global()` NamespaceSelector implies + that the Selector is limited to selecting only GlobalNetworkSet + or HostEndpoint. \n For GlobalNetworkPolicy, an empty + NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label “my_label”. \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label “my_label”. + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + type: object + required: + - action + type: object + type: array + ingress: + description: The ordered set of ingress rules. Each rule contains + a set of packet match criteria and a corresponding action to apply. + items: + description: "A Rule encapsulates a set of match criteria and an + action. Both selector-based security Policy and security Profiles + reference rules - separated out as a list of rules for both ingress + and egress packet matching. \n Each positive match criteria has + a negated version, prefixed with ”Not”. All the match criteria + within a rule must be satisfied for a packet to match. A single + rule can contain the positive and negative version of a match + and both must be satisfied for the rule to match." + properties: + action: + type: string + destination: + description: Destination contains the match criteria that apply + to destination entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and Selector are defined on the same rule, then only workload + endpoints that are matched by both selectors will be selected + by the rule. \n For NetworkPolicy, an empty NamespaceSelector + implies that the Selector is limited to selecting only + workload endpoints in the same namespace as the NetworkPolicy. + \n For NetworkPolicy, `global()` NamespaceSelector implies + that the Selector is limited to selecting only GlobalNetworkSet + or HostEndpoint. \n For GlobalNetworkPolicy, an empty + NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label “my_label”. \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label “my_label”. + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + type: object + http: + description: HTTP contains match criteria that apply to HTTP + requests. + properties: + methods: + description: Methods is an optional field that restricts + the rule to apply only to HTTP requests that use one of + the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple + methods are OR'd together. + items: + type: string + type: array + paths: + description: 'Paths is an optional field that restricts + the rule to apply to HTTP requests that use one of the + listed HTTP Paths. Multiple paths are OR''d together. + e.g: - exact: /foo - prefix: /bar NOTE: Each entry may + ONLY specify either a `exact` or a `prefix` match. The + validator will check for it.' + items: + description: 'HTTPPath specifies an HTTP path to match. + It may be either of the form: exact: : which matches + the path exactly or prefix: : which matches + the path prefix' + properties: + exact: + type: string + prefix: + type: string + type: object + type: array + type: object + icmp: + description: ICMP is an optional field that restricts the rule + to apply to a specific type and code of ICMP traffic. This + should only be specified if the Protocol field is set to "ICMP" + or "ICMPv6". + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel's iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + ipVersion: + description: IPVersion is an optional field that restricts the + rule to only match a specific IP version. + type: integer + metadata: + description: Metadata contains additional information for this + rule + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a set of key value pairs that + give extra information about the rule + type: object + type: object + notICMP: + description: NotICMP is the negated version of the ICMP field. + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel's iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + notProtocol: + anyOf: + - type: integer + - type: string + description: NotProtocol is the negated version of the Protocol + field. + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + description: "Protocol is an optional field that restricts the + rule to only apply to traffic of a specific IP protocol. Required + if any of the EntityRules contain Ports (because ports only + apply to certain protocols). \n Must be one of these string + values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", + \"UDPLite\" or an integer in the range 1-255." + pattern: ^.* + x-kubernetes-int-or-string: true + source: + description: Source contains the match criteria that apply to + source entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and Selector are defined on the same rule, then only workload + endpoints that are matched by both selectors will be selected + by the rule. \n For NetworkPolicy, an empty NamespaceSelector + implies that the Selector is limited to selecting only + workload endpoints in the same namespace as the NetworkPolicy. + \n For NetworkPolicy, `global()` NamespaceSelector implies + that the Selector is limited to selecting only GlobalNetworkSet + or HostEndpoint. \n For GlobalNetworkPolicy, an empty + NamespaceSelector implies the Selector applies to workload + endpoints across all namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label “my_label”. \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label “my_label”. + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + type: object + required: + - action + type: object + type: array + order: + description: Order is an optional field that specifies the order in + which the policy is applied. Policies with higher "order" are applied + after those with lower order. If the order is omitted, it may be + considered to be "infinite" - i.e. the policy will be applied last. Policies + with identical order will be applied in alphanumerical order based + on the Policy "Name". + type: number + selector: + description: "The selector is an expression used to pick pick out + the endpoints that the policy should be applied to. \n Selector + expressions follow this syntax: \n \tlabel == \"string_literal\" + \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" + \ -> not equal; also matches if label is not present \tlabel in + { \"a\", \"b\", \"c\", ... } -> true if the value of label X is + one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", + ... } -> true if the value of label X is not one of \"a\", \"b\", + \"c\" \thas(label_name) -> True if that label is present \t! expr + -> negation of expr \texpr && expr -> Short-circuit and \texpr + || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() + or the empty selector -> matches all endpoints. \n Label names are + allowed to contain alphanumerics, -, _ and /. String literals are + more permissive but they do not support escape characters. \n Examples + (with made-up labels): \n \ttype == \"webserver\" && deployment + == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != + \"dev\" \t! has(label_name)" + type: string + serviceAccountSelector: + description: ServiceAccountSelector is an optional field for an expression + used to select a pod based on service accounts. + type: string + types: + description: "Types indicates whether this policy applies to ingress, + or to egress, or to both. When not explicitly specified (and so + the value on creation is empty or nil), Calico defaults Types according + to what Ingress and Egress are present in the policy. The default + is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including + the case where there are also no Ingress rules) \n - [ PolicyTypeEgress + ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress, + PolicyTypeEgress ], if there are both Ingress and Egress rules. + \n When the policy is read back again, Types will always be one + of these values, never empty or nil." + items: + description: PolicyType enumerates the possible values of the PolicySpec + Types field. + type: string + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +# Source: crds/calico/kdd/crd.projectcalico.org_networksets.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: networksets.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: NetworkSet + listKind: NetworkSetList + plural: networksets + singular: networkset + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: NetworkSetSpec contains the specification for a NetworkSet + resource. + properties: + nets: + description: The list of IP networks that belong to this set. + items: + type: string + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +# Source: crds/operator.tigera.io_installations_crd.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.3.0 + name: installations.operator.tigera.io +spec: + group: operator.tigera.io + names: + kind: Installation + listKind: InstallationList + plural: installations + singular: installation + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: Installation configures an installation of Calico or Calico Enterprise. + At most one instance of this resource is supported. It must be named "default". + The Installation API installs core networking and network policy components, + and provides general install-time configuration. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Specification of the desired state for the Calico or Calico + Enterprise installation. + properties: + calicoNetwork: + description: CalicoNetwork specifies networking configuration options + for Calico. + properties: + bgp: + description: BGP configures whether or not to enable Calico's + BGP capabilities. + enum: + - Enabled + - Disabled + type: string + containerIPForwarding: + description: 'ContainerIPForwarding configures whether ip forwarding + will be enabled for containers in the CNI configuration. Default: + Disabled' + enum: + - Enabled + - Disabled + type: string + hostPorts: + description: 'HostPorts configures whether or not Calico will + support Kubernetes HostPorts. Valid only when using the Calico + CNI plugin. Default: Enabled' + enum: + - Enabled + - Disabled + type: string + ipPools: + description: IPPools contains a list of IP pools to create if + none exist. At most one IP pool of each address family may be + specified. If omitted, a single pool will be configured if needed. + items: + properties: + blockSize: + description: 'BlockSize specifies the CIDR prefex length + to use when allocating per-node IP blocks from the main + IP pool CIDR. Default: 26 (IPv4), 122 (IPv6)' + format: int32 + type: integer + cidr: + description: CIDR contains the address range for the IP + Pool in classless inter-domain routing format. + type: string + encapsulation: + description: 'Encapsulation specifies the encapsulation + type that will be used with the IP Pool. Default: IPIP' + enum: + - IPIPCrossSubnet + - IPIP + - VXLAN + - VXLANCrossSubnet + - None + type: string + natOutgoing: + description: 'NATOutgoing specifies if NAT will be enabled + or disabled for outgoing traffic. Default: Enabled' + enum: + - Enabled + - Disabled + type: string + nodeSelector: + description: 'NodeSelector specifies the node selector that + will be set for the IP Pool. Default: ''all()''' + type: string + required: + - cidr + type: object + type: array + mtu: + description: MTU specifies the maximum transmission unit to use + on the pod network. If not specified, Calico will perform MTU + auto-detection based on the cluster network. + format: int32 + type: integer + multiInterfaceMode: + description: 'MultiInterfaceMode configures what will configure + multiple interface per pod. Only valid for Calico Enterprise + installations using the Calico CNI plugin. Default: None' + enum: + - None + - Multus + type: string + nodeAddressAutodetectionV4: + description: NodeAddressAutodetectionV4 specifies an approach + to automatically detect node IPv4 addresses. If not specified, + will use default auto-detection settings to acquire an IPv4 + address for each node. + properties: + canReach: + description: CanReach enables IP auto-detection based on which + source address on the node is used to reach the specified + IP or domain. + type: string + cidrs: + description: CIDRS enables IP auto-detection based on which + addresses on the nodes are within one of the provided CIDRs. + items: + type: string + type: array + firstFound: + description: FirstFound uses default interface matching parameters + to select an interface, performing best-effort filtering + based on well-known interface names. + type: boolean + interface: + description: Interface enables IP auto-detection based on + interfaces that match the given regex. + type: string + skipInterface: + description: SkipInterface enables IP auto-detection based + on interfaces that do not match the given regex. + type: string + type: object + nodeAddressAutodetectionV6: + description: NodeAddressAutodetectionV6 specifies an approach + to automatically detect node IPv6 addresses. If not specified, + IPv6 addresses will not be auto-detected. + properties: + canReach: + description: CanReach enables IP auto-detection based on which + source address on the node is used to reach the specified + IP or domain. + type: string + cidrs: + description: CIDRS enables IP auto-detection based on which + addresses on the nodes are within one of the provided CIDRs. + items: + type: string + type: array + firstFound: + description: FirstFound uses default interface matching parameters + to select an interface, performing best-effort filtering + based on well-known interface names. + type: boolean + interface: + description: Interface enables IP auto-detection based on + interfaces that match the given regex. + type: string + skipInterface: + description: SkipInterface enables IP auto-detection based + on interfaces that do not match the given regex. + type: string + type: object + type: object + cni: + description: CNI specifies the CNI that will be used by this installation. + properties: + ipam: + description: IPAM specifies the pod IP address management that + will be used in the Calico or Calico Enterprise installation. + properties: + type: + description: "Specifies the IPAM plugin that will be used + in the Calico or Calico Enterprise installation. * For CNI + Plugin Calico, this field defaults to Calico. * For CNI + Plugin GKE, this field defaults to HostLocal. * For CNI + Plugin AzureVNET, this field defaults to AzureVNET. * For + CNI Plugin AmazonVPC, this field defaults to AmazonVPC. + \n The IPAM plugin is installed and configured only if the + CNI plugin is set to Calico, for all other values of the + CNI plugin the plugin binaries and CNI config is a dependency + that is expected to be installed separately. \n Default: + Calico" + enum: + - Calico + - HostLocal + - AmazonVPC + - AzureVNET + type: string + required: + - type + type: object + type: + description: "Specifies the CNI plugin that will be used in the + Calico or Calico Enterprise installation. * For KubernetesProvider + GKE, this field defaults to GKE. * For KubernetesProvider AKS, + this field defaults to AzureVNET. * For KubernetesProvider EKS, + this field defaults to AmazonVPC. * If aws-node daemonset exists + in kube-system when the Installation resource is created, this + field defaults to AmazonVPC. * For all other cases this field + defaults to Calico. \n For the value Calico, the CNI plugin + binaries and CNI config will be installed as part of deployment, + for all other values the CNI plugin binaries and CNI config + is a dependency that is expected to be installed separately. + \n Default: Calico" + enum: + - Calico + - GKE + - AmazonVPC + - AzureVNET + type: string + required: + - type + type: object + componentResources: + description: ComponentResources can be used to customize the resource + requirements for each component. + items: + description: The ComponentResource struct associates a ResourceRequirements + with a component by name + properties: + componentName: + description: ComponentName is an enum which identifies the component + enum: + - Node + - Typha + - KubeControllers + type: string + resourceRequirements: + description: ResourceRequirements allows customization of limits + and requests for compute resources such as cpu and memory. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. More info: + https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + type: object + type: object + required: + - componentName + - resourceRequirements + type: object + type: array + controlPlaneNodeSelector: + additionalProperties: + type: string + description: ControlPlaneNodeSelector is used to select control plane + nodes on which to run specific Calico components. This currently + only applies to kube-controllers and the apiserver. + type: object + flexVolumePath: + description: FlexVolumePath optionally specifies a custom path for + FlexVolume. If not specified, FlexVolume will be enabled by default. + If set to 'None', FlexVolume will be disabled. The default is based + on the kubernetesProvider. + type: string + imagePath: + description: "ImagePath allows for the path part of an image to be + specified. If specified then the specified value will be used as + the image path for each image. If not specified or empty, the default + for each image will be used. \n Image format: `//:` + \n This option allows configuring the `` portion of the + above format." + type: string + imagePullSecrets: + description: ImagePullSecrets is an array of references to container + registry pull secrets to use. These are applied to all images to + be pulled. + items: + description: LocalObjectReference contains enough information to + let you locate the referenced object inside the same namespace. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + type: array + kubernetesProvider: + description: KubernetesProvider specifies a particular provider of + the Kubernetes platform and enables provider-specific configuration. + If the specified value is empty, the Operator will attempt to automatically + determine the current provider. If the specified value is not empty, + the Operator will still attempt auto-detection, but will additionally + compare the auto-detected value to the specified value to confirm + they match. + enum: + - "" + - EKS + - GKE + - AKS + - OpenShift + - DockerEnterprise + type: string + nodeMetricsPort: + description: NodeMetricsPort specifies which port calico/node serves + prometheus metrics on. By default, metrics are not enabled. If specified, + this overrides any FelixConfiguration resources which may exist. + If omitted, then prometheus metrics may still be configured through + FelixConfiguration. + format: int32 + type: integer + nodeUpdateStrategy: + description: NodeUpdateStrategy can be used to customize the desired + update strategy, such as the MaxUnavailable field. + properties: + rollingUpdate: + description: 'Rolling update config params. Present only if type + = "RollingUpdate". --- TODO: Update this to follow our convention + for oneOf, whatever we decide it to be. Same as Deployment `strategy.rollingUpdate`. + See https://github.com/kubernetes/kubernetes/issues/35345' + properties: + maxUnavailable: + anyOf: + - type: integer + - type: string + description: 'The maximum number of DaemonSet pods that can + be unavailable during the update. Value can be an absolute + number (ex: 5) or a percentage of total number of DaemonSet + pods at the start of the update (ex: 10%). Absolute number + is calculated from percentage by rounding up. This cannot + be 0. Default value is 1. Example: when this is set to 30%, + at most 30% of the total number of nodes that should be + running the daemon pod (i.e. status.desiredNumberScheduled) + can have their pods stopped for an update at any given time. + The update starts by stopping at most 30% of those DaemonSet + pods and then brings up new DaemonSet pods in their place. + Once the new pods are available, it then proceeds onto other + DaemonSet pods, thus ensuring that at least 70% of original + number of DaemonSet pods are available at all times during + the update.' + x-kubernetes-int-or-string: true + type: object + type: + description: Type of daemon set update. Can be "RollingUpdate" + or "OnDelete". Default is RollingUpdate. + type: string + type: object + registry: + description: "Registry is the default Docker registry used for component + Docker images. If specified, all images will be pulled from this + registry. If not specified then the default registries will be used. + \n Image format: `//:` + \n This option allows configuring the `` portion of the + above format." + type: string + variant: + description: 'Variant is the product to install - one of Calico or + TigeraSecureEnterprise Default: Calico' + enum: + - Calico + - TigeraSecureEnterprise + type: string + type: object + status: + description: Most recently observed state for the Calico or Calico Enterprise + installation. + properties: + computed: + description: Computed is the final installation including overlaid + resources. + properties: + calicoNetwork: + description: CalicoNetwork specifies networking configuration + options for Calico. + properties: + bgp: + description: BGP configures whether or not to enable Calico's + BGP capabilities. + enum: + - Enabled + - Disabled + type: string + containerIPForwarding: + description: 'ContainerIPForwarding configures whether ip + forwarding will be enabled for containers in the CNI configuration. + Default: Disabled' + enum: + - Enabled + - Disabled + type: string + hostPorts: + description: 'HostPorts configures whether or not Calico will + support Kubernetes HostPorts. Valid only when using the + Calico CNI plugin. Default: Enabled' + enum: + - Enabled + - Disabled + type: string + ipPools: + description: IPPools contains a list of IP pools to create + if none exist. At most one IP pool of each address family + may be specified. If omitted, a single pool will be configured + if needed. + items: + properties: + blockSize: + description: 'BlockSize specifies the CIDR prefex length + to use when allocating per-node IP blocks from the + main IP pool CIDR. Default: 26 (IPv4), 122 (IPv6)' + format: int32 + type: integer + cidr: + description: CIDR contains the address range for the + IP Pool in classless inter-domain routing format. + type: string + encapsulation: + description: 'Encapsulation specifies the encapsulation + type that will be used with the IP Pool. Default: + IPIP' + enum: + - IPIPCrossSubnet + - IPIP + - VXLAN + - VXLANCrossSubnet + - None + type: string + natOutgoing: + description: 'NATOutgoing specifies if NAT will be enabled + or disabled for outgoing traffic. Default: Enabled' + enum: + - Enabled + - Disabled + type: string + nodeSelector: + description: 'NodeSelector specifies the node selector + that will be set for the IP Pool. Default: ''all()''' + type: string + required: + - cidr + type: object + type: array + mtu: + description: MTU specifies the maximum transmission unit to + use on the pod network. If not specified, Calico will perform + MTU auto-detection based on the cluster network. + format: int32 + type: integer + multiInterfaceMode: + description: 'MultiInterfaceMode configures what will configure + multiple interface per pod. Only valid for Calico Enterprise + installations using the Calico CNI plugin. Default: None' + enum: + - None + - Multus + type: string + nodeAddressAutodetectionV4: + description: NodeAddressAutodetectionV4 specifies an approach + to automatically detect node IPv4 addresses. If not specified, + will use default auto-detection settings to acquire an IPv4 + address for each node. + properties: + canReach: + description: CanReach enables IP auto-detection based + on which source address on the node is used to reach + the specified IP or domain. + type: string + cidrs: + description: CIDRS enables IP auto-detection based on + which addresses on the nodes are within one of the provided + CIDRs. + items: + type: string + type: array + firstFound: + description: FirstFound uses default interface matching + parameters to select an interface, performing best-effort + filtering based on well-known interface names. + type: boolean + interface: + description: Interface enables IP auto-detection based + on interfaces that match the given regex. + type: string + skipInterface: + description: SkipInterface enables IP auto-detection based + on interfaces that do not match the given regex. + type: string + type: object + nodeAddressAutodetectionV6: + description: NodeAddressAutodetectionV6 specifies an approach + to automatically detect node IPv6 addresses. If not specified, + IPv6 addresses will not be auto-detected. + properties: + canReach: + description: CanReach enables IP auto-detection based + on which source address on the node is used to reach + the specified IP or domain. + type: string + cidrs: + description: CIDRS enables IP auto-detection based on + which addresses on the nodes are within one of the provided + CIDRs. + items: + type: string + type: array + firstFound: + description: FirstFound uses default interface matching + parameters to select an interface, performing best-effort + filtering based on well-known interface names. + type: boolean + interface: + description: Interface enables IP auto-detection based + on interfaces that match the given regex. + type: string + skipInterface: + description: SkipInterface enables IP auto-detection based + on interfaces that do not match the given regex. + type: string + type: object + type: object + cni: + description: CNI specifies the CNI that will be used by this installation. + properties: + ipam: + description: IPAM specifies the pod IP address management + that will be used in the Calico or Calico Enterprise installation. + properties: + type: + description: "Specifies the IPAM plugin that will be used + in the Calico or Calico Enterprise installation. * For + CNI Plugin Calico, this field defaults to Calico. * + For CNI Plugin GKE, this field defaults to HostLocal. + * For CNI Plugin AzureVNET, this field defaults to AzureVNET. + * For CNI Plugin AmazonVPC, this field defaults to AmazonVPC. + \n The IPAM plugin is installed and configured only + if the CNI plugin is set to Calico, for all other values + of the CNI plugin the plugin binaries and CNI config + is a dependency that is expected to be installed separately. + \n Default: Calico" + enum: + - Calico + - HostLocal + - AmazonVPC + - AzureVNET + type: string + required: + - type + type: object + type: + description: "Specifies the CNI plugin that will be used in + the Calico or Calico Enterprise installation. * For KubernetesProvider + GKE, this field defaults to GKE. * For KubernetesProvider + AKS, this field defaults to AzureVNET. * For KubernetesProvider + EKS, this field defaults to AmazonVPC. * If aws-node daemonset + exists in kube-system when the Installation resource is + created, this field defaults to AmazonVPC. * For all other + cases this field defaults to Calico. \n For the value Calico, + the CNI plugin binaries and CNI config will be installed + as part of deployment, for all other values the CNI plugin + binaries and CNI config is a dependency that is expected + to be installed separately. \n Default: Calico" + enum: + - Calico + - GKE + - AmazonVPC + - AzureVNET + type: string + required: + - type + type: object + componentResources: + description: ComponentResources can be used to customize the resource + requirements for each component. + items: + description: The ComponentResource struct associates a ResourceRequirements + with a component by name + properties: + componentName: + description: ComponentName is an enum which identifies the + component + enum: + - Node + - Typha + - KubeControllers + type: string + resourceRequirements: + description: ResourceRequirements allows customization of + limits and requests for compute resources such as cpu + and memory. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of + compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount + of compute resources required. If Requests is omitted + for a container, it defaults to Limits if that is + explicitly specified, otherwise to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + type: object + type: object + required: + - componentName + - resourceRequirements + type: object + type: array + controlPlaneNodeSelector: + additionalProperties: + type: string + description: ControlPlaneNodeSelector is used to select control + plane nodes on which to run specific Calico components. This + currently only applies to kube-controllers and the apiserver. + type: object + flexVolumePath: + description: FlexVolumePath optionally specifies a custom path + for FlexVolume. If not specified, FlexVolume will be enabled + by default. If set to 'None', FlexVolume will be disabled. The + default is based on the kubernetesProvider. + type: string + imagePath: + description: "ImagePath allows for the path part of an image to + be specified. If specified then the specified value will be + used as the image path for each image. If not specified or empty, + the default for each image will be used. \n Image format: `//:` + \n This option allows configuring the `` portion + of the above format." + type: string + imagePullSecrets: + description: ImagePullSecrets is an array of references to container + registry pull secrets to use. These are applied to all images + to be pulled. + items: + description: LocalObjectReference contains enough information + to let you locate the referenced object inside the same namespace. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + type: array + kubernetesProvider: + description: KubernetesProvider specifies a particular provider + of the Kubernetes platform and enables provider-specific configuration. + If the specified value is empty, the Operator will attempt to + automatically determine the current provider. If the specified + value is not empty, the Operator will still attempt auto-detection, + but will additionally compare the auto-detected value to the + specified value to confirm they match. + enum: + - "" + - EKS + - GKE + - AKS + - OpenShift + - DockerEnterprise + type: string + nodeMetricsPort: + description: NodeMetricsPort specifies which port calico/node + serves prometheus metrics on. By default, metrics are not enabled. + If specified, this overrides any FelixConfiguration resources + which may exist. If omitted, then prometheus metrics may still + be configured through FelixConfiguration. + format: int32 + type: integer + nodeUpdateStrategy: + description: NodeUpdateStrategy can be used to customize the desired + update strategy, such as the MaxUnavailable field. + properties: + rollingUpdate: + description: 'Rolling update config params. Present only if + type = "RollingUpdate". --- TODO: Update this to follow + our convention for oneOf, whatever we decide it to be. Same + as Deployment `strategy.rollingUpdate`. See https://github.com/kubernetes/kubernetes/issues/35345' + properties: + maxUnavailable: + anyOf: + - type: integer + - type: string + description: 'The maximum number of DaemonSet pods that + can be unavailable during the update. Value can be an + absolute number (ex: 5) or a percentage of total number + of DaemonSet pods at the start of the update (ex: 10%). + Absolute number is calculated from percentage by rounding + up. This cannot be 0. Default value is 1. Example: when + this is set to 30%, at most 30% of the total number + of nodes that should be running the daemon pod (i.e. + status.desiredNumberScheduled) can have their pods stopped + for an update at any given time. The update starts by + stopping at most 30% of those DaemonSet pods and then + brings up new DaemonSet pods in their place. Once the + new pods are available, it then proceeds onto other + DaemonSet pods, thus ensuring that at least 70% of original + number of DaemonSet pods are available at all times + during the update.' + x-kubernetes-int-or-string: true + type: object + type: + description: Type of daemon set update. Can be "RollingUpdate" + or "OnDelete". Default is RollingUpdate. + type: string + type: object + registry: + description: "Registry is the default Docker registry used for + component Docker images. If specified, all images will be pulled + from this registry. If not specified then the default registries + will be used. \n Image format: `//:` + \n This option allows configuring the `` portion of + the above format." + type: string + variant: + description: 'Variant is the product to install - one of Calico + or TigeraSecureEnterprise Default: Calico' + enum: + - Calico + - TigeraSecureEnterprise + type: string + type: object + mtu: + description: MTU is the most recently observed value for pod network + MTU. This may be an explicitly configured value, or based on Calico's + native auto-detetion. + format: int32 + type: integer + variant: + description: Variant is the most recently observed installed variant + - one of Calico or TigeraSecureEnterprise + enum: + - Calico + - TigeraSecureEnterprise + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + +--- +# Source: crds/operator.tigera.io_tigerastatuses_crd.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: tigerastatuses.operator.tigera.io +spec: + group: operator.tigera.io + names: + kind: TigeraStatus + listKind: TigeraStatusList + plural: tigerastatuses + singular: tigerastatus + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Whether the component running and stable. + jsonPath: .status.conditions[?(@.type=='Available')].status + name: Available + type: string + - description: Whether the component is processing changes. + jsonPath: .status.conditions[?(@.type=='Progressing')].status + name: Progressing + type: string + - description: Whether the component is degraded. + jsonPath: .status.conditions[?(@.type=='Degraded')].status + name: Degraded + type: string + - description: The time the component's Available status last changed. + jsonPath: .status.conditions[?(@.type=='Available')].lastTransitionTime + name: Since + type: date + name: v1 + schema: + openAPIV3Schema: + description: TigeraStatus represents the most recently observed status for + Calico or a Calico Enterprise functional area. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + type: object + status: + description: TigeraStatusStatus defines the observed state of TigeraStatus + properties: + conditions: + description: Conditions represents the latest observed set of conditions + for this component. A component may be one or more of Available, + Progressing, or Degraded. + items: + description: TigeraStatusCondition represents a condition attached + to a particular component. + properties: + lastTransitionTime: + description: The timestamp representing the start time for the + current status. + format: date-time + type: string + message: + description: Optionally, a detailed message providing additional + context. + type: string + reason: + description: A brief reason explaining the condition. + type: string + status: + description: The status of the condition. May be True, False, + or Unknown. + type: string + type: + description: The type of condition. May be Available, Progressing, + or Degraded. + type: string + required: + - lastTransitionTime + - status + - type + type: object + type: array + required: + - conditions + type: object + type: object + served: true + storage: true + subresources: + status: {} + +--- +# Source: tigera-operator/templates/tigera-operator/00-namespace-tigera-operator.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: tigera-operator + annotations: + labels: + name: tigera-operator +--- +# Source: tigera-operator/templates/tigera-operator/02-podsecuritypolicy-tigera-operator.yaml +# This should not be rendered for an OpenShift install. +# OpenShift uses SecurityContextConstraints instead. +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: tigera-operator + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' +spec: + privileged: false + allowPrivilegeEscalation: false + requiredDropCapabilities: + - ALL + volumes: + - 'hostPath' + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + # Assume that persistentVolumes set up by the cluster admin are safe to use. + - 'persistentVolumeClaim' + hostNetwork: true + hostPorts: + - min: 0 + max: 65535 + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAsNonRoot' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + readOnlyRootFilesystem: false +--- +# Source: tigera-operator/templates/tigera-operator/02-serviceaccount-tigera-operator.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: tigera-operator + namespace: tigera-operator +--- +# Source: tigera-operator/templates/tigera-operator/02-role-tigera-operator.