
Installation reference

The Kubernetes resources below configure Calico Cloud installation when using the operator. Each resource is responsible for installing and configuring a different subsystem of Calico Cloud during installation. Most options can be modified on a running cluster using kubectl.

Packages:

operator.tigera.io/v1

API Schema definitions for configuring the installation of Calico and Calico Enterprise

Resource Types:

APIServer

APIServer installs the Tigera API server and related resources. At most one instance of this resource is supported. It must be named “tigera-secure”.

Field | Description
apiVersion
string

operator.tigera.io/v1

kind
string

APIServer

metadata
Kubernetes meta/v1.ObjectMeta

Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
APIServerSpec

Specification of the desired state for the Tigera API server.



status
APIServerStatus

Most recently observed status for the Tigera API server.

AmazonCloudIntegration

AmazonCloudIntegration is the Schema for the amazoncloudintegrations API

Field | Description
apiVersion
string

operator.tigera.io/v1

kind
string

AmazonCloudIntegration

metadata
Kubernetes meta/v1.ObjectMeta

Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
AmazonCloudIntegrationSpec


defaultPodMetadataAccess
MetadataAccessAllowedType
(Optional)

DefaultPodMetadataAccess defines what the default behavior will be for accessing the AWS metadata service from a pod. Default: Denied

nodeSecurityGroupIDs
[]string

NodeSecurityGroupIDs is a list of Security Group IDs that all nodes and masters will be in.

podSecurityGroupID
string

PodSecurityGroupID is the ID of the Security Group which all pods should be placed in by default.

vpcs
[]string

VPCS is a list of VPC IDs to monitor for ENIs and Security Groups; only one VPC is supported.

sqsURL
string

SQSURL is the SQS URL needed to access the Simple Queue Service.

awsRegion
string

AWSRegion is the region in which your cluster is located.

enforcedSecurityGroupID
string

EnforcedSecurityGroupID is the ID of the Security Group which will be applied to all ENIs that are on a host that is also part of the Kubernetes cluster.

trustEnforcedSecurityGroupID
string

TrustEnforcedSecurityGroupID is the ID of the Security Group which will be applied to all ENIs in the VPC.

status
AmazonCloudIntegrationStatus

ApplicationLayer

ApplicationLayer is the Schema for the applicationlayers API

Field | Description
apiVersion
string

operator.tigera.io/v1

kind
string

ApplicationLayer

metadata
Kubernetes meta/v1.ObjectMeta

Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
ApplicationLayerSpec


logCollection
LogCollectionSpec

Specification for application layer (L7) log collection.

status
ApplicationLayerStatus

Authentication

Authentication is the Schema for the authentications API

Field | Description
apiVersion
string

operator.tigera.io/v1

kind
string

Authentication

metadata
Kubernetes meta/v1.ObjectMeta

Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
AuthenticationSpec


managerDomain
string

ManagerDomain is the domain name of the Manager

usernamePrefix
string
(Optional)

If specified, UsernamePrefix is prepended to each user obtained from the identity provider. Note that Kibana does not support a user prefix, so this prefix is removed from Kubernetes User when translating log access ClusterRoleBindings into Elastic.

groupsPrefix
string
(Optional)

If specified, GroupsPrefix is prepended to each group obtained from the identity provider. Note that Kibana does not support a groups prefix, so this prefix is removed from Kubernetes Groups when translating log access ClusterRoleBindings into Elastic.

oidc
AuthenticationOIDC
(Optional)

OIDC contains the configuration needed to set up OIDC authentication.

openshift
AuthenticationOpenshift
(Optional)

Openshift contains the configuration needed to set up Openshift OAuth authentication.

ldap
AuthenticationLDAP
(Optional)

LDAP contains the configuration needed to set up LDAP authentication.

status
AuthenticationStatus

Compliance

Compliance installs the components required for Tigera compliance reporting. At most one instance of this resource is supported. It must be named “tigera-secure”.

Field | Description
apiVersion
string

operator.tigera.io/v1

kind
string

Compliance

metadata
Kubernetes meta/v1.ObjectMeta

Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
ComplianceSpec

Specification of the desired state for Tigera compliance reporting.



status
ComplianceStatus

Most recently observed state for Tigera compliance reporting.

ImageSet

ImageSet is used to specify image digests for the images that the operator deploys. The name of the ImageSet is expected to be in the format <variant>-<release>. The variant used is enterprise if the InstallationSpec Variant is TigeraSecureEnterprise, otherwise it is calico. The release must match the version of the variant that the operator is built to deploy; this version can be obtained by passing the --version flag to the operator binary.

Field | Description
apiVersion
string

operator.tigera.io/v1

kind
string

ImageSet

metadata
Kubernetes meta/v1.ObjectMeta

Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
ImageSetSpec


images
[]Image

Images is the list of images to use digests. All images that the operator will deploy must be specified.

Installation

Installation configures an installation of Calico or Calico Enterprise. At most one instance of this resource is supported. It must be named “default”. The Installation API installs core networking and network policy components, and provides general install-time configuration.

Field | Description
apiVersion
string

operator.tigera.io/v1

kind
string

Installation

metadata
Kubernetes meta/v1.ObjectMeta

Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
InstallationSpec

Specification of the desired state for the Calico or Calico Enterprise installation.



variant
ProductVariant
(Optional)

Variant is the product to install, one of Calico or TigeraSecureEnterprise. Default: Calico

registry
string
(Optional)

Registry is the default Docker registry used for component Docker images. If specified then the given value must end with a slash character (/) and all images will be pulled from this registry. If not specified then the default registries will be used. A special case value, UseDefault, is supported to explicitly specify the default registries will be used.

Image format: <registry><imagePath>/<imagePrefix><imageName>:<image-tag>

This option allows configuring the <registry> portion of the above format.

imagePath
string
(Optional)

ImagePath allows for the path part of an image to be specified. If specified then the specified value will be used as the image path for each image. If not specified or empty, the default for each image will be used. A special case value, UseDefault, is supported to explicitly specify the default image path will be used for each image.

Image format: <registry><imagePath>/<imagePrefix><imageName>:<image-tag>

This option allows configuring the <imagePath> portion of the above format.

imagePrefix
string
(Optional)

ImagePrefix allows for the prefix part of an image to be specified. If specified then the given value will be used as a prefix on each image. If not specified or empty, no prefix will be used. A special case value, UseDefault, is supported to explicitly specify the default image prefix will be used for each image.

Image format: <registry><imagePath>/<imagePrefix><imageName>:<image-tag>

This option allows configuring the <imagePrefix> portion of the above format.

imagePullSecrets
[]Kubernetes core/v1.LocalObjectReference
(Optional)

ImagePullSecrets is an array of references to container registry pull secrets to use. These are applied to all images to be pulled.

kubernetesProvider
Provider
(Optional)

KubernetesProvider specifies a particular provider of the Kubernetes platform and enables provider-specific configuration. If the specified value is empty, the Operator will attempt to automatically determine the current provider. If the specified value is not empty, the Operator will still attempt auto-detection, but will additionally compare the auto-detected value to the specified value to confirm they match.

cni
CNISpec
(Optional)

CNI specifies the CNI that will be used by this installation.

calicoNetwork
CalicoNetworkSpec
(Optional)

CalicoNetwork specifies networking configuration options for Calico.

typhaAffinity
TyphaAffinity
(Optional)

TyphaAffinity allows configuration of node affinity characteristics for Typha pods.

controlPlaneNodeSelector
map[string]string
(Optional)

ControlPlaneNodeSelector is used to select control plane nodes on which to run Calico components. This is globally applied to all resources created by the operator excluding daemonsets.

controlPlaneTolerations
[]Kubernetes core/v1.Toleration
(Optional)

ControlPlaneTolerations specify tolerations which are then globally applied to all resources created by the operator.

controlPlaneReplicas
int32
(Optional)

ControlPlaneReplicas defines how many replicas of the control plane core components will be deployed. This field applies to all control plane components that support High Availability. Defaults to 2.

nodeMetricsPort
int32
(Optional)

NodeMetricsPort specifies which port calico/node serves prometheus metrics on. By default, metrics are not enabled. If specified, this overrides any FelixConfiguration resources which may exist. If omitted, then prometheus metrics may still be configured through FelixConfiguration.

typhaMetricsPort
int32
(Optional)

TyphaMetricsPort specifies which port calico/typha serves prometheus metrics on. By default, metrics are not enabled.

flexVolumePath
string
(Optional)

FlexVolumePath optionally specifies a custom path for FlexVolume. If not specified, FlexVolume will be enabled by default. If set to ‘None’, FlexVolume will be disabled. The default is based on the kubernetesProvider.

nodeUpdateStrategy
Kubernetes apps/v1.DaemonSetUpdateStrategy
(Optional)

NodeUpdateStrategy can be used to customize the desired update strategy, such as the MaxUnavailable field.

componentResources
[]ComponentResource
(Optional)

ComponentResources can be used to customize the resource requirements for each component. Node, Typha, and KubeControllers are supported for installations.

certificateManagement
CertificateManagement
(Optional)

CertificateManagement configures pods to submit a CertificateSigningRequest to the certificates.k8s.io/v1beta1 API in order to obtain TLS certificates. This feature requires that you bring your own CSR signing and approval process, otherwise pods will be stuck during initialization.

nonPrivileged
NonPrivilegedType
(Optional)

NonPrivileged configures Calico to be run in non-privileged containers as non-root users where possible.

status
InstallationStatus

Most recently observed state for the Calico or Calico Enterprise installation.
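
As an added example (not from the page or the Tigera operator project), the manifest below is an Installation that pulls every component image from a private mirror using the registry, imagePath, imagePrefix and imagePullSecrets fields described above. The registry host, path, prefix, secret name and port numbers are placeholders chosen for the example.

```yaml
# Added example: Installation using a private image mirror.
# Host, path, prefix and secret name are placeholders.
apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
  name: default                    # the page requires exactly this name
spec:
  variant: Calico
  kubernetesProvider: EKS          # the operator still auto-detects and checks that it matches
  # Resulting reference: <registry><imagePath>/<imagePrefix><imageName>:<image-tag>
  registry: registry.example.com/  # a specified registry must end with "/"
  imagePath: mirrors/calico        # "UseDefault" would keep each image's default path
  imagePrefix: hardened-           # "UseDefault" would keep the default (empty) prefix
  imagePullSecrets:
    - name: private-registry-creds # applied to every image the operator pulls
  controlPlaneReplicas: 2          # the documented default for HA-capable components
  nodeMetricsPort: 9091            # overrides any metrics port set in FelixConfiguration
  typhaMetricsPort: 9093
```

Following the image format given above, with these values the image the page refers to as calico/node is pulled as registry.example.com/mirrors/calico/hardened-node:<image-tag>. A registry value without the trailing slash does not match the documented format, and nodeMetricsPort set here takes precedence over FelixConfiguration, so this resource is the first place to check when node metrics are not where monitoring expects them.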

IntrusionDetection

IntrusionDetection installs the components required for Tigera intrusion detection. At most one instance of this resource is supported. It must be named “tigera-secure”.

Field | Description
apiVersion
string

operator.tigera.io/v1

kind
string

IntrusionDetection

metadata
Kubernetes meta/v1.ObjectMeta

Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
IntrusionDetectionSpec

Specification of the desired state for Tigera intrusion detection.



componentResources
[]IntrusionDetectionComponentResource
(Optional)

ComponentResources can be used to customize the resource requirements for each component. Only DeepPacketInspection is supported for this spec.

status
IntrusionDetectionStatus

Most recently observed state for Tigera intrusion detection.

LogCollector

LogCollector installs the components required for Tigera flow and DNS log collection. At most one instance of this resource is supported. It must be named “tigera-secure”. When created, this installs fluentd on all nodes configured to collect Tigera log data and export it to Tigera’s Elasticsearch cluster as well as any additionally configured destinations.

Field | Description
apiVersion
string

operator.tigera.io/v1

kind
string

LogCollector

metadata
Kubernetes meta/v1.ObjectMeta

Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
LogCollectorSpec

Specification of the desired state for Tigera log collection.



additionalStores
AdditionalLogStoreSpec
(Optional)

Configuration for exporting flow, audit, and DNS logs to external storage.

additionalSources
AdditionalLogSourceSpec
(Optional)

Configuration for importing audit logs from managed kubernetes cluster log sources.

collectProcessPath
CollectProcessPathOption
(Optional)

Configuration for enabling/disabling process path collection in flowlogs. If Enabled, this feature sets hostPID to true in order to read process cmdline. Default: Enabled

status
LogCollectorStatus

Most recently observed state for Tigera log collection.

LogStorage

LogStorage installs the components required for Tigera flow and DNS log storage. At most one instance of this resource is supported. It must be named “tigera-secure”. When created, this installs an Elasticsearch cluster for use by Calico Enterprise.

Field | Description
apiVersion
string

operator.tigera.io/v1

kind
string

LogStorage

metadata
Kubernetes meta/v1.ObjectMeta

Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
LogStorageSpec

Specification of the desired state for Tigera log storage.



nodes
Nodes

Nodes defines the configuration for a set of identical Elasticsearch cluster nodes, each of type master, data, and ingest.

indices
Indices
(Optional)

Indices defines the configuration for the indices in the Elasticsearch cluster.

retention
Retention
(Optional)

Retention defines how long data is retained in the Elasticsearch cluster before it is cleared.

storageClassName
string
(Optional)

StorageClassName will populate the PersistentVolumeClaim.StorageClassName that is used to provision disks to the Tigera Elasticsearch cluster. The StorageClassName should only be modified when no LogStorage is currently active. We recommend choosing a storage class dedicated to Tigera LogStorage only. