From 81912a18b9c1a3fd6c765e0a7e0e37bee0e9c796 Mon Sep 17 00:00:00 2001 From: Christopher Tauchen Date: Tue, 3 Feb 2026 12:37:20 +0000 Subject: [PATCH] Update Felix configuraton files for CE --- .../components/FelixConfig/config-params.json | 54 +++ .../components/FelixConfig/config-params.json | 171 ++++----- .../components/FelixConfig/config-params.json | 336 +++++++++++++----- 3 files changed, 378 insertions(+), 183 deletions(-) diff --git a/calico-enterprise_versioned_docs/version-3.21-2/_includes/components/FelixConfig/config-params.json b/calico-enterprise_versioned_docs/version-3.21-2/_includes/components/FelixConfig/config-params.json index 789e47b71d..03f81131c6 100644 --- a/calico-enterprise_versioned_docs/version-3.21-2/_includes/components/FelixConfig/config-params.json +++ b/calico-enterprise_versioned_docs/version-3.21-2/_includes/components/FelixConfig/config-params.json @@ -1267,6 +1267,33 @@ "GoType": "*bool", "OpenSourceOnly": false }, + { + "Group": "Dataplane: Common", + "GroupWithSortPrefix": "10 Dataplane: Common", + "NameConfigFile": "CgroupV2Path", + "NameEnvVar": "FELIX_CgroupV2Path", + "NameYAML": "cgroupV2Path", + "NameGoAPI": "CgroupV2Path", + "StringSchema": "String", + "StringSchemaHTML": "String", + "StringDefault": "", + "ParsedDefault": "", + "ParsedDefaultJSON": "\"\"", + "ParsedType": "string", + "YAMLType": "string", + "YAMLSchema": "String.", + "YAMLEnumValues": null, + "YAMLSchemaHTML": "String.", + "YAMLDefault": "", + "Required": false, + "OnParseFailure": "ReplaceWithDefault", + "AllowedConfigSources": "All", + "Description": "Overrides the default location where to find the cgroup hierarchy.", + "DescriptionHTML": "

Overrides the default location where to find the cgroup hierarchy.

", + "UserEditable": true, + "GoType": "string", + "OpenSourceOnly": false + }, { "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", @@ -7575,6 +7602,33 @@ "GoType": "*v1.Duration", "OpenSourceOnly": false }, + { + "Group": "Egress gateway", + "GroupWithSortPrefix": "70 Egress gateway", + "NameConfigFile": "EgressIPHostIfacePattern", + "NameEnvVar": "FELIX_EgressIPHostIfacePattern", + "NameYAML": "egressIPHostIfacePattern", + "NameGoAPI": "EgressIPHostIfacePattern", + "StringSchema": "Comma-delimited list of Linux interface names/regex patterns. Regex patterns must start/end with `/`.", + "StringSchemaHTML": "Comma-delimited list of Linux interface names/regex patterns. Regex patterns must start/end with /.", + "StringDefault": "", + "ParsedDefault": "[]", + "ParsedDefaultJSON": "null", + "ParsedType": "[]*regexp.Regexp", + "YAMLType": "string", + "YAMLSchema": "String.", + "YAMLEnumValues": null, + "YAMLSchemaHTML": "String.", + "YAMLDefault": "", + "Required": false, + "OnParseFailure": "ReplaceWithDefault", + "AllowedConfigSources": "All", + "Description": "A comma-separated list of interface names which might send and receive egress traffic\nacross the cluster boundary, after it has left an Egress Gateway pod. Felix will ensure `src_valid_mark` sysctl flags\nare set correctly for matching interfaces.\nTo target multiple interfaces with a single string, the list supports regular expressions.\nFor regular expressions, wrap the value with `/`.\nExample: `/^bond/,eth0` will match all interfaces that begin with `bond` and also the interface `eth0`.", + "DescriptionHTML": "

A comma-separated list of interface names which might send and receive egress traffic\nacross the cluster boundary, after it has left an Egress Gateway pod. Felix will ensure src_valid_mark sysctl flags\nare set correctly for matching interfaces.\nTo target multiple interfaces with a single string, the list supports regular expressions.\nFor regular expressions, wrap the value with /.\nExample: /^bond/,eth0 will match all interfaces that begin with bond and also the interface eth0.

", + "UserEditable": true, + "GoType": "string", + "OpenSourceOnly": false + }, { "Group": "Egress gateway", "GroupWithSortPrefix": "70 Egress gateway", diff --git a/calico-enterprise_versioned_docs/version-3.22-2/_includes/components/FelixConfig/config-params.json b/calico-enterprise_versioned_docs/version-3.22-2/_includes/components/FelixConfig/config-params.json index ae69c4aacd..a62f14f9e5 100644 --- a/calico-enterprise_versioned_docs/version-3.22-2/_includes/components/FelixConfig/config-params.json +++ b/calico-enterprise_versioned_docs/version-3.22-2/_includes/components/FelixConfig/config-params.json @@ -1016,10 +1016,10 @@ "Required": false, "OnParseFailure": "ReplaceWithDefault", "AllowedConfigSources": "All", - "Description": "Defines the absolute path to the TLS CA certificate file used for securing the /metrics endpoint.\nThis certificate must be valid and accessible by the calico-node process.", - "DescriptionHTML": "

Defines the absolute path to the TLS CA certificate file used for securing the /metrics endpoint.\nThis certificate must be valid and accessible by the calico-node process.

", + "Description": "The path to the TLS CA file for the Prometheus metrics server.", + "DescriptionHTML": "

The path to the TLS CA file for the Prometheus metrics server.

", "UserEditable": true, - "GoType": "*string", + "GoType": "string", "OpenSourceOnly": false }, { @@ -1043,37 +1043,10 @@ "Required": false, "OnParseFailure": "ReplaceWithDefault", "AllowedConfigSources": "All", - "Description": "Defines the absolute path to the TLS certificate file used for securing the /metrics endpoint.\nThis certificate must be valid and accessible by the calico-node process.", - "DescriptionHTML": "

Defines the absolute path to the TLS certificate file used for securing the /metrics endpoint.\nThis certificate must be valid and accessible by the calico-node process.

", + "Description": "The path to the TLS certificate file for the Prometheus metrics server.", + "DescriptionHTML": "

The path to the TLS certificate file for the Prometheus metrics server.

", "UserEditable": true, - "GoType": "*string", - "OpenSourceOnly": false - }, - { - "Group": "Process: Prometheus metrics", - "GroupWithSortPrefix": "00 Process: Prometheus metrics", - "NameConfigFile": "PrometheusMetricsClientAuth", - "NameEnvVar": "FELIX_PrometheusMetricsClientAuth", - "NameYAML": "prometheusMetricsClientAuth", - "NameGoAPI": "PrometheusMetricsClientAuth", - "StringSchema": "One of: `NoClientCert`, `RequireAndVerifyClientCert`, `RequireAnyClientCert`, `VerifyClientCertIfGiven` (case insensitive)", - "StringSchemaHTML": "One of: NoClientCert, RequireAndVerifyClientCert, RequireAnyClientCert, VerifyClientCertIfGiven (case insensitive)", - "StringDefault": "RequireAndVerifyClientCert", - "ParsedDefault": "RequireAndVerifyClientCert", - "ParsedDefaultJSON": "\"RequireAndVerifyClientCert\"", - "ParsedType": "string", - "YAMLType": "string", - "YAMLSchema": "", - "YAMLEnumValues": null, - "YAMLSchemaHTML": "", - "YAMLDefault": "RequireAndVerifyClientCert", - "Required": false, - "OnParseFailure": "ReplaceWithDefault", - "AllowedConfigSources": "All", - "Description": "Specifies the client authentication type for the /metrics endpoint.\nThis determines how the server validates client certificates. Default is \"RequireAndVerifyClientCert\".", - "DescriptionHTML": "

Specifies the client authentication type for the /metrics endpoint.\nThis determines how the server validates client certificates. Default is \"RequireAndVerifyClientCert\".

", - "UserEditable": true, - "GoType": "*v3.PrometheusMetricsClientAuthType", + "GoType": "string", "OpenSourceOnly": false }, { @@ -1151,10 +1124,10 @@ "Required": false, "OnParseFailure": "ReplaceWithDefault", "AllowedConfigSources": "All", - "Description": "Defines the absolute path to the private key file corresponding to the TLS certificate\nused for securing the /metrics endpoint. The private key must be valid and accessible by the calico-node process.", - "DescriptionHTML": "
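Review bot: With the PrometheusMetricsClientAuth entry removed here, the 3.22-2 reference no longer says whether the metrics server checks client certificates, and the shortened CA, certificate and key descriptions (this hunk and the `@@ -1016,10 +1016,10 @@` and `@@ -1151,10 +1124,10 @@` hunks) do not say it either. This file and the 3.23-1 file both start from the same blob (`index ae69c4aacd`), yet no 3.23-1 hunk touches these entries, so it is worth confirming that the parameter really does not exist in 3.22 rather than being dropped by the sync. If 3.22 does verify clients against the CA file, the CA description should say so, for example `The path to the TLS CA file used to verify client certificates presented to the Prometheus metrics server.`; that wording is a proposal to check against the 3.22 behaviour, not something the diff shows.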

Defines the absolute path to the private key file corresponding to the TLS certificate\nused for securing the /metrics endpoint. The private key must be valid and accessible by the calico-node process.

", + "Description": "The path to the TLS private key file for the Prometheus metrics server.", + "DescriptionHTML": "

The path to the TLS private key file for the Prometheus metrics server.

", "UserEditable": true, - "GoType": "*string", + "GoType": "string", "OpenSourceOnly": false }, { @@ -1855,6 +1828,63 @@ "GoType": "*bool", "OpenSourceOnly": false }, + { + "Group": "Dataplane: Common", + "GroupWithSortPrefix": "10 Dataplane: Common", + "NameConfigFile": "IstioAmbientMode", + "NameEnvVar": "FELIX_IstioAmbientMode", + "NameYAML": "istioAmbientMode", + "NameGoAPI": "IstioAmbientMode", + "StringSchema": "One of: `Disabled`, `Enabled` (case insensitive)", + "StringSchemaHTML": "One of: Disabled, Enabled (case insensitive)", + "StringDefault": "Disabled", + "ParsedDefault": "Disabled", + "ParsedDefaultJSON": "\"Disabled\"", + "ParsedType": "string", + "YAMLType": "string", + "YAMLSchema": "One of: `\"Disabled\"`, `\"Enabled\"`.", + "YAMLEnumValues": [ + "Disabled", + "Enabled" + ], + "YAMLSchemaHTML": "One of: \"Disabled\", \"Enabled\".", + "YAMLDefault": "Disabled", + "Required": false, + "OnParseFailure": "ReplaceWithDefault", + "AllowedConfigSources": "All", + "Description": "Configures Felix to work together with Tigera's Istio distribution.", + "DescriptionHTML": "

Configures Felix to work together with Tigera's Istio distribution.

", + "UserEditable": true, + "GoType": "*v3.IstioAmbientMode", + "OpenSourceOnly": false + }, + { + "Group": "Dataplane: Common", + "GroupWithSortPrefix": "10 Dataplane: Common", + "NameConfigFile": "IstioDSCPMark", + "NameEnvVar": "FELIX_IstioDSCPMark", + "NameYAML": "istioDSCPMark", + "NameGoAPI": "IstioDSCPMark", + "StringSchema": "Numeric value: An integer from 0 to 63, representing the 6-bit DSCP code directly; Named value: A case-insensitive string corresponding to a standardized DSCP name (e.g., \"CS0\", \"AF11\", \"AF21\", \"EF\", etc.) as defined in the IANA registry for Differentiated Services Field Codepoints.", + "StringSchemaHTML": "Numeric value: An integer from 0 to 63, representing the 6-bit DSCP code directly; Named value: A case-insensitive string corresponding to a standardized DSCP name (e.g., \"CS0\", \"AF11\", \"AF21\", \"EF\", etc.) as defined in the IANA registry for Differentiated Services Field Codepoints.", + "StringDefault": "23", + "ParsedDefault": "23", + "ParsedDefaultJSON": "23", + "ParsedType": "numorstring.DSCP", + "YAMLType": "integer", + "YAMLSchema": "String.", + "YAMLEnumValues": null, + "YAMLSchemaHTML": "String.", + "YAMLDefault": "", + "Required": false, + "OnParseFailure": "ReplaceWithDefault", + "AllowedConfigSources": "All", + "Description": "Sets the value to use when directing traffic to Istio ZTunnel, when Istio is enabled. The mark is set only on\nSYN packets at the final hop to avoid interference with other protocols. This value is reserved by Calico and must not be used\nwith other Istio installation.", + "DescriptionHTML": "

Sets the value to use when directing traffic to Istio ZTunnel, when Istio is enabled. The mark is set only on\nSYN packets at the final hop to avoid interference with other protocols. This value is reserved by Calico and must not be used\nwith other Istio installation.

", + "UserEditable": true, + "GoType": "*numorstring.DSCP", + "OpenSourceOnly": false + }, { "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", @@ -3746,33 +3776,6 @@ "GoType": "*v3.BPFHostNetworkedNATType", "OpenSourceOnly": false }, - { - "Group": "Dataplane: eBPF", - "GroupWithSortPrefix": "22 Dataplane: eBPF", - "NameConfigFile": "BPFJITHardening", - "NameEnvVar": "FELIX_BPFJITHardening", - "NameYAML": "bpfJITHardening", - "NameGoAPI": "BPFJITHardening", - "StringSchema": "One of: `Auto`, `Strict` (case insensitive)", - "StringSchemaHTML": "One of: Auto, Strict (case insensitive)", - "StringDefault": "Auto", - "ParsedDefault": "Auto", - "ParsedDefaultJSON": "\"Auto\"", - "ParsedType": "string", - "YAMLType": "string", - "YAMLSchema": "", - "YAMLEnumValues": null, - "YAMLSchemaHTML": "", - "YAMLDefault": "Auto", - "Required": true, - "OnParseFailure": "ReplaceWithDefault", - "AllowedConfigSources": "All", - "Description": "Controls BPF JIT hardening. When set to \"Auto\", Felix will set JIT hardening to 1\nif it detects the current value is 2 (strict mode that hurts performance). When set to \"Strict\",\nFelix will not modify the JIT hardening setting.", - "DescriptionHTML": "
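Review bot: The added IstioDSCPMark entry disagrees with itself about its YAML form: `"YAMLType": "integer"` sits beside `"YAMLSchema": "String."`, and `"YAMLDefault": ""` beside `"StringDefault": "23"`. A reader of the rendered table would see no YAML default for a DSCP value that the description says is reserved by Calico, which makes an accidental clash with other DSCP marking on the network harder to spot. Assuming the parsed default of 23 also applies to the YAML field, `"YAMLDefault": "23"` and a `YAMLSchema` that repeats the 0-to-63-or-name wording of `StringSchema` would fix it; the same entry is added to the 3.23-1 file in the `@@ -1855,6 +1855,63 @@` hunk. If this file is generated from Felix parameter metadata, the correction belongs in that source.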

Controls BPF JIT hardening. When set to \"Auto\", Felix will set JIT hardening to 1\nif it detects the current value is 2 (strict mode that hurts performance). When set to \"Strict\",\nFelix will not modify the JIT hardening setting.

", - "UserEditable": true, - "GoType": "*v3.BPFJITHardeningType", - "OpenSourceOnly": false - }, { "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", @@ -3800,33 +3803,6 @@ "GoType": "*bool", "OpenSourceOnly": false }, - { - "Group": "Dataplane: eBPF", - "GroupWithSortPrefix": "22 Dataplane: eBPF", - "NameConfigFile": "BPFKubeProxyHealthzPort", - "NameEnvVar": "FELIX_BPFKubeProxyHealthzPort", - "NameYAML": "bpfKubeProxyHealthzPort", - "NameGoAPI": "BPFKubeProxyHealthzPort", - "StringSchema": "Integer", - "StringSchemaHTML": "Integer", - "StringDefault": "10256", - "ParsedDefault": "10256", - "ParsedDefaultJSON": "10256", - "ParsedType": "int", - "YAMLType": "integer", - "YAMLSchema": "Integer", - "YAMLEnumValues": null, - "YAMLSchemaHTML": "Integer", - "YAMLDefault": "10256", - "Required": true, - "OnParseFailure": "ReplaceWithDefault", - "AllowedConfigSources": "All", - "Description": "In BPF mode, controls the port that Felix's embedded kube-proxy health check server binds to.\nThe health check server is used by external load balancers to determine if this node should receive traffic.", - "DescriptionHTML": "

In BPF mode, controls the port that Felix's embedded kube-proxy health check server binds to.\nThe health check server is used by external load balancers to determine if this node should receive traffic.

", - "UserEditable": true, - "GoType": "*int", - "OpenSourceOnly": false - }, { "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", @@ -4330,25 +4306,26 @@ "NameEnvVar": "FELIX_BPFRedirectToPeer", "NameYAML": "bpfRedirectToPeer", "NameGoAPI": "BPFRedirectToPeer", - "StringSchema": "One of: `Disabled`, `Enabled` (case insensitive)", - "StringSchemaHTML": "One of: Disabled, Enabled (case insensitive)", + "StringSchema": "One of: `Disabled`, `Enabled`, `L2Only` (case insensitive)", + "StringSchemaHTML": "One of: Disabled, Enabled, L2Only (case insensitive)", "StringDefault": "Disabled", "ParsedDefault": "Disabled", "ParsedDefaultJSON": "\"Disabled\"", "ParsedType": "string", "YAMLType": "string", - "YAMLSchema": "One of: `\"Disabled\"`, `\"Enabled\"`.", + "YAMLSchema": "One of: `\"Disabled\"`, `\"Enabled\"`, `\"L2Only\"`.", "YAMLEnumValues": [ "Disabled", - "Enabled" + "Enabled", + "L2Only" ], - "YAMLSchemaHTML": "One of: \"Disabled\", \"Enabled\".", + "YAMLSchemaHTML": "One of: \"Disabled\", \"Enabled\", \"L2Only\".", "YAMLDefault": "Disabled", "Required": true, "OnParseFailure": "ReplaceWithDefault", "AllowedConfigSources": "All", - "Description": "Controls whether traffic may be forwarded directly to the peer side of a workload’s device.\nNote that the legacy \"L2Only\" option is now deprecated and if set it is treated like \"Enabled\".\nSetting this option to \"Enabled\" allows direct redirection (including from L3 host devices such as IPIP tunnels or WireGuard),\nwhich can improve redirection performance but causes the redirected packets to bypass the host‑side ingress path.\nAs a result, packet‑capture tools on the host side of the workload device (for example, tcpdump) will not see that traffic.", - "DescriptionHTML": "

Controls whether traffic may be forwarded directly to the peer side of a workload’s device.\nNote that the legacy \"L2Only\" option is now deprecated and if set it is treated like \"Enabled\".\nSetting this option to \"Enabled\" allows direct redirection (including from L3 host devices such as IPIP tunnels or WireGuard),\nwhich can improve redirection performance but causes the redirected packets to bypass the host‑side ingress path.\nAs a result, packet‑capture tools on the host side of the workload device (for example, tcpdump) will not see that traffic.

", + "Description": "Controls which whether it is allowed to forward straight to the\npeer side of the workload devices. It is allowed for any host L2 devices by default\n(L2Only), but it breaks TCP dump on the host side of workload device as it bypasses\nit on ingress. Value of Enabled also allows redirection from L3 host devices like\nIPIP tunnel or Wireguard directly to the peer side of the workload's device. This\nmakes redirection faster, however, it breaks tools like tcpdump on the peer side.\nUse Enabled with caution.", + "DescriptionHTML": "

Controls which whether it is allowed to forward straight to the\npeer side of the workload devices. It is allowed for any host L2 devices by default\n(L2Only), but it breaks TCP dump on the host side of workload device as it bypasses\nit on ingress. Value of Enabled also allows redirection from L3 host devices like\nIPIP tunnel or Wireguard directly to the peer side of the workload's device. This\nmakes redirection faster, however, it breaks tools like tcpdump on the peer side.\nUse Enabled with caution.

", "UserEditable": true, "GoType": "string", "OpenSourceOnly": false diff --git a/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/FelixConfig/config-params.json b/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/FelixConfig/config-params.json index ae69c4aacd..488e86903e 100644 --- a/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/FelixConfig/config-params.json +++ b/calico-enterprise_versioned_docs/version-3.23-1/_includes/components/FelixConfig/config-params.json @@ -1855,6 +1855,63 @@ "GoType": "*bool", "OpenSourceOnly": false }, + { + "Group": "Dataplane: Common", + "GroupWithSortPrefix": "10 Dataplane: Common", + "NameConfigFile": "IstioAmbientMode", + "NameEnvVar": "FELIX_IstioAmbientMode", + "NameYAML": "istioAmbientMode", + "NameGoAPI": "IstioAmbientMode", + "StringSchema": "One of: `Disabled`, `Enabled` (case insensitive)", + "StringSchemaHTML": "One of: Disabled, Enabled (case insensitive)", + "StringDefault": "Disabled", + "ParsedDefault": "Disabled", + "ParsedDefaultJSON": "\"Disabled\"", + "ParsedType": "string", + "YAMLType": "string", + "YAMLSchema": "One of: `\"Disabled\"`, `\"Enabled\"`.", + "YAMLEnumValues": [ + "Disabled", + "Enabled" + ], + "YAMLSchemaHTML": "One of: \"Disabled\", \"Enabled\".", + "YAMLDefault": "Disabled", + "Required": false, + "OnParseFailure": "ReplaceWithDefault", + "AllowedConfigSources": "All", + "Description": "Configures Felix to work together with Tigera's Istio distribution.", + "DescriptionHTML": "
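Review bot: The new BPFRedirectToPeer description says redirection is "allowed for any host L2 devices by default (L2Only)", but the unchanged `StringDefault`, `ParsedDefault` and `YAMLDefault` lines of the same entry all give `Disabled`. Since the choice decides whether host-side packet capture still sees workload ingress traffic, the text should name the real default; it also opens with "Controls which whether". Suggested opening: `Controls whether traffic may be forwarded straight to the peer side of workload devices.`, with the "by default (L2Only)" clause removed or aligned with the default fields. The entry begins above the hunk's first line.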

Configures Felix to work together with Tigera's Istio distribution.

", + "UserEditable": true, + "GoType": "*v3.IstioAmbientMode", + "OpenSourceOnly": false + }, + { + "Group": "Dataplane: Common", + "GroupWithSortPrefix": "10 Dataplane: Common", + "NameConfigFile": "IstioDSCPMark", + "NameEnvVar": "FELIX_IstioDSCPMark", + "NameYAML": "istioDSCPMark", + "NameGoAPI": "IstioDSCPMark", + "StringSchema": "Numeric value: An integer from 0 to 63, representing the 6-bit DSCP code directly; Named value: A case-insensitive string corresponding to a standardized DSCP name (e.g., \"CS0\", \"AF11\", \"AF21\", \"EF\", etc.) as defined in the IANA registry for Differentiated Services Field Codepoints.", + "StringSchemaHTML": "Numeric value: An integer from 0 to 63, representing the 6-bit DSCP code directly; Named value: A case-insensitive string corresponding to a standardized DSCP name (e.g., \"CS0\", \"AF11\", \"AF21\", \"EF\", etc.) as defined in the IANA registry for Differentiated Services Field Codepoints.", + "StringDefault": "23", + "ParsedDefault": "23", + "ParsedDefaultJSON": "23", + "ParsedType": "numorstring.DSCP", + "YAMLType": "integer", + "YAMLSchema": "String.", + "YAMLEnumValues": null, + "YAMLSchemaHTML": "String.", + "YAMLDefault": "", + "Required": false, + "OnParseFailure": "ReplaceWithDefault", + "AllowedConfigSources": "All", + "Description": "Sets the value to use when directing traffic to Istio ZTunnel, when Istio is enabled. The mark is set only on\nSYN packets at the final hop to avoid interference with other protocols. This value is reserved by Calico and must not be used\nwith other Istio installation.", + "DescriptionHTML": "

Sets the value to use when directing traffic to Istio ZTunnel, when Istio is enabled. The mark is set only on\nSYN packets at the final hop to avoid interference with other protocols. This value is reserved by Calico and must not be used\nwith other Istio installation.

", + "UserEditable": true, + "GoType": "*numorstring.DSCP", + "OpenSourceOnly": false + }, { "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", @@ -2038,13 +2095,12 @@ "ParsedDefaultJSON": "\"Disabled\"", "ParsedType": "string", "YAMLType": "string", - "YAMLSchema": "One of: `\"Auto\"`, `\"Disabled\"`, `\"Enabled\"`.", + "YAMLSchema": "One of: `\"Disabled\"`, `\"Enabled\"`.", "YAMLEnumValues": [ - "Auto", "Disabled", "Enabled" ], - "YAMLSchemaHTML": "One of: \"Auto\", \"Disabled\", \"Enabled\".", + "YAMLSchemaHTML": "One of: \"Disabled\", \"Enabled\".", "YAMLDefault": "Disabled", "Required": false, "OnParseFailure": "ReplaceWithDefault", @@ -2109,6 +2165,141 @@ "GoType": "string", "OpenSourceOnly": false }, + { + "Group": "Dataplane: Common", + "GroupWithSortPrefix": "10 Dataplane: Common", + "NameConfigFile": "PolicyActivityLogsFileDirectory", + "NameEnvVar": "FELIX_PolicyActivityLogsFileDirectory", + "NameYAML": "policyActivityLogsFileDirectory", + "NameGoAPI": "PolicyActivityLogsFileDirectory", + "StringSchema": "String", + "StringSchemaHTML": "String", + "StringDefault": "/var/log/calico/policy", + "ParsedDefault": "/var/log/calico/policy", + "ParsedDefaultJSON": "\"/var/log/calico/policy\"", + "ParsedType": "string", + "YAMLType": "string", + "YAMLSchema": "String.", + "YAMLEnumValues": null, + "YAMLSchemaHTML": "String.", + "YAMLDefault": "/var/log/calico/policy", + "Required": false, + "OnParseFailure": "ReplaceWithDefault", + "AllowedConfigSources": "All", + "Description": "Sets the directory where policy activity log files are stored.", + "DescriptionHTML": "

Sets the directory where policy activity log files are stored.

", + "UserEditable": true, + "GoType": "*string", + "OpenSourceOnly": false + }, + { + "Group": "Dataplane: Common", + "GroupWithSortPrefix": "10 Dataplane: Common", + "NameConfigFile": "PolicyActivityLogsFileEnabled", + "NameEnvVar": "FELIX_PolicyActivityLogsFileEnabled", + "NameYAML": "policyActivityLogsFileEnabled", + "NameGoAPI": "PolicyActivityLogsFileEnabled", + "StringSchema": "Boolean: `true`, `1`, `yes`, `y`, `t` accepted as True; `false`, `0`, `no`, `n`, `f` accepted (case insensitively) as False.", + "StringSchemaHTML": "Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.", + "StringDefault": "true", + "ParsedDefault": "true", + "ParsedDefaultJSON": "true", + "ParsedType": "bool", + "YAMLType": "boolean", + "YAMLSchema": "Boolean.", + "YAMLEnumValues": null, + "YAMLSchemaHTML": "Boolean.", + "YAMLDefault": "true", + "Required": false, + "OnParseFailure": "ReplaceWithDefault", + "AllowedConfigSources": "All", + "Description": "Controls logging policy activity logs to a file. If false no policy activity logging to file will occur.", + "DescriptionHTML": "

Controls logging policy activity logs to a file. If false no policy activity logging to file will occur.

", + "UserEditable": true, + "GoType": "*bool", + "OpenSourceOnly": false + }, + { + "Group": "Dataplane: Common", + "GroupWithSortPrefix": "10 Dataplane: Common", + "NameConfigFile": "PolicyActivityLogsFileMaxFileSizeMB", + "NameEnvVar": "FELIX_PolicyActivityLogsFileMaxFileSizeMB", + "NameYAML": "policyActivityLogsFileMaxFileSizeMB", + "NameGoAPI": "PolicyActivityLogsFileMaxFileSizeMB", + "StringSchema": "Integer", + "StringSchemaHTML": "Integer", + "StringDefault": "100", + "ParsedDefault": "100", + "ParsedDefaultJSON": "100", + "ParsedType": "int", + "YAMLType": "integer", + "YAMLSchema": "Integer", + "YAMLEnumValues": null, + "YAMLSchemaHTML": "Integer", + "YAMLDefault": "100", + "Required": false, + "OnParseFailure": "ReplaceWithDefault", + "AllowedConfigSources": "All", + "Description": "Sets the max size in MB of policy activity log files before rotation.", + "DescriptionHTML": "

Sets the max size in MB of policy activity log files before rotation.

", + "UserEditable": true, + "GoType": "*int", + "OpenSourceOnly": false + }, + { + "Group": "Dataplane: Common", + "GroupWithSortPrefix": "10 Dataplane: Common", + "NameConfigFile": "PolicyActivityLogsFileMaxFiles", + "NameEnvVar": "FELIX_PolicyActivityLogsFileMaxFiles", + "NameYAML": "policyActivityLogsFileMaxFiles", + "NameGoAPI": "PolicyActivityLogsFileMaxFiles", + "StringSchema": "Integer", + "StringSchemaHTML": "Integer", + "StringDefault": "5", + "ParsedDefault": "5", + "ParsedDefaultJSON": "5", + "ParsedType": "int", + "YAMLType": "integer", + "YAMLSchema": "Integer", + "YAMLEnumValues": null, + "YAMLSchemaHTML": "Integer", + "YAMLDefault": "5", + "Required": false, + "OnParseFailure": "ReplaceWithDefault", + "AllowedConfigSources": "All", + "Description": "Sets the number of policy activity log files to keep.", + "DescriptionHTML": "

Sets the number of policy activity log files to keep.

", + "UserEditable": true, + "GoType": "*int", + "OpenSourceOnly": false + }, + { + "Group": "Dataplane: Common", + "GroupWithSortPrefix": "10 Dataplane: Common", + "NameConfigFile": "PolicyActivityLogsFlushInterval", + "NameEnvVar": "FELIX_PolicyActivityLogsFlushInterval", + "NameYAML": "policyActivityLogsFlushInterval", + "NameGoAPI": "PolicyActivityLogsFlushInterval", + "StringSchema": "Seconds (floating point)", + "StringSchemaHTML": "Seconds (floating point)", + "StringDefault": "15", + "ParsedDefault": "15s", + "ParsedDefaultJSON": "15000000000", + "ParsedType": "time.Duration", + "YAMLType": "string", + "YAMLSchema": "Duration string, for example `1m30s123ms` or `1h5m`.", + "YAMLEnumValues": null, + "YAMLSchemaHTML": "Duration string, for example 1m30s123ms or 1h5m.", + "YAMLDefault": "15s", + "Required": false, + "OnParseFailure": "ReplaceWithDefault", + "AllowedConfigSources": "All", + "Description": "Configures the interval at which Felix exports policy activity logs.", + "DescriptionHTML": "

Configures the interval at which Felix exports policy activity logs.

", + "UserEditable": true, + "GoType": "*v1.Duration", + "OpenSourceOnly": false + }, { "Group": "Dataplane: Common", "GroupWithSortPrefix": "10 Dataplane: Common", @@ -2731,33 +2922,6 @@ "GoType": "string", "OpenSourceOnly": false }, - { - "Group": "Dataplane: iptables", - "GroupWithSortPrefix": "20 Dataplane: iptables", - "NameConfigFile": "IptablesLockFilePath", - "NameEnvVar": "FELIX_IptablesLockFilePath", - "NameYAML": "iptablesLockFilePath", - "NameGoAPI": "IptablesLockFilePath", - "StringSchema": "Path to file", - "StringSchemaHTML": "Path to file", - "StringDefault": "/run/xtables.lock", - "ParsedDefault": "/run/xtables.lock", - "ParsedDefaultJSON": "\"/run/xtables.lock\"", - "ParsedType": "string", - "YAMLType": "string", - "YAMLSchema": "String.", - "YAMLEnumValues": null, - "YAMLSchemaHTML": "String.", - "YAMLDefault": "/run/xtables.lock", - "Required": false, - "OnParseFailure": "ReplaceWithDefault", - "AllowedConfigSources": "All", - "Description": "The location of the iptables lock file. You may need to change this\nif the lock file is not in its standard location (for example if you have mapped it into Felix's\ncontainer at a different path).", - "DescriptionHTML": "

The location of the iptables lock file. You may need to change this\nif the lock file is not in its standard location (for example if you have mapped it into Felix's\ncontainer at a different path).

", - "UserEditable": true, - "GoType": "string", - "OpenSourceOnly": false - }, { "Group": "Dataplane: iptables", "GroupWithSortPrefix": "20 Dataplane: iptables", @@ -2779,35 +2943,8 @@ "Required": false, "OnParseFailure": "ReplaceWithDefault", "AllowedConfigSources": "All", - "Description": "When IptablesLockTimeout is enabled: the time that Felix will wait between\nattempts to acquire the iptables lock if it is not available. Lower values make Felix more\nresponsive when the lock is contended, but use more CPU.", - "DescriptionHTML": "

When IptablesLockTimeout is enabled: the time that Felix will wait between\nattempts to acquire the iptables lock if it is not available. Lower values make Felix more\nresponsive when the lock is contended, but use more CPU.

", - "UserEditable": true, - "GoType": "*v1.Duration", - "OpenSourceOnly": false - }, - { - "Group": "Dataplane: iptables", - "GroupWithSortPrefix": "20 Dataplane: iptables", - "NameConfigFile": "IptablesLockTimeoutSecs", - "NameEnvVar": "FELIX_IptablesLockTimeoutSecs", - "NameYAML": "iptablesLockTimeout", - "NameGoAPI": "IptablesLockTimeout", - "StringSchema": "Seconds (floating point)", - "StringSchemaHTML": "Seconds (floating point)", - "StringDefault": "0", - "ParsedDefault": "0s", - "ParsedDefaultJSON": "0", - "ParsedType": "time.Duration", - "YAMLType": "string", - "YAMLSchema": "Duration string, for example `1m30s123ms` or `1h5m`.", - "YAMLEnumValues": null, - "YAMLSchemaHTML": "Duration string, for example 1m30s123ms or 1h5m.", - "YAMLDefault": "0s", - "Required": false, - "OnParseFailure": "ReplaceWithDefault", - "AllowedConfigSources": "All", - "Description": "The time that Felix itself will wait for the iptables lock (rather than delegating the\nlock handling to the `iptables` command).\n\nDeprecated: `iptables-restore` v1.8+ always takes the lock, so enabling this feature results in deadlock.", - "DescriptionHTML": "

The time that Felix itself will wait for the iptables lock (rather than delegating the\nlock handling to the iptables command).

\n

Deprecated: iptables-restore v1.8+ always takes the lock, so enabling this feature results in deadlock.

", + "Description": "Configures the interval between attempts to claim\nthe xtables lock. Shorter intervals are more responsive but use more CPU.", + "DescriptionHTML": "

Configures the interval between attempts to claim\nthe xtables lock. Shorter intervals are more responsive but use more CPU.

", "UserEditable": true, "GoType": "*v1.Duration", "OpenSourceOnly": false @@ -3773,33 +3910,6 @@ "GoType": "*v3.BPFJITHardeningType", "OpenSourceOnly": false }, - { - "Group": "Dataplane: eBPF", - "GroupWithSortPrefix": "22 Dataplane: eBPF", - "NameConfigFile": "BPFKubeProxyEndpointSlicesEnabled", - "NameEnvVar": "FELIX_BPFKubeProxyEndpointSlicesEnabled", - "NameYAML": "bpfKubeProxyEndpointSlicesEnabled", - "NameGoAPI": "BPFKubeProxyEndpointSlicesEnabled", - "StringSchema": "Boolean: `true`, `1`, `yes`, `y`, `t` accepted as True; `false`, `0`, `no`, `n`, `f` accepted (case insensitively) as False.", - "StringSchemaHTML": "Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.", - "StringDefault": "true", - "ParsedDefault": "true", - "ParsedDefaultJSON": "true", - "ParsedType": "bool", - "YAMLType": "boolean", - "YAMLSchema": "Boolean.", - "YAMLEnumValues": null, - "YAMLSchemaHTML": "Boolean.", - "YAMLDefault": "true", - "Required": false, - "OnParseFailure": "ReplaceWithDefault", - "AllowedConfigSources": "All", - "Description": "Deprecated and has no effect. BPF\nkube-proxy always accepts endpoint slices. This option will be removed in\nthe next release.", - "DescriptionHTML": "

Deprecated and has no effect. BPF\nkube-proxy always accepts endpoint slices. This option will be removed in\nthe next release.

", - "UserEditable": true, - "GoType": "*bool", - "OpenSourceOnly": false - }, { "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF", @@ -3966,6 +4076,60 @@ "GoType": "string", "OpenSourceOnly": false }, + { + "Group": "Dataplane: eBPF", + "GroupWithSortPrefix": "22 Dataplane: eBPF", + "NameConfigFile": "BPFMaglevMaxEndpointsPerService", + "NameEnvVar": "FELIX_BPFMaglevMaxEndpointsPerService", + "NameYAML": "bpfMaglevMaxEndpointsPerService", + "NameGoAPI": "BPFMaglevMaxEndpointsPerService", + "StringSchema": "Integer: [1,3000]", + "StringSchemaHTML": "Integer: [1,3000]", + "StringDefault": "100", + "ParsedDefault": "100", + "ParsedDefaultJSON": "100", + "ParsedType": "int", + "YAMLType": "integer", + "YAMLSchema": "Integer: [1,3000]", + "YAMLEnumValues": null, + "YAMLSchemaHTML": "Integer: [1,3000]", + "YAMLDefault": "100", + "Required": false, + "OnParseFailure": "ReplaceWithDefault", + "AllowedConfigSources": "All", + "Description": "The maximum number of endpoints\nexpected to be part of a single Maglev-enabled service.\n\nInfluences the size of the per-service Maglev lookup-tables generated by Felix\nand thus the amount of memory reserved.", + "DescriptionHTML": "

The maximum number of endpoints\nexpected to be part of a single Maglev-enabled service.

\n

Influences the size of the per-service Maglev lookup-tables generated by Felix\nand thus the amount of memory reserved.

", + "UserEditable": true, + "GoType": "*int", + "OpenSourceOnly": false + }, + { + "Group": "Dataplane: eBPF", + "GroupWithSortPrefix": "22 Dataplane: eBPF", + "NameConfigFile": "BPFMaglevMaxServices", + "NameEnvVar": "FELIX_BPFMaglevMaxServices", + "NameYAML": "bpfMaglevMaxServices", + "NameGoAPI": "BPFMaglevMaxServices", + "StringSchema": "Integer: [1,3000]", + "StringSchemaHTML": "Integer: [1,3000]", + "StringDefault": "100", + "ParsedDefault": "100", + "ParsedDefaultJSON": "100", + "ParsedType": "int", + "YAMLType": "integer", + "YAMLSchema": "Integer: [1,3000]", + "YAMLEnumValues": null, + "YAMLSchemaHTML": "Integer: [1,3000]", + "YAMLDefault": "100", + "Required": false, + "OnParseFailure": "ReplaceWithDefault", + "AllowedConfigSources": "All", + "Description": "The maximum number of expected Maglev-enabled\nservices that Felix will allocate lookup-tables for.", + "DescriptionHTML": "

The maximum number of expected Maglev-enabled\nservices that Felix will allocate lookup-tables for.

", + "UserEditable": true, + "GoType": "*int", + "OpenSourceOnly": false + }, { "Group": "Dataplane: eBPF", "GroupWithSortPrefix": "22 Dataplane: eBPF",