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: tigera-operator +rules: + - apiGroups: + - "" + resources: + - namespaces + - pods + - podtemplates + - services + - endpoints + - events + - configmaps + - secrets + - serviceaccounts + verbs: + - create + - get + - list + - update + - delete + - watch + - apiGroups: + - "" + resources: + - nodes + verbs: + # Need to update node labels when migrating nodes. + - 'get' + - 'patch' + - 'list' + # We need this for Typha autoscaling + - 'watch' + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + - clusterrolebindings + - rolebindings + - roles + verbs: + - create + - get + - list + - update + - delete + - watch + - bind + - escalate + - apiGroups: + - apps + resources: + - deployments + - daemonsets + - statefulsets + verbs: + - create + - get + - list + - patch + - update + - delete + - watch + - apiGroups: + - apps + resourceNames: + - tigera-operator + resources: + - deployments/finalizers + verbs: + - update + - apiGroups: + - operator.tigera.io + resources: + - '*' + verbs: + - create + - get + - list + - update + - patch + - delete + - watch + - apiGroups: + - crd.projectcalico.org + resources: + - felixconfigurations + verbs: + - patch + - apiGroups: + - crd.projectcalico.org + resources: + - ippools + verbs: + - get + - list + - watch + - apiGroups: + - scheduling.k8s.io + resources: + - priorityclasses + verbs: + - create + - get + - list + - update + - delete + - watch + - apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create + - apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - create + - get + - list + - update + - delete + - watch + - apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + verbs: + - list + - watch + # Add the appropriate pod security policy permissions + - apiGroups: + - policy + resources: + - podsecuritypolicies + resourceNames: + - tigera-operator + verbs: + - use + - apiGroups: + - policy + resources: + - podsecuritypolicies + verbs: + - get + - list + - watch + - create + - update +--- +# Source: tigera-operator/templates/tigera-operator/02-rolebinding-tigera-operator.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: tigera-operator +subjects: + - kind: ServiceAccount + name: tigera-operator + namespace: tigera-operator +roleRef: + kind: ClusterRole + name: tigera-operator + apiGroup: rbac.authorization.k8s.io +--- +# Source: tigera-operator/templates/tigera-operator/02-tigera-operator.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tigera-operator + namespace: tigera-operator + labels: + k8s-app: tigera-operator +spec: + replicas: 1 + selector: + matchLabels: + name: tigera-operator + template: + metadata: + labels: + name: tigera-operator + k8s-app: tigera-operator + spec: + nodeSelector: + kubernetes.io/os: linux + tolerations: + - effect: NoExecute + operator: Exists + - effect: NoSchedule + operator: Exists + serviceAccountName: tigera-operator + hostNetwork: true + # This must be set when hostNetwork is true or else the cluster services won't resolve + dnsPolicy: ClusterFirstWithHostNet + containers: + - name: tigera-operator + image: quay.io/tigera/operator:v1.13.2 + imagePullPolicy: IfNotPresent + command: + - operator + volumeMounts: + - name: var-lib-calico + readOnly: true + mountPath: /var/lib/calico + env: + - name: WATCH_NAMESPACE + value: "" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: OPERATOR_NAME + value: "tigera-operator" + - name: TIGERA_OPERATOR_INIT_IMAGE_VERSION + value: v1.13.2 + envFrom: + - configMapRef: + name: kubernetes-services-endpoint + optional: true + volumes: + - name: var-lib-calico + hostPath: + path: /var/lib/calico + +--- +# This section includes base Calico installation configuration. +# For more information, see: https://docs.projectcalico.org/v3.17/reference/installation/api#operator.tigera.io/v1.Installation +apiVersion: operator.tigera.io/v1 +kind: Installation +metadata: + name: default +spec: + # Configures Calico policy configured to work with AmazonVPC CNI networking. + cni: + type: AmazonVPC diff --git a/cdk/domino_cdk/provisioners/install_calico_lambda_code/main.py b/cdk/domino_cdk/provisioners/install_calico_lambda_code/main.py new file mode 100644 index 00000000..97040eb4 --- /dev/null +++ b/cdk/domino_cdk/provisioners/install_calico_lambda_code/main.py @@ -0,0 +1,49 @@ +import json +import os + +import boto3 +import requests + +client = boto3.client('backup') + + +def on_event(event, context): + print('Debug: event: ', event) + print('Debug: environ:', os.environ) + request_type = event['RequestType'] + response = {} + if request_type == 'Create': + response = on_create(event) + if request_type == 'Delete': + response = on_delete(event) + if response: + event.update(response) + event['Status'] = 'SUCCESS' + requests.put(event['ResponseURL'], data=json.dumps(event)) + + +def on_create(event): + os.system( + f''' + export PATH=$PATH:/opt/awscli:/opt/kubectl + export KUBECONFIG=/tmp/kubeconfig + aws eks update-kubeconfig --name {os.environ["cluster_name"]} --kubeconfig $KUBECONFIG + chmod 400 $KUBECONFIG + mkdir /tmp/install + cp * /tmp/install + cd /tmp/install + tar xvf tigera-operator-v3.18.4-1.tgz + for t in 1 2 3 4 5 6 7 8 + do + # somehow the credentials are not ready immediately + /opt/helm/helm install calico ./tigera-operator -f values.yaml && exit 0 + sleep 5 + done + ''' + ) + physical_id = f'{os.environ["AWS_LAMBDA_FUNCTION_NAME"]}-custom' + return {'PhysicalResourceId': physical_id} + + +def on_delete(event): + return {} diff --git a/cdk/domino_cdk/provisioners/install_calico_lambda_code/tigera-operator-v3.18.4-1.tgz b/cdk/domino_cdk/provisioners/install_calico_lambda_code/tigera-operator-v3.18.4-1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..51d2afc1b17cad297dfabdb0bfa92d0c97ea3a1f GIT binary patch literal 37763 zcmYJaWl$YW7cGpty9Br38eD=q1oz-Nn5twu-la{PgLI782&S+tQ1Uq?r8&%_h$^0x z@zpc$vRIOL1lL@h{^sb%Cyl36k2M1cM^TKXL*pWY*I=!tOhNThiq?^ zWMzUEqYrt9p)6=di_2Gn7=MT@ntqwFRDLmD3Fqtfa<~&42)-@r0c&xMX9Q@&&9#6H zNxI8#z*?+m;h$gvbi)O{Y%^JxamwKsVOkN;<00axfs*m82t_C&zoNFELd?V(wwOaB zy;?9~DVqe%(B*-}r8 z@=cOVK`=%6ZQb++7y^n;Zj2P^6dLu1`D11v}G;gC?nIKk2V@nH^Q2a zQM8t0`+H^dkc`kE9_WV!84<0Z3U#!7HOkRpJOM)1yOO4Da4mia&Ifg-cik^N_Zm-f z6^5UE-rzIIW-gc}2T(JfZh%?Q440q4^YiodV6vmvyU|aP1U_t!S3*0o0xOeQ$2FBD zhkkV=+9|Rpz}wk)yhxnPl!ZQ9qZ(BnyW1ZMs@0g;u{B4smw5-H_oA1-hC^R_x~42R z1Ef8k3U7qnEGTCnDU9Av*gwu%twGyupPp0?_%B>HfZd~)oka7K=X6B=C-7eXWcu~j`5 zOOb*U8md_Yr;-6+did*?4gW62 zg9l5yo+0Ok!G>Q*R$jsL{YGH#l#`PgaN^$YqUX5MzYj(a2!WvAzgo#4_-3Easb5!< zxrL*M``T)o=Fj!+SqCJiLMd4P$Ga7mPva5&ap|pWJUh=}AD?Cya8@+D8=6iBwBIA0 zNvw6CqX`iCV&R{M2daAvNU^3$ry6daQg<`#G)e~n9^cAG!03iuUk<_2-U;^ax$3R& zvAOfJ_W59!8x}RZ!~+p*;34f={AGKbKu?*}V$oHqll|6gR1_Z-7&bioKt%6a^$VBNARe3aME~~;Yos%YO*Lop_mLbPHlYmpZHIzDK%~q zcr)ozg;Uu4Op<-O&{tLu)*z)iodHU!`RQH7fI0p`wKOX?v{31nTXEG)0vfyFB-2LM zAB3~LzI<%~t!v;2Dx)atH0m*=cR6T-cd+>%@bky;1^yrikTSY(4PbBJm&NkMh?5=n z*zq6`dA*bN4BV;zOZv(>cLX7(S9kSD?n|m02H9$aZtf7X-G-1d3|@Sq!h=DpsYWf> zR=4{YaMgOO;l&H+{u$2v1b)CYv6NlJ^x^SkfHQc?*J8c+cd0WJB6|Xx3X=Kr!nL^> z*R5|YyDyxzwE?7SsUvZIhXXOFlElf?xRV*cLeE+@Vz^Wu{;1K2v8I9Iu*L)B-*ni9 z5pdbPgsA9I+!8roHlgV<>yukWMC;h&N|wZ^$h#ACu&}eJ%_d|j55Wy%yZWQ5)6ZJ0 z^%tE??1GANpU=!jGhC77_5RjhnlcDvr-Cn_Qs+p%=gf}jT1c?jm9DAQ5)=++Oa~LW z$h%{I4KxvL7ZpI*O2|x-&xuzLr6CIFI^v}tmTHG`X2<&j6bne=~25(h;BxC7jIg#~#D$Sy^|)sM%o{n2;*FSoa0 z{&x%c_#)s%6Gl+}gm%+cwXJHk%v-BJ%IKH7;8}F^3((Fgt0CGQS^Ry$r*!>$BVZC4 z_!J`{6B0APp@?S+5lMcdM$2N4zh4la|55vBTAJCaN{+EoVLs$}td3-lbCgE2sT4DE zFrgCy)85OU!y*0&ez4!XUw5dtkG7Hbp_%TCPlRFPxKL{Z~$x z|9facszPH4*xHk#CG$tq+OP=K?9rbcyUeV=gj(0iqrN(qASsQRPs~X@XL$`j4!#}O zV~-;DRyTM#8Bs&)z8%3JM*+1~7G8oE6ZFg3=zZGrn~D{M}Er^$_M`{({*L|(b0dd9*E@k3i5xs6p6o2iC6ztGM`~#L4gY{!-f!E#08Ad z-@l-9oS720qD-(mX5Dl2Hj7+clK0;G{J5iCg?9%f;|fgz4&AcA<(ay7F8H+j>bj6c zFXqD&faBvB4h%NU<)DSHNtrhtCN{c6OqCL^`K~{NZ+8$^hskt^(l>{hj7vluDcj-fkP|myvCYO$qKJGcA%5+XujT&c+6Bp7waWoE>939rU*q_g zmnH%=*E)mOFtP}(C5c&%C1>@}>3N5xHf*zi$=pox3x#B5`fJd2UaKz$RMiY1^WL9x zloJ8fh!kAzW`r5OQwtKc>9{6w^m=lIj6=5N#!XD)fUc7-ixW)3!Erptp{lN+05z_g zED$ILIqMd{ftzD2yt3=WP12@l*lhASh$)Mk?~iFEf*;SLKvzf+KNdst!NOn|zuu?J z9vA@;@7emsaCK$yBCbved+tZVLM?wU3H5WfW`YdHXRUd%_7Ev9HG-EDX= zhTP{5|DIVVy3a0;jB&^s!I7;nVR=LOYW#>fb^-Zish4VJUCqE;Y>hKF-HyfgFzu+- zgcYrz)IOUsnSh51`Dgl{o!CYMsO9&kt#N*O!I;trA_)*QKBr`hijElv?$60QctcU= zo9wyH6!!d@@uRZ}haoEm^>a>=9bU02ZFTKo;m>fmMMwfQK~2P1%2F~*8&t|*k~m_; z+dj{5KO6wQ0%sCO%i)F%FMls(mf;??z7zBe*#xZG^k%`0H-gKyAnKRyYsHDK>IDy_ zO;3-V%|!Z4YK60K%~LPuuR*RsP2p|0dvla7YT^uJ$0b+IkZouUkr+IQKpGZrxpcM3 z=}je=;-%yp7S|%N2fX>If<(sl@ zE^eNN#0>dF&a9UN>Y|@Ryvi^rk=;ILMBhg_O?{3pBM5O75aV8@%ckTO$n?^YN1@BXP(JNW&pvNw2JwrZU_dS=eKs&?Jt`c=`qKE?lJ)-_Xa@8ZWf7peU9xTSWWI zoTrL$I1r4?rdSxM!mm^NC@SJ*2P8dCwuv*@G|)uE_VT7Jm^elc#d?6IDrpxyFpj^C zI2iAb<1X|8bsn7(wm$Iz9RoM4x<4?H7AauFO@Opc=AIMeYzQf(s=ih9>!jXh)_fLY z+5Y1-IGu1@zs-() z#UI`FHnR-ldtd=>NoEFb9veQDZWnLp9EEfAyTNlWp9iQ= z2(x?VA5}bLNRO^<6wc{eO?bY5bahIh?HcUw_F?_j#Cn+ahsydDyHEAtmYl<IV2q(UYUD-4PhCu65C zqfrKPU|ym#;=DNRzq{2vdZiWyfNxcw^*dsAf0#N;I4kasVoTAzfdwo_(hMuYo=1vb zZs248?l^k!3h#qf_a?Pi&!2na&DbeN?b+!vaR z6{BRq0bw#$zS(*5)k6ZTFhi(_`(dqQxpOVAe-ayn<@dSbi?%?m_7sRLaLR@Mz*K1S z(5)d(nc1ihVp1LMxRvt!Y68&`hi8{*OY}6vpP2)A-*3EcI{GZ>+W5=vtE2h8Y26~x zre1ANR%B+;o)Pa_UeV~gzC$nuG;Nq_c_`xwHxN)r*Tq)z+h6^ou5)P-?s?eWnng6x zGR%MzpM%Np3uf_#KtWF72w#$tUQ*VVw zyDGu{j++#TC73>*)s-BD$zpMz!4xC=_YMTgAy(dg3LS^xx$t*txwp0`UU+BMYcMl> zc>Psr)sGr-8swjKkBMSHuETn;b7be;#-Z6|QXR`+LhkxzuLCLHr>Rm@%Q#c?y%~KE ze0zLf>9-TVijFblJFkK-Z-hBAjNrK2C%ALb=F9yZEipsEQ!D zH`h2hLDT*5etGYq_r}4-M3uRsA*sUq&hLP^Xu)BbPpzdbpaoj3TJfmaDv}sV6@EN( zu#k!<-q15PeYF?9T}{maN5fW7h7BQf=EQ?l=SfFG1RtHpj*!53kYIH<%T`=cK|`UK z5>dldlgt)^HfV1%)*QZ_FN1raPx|n6UO);Za{kzFIP|Egr7)~VA&W=#t^i@@gmmQHMCAS%0aa!