Merged
Original file line number Diff line number Diff line change
Expand Up @@ -1267,6 +1267,33 @@
"GoType": "*bool",
"OpenSourceOnly": false
},
{
"Group": "Dataplane: Common",
"GroupWithSortPrefix": "10 Dataplane: Common",
"NameConfigFile": "CgroupV2Path",
"NameEnvVar": "FELIX_CgroupV2Path",
"NameYAML": "cgroupV2Path",
"NameGoAPI": "CgroupV2Path",
"StringSchema": "String",
"StringSchemaHTML": "String",
"StringDefault": "",
"ParsedDefault": "",
"ParsedDefaultJSON": "\"\"",
"ParsedType": "string",
"YAMLType": "string",
"YAMLSchema": "String.",
"YAMLEnumValues": null,
"YAMLSchemaHTML": "String.",
"YAMLDefault": "",
"Required": false,
"OnParseFailure": "ReplaceWithDefault",
"AllowedConfigSources": "All",
"Description": "Overrides the default location where to find the cgroup hierarchy.",
"DescriptionHTML": "<p>Overrides the default location where to find the cgroup hierarchy.</p>",
"UserEditable": true,
"GoType": "string",
"OpenSourceOnly": false
},
{
"Group": "Dataplane: Common",
"GroupWithSortPrefix": "10 Dataplane: Common",
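Review bot: The `CgroupV2Path` Description says it overrides "the default location" but never names that default, and `StringDefault` is empty, so a reader cannot tell which path Felix uses when the field is unset. State the default location in the Description and say whether the value must be an absolute path. With a plain `String` schema and `AllowedConfigSources` of `All`, it is also unclear from this entry what happens when the configured path does not exist; a sentence on that would help.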
Expand Down Expand Up @@ -7575,6 +7602,33 @@
"GoType": "*v1.Duration",
"OpenSourceOnly": false
},
{
"Group": "Egress gateway",
"GroupWithSortPrefix": "70 Egress gateway",
"NameConfigFile": "EgressIPHostIfacePattern",
"NameEnvVar": "FELIX_EgressIPHostIfacePattern",
"NameYAML": "egressIPHostIfacePattern",
"NameGoAPI": "EgressIPHostIfacePattern",
"StringSchema": "Comma-delimited list of Linux interface names/regex patterns. Regex patterns must start/end with `/`.",
"StringSchemaHTML": "Comma-delimited list of Linux interface names/regex patterns. Regex patterns must start/end with <code>/</code>.",
"StringDefault": "",
"ParsedDefault": "[]",
"ParsedDefaultJSON": "null",
"ParsedType": "[]*regexp.Regexp",
"YAMLType": "string",
"YAMLSchema": "String.",
"YAMLEnumValues": null,
"YAMLSchemaHTML": "String.",
"YAMLDefault": "",
"Required": false,
"OnParseFailure": "ReplaceWithDefault",
"AllowedConfigSources": "All",
"Description": "A comma-separated list of interface names which might send and receive egress traffic\nacross the cluster boundary, after it has left an Egress Gateway pod. Felix will ensure `src_valid_mark` sysctl flags\nare set correctly for matching interfaces.\nTo target multiple interfaces with a single string, the list supports regular expressions.\nFor regular expressions, wrap the value with `/`.\nExample: `/^bond/,eth0` will match all interfaces that begin with `bond` and also the interface `eth0`.",
"DescriptionHTML": "<p>A comma-separated list of interface names which might send and receive egress traffic\nacross the cluster boundary, after it has left an Egress Gateway pod. Felix will ensure <code>src_valid_mark</code> sysctl flags\nare set correctly for matching interfaces.\nTo target multiple interfaces with a single string, the list supports regular expressions.\nFor regular expressions, wrap the value with <code>/</code>.\nExample: <code>/^bond/,eth0</code> will match all interfaces that begin with <code>bond</code> and also the interface <code>eth0</code>.</p>",
"UserEditable": true,
"GoType": "string",
"OpenSourceOnly": false
},
{
"Group": "Egress gateway",
"GroupWithSortPrefix": "70 Egress gateway",
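Review bot: The `EgressIPHostIfacePattern` Description does not say what Felix does with the `src_valid_mark` sysctl when the list is empty, which is the default (`StringDefault` is "" and `ParsedDefault` is "[]"). Add a sentence covering the empty case, and state whether a plain name such as `eth0` is matched exactly while a pattern such as `/^bond/` matches any name with that prefix, so operators can predict which interfaces have the sysctl changed. `ParsedDefault` "[]" next to `ParsedDefaultJSON` "null" also reads as inconsistent and may deserve a check in the generator.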
Original file line number Diff line number Diff line change
Expand Up @@ -1016,10 +1016,10 @@
"Required": false,
"OnParseFailure": "ReplaceWithDefault",
"AllowedConfigSources": "All",
"Description": "Defines the absolute path to the TLS CA certificate file used for securing the /metrics endpoint.\nThis certificate must be valid and accessible by the calico-node process.",
"DescriptionHTML": "<p>Defines the absolute path to the TLS CA certificate file used for securing the /metrics endpoint.\nThis certificate must be valid and accessible by the calico-node process.</p>",
"Description": "The path to the TLS CA file for the Prometheus metrics server.",
"DescriptionHTML": "<p>The path to the TLS CA file for the Prometheus metrics server.</p>",
"UserEditable": true,
"GoType": "*string",
"GoType": "string",
"OpenSourceOnly": false
},
{
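Review bot: The replacement Description for the TLS CA file drops two operational requirements the removed text carried: that the path is absolute and that the file must be accessible by the calico-node process. If those still hold, keep them in the shorter wording, for example "The absolute path to the TLS CA file for the Prometheus metrics server; it must be readable by the calico-node process." The `GoType` change from `*string` to `string` in the same entry also deserves a line in the PR description saying whether unset and empty are still distinguished.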
Expand All @@ -1043,37 +1043,10 @@
"Required": false,
"OnParseFailure": "ReplaceWithDefault",
"AllowedConfigSources": "All",
"Description": "Defines the absolute path to the TLS certificate file used for securing the /metrics endpoint.\nThis certificate must be valid and accessible by the calico-node process.",
"DescriptionHTML": "<p>Defines the absolute path to the TLS certificate file used for securing the /metrics endpoint.\nThis certificate must be valid and accessible by the calico-node process.</p>",
"Description": "The path to the TLS certificate file for the Prometheus metrics server.",
"DescriptionHTML": "<p>The path to the TLS certificate file for the Prometheus metrics server.</p>",
"UserEditable": true,
"GoType": "*string",
"OpenSourceOnly": false
},
{
"Group": "Process: Prometheus metrics",
"GroupWithSortPrefix": "00 Process: Prometheus metrics",
"NameConfigFile": "PrometheusMetricsClientAuth",
"NameEnvVar": "FELIX_PrometheusMetricsClientAuth",
"NameYAML": "prometheusMetricsClientAuth",
"NameGoAPI": "PrometheusMetricsClientAuth",
"StringSchema": "One of: `NoClientCert`, `RequireAndVerifyClientCert`, `RequireAnyClientCert`, `VerifyClientCertIfGiven` (case insensitive)",
"StringSchemaHTML": "One of: <code>NoClientCert</code>, <code>RequireAndVerifyClientCert</code>, <code>RequireAnyClientCert</code>, <code>VerifyClientCertIfGiven</code> (case insensitive)",
"StringDefault": "RequireAndVerifyClientCert",
"ParsedDefault": "RequireAndVerifyClientCert",
"ParsedDefaultJSON": "\"RequireAndVerifyClientCert\"",
"ParsedType": "string",
"YAMLType": "string",
"YAMLSchema": "",
"YAMLEnumValues": null,
"YAMLSchemaHTML": "",
"YAMLDefault": "RequireAndVerifyClientCert",
"Required": false,
"OnParseFailure": "ReplaceWithDefault",
"AllowedConfigSources": "All",
"Description": "Specifies the client authentication type for the /metrics endpoint.\nThis determines how the server validates client certificates. Default is \"RequireAndVerifyClientCert\".",
"DescriptionHTML": "<p>Specifies the client authentication type for the /metrics endpoint.\nThis determines how the server validates client certificates. Default is \"RequireAndVerifyClientCert\".</p>",
"UserEditable": true,
"GoType": "*v3.PrometheusMetricsClientAuthType",
"GoType": "string",
"OpenSourceOnly": false
},
{
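Review bot: With the `PrometheusMetricsClientAuth` entry gone (the lines removed after the certificate-file entry), the reference no longer states how the /metrics endpoint authenticates clients, although the removed default was `RequireAndVerifyClientCert`. If the setting still exists in the build this file documents, keep the entry; if it does not, say in the CA, certificate and key descriptions what client-certificate behaviour the metrics server applies, so operators do not assume client verification is enforced.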
Expand Down Expand Up @@ -1151,10 +1124,10 @@
"Required": false,
"OnParseFailure": "ReplaceWithDefault",
"AllowedConfigSources": "All",
"Description": "Defines the absolute path to the private key file corresponding to the TLS certificate\nused for securing the /metrics endpoint. The private key must be valid and accessible by the calico-node process.",
"DescriptionHTML": "<p>Defines the absolute path to the private key file corresponding to the TLS certificate\nused for securing the /metrics endpoint. The private key must be valid and accessible by the calico-node process.</p>",
"Description": "The path to the TLS private key file for the Prometheus metrics server.",
"DescriptionHTML": "<p>The path to the TLS private key file for the Prometheus metrics server.</p>",
"UserEditable": true,
"GoType": "*string",
"GoType": "string",
"OpenSourceOnly": false
},
{
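Review bot: The new private-key Description no longer says which process reads the key; the removed wording named the calico-node process and required an absolute path. Keeping that detail lets operators restrict the key file's permissions to that process, so consider "The absolute path to the TLS private key file for the Prometheus metrics server, readable by the calico-node process."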
Expand Down Expand Up @@ -1855,6 +1828,63 @@
"GoType": "*bool",
"OpenSourceOnly": false
},
{
"Group": "Dataplane: Common",
"GroupWithSortPrefix": "10 Dataplane: Common",
"NameConfigFile": "IstioAmbientMode",
"NameEnvVar": "FELIX_IstioAmbientMode",
"NameYAML": "istioAmbientMode",
"NameGoAPI": "IstioAmbientMode",
"StringSchema": "One of: `Disabled`, `Enabled` (case insensitive)",
"StringSchemaHTML": "One of: <code>Disabled</code>, <code>Enabled</code> (case insensitive)",
"StringDefault": "Disabled",
"ParsedDefault": "Disabled",
"ParsedDefaultJSON": "\"Disabled\"",
"ParsedType": "string",
"YAMLType": "string",
"YAMLSchema": "One of: `\"Disabled\"`, `\"Enabled\"`.",
"YAMLEnumValues": [
"Disabled",
"Enabled"
],
"YAMLSchemaHTML": "One of: <code>\"Disabled\"</code>, <code>\"Enabled\"</code>.",
"YAMLDefault": "Disabled",
"Required": false,
"OnParseFailure": "ReplaceWithDefault",
"AllowedConfigSources": "All",
"Description": "Configures Felix to work together with Tigera's Istio distribution.",
"DescriptionHTML": "<p>Configures Felix to work together with Tigera's Istio distribution.</p>",
"UserEditable": true,
"GoType": "*v3.IstioAmbientMode",
"OpenSourceOnly": false
},
{
"Group": "Dataplane: Common",
"GroupWithSortPrefix": "10 Dataplane: Common",
"NameConfigFile": "IstioDSCPMark",
"NameEnvVar": "FELIX_IstioDSCPMark",
"NameYAML": "istioDSCPMark",
"NameGoAPI": "IstioDSCPMark",
"StringSchema": "Numeric value: An integer from 0 to 63, representing the 6-bit DSCP code directly; Named value: A case-insensitive string corresponding to a standardized DSCP name (e.g., \"CS0\", \"AF11\", \"AF21\", \"EF\", etc.) as defined in the IANA registry for Differentiated Services Field Codepoints.",
"StringSchemaHTML": "Numeric value: An integer from 0 to 63, representing the 6-bit DSCP code directly; Named value: A case-insensitive string corresponding to a standardized DSCP name (e.g., \"CS0\", \"AF11\", \"AF21\", \"EF\", etc.) as defined in the IANA registry for Differentiated Services Field Codepoints.",
"StringDefault": "23",
"ParsedDefault": "23",
"ParsedDefaultJSON": "23",
"ParsedType": "numorstring.DSCP",
"YAMLType": "integer",
"YAMLSchema": "String.",
"YAMLEnumValues": null,
"YAMLSchemaHTML": "String.",
"YAMLDefault": "",
Comment on lines +1874 to +1878
Copilot AI Feb 3, 2026

For `IstioDSCPMark`, the YAML metadata is internally inconsistent with the string schema and defaults: `YAMLType` is set to `integer` while `YAMLSchema`/`YAMLSchemaHTML` say `String.`, and `YAMLDefault` is empty even though the string/parsed defaults are `23`. To avoid confusing users and keep this entry consistent with other DSCP-style fields, please align `YAMLType`, `YAMLSchema`/HTML, and `YAMLDefault` with the actual accepted value formats and the documented default (`23`).

Suggested change
"YAMLType": "integer",
"YAMLSchema": "String.",
"YAMLEnumValues": null,
"YAMLSchemaHTML": "String.",
"YAMLDefault": "",
"YAMLType": "string",
"YAMLSchema": "Numeric value: An integer from 0 to 63, representing the 6-bit DSCP code directly; Named value: A case-insensitive string corresponding to a standardized DSCP name (e.g., \"CS0\", \"AF11\", \"AF21\", \"EF\", etc.) as defined in the IANA registry for Differentiated Services Field Codepoints.",
"YAMLEnumValues": null,
"YAMLSchemaHTML": "Numeric value: An integer from 0 to 63, representing the 6-bit DSCP code directly; Named value: A case-insensitive string corresponding to a standardized DSCP name (e.g., \"CS0\", \"AF11\", \"AF21\", \"EF\", etc.) as defined in the IANA registry for Differentiated Services Field Codepoints.",
"YAMLDefault": "23",

Copilot uses AI. Check for mistakes.
"Required": false,
"OnParseFailure": "ReplaceWithDefault",
"AllowedConfigSources": "All",
"Description": "Sets the value to use when directing traffic to Istio ZTunnel, when Istio is enabled. The mark is set only on\nSYN packets at the final hop to avoid interference with other protocols. This value is reserved by Calico and must not be used\nwith other Istio installation.",
"DescriptionHTML": "<p>Sets the value to use when directing traffic to Istio ZTunnel, when Istio is enabled. The mark is set only on\nSYN packets at the final hop to avoid interference with other protocols. This value is reserved by Calico and must not be used\nwith other Istio installation.</p>",
Comment on lines +1882 to +1883
Copilot AI Feb 3, 2026

In the `IstioDSCPMark` description text, the phrase `must not be used with other Istio installation` is ungrammatical; it should say `any other Istio installation` or `other Istio installations`. Please update both the plain-text and HTML descriptions to use correct grammar so the restriction is clear to readers.

Suggested change
"Description": "Sets the value to use when directing traffic to Istio ZTunnel, when Istio is enabled. The mark is set only on\nSYN packets at the final hop to avoid interference with other protocols. This value is reserved by Calico and must not be used\nwith other Istio installation.",
"DescriptionHTML": "<p>Sets the value to use when directing traffic to Istio ZTunnel, when Istio is enabled. The mark is set only on\nSYN packets at the final hop to avoid interference with other protocols. This value is reserved by Calico and must not be used\nwith other Istio installation.</p>",
"Description": "Sets the value to use when directing traffic to Istio ZTunnel, when Istio is enabled. The mark is set only on\nSYN packets at the final hop to avoid interference with other protocols. This value is reserved by Calico and must not be used\nwith any other Istio installation.",
"DescriptionHTML": "<p>Sets the value to use when directing traffic to Istio ZTunnel, when Istio is enabled. The mark is set only on\nSYN packets at the final hop to avoid interference with other protocols. This value is reserved by Calico and must not be used\nwith any other Istio installation.</p>",

Copilot uses AI. Check for mistakes.
"UserEditable": true,
"GoType": "*numorstring.DSCP",
"OpenSourceOnly": false
},
{
"Group": "Dataplane: Common",
"GroupWithSortPrefix": "10 Dataplane: Common",
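Review bot: The `IstioDSCPMark` Description says the mark applies "when Istio is enabled" without naming the setting that enables it, and the `IstioAmbientMode` Description earlier in this hunk is a single line that does not say what `Enabled` changes. Reference `IstioAmbientMode` by name in the DSCP text and expand its own Description. Since the entry calls the value reserved by Calico, it should also say what happens to traffic that already carries DSCP 23 from another source.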
Expand Down Expand Up @@ -3746,33 +3776,6 @@
"GoType": "*v3.BPFHostNetworkedNATType",
"OpenSourceOnly": false
},
{
"Group": "Dataplane: eBPF",
"GroupWithSortPrefix": "22 Dataplane: eBPF",
"NameConfigFile": "BPFJITHardening",
"NameEnvVar": "FELIX_BPFJITHardening",
"NameYAML": "bpfJITHardening",
"NameGoAPI": "BPFJITHardening",
"StringSchema": "One of: `Auto`, `Strict` (case insensitive)",
"StringSchemaHTML": "One of: <code>Auto</code>, <code>Strict</code> (case insensitive)",
"StringDefault": "Auto",
"ParsedDefault": "Auto",
"ParsedDefaultJSON": "\"Auto\"",
"ParsedType": "string",
"YAMLType": "string",
"YAMLSchema": "",
"YAMLEnumValues": null,
"YAMLSchemaHTML": "",
"YAMLDefault": "Auto",
"Required": true,
"OnParseFailure": "ReplaceWithDefault",
"AllowedConfigSources": "All",
"Description": "Controls BPF JIT hardening. When set to \"Auto\", Felix will set JIT hardening to 1\nif it detects the current value is 2 (strict mode that hurts performance). When set to \"Strict\",\nFelix will not modify the JIT hardening setting.",
"DescriptionHTML": "<p>Controls BPF JIT hardening. When set to \"Auto\", Felix will set JIT hardening to 1\nif it detects the current value is 2 (strict mode that hurts performance). When set to \"Strict\",\nFelix will not modify the JIT hardening setting.</p>",
"UserEditable": true,
"GoType": "*v3.BPFJITHardeningType",
"OpenSourceOnly": false
},
{
"Group": "Dataplane: eBPF",
"GroupWithSortPrefix": "22 Dataplane: eBPF",
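Review bot: Removing the `BPFJITHardening` entry drops the only statement that, under the `Auto` default, Felix sets JIT hardening to 1 when it finds the value at 2. Confirm that the parameter and that behaviour are absent from the code this reference is generated for; if Felix can still change the setting, the entry needs to stay so operators who rely on strict JIT hardening know to set `Strict`.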
Expand Down Expand Up @@ -3800,33 +3803,6 @@
"GoType": "*bool",
"OpenSourceOnly": false
},
{
"Group": "Dataplane: eBPF",
"GroupWithSortPrefix": "22 Dataplane: eBPF",
"NameConfigFile": "BPFKubeProxyHealthzPort",
"NameEnvVar": "FELIX_BPFKubeProxyHealthzPort",
"NameYAML": "bpfKubeProxyHealthzPort",
"NameGoAPI": "BPFKubeProxyHealthzPort",
"StringSchema": "Integer",
"StringSchemaHTML": "Integer",
"StringDefault": "10256",
"ParsedDefault": "10256",
"ParsedDefaultJSON": "10256",
"ParsedType": "int",
"YAMLType": "integer",
"YAMLSchema": "Integer",
"YAMLEnumValues": null,
"YAMLSchemaHTML": "Integer",
"YAMLDefault": "10256",
"Required": true,
"OnParseFailure": "ReplaceWithDefault",
"AllowedConfigSources": "All",
"Description": "In BPF mode, controls the port that Felix's embedded kube-proxy health check server binds to.\nThe health check server is used by external load balancers to determine if this node should receive traffic.",
"DescriptionHTML": "<p>In BPF mode, controls the port that Felix's embedded kube-proxy health check server binds to.\nThe health check server is used by external load balancers to determine if this node should receive traffic.</p>",
"UserEditable": true,
"GoType": "*int",
"OpenSourceOnly": false
},
{
"Group": "Dataplane: eBPF",
"GroupWithSortPrefix": "22 Dataplane: eBPF",
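Review bot: With the `BPFKubeProxyHealthzPort` entry removed, the reference no longer documents the port (default 10256) that Felix's embedded kube-proxy health check server binds to in BPF mode. Confirm the option is really absent in this build; if the server still listens, keep the entry so the port can be accounted for in host firewall rules and load balancer health checks.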
Expand Down Expand Up @@ -4330,25 +4306,26 @@
"NameEnvVar": "FELIX_BPFRedirectToPeer",
"NameYAML": "bpfRedirectToPeer",
"NameGoAPI": "BPFRedirectToPeer",
"StringSchema": "One of: `Disabled`, `Enabled` (case insensitive)",
"StringSchemaHTML": "One of: <code>Disabled</code>, <code>Enabled</code> (case insensitive)",
"StringSchema": "One of: `Disabled`, `Enabled`, `L2Only` (case insensitive)",
"StringSchemaHTML": "One of: <code>Disabled</code>, <code>Enabled</code>, <code>L2Only</code> (case insensitive)",
"StringDefault": "Disabled",
"ParsedDefault": "Disabled",
"ParsedDefaultJSON": "\"Disabled\"",
"ParsedType": "string",
"YAMLType": "string",
"YAMLSchema": "One of: `\"Disabled\"`, `\"Enabled\"`.",
"YAMLSchema": "One of: `\"Disabled\"`, `\"Enabled\"`, `\"L2Only\"`.",
"YAMLEnumValues": [
"Disabled",
"Enabled"
"Enabled",
"L2Only"
],
"YAMLSchemaHTML": "One of: <code>\"Disabled\"</code>, <code>\"Enabled\"</code>.",
"YAMLSchemaHTML": "One of: <code>\"Disabled\"</code>, <code>\"Enabled\"</code>, <code>\"L2Only\"</code>.",
"YAMLDefault": "Disabled",
"Required": true,
"OnParseFailure": "ReplaceWithDefault",
"AllowedConfigSources": "All",
"Description": "Controls whether traffic may be forwarded directly to the peer side of a workload’s device.\nNote that the legacy \"L2Only\" option is now deprecated and if set it is treated like \"Enabled\".\nSetting this option to \"Enabled\" allows direct redirection (including from L3 host devices such as IPIP tunnels or WireGuard),\nwhich can improve redirection performance but causes the redirected packets to bypass the host‑side ingress path.\nAs a result, packet‑capture tools on the host side of the workload device (for example, tcpdump) will not see that traffic.",
"DescriptionHTML": "<p>Controls whether traffic may be forwarded directly to the peer side of a workload’s device.\nNote that the legacy \"L2Only\" option is now deprecated and if set it is treated like \"Enabled\".\nSetting this option to \"Enabled\" allows direct redirection (including from L3 host devices such as IPIP tunnels or WireGuard),\nwhich can improve redirection performance but causes the redirected packets to bypass the host‑side ingress path.\nAs a result, packet‑capture tools on the host side of the workload device (for example, tcpdump) will not see that traffic.</p>",
"Description": "Controls which whether it is allowed to forward straight to the\npeer side of the workload devices. It is allowed for any host L2 devices by default\n(L2Only), but it breaks TCP dump on the host side of workload device as it bypasses\nit on ingress. Value of Enabled also allows redirection from L3 host devices like\nIPIP tunnel or Wireguard directly to the peer side of the workload's device. This\nmakes redirection faster, however, it breaks tools like tcpdump on the peer side.\nUse Enabled with caution.",
"DescriptionHTML": "<p>Controls which whether it is allowed to forward straight to the\npeer side of the workload devices. It is allowed for any host L2 devices by default\n(L2Only), but it breaks TCP dump on the host side of workload device as it bypasses\nit on ingress. Value of Enabled also allows redirection from L3 host devices like\nIPIP tunnel or Wireguard directly to the peer side of the workload's device. This\nmakes redirection faster, however, it breaks tools like tcpdump on the peer side.\nUse Enabled with caution.</p>",
Comment on lines +4327 to +4328
Copilot AI Feb 3, 2026

For `BPFRedirectToPeer`, the documented defaults conflict with the prose description: `StringDefault`/`YAMLDefault` are "Disabled", but the description states that forwarding from host L2 devices is allowed "by default (L2Only)". Please update either the default fields or the description text so they agree on the actual default behavior for this option.

Suggested change
"Description": "Controls which whether it is allowed to forward straight to the\npeer side of the workload devices. It is allowed for any host L2 devices by default\n(L2Only), but it breaks TCP dump on the host side of workload device as it bypasses\nit on ingress. Value of Enabled also allows redirection from L3 host devices like\nIPIP tunnel or Wireguard directly to the peer side of the workload's device. This\nmakes redirection faster, however, it breaks tools like tcpdump on the peer side.\nUse Enabled with caution.",
"DescriptionHTML": "<p>Controls which whether it is allowed to forward straight to the\npeer side of the workload devices. It is allowed for any host L2 devices by default\n(L2Only), but it breaks TCP dump on the host side of workload device as it bypasses\nit on ingress. Value of Enabled also allows redirection from L3 host devices like\nIPIP tunnel or Wireguard directly to the peer side of the workload's device. This\nmakes redirection faster, however, it breaks tools like tcpdump on the peer side.\nUse Enabled with caution.</p>",
"Description": "Controls which whether it is allowed to forward straight to the\npeer side of the workload devices. When set to L2Only, it is allowed for any host L2 devices,\nbut it breaks TCP dump on the host side of workload device as it bypasses\nit on ingress. Value of Enabled also allows redirection from L3 host devices like\nIPIP tunnel or Wireguard directly to the peer side of the workload's device. This\nmakes redirection faster, however, it breaks tools like tcpdump on the peer side.\nUse Enabled with caution.",
"DescriptionHTML": "<p>Controls which whether it is allowed to forward straight to the\npeer side of the workload devices. When set to L2Only, it is allowed for any host L2 devices,\nbut it breaks TCP dump on the host side of workload device as it bypasses\nit on ingress. Value of Enabled also allows redirection from L3 host devices like\nIPIP tunnel or Wireguard directly to the peer side of the workload's device. This\nmakes redirection faster, however, it breaks tools like tcpdump on the peer side.\nUse Enabled with caution.</p>",

Copilot uses AI. Check for mistakes.
Comment on lines +4327 to +4328
Copilot AI Feb 3, 2026

The `BPFRedirectToPeer` description contains a few wording issues that make it harder to read: `Controls which whether it is allowed` is grammatically incorrect, `TCP dump` should be `tcpdump` (or at least be consistent with other docs), and `Wireguard` should be `WireGuard`. Please tidy up the text (and matching HTML) to fix these typos while keeping the semantics the same.

Suggested change
"Description": "Controls which whether it is allowed to forward straight to the\npeer side of the workload devices. It is allowed for any host L2 devices by default\n(L2Only), but it breaks TCP dump on the host side of workload device as it bypasses\nit on ingress. Value of Enabled also allows redirection from L3 host devices like\nIPIP tunnel or Wireguard directly to the peer side of the workload's device. This\nmakes redirection faster, however, it breaks tools like tcpdump on the peer side.\nUse Enabled with caution.",
"DescriptionHTML": "<p>Controls which whether it is allowed to forward straight to the\npeer side of the workload devices. It is allowed for any host L2 devices by default\n(L2Only), but it breaks TCP dump on the host side of workload device as it bypasses\nit on ingress. Value of Enabled also allows redirection from L3 host devices like\nIPIP tunnel or Wireguard directly to the peer side of the workload's device. This\nmakes redirection faster, however, it breaks tools like tcpdump on the peer side.\nUse Enabled with caution.</p>",
"Description": "Controls whether it is allowed to forward straight to the\npeer side of the workload devices. It is allowed for any host L2 devices by default\n(L2Only), but it breaks tcpdump on the host side of workload device as it bypasses\nit on ingress. Value of Enabled also allows redirection from L3 host devices like\nIPIP tunnel or WireGuard directly to the peer side of the workload's device. This\nmakes redirection faster, however, it breaks tools like tcpdump on the peer side.\nUse Enabled with caution.",
"DescriptionHTML": "<p>Controls whether it is allowed to forward straight to the\npeer side of the workload devices. It is allowed for any host L2 devices by default\n(L2Only), but it breaks tcpdump on the host side of workload device as it bypasses\nit on ingress. Value of Enabled also allows redirection from L3 host devices like\nIPIP tunnel or WireGuard directly to the peer side of the workload's device. This\nmakes redirection faster, however, it breaks tools like tcpdump on the peer side.\nUse Enabled with caution.</p>",

Copilot uses AI. Check for mistakes.
"UserEditable": true,
"GoType": "string",
"OpenSourceOnly": false
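Review bot: The `BPFRedirectToPeer` Description no longer tells readers that `L2Only` is deprecated and treated like `Enabled`, as the removed text did, yet the enum lines in this hunk list `L2Only` as a third value. The added text is also inconsistent about packet capture: it says `L2Only` breaks capture "on the host side of workload device" and `Enabled` breaks tcpdump "on the peer side", whereas the removed text said host-side capture tools will not see redirected traffic. Please state which behaviour matches the code and say precisely where traffic becomes invisible to capture, because operators rely on this when deciding whether host-side capture can be trusted.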