Add serviceaccount list to network-admin and user-ui #3687

Merged
83 changes: 81 additions & 2 deletions pkg/crds/calico/crd.projectcalico.org_felixconfigurations.yaml
Expand Up @@ -107,6 +107,80 @@ spec:
- Userspace
- BPFProgram
type: string
bpfConntrackTimeouts:
description: |-
BPFConntrackTimers overrides the default values for the specified conntrack timer if
set. Each value can be either a duration or `Auto` to pick the value from
a Linux conntrack timeout.

Configurable timers are: CreationGracePeriod, TCPSynSent,
TCPEstablished, TCPFinsSeen, TCPResetSeen, UDPTimeout, GenericTimeout,
ICMPTimeout.

Unset values are replaced by the default values with a warning log for
incorrect values.
properties:
creationGracePeriod:
description: |2-
CreationGracePeriod gives a generic grace period to new connection
before they are considered for cleanup [Default: 10s].
pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$
type: string
genericTimeout:
description: |-
GenericTimeout controls how long it takes before considering this
entry for cleanup after the connection became idle. If set to 'Auto', the
value from nf_conntrack_generic_timeout is used. If nil, Calico uses its
own default value. [Default: 10m].
pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$
type: string
icmpTimeout:
description: |-
ICMPTimeout controls how long it takes before considering this
entry for cleanup after the connection became idle. If set to 'Auto', the
value from nf_conntrack_icmp_timeout is used. If nil, Calico uses its
own default value. [Default: 5s].
pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$
type: string
tcpEstablished:
description: |-
TCPEstablished controls how long it takes before considering this entry for
cleanup after the connection became idle. If set to 'Auto', the
value from nf_conntrack_tcp_timeout_established is used. If nil, Calico uses
its own default value. [Default: 1h].
pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$
type: string
tcpFinsSeen:
description: |-
TCPFinsSeen controls how long it takes before considering this entry for
cleanup after the connection was closed gracefully. If set to 'Auto', the
value from nf_conntrack_tcp_timeout_time_wait is used. If nil, Calico uses
its own default value. [Default: Auto].
pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$
type: string
tcpResetSeen:
description: |-
TCPFinsSeen controls how long it takes before considering this entry for
cleanup after the connection was aborted. If nil, Calico uses its own
default value. [Default: 40s].
pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$
type: string
tcpSynSent:
description: |-
TCPSynSent controls how long it takes before considering this entry for
cleanup after the last SYN without a response. If set to 'Auto', the
value from nf_conntrack_tcp_timeout_syn_sent is used. If nil, Calico uses
its own default value. [Default: 20s].
pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$
type: string
udpTimeout:
description: |-
UDPTimeout controls how long it takes before considering this entry for
cleanup after the connection became idle. If nil, Calico uses its own
default value. [Default: 60s].
pattern: ^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$
type: string
type: object
bpfDSROptoutCIDRs:
description: |-
BPFDSROptoutCIDRs is a list of CIDRs which are excluded from DSR. That is, clients
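Review bot: the `tcpResetSeen` description is a copy-paste error: it reads "TCPFinsSeen controls how long it takes before considering this entry for cleanup after the connection was aborted" but the field is TCPResetSeen, and unlike its siblings it does not say whether `Auto` is honoured (the top-level text promises `Auto` for every timer). The `pattern` shared by all eight fields, `^(([0-9]*(\.[0-9]*)?(ms|s|h|m|us)+)+|Auto)$`, is also looser than the duration parser behind it: `[0-9]*` admits a bare `ms` with no digits, `(\.[0-9]*)?` admits `1.`, and the `+` on the unit group admits `10sh`. Such values pass CRD validation and then, per the description, are "replaced by the default values with a warning log", so an operator who sets a shorter TCPEstablished to bound stale conntrack state may silently keep the 1h default. Suggest `^(([0-9]+(\.[0-9]+)?(ms|s|h|m|us))+|Auto)$` so admission rejects what felix would reject. The `|2-` indicator on `creationGracePeriod` suggests this file is controller-gen output; if so, both fixes belong in the source field comments and kubebuilder markers, not in this YAML.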
Expand Down Expand Up @@ -1055,8 +1129,13 @@ spec:
to use for the Wireguard routing rule. [Default: 99]'
type: integer
wireguardThreadingEnabled:
description: 'WireguardThreadingEnabled controls whether Wireguard
has NAPI threading enabled. [Default: false]'
description: |-
WireguardThreadingEnabled controls whether Wireguard has Threaded NAPI enabled. [Default: false]
This increases the maximum number of packets a Wireguard interface can process.
Consider threaded NAPI only if you have high packets per second workloads that are causing dropping packets due to a saturated `softirq` CPU core.
There is a [known issue](https://lore.kernel.org/netdev/CALrw=nEoT2emQ0OAYCjM1d_6Xe_kNLSZ6dhjb5FxrLFYh4kozA@mail.gmail.com/T/) with this setting
that may cause NAPI to get stuck holding the global `rtnl_mutex` when a peer is removed.
Workaround: Make sure your Linux kernel [includes this patch](https://github.com/torvalds/linux/commit/56364c910691f6d10ba88c964c9041b9ab777bd6) to unwedge NAPI.
type: boolean
workloadSourceSpoofing:
description: |-
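Review bot: the new description documents a known kernel issue where "NAPI may get stuck holding the global `rtnl_mutex` when a peer is removed" and points at commit 56364c910691f6d10ba88c964c9041b9ab777bd6 as the workaround. Operators cannot map a commit hash to a distro kernel from `kubectl explain`, so the text should name the first mainline release containing the fix (and note that distro backports vary) rather than only linking the commit; markdown link syntax does not render in CRD descriptions either, so the raw URLs will appear inline. Since an `rtnl_mutex` wedge stalls all netlink configuration on the node, consider stating that this setting should stay `false` on unpatched kernels rather than leaving it as a "workaround" sentence. Minor wording: "causing dropping packets" should read "causing dropped packets". This hunk, like the conntrack one above, is a CRD sync unrelated to the PR title; calling that out in the PR description would help reviewers.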
12 changes: 12 additions & 0 deletions pkg/render/apiserver.go
Expand Up @@ -1663,6 +1663,12 @@ func (c *apiServerComponent) tigeraUserClusterRole() *rbacv1.ClusterRole {
Resources: []string{"pods"},
Verbs: []string{"list"},
},
// Additional "list" requests required to view serviceaccount labels.
{
APIGroups: []string{""},
Resources: []string{"serviceaccounts"},
Verbs: []string{"list"},
},
// Access to statistics.
{
APIGroups: []string{""},
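Review bot: this adds cluster-wide `list` on core-group `serviceaccounts` to the user ClusterRole, and the PR should record which UI view drives it. ServiceAccount objects carry no token material (that lives in Secrets), so the exposure is enumeration of SA names, labels, annotations and `imagePullSecrets` references across every namespace, which is broader than "view serviceaccount labels" for a single workload suggests; if the UI only needs labels for SAs in namespaces the user can already see pods in, a namespace-scoped binding would be tighter. Also confirm the UI does not use an informer or `watch` on this resource, because with only `list` granted, a watch-based client will fail after the initial listing. Please expand the comment to name the consuming view so a later reviewer can judge whether the grant is still needed.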
Expand Down Expand Up @@ -1847,6 +1853,12 @@ func (c *apiServerComponent) tigeraNetworkAdminClusterRole() *rbacv1.ClusterRole
Resources: []string{"pods"},
Verbs: []string{"list"},
},
// Additional "list" requests required to view serviceaccount labels.
{
APIGroups: []string{""},
Resources: []string{"serviceaccounts"},
Verbs: []string{"list"},
},
// Access to statistics.
{
APIGroups: []string{""},
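Review bot: this rule is byte-for-byte identical to the one added to `tigeraUserClusterRole` above (and the `pods` / `list` rule preceding it is duplicated the same way), so the two roles will drift the next time one is edited. Consider lifting the shared read-only rules into a single `[]rbacv1.PolicyRule` that both functions append, which also makes it obvious in review that network-admin is a strict superset of user. The same `watch` question applies here: if any network-admin view keeps a live list of service accounts, `list` alone is not enough.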
10 changes: 10 additions & 0 deletions pkg/render/apiserver_test.go
Expand Up @@ -1323,6 +1323,11 @@ var (
Resources: []string{"pods"},
Verbs: []string{"list"},
},
{
APIGroups: []string{""},
Resources: []string{"serviceaccounts"},
Verbs: []string{"list"},
},
{
APIGroups: []string{""},
Resources: []string{"services/proxy"},
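Review bot: the expected-rules fixture gains the `serviceaccounts` / `list` entry, which is the right update for a golden-list comparison, but unlike the source it carries no comment explaining why the grant exists. A one-line comment here ("required for the service account label view") would let a future change that drops the rule be recognised as intentional rather than a regression, and would help anyone auditing the rendered RBAC from the test alone. Please also confirm the test compares the full slice (not just membership) so an accidental `get` or `watch` added later is caught.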
Expand Down Expand Up @@ -1467,6 +1472,11 @@ var (
Resources: []string{"pods"},
Verbs: []string{"list"},
},
{
APIGroups: []string{""},
Resources: []string{"serviceaccounts"},
Verbs: []string{"list"},
},
{
APIGroups: []string{""},
Resources: []string{"services/proxy"},
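Review bot: this fixture mirrors the network-admin role change and is consistent with the source hunk. Same suggestion as the user-role fixture: add a short comment explaining the grant, and if the two expected slices are refactored to share a common prefix, keep the fixtures in step so the test continues to assert that network-admin carries exactly the user rules plus its extras.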