-ylS-sgSqBj26%5#Q;-=7;)C(KY5+ zUm=)p<~D9FvR-zCM=_>mYNxUl4btcAuRCR{ci@|K_K)XYkOpY-(?ew6YPaerU7fz8 zwp)HTX;-2W!mtu!X|t=)(!1i5XMd|PN?n$UD${Emnj&IukAOmkJfaTVK5rs>^TMHr z_q=aY2kcvo&~qM=m|oQmJV4f9-rYjBLX$tY^7 zk-A@=NooKL{m@X=ZRVqbHcqcNQXcb7$%4Urz{((05jXp;GkGnlQeV7Fd9~piq8q&u zd?z#J*TN&(p!Mcoh{ey4xCDx5Yk66z_`?*~Tj##r`Aw_A~ z{N5p7SQeZiR~;?J()NxqcHUoXaOK1X86s&}EFi@U^OsO6m2OoDN1tHug5e(;Xeef2yMC-l#m+ zpTf>rsWFf4v3BxCz7*oR_~1&)&|BeQF;sFKpm#@5i&H;jrO56DeEG5uxeiN`-eJep z2dj)lDcMN7h%t^60lQa_SZ8b(r%-I9q_R4N`ao4tN}x-(4ujvq^=!zn*Okfz3Z_+; z&~wVwEsLir;Ha0P9N@im2421BPvI_7%(<)jx(!rPo(2qQ3{JAf^abZ~2Q*7)SL#Xs z;#M`j<9SD}?I7WfrA#BjGhFgVW%29pMBAN}iOMkTLwnua$tPFG16&wDJ&gj|Ov_GO z9l>N7{( zDoLK-SHi=)19!5y>u0MI4DZpi9@~57>Plp;exLR}^4cg=e{f~fkJJ?W{G=n?L@)Pe z$J=92`|al)A3hh*$n)4X(*xx~=ws*FW)mNdh6I9gEmvm@N1Tpb7r)z>q|~I3reUmE z-QGy+Qrp_5%uYAdJ@C5~-XzaPj6?I2 z;7}%i0VK=|VtN}77p@|ThO5P#D{>69Rdh~gQy=cZ!W6k4UL#f{X}AtY7eVJ61fo7I z3T30cAu3`lg=ETTc~c$NUe!EvJs}>MM7CqvX7=4dLeN64A##TaEZ)B_6k>5NLIob0 zKwzfdUgBXlK336ZYnGB+OHXR$WW(LIWICXk=C+j^3O}6d~ zv-4PQ2VaZl2VP^i*rJ}M#XEl5U?SwVl5Sc8BO zhQQOpg5-wH8qCf_iGPnrHMYf}iwODGcr+eL?JUiY`zS|{scinH`yti>FY_dsq|ppV ztqbR1q6Am|R*AI&#Z6&sCJe`p4uW`32c>Ps9eE4g;$rWWPw2TBOvlkt$jJrinHF}{ z0S46TfbW*83PGd41@lKhhE(zJ9?;sSbO`0~~R3^1h`E@)RcbbtpHtgbSScFs#d4y#e?7 zupfebQ%;h{z!djh+9Z9W+W3a$^ibKT+|5CKUu}u{Euy8zVCwnqby*Lc0hX z5j-VnrS8v?21%$x`(K>9a0x`)m9+ynM*gyGMZ6N`Mp!=cLx0|%aTnb2n5$KvXyjjV zALx&I{^(7_GS-sbmx;1t%tqZi+u_T!6h*1cyHCFB*-4t<(WnP8MoA;@042Igd*F@&DN3~c)VzYR~KzJuqh2Kzzaud{TCVDZDd`g@W3s@5+?|EM_xmu?7z zee|yHV;%wyhxBNmLs&vCMaDoHm*|aPsxeS@OerHGfy3>438Xxhx34f?zJit8U<^og z{K!-F4|URrfwN#IoqcX(6_=*OYabi5Nq%Q888#B^>6JxnszPL#LdGwv$|jg#pO~U1 z!g&282yh9+7^N(7O3Dt0JTm#wW^a!Wu$@Pf$QK}}3-QBW*;qg(zL7u$fKj^;9a=-oI%FUId&^D`mX>=3Kj`p4v zlrdE3xeN?kb!#X8XHm-&!gGd&$*zpxsR;;X{W!sUnHiZo=GW$e<&rB<<&wxAbzPa0WLdNyVAa>7Z}5INbmqV(mT zKh@9QDgM0znuwiEqk;$y1;f4!2n`HB@ysLg~k+tVk6^G+VbZUGj)ks?F3DxbwvkKb1Li z=cy45DC##PP&9k)yguw0!{ za#y|irA;?~R**>0eQKzZQ=SchJQ8b@nKYux+zM8nH3?aAn-I4OdYC+7nK-fPalsy* z-&~Zk_BT4D^sTBQzeA}|I*NOK=WYuz5I%PC!?_jVIN0LK{VT$>{Q^smH(G;=Kn0R2 zA?Zl=DbWW$RbM5IW%}ak|6+D)J@E5elbJ#);m57qEC6Y7?y`iAKZcq zICrRd%{7?7!R-*0!)<~eVAf#Q^z?xI01jESy`o%46Uchha!_bDhOA1IE`-)9@YW#q z)MhA^)Y~5NqOT4?pnT|FO+ffDHK%T!%(94FUILX~5;3-{E%dX`M+c<>+V6>7hbfb* zL+}YN%V7exn04pLhh}z7WU@Fa-Ch@NUWXW^zqnq1pA_-Nh91MsnuCxq+;ATr+dL^5 zEG@9sPrq8wR$9zVm7$f}uG!(uec@=3SaS3XV1I4w24u{ISh~xGZ!U*2moc?IdL=8a ze{CUiDz#9oG;DNfNr-(GBjRxtzI|9)YdBZiWRZV=C_zKO4G8l>Q24^GW@1^9WVNWg zLfr@<8_u)Qq)t41+Q=kNVbvxXJifVqq=FC)#<*xY&G57v%dLqMP)jsFpB6%!~ z?|$3a8HhI@O3%_Z;8Sw&6I%Y8DCEvjJq`KpyRU)O;&_eAtBPs{si%A>VW2L#lfsyu z_hd@juc@mZ4W=1Ng%|z_)%v%{G49W-S$ywJa-J5F?tZs>)N!s{P7VW8b4SKyb9x=Q zFu~3NT(rL{U-oKpdd(T}+Pga%@OrFacM=MCg7W?OUy^=cZodN?wT%2D?Vh_AD|Tir zG_!^AIe|?P9nBg>9z?0_5;N?DM0zf!QB5NO!(WNmlkQWlyr1)MXTA@KwqTy$!4!au zCrPCxCQp6@gfB4WMKf_2Ee_nSAmWD$SLc&nx94sP|2xrHKY9AKxl z{?Kk7I${!o+DU-?!{wtns5UTVt=E*Nn^?NcYBN;hSVKZc4c<=(7PXMJ7 z>TnDPaE^*(DYa#^p|zUOz#WS)HJOlGWJ175?D&&6 z`@EI8U-bj&U)<)}n%gsLNsmuNjYAQb!PAdG1`lyaq9@mq_m%GeakIL5#qvwKA7bgK zT9$+%eHKeksYw6_=W}Lqg!^%#tD$y1+fOrKlA*l4()XU5jdROsgUL-&H$VA7e!Ipo z+<;9NmQSU^u&AG2;%3IP`%+D2Qh5tHyxefwLD1d1N|G}a>?sb3M)|Sh_!l2?H`e7| zRO1g@;WZp@nC^e#P4@&>i})QN2plQimA#j*=UtbOeh zUz@1b#Xn)L&(tK-r_RjCw)OoV_6DGY_=Nm9fkerU!F&M*0&#=E$Q!nqK}kQ&g@;3D zSZR0kugH1c)Hr7$EcSG2?xq@NCM!h0Uq6A-;^^EocqMOw48tebez__5h<=0F*~N`h zmn9QDSmlJ^RS*bdix8YEmLL@uOCGv_2~by@Os#5!8RO$BD!pmjz+~#&Oj_lr`VC0P zY!G8ow>wn;^t%sBqpnv)`Ji)o*mNe>r!jdLB1R@9yxPo?Dg=l?&A(9{4K5!JzE|D! zdVxVm!;PWSD4DeCFi9n?N4E^q4=&O2FIp_|^T&VP>!joxh9wwd=pd3W7GR!b22Lk{ zx#IgmGO8F_tqBX(kKY1y*hB!tLc8Q?ck#T)qgGZ%IdQ$*CE zofZ@eXo=q}Tl^T7HysJ=i;lo+Bp+Wj2Y^q&Q~y)NidbXsb+G9=G#MhjzRC)w*``%9 znDuO<4l66-9vkjnz$lJclS3BRwl}mfgKI@-rC!XvNjvRq3o1C~TI8I-W~9oGu9%Xr zGY^VX&vobb=(RhIK!B69#Aym;1?HxSdl{|m}F-YFToWC%IgFz6d&>6LWZ+@MZ|!zo^bHuotN4Wz`b?rS5k+t6@8UgoNY> z>_fuq^S%DBKp8#0fvAvZIq{{yg52aqRdGHbE5pO zXYHEJ8T*+S119aSOH_(DT7GY76PK#GEK!$_`;7+hK%QqilkvKrmlU?7FBf%@y&N_i z!!sGiiQc^?a(7C$59x)%uQVi76x5R5TFvib3EU{I;pvVBBx)KKtomM3id^#arE<_J zIBOXQI??2~RohgTaV(3WpOKgPKXdf`Gik=(pm7`YLF?r)SKR`@55N&w|3mL{Q2%i9 zBvY9Gho%${0L@H_R(P*T-3;F6de@jOnIJkx*#{jPaU*;INKEvH?*|bBr%R~Sx~g%g zzKh`7#d>ks@B1nr_>+glp>7I*P&Nj0w_2uzI_z(*py6TF%WI+{OxHP$84IKDiBUsF z-{JK5(_)(RpX)5K1=q!%_)e_MJpN|>($Uv`V_pr7FOjQdN>t2*JW#|W#wRTqt1&x> zk9pN*%gQ*ukNaa#!`7IJ6!&KUR&+B%gVf^hF^gQIgUEt+jlYg|<&`Mk1*U~2VvQ*p zt#(41suR_N9ixW7)7EZRRbGE;`B(fSKKuoc`pbZ)=lJX4raYGAr1{q&ru@M?bQCwg zshwt-6|;_7Ugs*!{e;jH+Kwr#!Np>ngA*GzOQKK1T7|^UNl2xI`Y-3)X=phbsRy=6 zYp$-~D!OaQ`nL=f5ZWw8K;EU1H|qk04t#=I|CkplAJ%Nn75~dL5g8$cM&fFz8qsK; zVackAmOgdqaEK=hX%SH9vf1wvnOU_Tr4*&n7i;#Y<`AV-S8-7_xtMdLXqvlW_sH1; z(>nc+{b)QAsj_bW{JAHgLw@w17%C~8R|M)=HNDJD{V@<%LoZWc#{&sjA3Fli?tA@hj z97>(pcd<4}QfZE{i^0D>6=Ohc`wQK&2g63(O>NKFR#5W8cxRQP;QgftMc+IIz1)hf zC5S9p9`7+rK(6(ng{~7^eaf=Ev&y zFgLv&@Af`ytyWx^0;SY0<04XJNJ-^D4u)0uk5$~6icg|RGW6CM;rrd*f_c;`L$a;! zH{LDowLe~LAJm>Zag9FOuPSf{AjMY|han)g3;9s_AbqFyknw`1t+6hNaBxNfLzgmZV2!&@XMGk(c!PmO};Z+nX4 z9!c>>XVq?5DgHb1S*0kB!w6IlyPdbz=3ns@*8L@9r!2K?f{T}!@>1i2{Zk`91)s){x7;-XRM4+(6zX?L5h0SjHlTnD9 zz!<3HtsNiOH18*EzgUSQFt~{>`5jUF^j;eK&(tDVx%gs)*?;>U=)(V6+V!OlE$!J1 z4KGp4Z`^FR&0Z2F!CX@!Z0B$G=$9ng9`cZqYz%LLB(_S_ zR}@jPT$DYQn*BsV8g*7b!R3wlKMUxTUsvDDQJk!*TZ|_s?*B|%WYAOB`#iH^o}?e` zAD(x+jvr$2l6F1o9z`x43k;)%yhPjc`L%l*Y=uA+)8-isx2)A7(6r$#Sg`rzb$r#W zCol!V7<)>o6lt^7+eAgF2h=3)8d$cM!0)t|c)3VN<|t*}AGt9ol(Co9vizY-P)VWp zJ%5?uQpC>pZWp5jI#2(I$x2_tw8zJZ$9bfVxNC9lh5fJ$QWANZ-%|X z`Bbz+wP7BIq`n)Q0o~$PVAZgq?wAfY)|0DaP#U4vhz2xC@Wo@mOCQkU(C;66f zezFn^jfv4V%rN&G{ndJbt1fFYT9@?1PsHKD96jtd$IN6TiKi3x`986lL4VYqgaYQI5uD~hsRhzTf@VAwirsj^G1=nghvWLagBWLHs-DJW;@JGWFLd-9asQQrT~R(}$OFB-r8Yj5PSu0s zEaMv`W;z)T-#}K3UuoU{B{jEQfiXCyxt>(pD*}Q`e$A2Q7Nic`7fNaGtqX7c#|63~dYyjS0C1OEpEpl{!fhKjW{R=<1q7By}&UT^1{g}#bjbn!QP zL|b86q1b{Ey{~TuLG+ni=im55SL^;nKmrHDhC*S{Jzx8=DD6!1S;R4PNl9c&6z*-Z zue6NsKd@Uaz8%@J)jtk9<-X;c@{F-E%8Gqp6q76SNx*np_p%{({ZCcxbiF#cJdLEr z?I<`c^l$@~5-(`5 z`#I+Nj{SM$>X??LAOBO17yciRP`@m1sZ#ljA$oJji5OT~V71}DX=2Eikt-awR=WxM<-chDk z(;VL}u7*%z+9N(FmYCiuLXyAdyKr5)T`f+EpTC;Z7P#ohWRFIFczrh|0CujXSvqe} zA@&*{7MqDGo@Q12d{(^)!JtW>V$v?{O}fcY5j@X?w(?w9TV#C9@}sF~Miy?P;YO4* zmJN0u5SEx#{Q7tmo!cIEEi`nySD<|E-(ux~um_Mpe! zK{FRABdeboWi!;(v!oB|k#Kukc!x!`0PHX184e3S=(MMj0vNZkXaKI6aA#`@O`; zo=T)RsxhE(^)a-5dG5-jUlmoLIA#)6zNp&T?Wd8M<>gJ6%jvN(l>sfLco|q+xYzzu z?i`<$!jZkYiG$YM;F1{T+j@|7Rii4=nA!zk&SRdjac3=-wd4(q*z z`MkBCannT`ic(NM z#N9EzLBrx$uv7}Ah+q~!QTDcAYjBXX2X6*sy2?V!5uG{5yN*NC242TaxA91OFclg? z@6|E$aObu@YfiWYM_&05F!qSg!wFsP-fQcmSi^1jILBSTnt3yK(j;;$mt6KA`t1+F zRAxkWRx@F}ovqPI!b%sHb72!{iU(NvbLi^ zz&DF2DEXZ=Y~3GipQ?rHm&)19n_BKTPoWaXiB?^v;pfB@oy}tdAB8Ok(w`&sAd0e#{zT6Ff$bm5@m)I{zF~}efqlTk~ z3uDAuE@jMj%%8+~e5pmNZH<+zYS9sma#P5lj(@H1G-$n$@KRy_cS5LYT;IQPYpn;V z5`{C9Y*yZ9aBk0ZZ^gu>73a&j+6CS3<+7vV=7|*U!+R-gmKi#7#{iGVds6IyIe=(# zQve|kv7GESO>^d^+ta1 zX}y%0lZZN%gm?k;@ScK6CE$CfQC(I$d@aU_E6V7{x@L*BkM@zhs{ok*pifhPE`LR@ z7PTp+H@@NOA5gc_28_h)h`QZ!){&uogf_WnIonop;Kw5LwC7pUy6n73wxx+uD99Ee zKcdTX_(^vUc~pn4Ge8?9?;G%xr(NLaUQ_|b-I6qJN}?Jk;_lM6`nw%fu^X?a^vH6p zhfSVfdQfMXTv=cNU&-m9|BXQAjexpCF!SfskPoNJE$P63L5_p<-OI)Lp(tyeSZSi~ zA3gV{m^u0;oqH(;tv`s#v%#ugTKzu$GT}h?dIR0{I!6H(iAVW&uDx%w1c=9!WPNuN zI6>)MIq?HR4~67yz_VE`qDXjJ=ykx#@w_iz{j@^ynX69pyL$&; z2I{-jGixQbQ$CjnxoY7da^Od7RgKxI_D>mC^RS~hmHZ=Ad8#Mfb{++BKO+9D2fonQ z=@K395w>(mcKnkTDx<0O<&ty%AEu|_(cWWGs2;YJxt_H5<2wy=+o|__17htoTp1>q zIX50sR&l>g42ZOyv@-yU6hoQg+12H#b%Xv+3P=|wsHHKyLKdBp!*a;EG>`-%-lk_v zGEnijL^(>KK-;~n;5sQ%v4oo#H4loY#Qku3C3be5vqrdLdshP2!yd`F=Lr}OrC-aA zlPwMI>^XD1Vm4^ww&@A1#X9XUP^z(|>d+QBM?U*2vMGSUB7TbIz{Wuw>_oaY6?*ux zDU|JnzpEk!6*Lv(mQ{5o1f;dU9#n~FQU+6dZ1=Fy4scWX@diNloxg&ojm@t6c3fBQ zK9*xIa*?fT|3$T^Ww#8nId;i^Y+?rQ1%=+HG%Y!yuFKx(HfD#^oeI#>u~ZlmRD6$B z_lk1UQrog)wlSi7icjhdq`Z`JgPIwHe!MIqFsk>Gm#);`NFayKk7KO-{?t?8gB`2^$e5 zb0(?%Ojz^o@N40#1FJ!yGkzuGQEu_RYjkjU%{5slI{O^zIyo^XuW$Zn5kfEBcES zEa9)vJ({IsTcooc{A&Kh((W*2uXB-tsMp7J^z7tkY&+P_KZjLWcjjz(&0fWnhVr@T zdXwp_1wZkl*N_^V)aLECPjlH z?r~X|*I}~nhoD$ibPXQ#=E-V$#YrDVIR?p@#8XLbGD55!`xbE`4Nz~)`!1&lB~ z!Cwe2i1gz@Y=u$0z#72?t}EAy%VpL*f&- z)*`t^D{qc7wEaU*ptFXgSZl?oGJ*bai%q44Qw1MYLA^2&`n)`t_7)s3mB%yk!JnhO zza^Xwj-3)`i=>@xuq?=*=~EQ?lv{$QBy+gmPFpn3G&^0(%4ZgxE!@VSs%JAH<0Js^ zZ`QKXYhCpE`B+fj$A4g_)79nJS?v%z)!m0`UvcQ`q-Awq=|(3?eG30=HkU zg3rq)|2`w;HXg43jkDY)A#TH|aVSGJ3p*ItO-e+TmD5(JRTP0@9PK%glrq*o^ch9J z^RbL+I+cg@NJ4ep%8B@F&Xs2zS|L1cvdR`sr|4V2%bwOgbm-v66^0BrbHLK9k_2YOuhjhc7M=X>caSwPtB&d?U#7E) z5j#CmIFzWAVvd;y{UGWz&YuyH9&u5N_EZhRt@>gNLAcY(8o?1r!er4_E@Wn&Vs?$Y za2VV0v&DTa<_#NR@Aq5eR$(hovD@kDk^>FLPA zQOcGgODjRzY<6A~_Bb-#(vr8p9l)lQ!kn?(zVdw_-4`(PEPR)PZ%%;MjlK#C@{A+&uxljOt>KuzL%=LJHqO4<#p)-6D&4fdTDK#&^|L1EyKF zsTpoN41HTL*TMM8=nPf0UBgVpMzzI=Fn;e6Q@n?0X+93**A5ecP&qv|C1b?39j-h}*_)Jd@gVq4{#P&$xVuECDGyG1TG14-kvte_7 z$UCd`n@a%^f1a}oI2g1=-fNDN!n{%{0*0TMY3#QoFD7~2-4%UI!bg<2sRPHgzcd^s zhbSKQIXXV&nilAATeV5PRrdQM%qmrYWl>$iaLoTj7AeP~q-QKku+DR*Kodo{R9+PI z2&#|j3=Svj-e1|7bP-7Be|T5!L*^34O8aHX84T%|q=p+99Ny$O4?9?6O(|##j^XAE z#LIrCF)k_}K)J)q6)2qCMXnL{A!JHnr#IxfVaqx`%N7~b7R(?C^ucDPehq|Y^`02D zQ&43&?pU_ju&n*_E{r;|&$GMlw{Lnc!i`Z-Bwh$(Fmf}rshW*3C-mxM=RP>($8fCr zRWnhyB*luhE^2|lA$}JFqc5(aW#elz!Jpz2@70H?3b=6m5NCYIxdGq7t#67+s4>n0D;Iz!snz^ig`*p5}a31MO$UT!fM2uGkXfdJ$%hS6ttH)+!-SzKPP z&+=*0oBCrlank3WT1)@QILK!R6oG7?(#se6*#<>A0E(ywQ(X2wp%{Zfgae>#Q8Z() z8Nxf+0LXT>PB6*iKl48f7{9+d{C{A;{~PNyuNPkf?Eahh4`K*LLN^BMaaq@Xn6^Mq zCF6Q6Bei7K8j!YJaqa=*#2LCMaJLhX9A&~HOo>(ZP=)XM>4aZ~;PYR0v1cs>{y&S% zZ$Cs?@D@e*F3s{b5?%PtkhY2Fe`9|C_5Pcp2lo#RJ-dtj58MmFCH33a`$qV0#fsbA z|9cBp_Y!9i{CNBCX*|UP$b#Y&m=p0`?tmM|GMB#D(nCF_`fs&FsE$(A0PjB?4Ns~pYVDAF$Mlx zcZ>1VE15j17`8fi@qZ|L$KYOqM(a1WogHV#+_7!jwr$(Vj&0kvtsUF8jsMMg-gD|b z_kO$cVWz8Qrn;xAYi6o{Ypre?FYM5fVS0qe*f-Q4N~hcShnH<2%RxEud=z>HwgQ6k z>@v02ZL`n-8)a^Kpac|3>JSaq4`!8TtDdH>9XnbUaQGY#o~w0d3z>HX)ZLK++~#Zw zjt=UL>`8u~LWv7KvX}%>5~1yAq~2x5Vj5kD&=+0w4>u9JK(uRcI2zV=6#*ML{Fp*! z=z`QXnk0WcT7tI}iSCl!V=8zLS!Q$hT)&NwSprkpSgJ(wN`DEIKl@;s(rNbuF5FKX zfmlnHE$KqJzA-AX5+N{6pZdqx{ag9>z5H&-tSl5H>I%NlkEd7QSa3K)-CX7%OESGK zMmTDkTvElQhsw%Ge1J52%C0;~jO~>mJ;XgaTSexWj? z*bZ5%jFfW;8v8r9S~ei_&h$HNpUI8a0p6x7V#<$f49S;dg$oUovgEaQ?AwkTKQZ^# zNz`O&)b}J`73!{*1Z((g${)DzP5tt<&HU99$QW=3boviU5X!}<;hdQNb^HF->^8gd zlW7sno!0(ci!kqB#EXXkb{vzr$&<)O?+yST&}2i0shF-Xq>|(SS^&%n!~eO`o6#Ww z`%c;8W2#rG%n%?Ub|Pt7j_zLrFOyJ8q*XH+64CSQ9s8GeRw9y2LZY!zYoC^mV1miO z*02@D){;O|`8dxrHu`z&<pl4ix6W$)oJG$Y-WZO>h6j^MNK zl4xPr3UlMM0fyfGKLbeRydgsR5=N{OirS`MQ&&E1BEVYDDKgbSB${D^D z7%i*%f<w{nXuP9**7^%uN7MPzp1*L7G>7kf1XVV@UHHM5&BTFxc_+Ux^;URiY`@Fi5L!ye> z+9LeCV;g*MkKJ=BITbHSQ7&GORjzvZt>5^;=3ouLFO}46=+pZ#!1s=t^901(WnlB@ zE||IJQ8t01=HzJ=>788iaAu%_+=37fAcC5yWV+Z|wMe6*W0A+ZnUi@9r{cNI>SltBl(&93L$9KaO z6m^ab+>#fvW7WQS4s_SPB#LW^1C9KS*`(*?MDa*;rBDit@%CN7l!4Vvb(kZrOK}+NV3G>(F82=TxXJ%@kP*N=&YU}G zPaQHCN6(FZd^p*D%0?YJrbF86a@3${DY;>@ILpDWJ#?I}3reh_gR1qn~SyepEuCg^+KP1EJ_UzYTZ^)tug?Q!VOQ!7G&F$^!Z5|n*+tcCI zI}U(<@J4d4m&}c?`b@nuR6g!=q=v(&XClqwQTutlFy;PCHro=2)G4*cc=}efL1LG>!cwa%;N{7y(H-pL%&URN^DrVP2TP>1`xdQzleLk} zUWnYNIQAqvO`5SW+fR`p?s33_x%mRik?*apd#1SgR)hiwA%*UTzmab0qbtJ}igp$^ z?qts^;E+7RMFfs}dJkQ}$f&eRliR9i*ZCsD?2kHVKiARCV%Yp@ z5)7 z$tPGRP%j7k_Wjh(r`W9n^Ncd9^YfUDcE<2WbLV{ED^WPIiN-SDvjr?F)?f_Q?WrDy zsUhu`wH%nS4JJWQb_9B}=tmA}tg4azI}IT?QTpF?@R>0-#|1q^mi8^rW-T~0%)5d( zRDw{p*aCx3|1zYO@K?~0XL36_*RK@Z{N_qS;fI6eG!#a#_HmpX`e_;7Gd~ENbXH)6 zZ?P_fB?8i(XKdWi{OHaKcxB%6p4+UDkB5HqTfB-mP1JggSeDkLxk8%cqOtip7&)-F zo8qXnZ$bT9AjMFFxtvS4g0Asz2~r5=_L{>J^2E_MRQCOm4c~`rwp|F^E1&~2*sc-jl>cH$C+}mPxzskI=PNEXnEP%w8GQNWB|N&Prv7HtcU4v8i`XhlO9rZZ1Y^^zXFdqi8pCG z0C6gk-hVZsP8f=8er9X^fsyP6hjxB|pkmn}$p%*sQbEsV0?{Cn9U4BRAT+FmyqoIS zz1!Xsf$o4ug$d@y1YDJXC)a~*s#Z@#@QMS7bDpKd@X>$`MB2d!jR9%#J2PE7uQY6reJ~DrYS4L$%%;vFw^f^g#T7+JT)t)$#-(HXK}B(f zcXB1i+0rDPd9GB8!Rzk?=qgsau|08clK47BDiSI~W=;QvuJKGvjD{Qfdp4LooU$u= zJw!$4*pu&jg7XDLB0x9yY8{}L7wfQB%!4=m^JM&B@2IyH*pdHx5L4i7HinE4K+D}E z@QriWEAahcGU+!4+!6?(3^Ne1w@ttYv@YX*I!(FU<@d!?Ji?_}rN7y#L#%#`5J zB`F~I#tr#m&-xtoDo+%t-HN?@^#+}Yg}J=l>^{W-_7rmDNdC(&*mTJjPbXPR^Rh+& z%198cFSIR%JV1B>->^-1@s(i0(|O@F>CtlcRn#H%J7$Lh|U%2KTcEC_)mrv z=ZxUsxe3VK`CL2L63Jxr)Q2kJzp1FSCckGQquhYA+IbF}~w>Ve+g`5AL+(&#P{mvSC& z)rv7|BO#=CQBs6nmP#I<@ELr$S#o(iMZEj#T0>hVRd~{b;Vut(4aZQhg4fZ|92RM% z;A&@=ipZA6NVnr44z4W8Q*jg-kyxp5%H8x`0e=K#BY~AgH-UaZoJ4f+wrS=1*K-4P zJsG(Pf{JSk%e)R?ejXM#;4rV~SmJQotXgP}hTI)**wC?KW%_gr| zd6k02@;g1f{m}3`w~u~fH8Stmhfi6bY!l@iCgrRhzbK1#37y#H#XLLB=xFR-bVom% zk?DsVs-fq_Z*2mn$Z$Auj*Q(H-uZsI8XrEeHhNVSXP@Hpo%Pu?9^8P^z_oS(D9nCc`mwDg zp$i;zG?=hf2VOn*o`}^V>Z)D&(Ifmth=usr`N2>_-z&2Ch*s#IQmiJW!>zKDI~8j% z8yU9hNLnZIjnpm8cvUe$%?@>}-v!k%Hr_@H5E|n*dO}xv_u7!fTxu-wjkP`vV0mHY z7knWQxHL_>d>7||Rqk1HMa&}*EJFe7^Z$}cvCa(=#;sOZ;8)DN21JMRGAu!R984?E z)?s(Ndj7TTmI>!e<3aq>kyvyjLB0zvhgQ;N-DaqC3Pf!7<@ID5?u~8&WJokm_4Z{d z4!lB2ek3(CuId0eKBj$6W2eN9S03%KvFHJub)_%bQZQzy8yVhUE3cbr>wExA>Kh`I zgL1PjwB+FTO8zKT@oXOb&`=iTk;3J)QJ%*#$1hnXz3C{JQ{EL=@TFH)X*bsr+m-5b zQ)8qo+*B~{V>KQ5D#88*Hq8gkjVKt87k6`l!$o$q|L~Lf0gWwez>*;eX0%0$*=Hu( zg?TSsLrEm@(koZwQGWU>m@2T6lqJp{p|&f2f^?xC7M`~ZskRLviS2Moe4x6|xgukD z)Y{dsD@MhYEPLy!UEQ}0^sU;&;Ra^}E@wW5ea}wamUFc(7FxcDJqDjuWWV6RZpXm> z-6y0|d_NDDYnQ0^cS5VF;C4el|G=P$DOw{C-g?iu!^gny_Ivmm`ly2-M)0IMXLlq) zC0I|4XfjiW4*h;F%OwjR9m~vxPGw(Q&RTv;QWh}W42H9uJ{KjYBUD4iKA?jm(ZzlP1+=G`k03}bHHJ-^x?IYjbVEFJ#ki4`lc;wd4d!*p2<5N zQ>2(D%G9g+kK1W+eD?g@8H58NifT^ep|2Yp1neg8SA$vV*< z0-AeBWOlG9S)mIX8ORW6N3n;fXl}=1NH&d0G`do$YL&JFDUow@RoQ;s&3WPQX>_Lb zgs4fUVukTg({*-7&+B39CrY+d>FMsJS7S$A zte7ha97BtOfCg5Dc{=qbO(M42d;b*id4rfse9p5LNn2@su1Vu4ut)y{z25YMYLdQ~ zh?i6lE@^HR?D|xaRp5FRSrSBZaLX2}1Ucgk5&}C^!tV0I+-xVK3awR6E{q0c$DirM z>@PFfmO3xnsovbHMpUvfTtpiHiBEa%;|8#?J~5v8r4h&0&}5K?+_;dYyq8=jo+LG;&3Bc>~L;{$#%dg6^`$qyS8 z%{F_BQ5d1%!(9-imH6z$8O6#P9VCoQ!R!6+4dJUp=dem#P-gxX>(uC_cqNf~Ic@n5t58P-(yPrKz1T!wO88{?RQk~o3*r67SE%U?$ zJ&JWK+aOZ;wj*4f{-6l_9f!tM#wmxvQw;c3ev5V{U1ZyW!SVEZsyE>;3p=mwU!K7?u#5AY~Xwz#P%JBDwy*>B(ReW0uLFitJl~tfu zCG~4S-dtCACz7*jg!J=a&knIm&c$I zz#wOgQYMG@!@%j@H}J}JxSC9^Cvdi1K)d02i%ezMA%|WMT-*m)i->imo)bKp9hAXW z>by8kEc_n{rA;5dVD|6{t5J_#KB8i zGlQ!`MH9PZFq!8eOe+Fa_7iF{ZP}t_E4>(Ey|c=%&-v-4-AFNUr}`yBeJ?xaDrhO+ zh8BsBH~p0xvmc*q8;#H1;+#Lr`NkcPjVEECwj(t@sDWj>v4@YN42JWtceNKUXrv@p ze&ExZSpm_e`$5^Ws}9h0FyUx?HN@OsyNEEf@G>s7Qq-xK=jpW~B1lYL9@U0sRvz9j zsztSp=WxF>g=+j~;tjz! zHjOeH^(uo@>hP+u``lg1T-3W`eRjKX=PxL;K!C)ZWq){kGQWNt<#4YMnZ8`AOFVaz z&)haFp9{f}3Kpk^#M)51I8?dw6&LpRl^~g|$KR`cZOpLC-0`OwJ4|IhotoY-^+~f8 zt{e|HYwgsB+iuj$aCEdgc`nD!dtw%0?~KgrE>2l8V?LUdpEu zW7u|Xw`Ta?YodleH>gQj%hR*R(*?1j%n2toUgT4WQH@*j*9Yf~$sXk_((R4o18MvkAl?-(H8nM4AqypQVJ77RtTwo=_!95P z*OjD9u-GqrdfNsckUVPkEp>RCNm33-7$nD^raBsB+@OXGAa_PS6C)1{Z|BoX`03tG z&0=X0BeP@w6-|0om%{M~l-~oWvjPw1(7t|qQ|D2##Q0jVb2H5J3p~2eY?tly^*GXx zJMfOM|LcqFSp!03&CN&ld*IsK`0x0)v?QaW1JJ0kpCo#_yWi6>mJnRpA4{1OJo2%R zs8+xM`*Ow~ga$rRzCLnaLL{JDP~SbspRk1Uw3kRS?vi#@Xrjfm`)x4C&HvEn5Dz^a z85%>Uzp%_euPv{%#2}pN=j{RfrIZg)_U{$RC9ym$fQ`V<&s7t#(?VS$g?@3MP!nh> zJvx83f!=Fa46oK5@l(GmH1hX2!|2S5!GKE-`lifDXOR85hMhGx-*?;j6?iDz5{FHb z86_$a{jl>IAOi;Q*Mh_v?f5j)YFHzRJ&Fv~=#0h+S|)nqJv_>1>S@VbW^rIs&ZsQ|w*rlHWREd`fC*yT;N8MZP@tV2d>_fvkRi|TQpGDYNP(QOwv zkvn61=P!xT2Zb<_A#wIy_bsm(FpFGHV!y!|-RZjmoy#=E9fIO_)!>Ru3~RS)%6v>U zd+n6=@18(tXUTaZJ&rut#Yljp+zQ>Zw3JAG}A;T zfEh+sqJBUj03#2ko%Q_8NXBnIaaGXv5u?o z=S$&C#kAlf&mHYbUR3W@jme>{zk%RK$7}(gk2Mp#CvBd&G5a8mH1Ez)4*k1&d&Spx zMHhc1#+-n@*9Gje%`_&>a;JF}e*tt&!@P#m~Ceoqy1W>4j( z*gTHi2#Zp1lV_M8JK7-&eojyycHrFqja>b%en9INQ}7pC5bpmF*OeSS50b0@VX;40 zmOfAe{{O{ie;D+n{tuMx`?>Ll-2N959{6rGpUEyQDFdJ~f z3;QoR{C{9H;wbA6^!?v>IcL`O|AJ=7T=!jU?|s_;M$OWuEdQHQ{}Aa`xSy*bbN)l6 z{l2KVUx!*P8UKTk` zE&*KV?fu*rMHZV0gNU-}LNefGx6veTgZyRXJ<(Nn7#WY676&)v1dAFycZWs#yqQzC z>qL!k1=NJ6uD8Mnlsa?SZ|fh+e+EVpmyZ2$KV#qT;FVo_4PjX1W#`Z374|?_*A7jQRbWjd=>mk!9S$in!w&G8o z_@)_O!UbOB_b25yeFFd|cJz?^GfU;e2g(uuE(i%A8Q32@^9vm)D|YyAY*c71B>yu3 zqCY|mVX!&Z9_t*E!YpIP> zd)!1caZN!q4tsu`0??1FVQEoD^Pk+^71IZ2aU}GV4~H6~)D?&K&k6wC@abqelA_LU z$6n5l9JBk=^OepCZeUG1c!5#)vx=oa*NB?wM z_yN37{*R4=NE94Tk<=)U#@_(?%hRl+sBXQoP`vVPjn9{Or36Ua_v3^xd&C<2)>q21 zsbid6vnaMAaOINKeC~RkbOC$h4Xujh5BBU`{C3t<_?toTtFBVQeoOOBYn z=sxi=GE_|~Y}<6m)J`@zX>02wK8_)Q>xXzMuj}lWN%0Ire;bPaqFXu7icA9?bhaGP zoehP2+0Y_b1e()a+0O)hdHC*lBM*V%uSV=?ltO6P31XRHgYpG&M=OoB_DL!0u-lQZ z1zWn&)q9#cB(Z=IwwL4|%41L){mu8h-P#_5Gfwbg)C-gJlA6#=u9#%P)!Ae1$f+@2 zjxtFlb*H1l+6-aF4^z44&lMCuyt(ZKK<@yCJ4XD2B{^Z*Tk2t$4(9a>@M|mP`a3SS zi8%lDkKL<>T$Dv|T)^aL7ZU6v?}CCVgrHDYPw4b6R6*U&3GjhXY)$@V&1GkS*&K_Y+V?|#2 zw;i#g^Kh!&m>eIUNCnN(IOXeJ;^+z6t9Xwwcy@TR=0d@$Tx8Rx96!p9UTOI|z*z^X z+4pv#oFc_DG^29$kki9)$W%NR?{xQ{@Zzat=gF5a_#JiV1g3!gAG#7VTVAi z7_AZ!jvi>6@fL!@WlZK$@qGhlpDuPA{89M~zJiD1(N5g2FccL#-Fz6sv@2<+wdXY; zwSg!f*H(W2&RfHz$-Y;Cm>OA9b)9hFk&=NeqHjRh?fMv~oJ7sqBynvh<4EkJlmLpPq6s`tGQz`b#uE1)B)dFI@i$XHzwu&?!3g#0imb_LUTwxZ4^k0@ z>(a|mlMhloS@U>phjA1QbnD!jH!$_tJ>krn`5ko6rBp5+G24@@(BfZdz|Dp(-}su5 zWq2C_tSg5EvUGG29xi$*zyErD4L0O}u;_E^Vc`IEZPfHaC(lK@!S^&|)V9%Ncc2M&empj``+15y`2WvO#e`j=~c?tp@0aF|}}2}oB?me~V-<4RYpwz@7Tl>fv`;p83)1`n>Hc06ti9yp{o+XZNfX zg=sVzyxld&*1C5zCg4bHwLR%Fh^0)G{Oe1sS9HTI*Q*OZLS}9iv`)*yx3)rNO$1G< z!nZC}tk}kiB>P0?+4X`wnR1xr{xWJ(U>uSoDfWDL1Z2h)S?8chJ|6M)Sy-Yb&eJ}U zSuQ)HRx9!Dc{RUNJ|_ypVW9i7N*qo54Eo+2ZEBtkgqPCCjaj zUDA&tA2EdCg{~y#N&TZf$`52e#NMvph;Drel{(ZgnBZuiW76NaI0aX?<2*-@@I?Qx!Q(zM1;{uV3l<#>;k1k~m|;y6GJjBPPeQgiSVOH$S2rr2UvE)~Y% z|GSV=NU)+0kTLjok9Tg1bru`v^{R4HETokdz=mg{7Gq&X9X+H4B^2*JriY7<$IP-d zJP02ogn_Hdl+4OrbRPTFH<}gv$JZTgk2WVo)?F;uSY-l=6uZ!$?d@!b*Ml;UaK3Oc znEO*%cMh{wxAzUqjR>nZ+J_bXOTo^H# zf+pnDYKm?{-dmXlS~5zplz*Vi_SbR@IBwpq#u6U z3i+{I|wE?cD3cifz%Ap`uhfs=4Rvx)n(pag4E75>L8j1-5EpE|ln)joDve=*N zgNaimRpgNzXTp0`}0i1#TZ3QBTQm+}Moz8A69ckG{ zHv})IA(2932A&iQ)_^*$HuV>lY=dWgHul-c=#k*+M6chs$6Pzw0#a+im6g*+OTIa@ z1w#uS8Pm$P(6jpH5TfeZsI@wAWiPxu)Os$zz{hlZz_rw>F9iPNZC>fMv;Vx;&+U4` z5A~K3=8r=@F?qI`slA(b3PoJL73T@I8r+jsCQYsC7q`q9bXVyPMOIvE*P|bg{_<&* zs%ln_A9ds`S^@v>P}7sPn=qfk;T6jqXV6(F>{igf z^kap_`k4w+w~~Ii4Lggjw|DJu8q+4Z+5BRyf`9GLdV_9?`pzs5YPjRcDWkR?l%?>) zazEZ>gbeNU1|4GoHQe(6uZE#;UMOdW{RNS1ZBYS<87vgm&M`W4ejt8C_1-CH)7B9Z zqFJVRZM|E){Yt2t&(1dq>e8Fn$1BL&vwE$BdT+|XBefqicK)_dAep-)?d zuN~xnB4bXm8>i~bE1tIAfis|n3Sf(G5=jb8(#vy$uDK*aehDjv!-(Q=d7dar(a4>4 zRLP%&>q(Gb&uUhd3ov%Yv05#=_!hoki@}HvY9N-Ll%C|Dy-ad=lkxAhA(?mp55GZd zK;U?P))M@k3Dp|vxvAp2-{E!`#whpJ8!x^+M|ou~eYiZG{~Sw~?jbZ2OSOR~VlUj) zq_dI{#HzrMBfah#Fmq=WGE22Uev*lw&vvuNaW+sW#F}=U9vW&*S8Jd|s3^9V4vQO6y~c`$9D)MoAci9K z6}l%IJfeJ<;8d59z282JRaE56fV}Wm6W2+J!09IsHNkYfS=-P^Okj@6Zs!s%Pr#r) zmw+93*9>$kLXJx5iTy+%>!})mn4~LV2l%6)a6@-}F}uIdSyktEPfe7?<}PIy zue_>roud5W8?QE=d4H6mFLgx=`3jfy&N=~MLi8G8vvku@<#JOVHJJu7)zLwb{s~Jw zj}ty6r<3Xgv=)sp(RiR)0=#llx!GTnwL?zKT)YYQQRb$JV?pEScV!S(k!9+O@0fXE~4QmD1l_ZhPORWkCVk5nT%cI;wj;9~^lT9*E5=ZXAoc zI~V!So|!_`Z(Q65k2YaUYP>fy2jz<&+&PlJ#SZS2J-L%PdAzuj4T)bpd!>`)L#?!) z{~kM!tJ2)G4_Hd3_w2NZ-f0%;Z>%DzonT^mr$2a?J3M*57X;zsj%58S;z)etA5A`8 zw^uyfgmruy6nQY?SEg*IZXI>4jAhZm_)AJ@IWrPF9u)p4ZB>qza z8?O(ImstcdsGqIeAXy`!*$+#Y5NZ0Env-e6=&nho9Ag&Dxd+!7ztohVRD207r z>^kjLI!1o#E;}Q)4Zd|fV#2gD=6loM*U)2{S!i9p+I{a%mQj-dn@t0b$HF)C;MG%K zi6RtE@_TWi(W(VlTLqU`7ezCLcu(GPvtu7%^=|nr=GG2BY^Q}d6&6(pIJ`d(1Ptg- z>3$n@F&%68#UDy!-rHBEHuCl0+dhQ_@jY{Gk{uqt(zbBbMB+T}C&y|wZtW4gf8k!a z*6QL~H(D2=gsG5KXrI%gTQxuvxfP(bF3aO z^+(y`aA~~GhpQr^#?o)Qu4_1mswvp&P>6~M41o68YUHQfaCmVq_&ED^n59DW;Qp)~ zw7mFu$R!3rt%o%s5bF?UET#z;V8OV0HrdAo#gZt&F_Z4%M z{P*>#(E^|ei%<)n&Sj&woSXf;nGPaPxVZ8h5*Obelu~OE zeagEdF=FW z{Em>~%+I&Q|CHlCpvXCp?l@rWJWw(1wTl6*_v3p=>Y7iO(hmuGT2z7iy_jlsv@ubN zUS~sa0sfz|)y_YiIX&U;yU$g*l_n@~33F~}H`fcDA`|%k5L|>?C(4AW|)*VqR06 zvPn*)Covk3aDp{r?@B)Cu%2=VS0ae@)p5jT23R{UE@p43zvglqZ7N@mR3wGJqKbS3 zohxwLX4UVM!XaIt!ehpbTy* zPN)*Ab>a{sfQBBpu$Uz}DoM5slyR)d;yIuy{261|x`4fAn+3|;VKtT(lu{=w@xssW z5eplss+QVZ7W><|$&Kc-KVBszHkD#50~`KQ1xx)wR-qQyvfO*J)WcypF{z+9Co~_Q zED(Y9v(!?8eSvH2NoL(8PJ)-##YlGpUD0R8V=3a5_3FFD`9L;7nkC8c3~>N1?>Fp1 z3KZ+bS;=*nripA)z>&FdvcGJ51461LO{MU%Eqe3nR4M_ksAnmtHIZgx3G-Li>=c%& zA1!?E+$oNO)!9*pYjJ^xWKcXeacA8e!M8sqK^DMi)s1E1&ab5GUeXx<`ZDAx)8O2H3M zBX@G)r(W=lIOYXC^<8;CB-gPg8~;>>oLJbj9?Z)9Vi)9+eldpLTBHSX^APbXYJMB<0FCO z>Ue%cTfI@$br_WEM=T$CCQ=f>8|p9%&~?TicpjFhFaCdie(dFXI!rTpXfpis+Vy^v zAY?P8sWsW#wNrX}FK1~&@1#8}lCivVWjz=tkng}-3;w-|LZvd}ibmVl%KU`XXP@<_Bi`hbg4Vk3*GWt3)f- zs4Ut$jWLvzVPBo5nH^0U-S6AWUAduQp%m4gv_Lqan&}EYk#m<=5J)|&MSTeSG?R%@Ccg~Y2P*X zfWo`=mH1c{V3~y<1g#4CRhnndgBt}Ac$}RRR9ciPV33ed7emv^W6mclN#-MWCqLdP zN}Jn?$aSOa76b-X{v}rtg)MkKW7PLS5OZ8J@$5&5FLl6pG5Jutp6UaKrf&0B^htO* zM}NPXj=9H;g>Ez*9vH*xEYJ2Y1yZ;WS2eq0!~~ae!;`ReyG;807&*=M3jVOckBL`j zY%h&vY_xeqTN2bKf&mKk{G0FgZIypgG`Z^;B1#hPZeE+b$`?(ktK2xX9adF}e%JwpJRe09biV}|Ki#pvR&g_D5 z!jt@(1OK6eaX)UX>3KkJ>AkQ>Up`psCWqE-HO2Cd*r=62M74UABbi6weA<6s)Cl&^ zX_};@b^*C`dZ(J@vX^`H*(0g`@{Vg{%G4FzIZp9HNPEy$fODU&BAJcH`M^mzHXhJH z_w^=2Odww{N;0z0=j9?Z^Is9vV(BR!JY@?X-$_M9j9d|Ho>vdT50U%+LzvjM%!=Ik((8}+nb1@$=VOeV!3nNA7>Ca2Y^1eGdl9 zuXQ3^DmXcLXwG8R5Lx;ggoEhGmi%6ryS#4dJI-?`rM`M87ZR|^4mp9<~3&%03gs?c)`w_w_9j3#w*BiX_LLVWEneIzMP-Z zoveOPJ`Ky6Tu)^DeJ(@x!@kay(EFoD;Vnb5yywFB6bfK z-_!eI1)W^6Gl!LF>m_hBO@l3uPxmFUIyVzEgbQ8X9Ek{hC&dy*m-^E~$6QU!OzYQ6 zNw>lrs^k5a$ZV-kKM1Ph;>Pn=#u28P_Z;T&I|fWJBozx-ixQpU^WX76@}u@ssngTL zP|oV?E&pdkWfdpOD5Ik*-u!yHp~!J+)nwxku!ynDl+-s|qS)d&>P${W0E*Jd9XvG* z#fszu{9B62=X0BaX#F#hyKFR{N>yM~jrF8X=inNl^Ew#yD4 z9R~{Iz#`Zu6bnCn5u;ct4?@+*^*mx6eJ>ph|{AYq&$WSJ{2e9;{qogdWf3`Rh=TS%`hjNE&kS|BGCB}^D zrw5391KIPQZ5kW-KES^Hg=3Gg&g@A)GfB65Gr2 zFS%3fayWzc<7Qd9e~wdpyDN?tgsX7D`@c{dP$s?x)xzlYo(NV3>)|R#qCaltA!@vg zYCV6~dSt>L&bQahRxaVrINoE_$kL@PrfaDwkGIM*mao&!oXc9_0Htm#b8$V+C{8?g zp=tc+*q9!(wt9$aU7)FTx zQETU#jP~rGMNS#h&NY+58tJ7+Hwwcs-P4NAxkZ5^MUqcUTkhuJ=@N4uC^IdYBg!!{ z%x)2!#Nw|Z$|{l_MeO*G??KF}lMK6ASI*kg|4{AK4O;7tt8H%}6i^pyamc`GREz_6 z#96H4<0>>DM^UZJz>b;FN;H#kd~9yZV0~6~Bza7cJao;Xayz1-dj~O+PSb6GzLmuu z1=lN6qAKQ*q7ZHzie+CWGr~$Wnk~6YCNOA9-jgB(Q@kde1W>r`r{crs7&J7%m6R_U z67w%26MpykR~HCflb?P$HbQU|rFO3eh;HK*7FpqC=E#Nza(m_WnqUVNKG|H|TYYx< z)eHBHK0hzK(uMwHJVwU`rNWn@QSCOv4v|@h2GT#p{sW#@wA5J%cX0Yy&QaO!%B2V! z!t>K>IoaHO*{1yg!hZiLF2>;kp5u-?WfzGJU|yT;GZ(~pb!h4%5{m(3%h&`(ztv(h zV#7_1rMK85Sz|7MIu4^Nne$3D3ThIkY}D*f#&&4ZyAZ-u+K%eCeAqrzs30SvV4^#U z%D#zyut7#37;;pgf2Ni80{gM9)I~fLdso1q9@B~{R^ZjwlnJT_HYY^JD4+%kl}-8= zM39tT#pM7bP-w3;n!{qn>NrT!d#@ zsP)_MXQYy>$I027Kt?2(&s(<%getly8Og+vVQKP?hM1g_Lg41N7Jq#@iRq|Sy?mA^ zAi_}+!VC0|H1nQgh4Ar1UuTf(7)=~q6l;6-^qe~^CpOqRwc(0`nsVPDC@zyo3Y}8G zp9Q|)uA%4`bWIJgMHEP;BS)X`phfX64Yc7wKEbN>Uh3Iy`B8qrP1-Qa1`uToG@6Lr zlw=<{QvH$-=RA&S4R)8w2t@`3gMhB^GhxGP&MDT@J9cE|Id8Rcx<1fS__ri!W70i6 z2F6`Ed7UNL@Pc=27IgVHg8{A`IQ48Ww}5!W&7m$5VbjOw9}3qjgqU2o%a;@-hePe2 zjx;5GqUiK+Rj4V88fj{tI93EQ*{r=FYYiyYc)4BaYp~5|LJJ`$G`s7n4jPEb%O{@D zVc+LPsoq2bmy)l~e}hOp5TA??F2-OYp%Rc}wpBCTAzZj6zdH*=Xy;TeQ=nug;bWm- zQs;t;M^Lf7egrW5;Ju7;W0B}su5)ha$43<3;)7;U(-=xo^>1)X|Lk~CNfCc*{apuE z&``NLcIXBZIn`=&2hg7KbAs(EKzc3);Jf6B;g!93{C6pw`<#Dp+Q<`I2CG}X5Z4e8 z(KFBjIi-3sQh@Wf(yGpkE_8{sZN*uDA-Iey4R^{^h?)+=Fjjc*a=1Dn;y?|Kbub>` zt=Q<;+8o+iEAUqh(*D6Noz`?vfIa_*0P!B@VhbWhXFhmokV>l?uOX8Ya0i{RrU675 z-C&V0km^zE(xm6RH+1+LCQUiaF&c~2lIgjw^G6^Z4@){(4(9OA^qYMdQA**s1S*6~ zl7GpJW4cXv+TbOkf&52*OUpps$T|p5XRDHoI17_f$F2vwO>JVXQ=$Z&t$Mt|cB%Qg z{ls1JP>}kXPN>+viI;JN=p2HfDI$}c;OZLQ@(na!rm&HDV)(>gA@dky^%w>y;=8u> zL%P-V0HR8T*4B{~1o_qm>gakIUnV9-|4tcvD6dTG*j~ImEI}OHA?7ceDKVtf%uVP_ zu0QtP^`yLR{$#{%c2RRYebzwTnM12u^}J0KBzE`m=G(^9!Z%Q}e`assmomBI))=C1 zWm<&a@No%ZHofS@cZ{PM2x4Bh&faieM`)tO5AE;mPxlVDk%uH6s}O%jB&stzFj_ADRu~>%9@`(xoZAX}@u%Z0066&O z0?o6x)4Rz6xnym^dvN!)b2_(*5+MFlf!oFo$Py;#U>LQb`Q>3&cLN`v#SKTr(e7sK zh+;qi2JVMcoHcYcQ*VBB7=Sc6E|i~=2q{2Ee(-NnqAC4PG^SL`a5Ns$QA^n&)aGjb zLVi3xK^UIYzFaae+}bt2$o?3@qvT53CWMr$|2@z=O+@!s)UxFMb+2KZ+4%EmBWQMc zy@eR@KLqRyh}>seiY5}2h?JrHIoFXpULY+AKJyFlCRLQ)2I4sjuIz65U`@HOR-y8k zYq#J)P7JYbCc&5BVp)6`x$I4BrEKn>bYHWh1C2L#Ro9<8gjtgP-`Ba3zuG(Gw-#@hN{bF-)X^T%jV6V6JCy z8%y~k?q(>c(_75=qwP9DAoxSJ^#=MV$2!KD&v<$z{HEUg1r&|N@r!-v1307CP6;o_ z^ZyAM5$5hcn)dx5-;?do?}rw_g0zsB;}GzN?9dL`VHEr!PVXP{*%{U->}T@~N2m;< z;*&^Zd=iO{Pa+ZWNvvHz9O)52%O@j%2;;>4IOP1Gz#lF0;?eWTT@ds`deiq85rSzO z$|oVpgGl-T!c0S4jYQKAdA?no{ZWYe!K;TR*8V6|{h?(x2yfp-)(@$=y_owk==uSo zKE{TmZTLFMCx=H#+9Bg_K*IVF_erEojghB!*7LnGbV!MhK;tJ5h{#X2LFFeympKoO z&QHc6^pi+6J_@P7)4x$@{lOD`2+5yBC@n!me=>;bPevg7lXxX09^s$d1?4|Dx`?(v z66rrkQIT4)RRD*PjL1hp{)X;H$3v`>IGA-Z5^9}{gIg!RUC4EEH`sO3@w90e^A_;B zj#ak6>w`RX7p4Zx9gY5Uuh8UVO!)<~(;k=gKmW3}X#cH+&2wjA53(c{Jqz2YR}k1_ z-@{9jR5(Z#)aN?G7w`gH8$fSK@RNWFJV>!q;T#eIYP3)(5cYA6MQ&hgO;Wbtc?7!} zk@%lv8%H!7@-s}D%9XcOpQ;dYI}C>`_#%W{@cXmDY@jjnX;650;q)81MNYt)jvUe~ z`!rldL5FhLfH)~gQ5h$0JqIRgftMD6-$QjQE2lPi7UW-zY3o0#Ss4ZB>2PZ>z; z0`Atnx@Ma_M1DZ@?XNMT#&0uU)p2n3^nYdk`r4-x$LPbzL9~rO=)Y^UE`YvV7iH0Ytt0J!@7F^irXU*t2xg# zjJSqr$2W(KxGb~Nlc(@sVDGMjA5*QeF#{Gevj`We4Bw=a+P~Rbl+x59RDC`9TSe#Gr(6t>L*0BGC zO12!Z#^a(P?Q*|hiO9oMcAEmb{Y!T?;qr_XT%<$hpX93!H2!mqVyV}@SQy!61;)Vc zsa4n7Pp)(TghAP@Pmx**gvF&>!Hi1-3|lf=@zHEUJ*}2(km^DdfQ|TEhrF^Ip2*!P z`EOPTShhJ^Qps;@rOJU?G=MHA_4!OoG9%A{B;l(SOF6i-cg?|#7aXB(JGr^9L+OZd zCMR?udUbs?z<9No)*!ddr4oacqGWVW)lgG@w!S5?xOh<_+Agxcs&z_9!IprZj63d* zJM)ez{~}|zA4OKJJkbB7lL*lGfvzY9ilB=Ujb2EAtoQJ(Bw|ggFVVdIHnMcX-0nR@ z7Q? Y}BPC1=Vz093nI_q1Sajl}gXuJ#u2YzDeMZs?z#n#RW2YhoDHINK{UFv01P z`47cTouVGdv^Hk69y1R`u*x*lExsIBvNtF2Sr0;+`aZOST)4C*u@+=nFI=04=r|C! z1`qIRpAxTn+_-bm~cud?idB?a^OJ)0qLt)J*C zBwHZcR$nbOmN`0iyp9+RQMj(MjFg%rR+@sXUowQLY+AAiMd(|YqJ}5Dt3?ZOGVeix ze=r@Z3p=q~RLd)HiK#gV)ijcVWDIjDpmLVE>eMt-eM}IZmpsKUOS;lIQR@I4X^efE zkGUY+fr~-C#599)wDV8gu;PZZ&-=Ot=HxS%R}+mmwhz79{~i1jJfIQA`Y26xq(N1( zMU@!{2SV5UBP&V(=D+57x<@LWeiQN|KK!xWJ$)i}RX2R5ac0*Rg-LMqZ74l&P9?*2 zMx|Pxpp2SCFGFRb-;%@?med+p`v9``Fnnt*LlC%BO7)%p#Or1e7b~9Q7D%c>tv<`{ zw8MdisO1Y(avyJqj&C?@X1@7OsClIWziJZkAM?T-$=KAcS3W+D_Wq;zbejK-lhT?xT{Ci)o0k8rU{K^8)3vH^;sf-1&0EQjR_h5B;#ez6DjxWH@jS&e<7G#;peM&@iv zF8nuc1S1mP+DJt5$;`^MF?gS*pvgym9MZc6nLl4iQy0M#Bie2pk2wXt4vjITVHeK7#OOUO}+ zS6-?^Mrm%+V5K`8&o`tHRSYOcwboal3C(pelv#~NZ?&C+DLJ{Nt98cSK-BX9RjDsk zwL9i;_QjqW1*o`uIQzm3!njd&A)>7>uBh_dtO56Ivf|srC`#5@ za5*}4253U=eMzb{$=T;N4NP)T9nX}JNZu<0b-1*!qJ%ss_4YK|0x z@$Bkp@}=~RN*Tzd+5KvKCCL~qCHWEuMHGC=^MO1R;+IDa-eCf>45n@%Ahm0aL_J1X+B&>LXLCWGz0cpWjKLxQwsxg9NccDB;6XFccjNhq zajt$aULt*$U|fD^TGUP?Z3;5+GlCcChz*aq< z2%@A5L#U@B2D)-A&M?fvNxf2I@h%?*d73oPrvbw_5?^^VT;~WB>S&q-(1Rn8sK-zQ z%<5q@>JcQz;8v5Zu&c>f{A%)W7}jJ<9BZ;IqU$zz*5u(Ztw|iN_1Ftm}~-?+Mmw<6V!W*hPBo!@M3zv>Qy;!Mz^4EPFwz+t}B4U=xtC zd-1PF678a8_hDd5^Y_k1U9*?3;Mk8sHQE1v^ zJfb!kkE%_!=s75S-$GExZ%NnFVJeTh-lMMfsOvrIdfv`G>U#Zsd(`zFb-hPj&-?se z)b&Qa06mPOou2=RKH_%Oa+^IIyQQ1%P8Y-T65Ob|KqW!~A50ErvzQe+2I82Ef;o;~ zQ4`0fJlGUxVdz#Qc3xwa%U$6i;3{fdyy<1@C&7SI87OJ>KoO^R55&Bo1*cIc89N`b zskyFS7b2}Nt6dl9Q=$bidxG`!L_se3k`?rVB~`(kf|;#)e*NJaq2TDidncZkj=w7o zEHk(OzhFJX+0C}OV0I{TCpW`>H)jz4S+aCbm)7mAn2(7%_E)C3V*P8-SKKB#e!gze zw^uN*fj5!5O4g$T2ga%wR<{GEs|NuBs|uE|TxJ_0=CEZ<@ccp)E=+C@$L}tG)XK?< zZZHDT4U2H1opqFjDC+z|z25q)jU3Z_ZTNqGRCIVFhBl#h1GbWG8+*?)R&}9FO|_># ztv%}Bjh)~2Z#?g&i{5bF1=PFIIv--+osg|kih?eg`$;t~+NCWq0Pzj^pZ|TT|9lD% z0BkK;dPY~KU>SoTy4|tdVH#MO!bCkA*%Ho($fNIH3XEFwLlg=&Uh)m?|k(GFJ(iLHQ7OF$#W=| z(EL)#w?rt}dyKd!PYJm(qVA~@_ilMIa3CCutXi4TnzXF3D+Z~b7(ikoI88t~%~K_y z=a~&v{c9<5$l51U9Xei%-=DsD{%=!tF8t|FJ4YsRcxU(LX;}}48GifyQ_tZO#V0Qf zCYs_lxl*=XIhNJ)LM#g;;bGQkaaVRzwk&8`+Yzx$zSY0;aA>}cWbg8d)n#QYe>-J8 zE&5z087-wA*wH*U)_@{(Sq;dO}IilWiNo!<53%VUWQRN1EFLiMyLO&STLk`*u(Vwv+_EbY>uIKiD# z$I?;*p!%$}c_@QSH>6;Ya9`yPJ#)3tlkC3a(wqi~Sgop@%gsIrc0RA9D9Zhm-LP!G z0&eS#afamHy7Em^(dMY)8EXu^pHJCA+b7zU#!V2in9+e>l0g ztWgitWVA;gOAyrSubu)mU_6ItR|qo2katE{o~{Mf>0>0xc()ojB4L(w5o;+RT|pa) zn82V+Pi0%JSawXy{!*j&IRR><%ZVD;xG8W?_jcosd2dc-&wROi{bJ3M#8aY?BLyBO}WQl#gaQ%TTg=l zkR#`C)8>9Fs@a|aeV0GZxe9)Ox2?mme!SNO-qE+6Zeb`yEfBSr;M*fG~6c z-aY!F>wQALm87e6SKweKC7j~A8j{yzYYIK+)7sO{_)e6_m`LtT6CS*US+TNIhJQ>a z-`g@;dw@ cdk.Construct: + dirname = path.dirname(path.abspath(__file__)) + on_event = lambda_.Function( + scope, + f"{name}_on_event", + function_name=f"{cluster.cluster_name}-{name}", + runtime=lambda_.Runtime.PYTHON_3_7, + layers=[ + KubectlLayer(scope, "KubectlLayer"), + AwsCliLayer(scope, "AwsCliLayer"), + ], + handler="main.on_event", + code=lambda_.Code.from_asset(path.join(dirname, f"{name}_lambda_code")), + environment={ + "cluster_name": cluster.cluster_name, + }, + timeout=cdk.Duration.seconds(180), # default is 3 seconds + log_retention=logs.RetentionDays.ONE_DAY, # defaults to never delete logs + security_groups=cluster.connections.security_groups, + vpc=vpc, ) + cluster.connections.allow_default_port_from(cluster.connections) + statement = iam.PolicyStatement() + statement.add_resources(cluster.cluster_arn) + statement.add_actions("eks:DescribeCluster") + on_event.add_to_role_policy(statement) + cluster.aws_auth.add_masters_role(on_event.role) + + return cdk.CustomResource(scope, f"{name}_custom", service_token=on_event.function_arn)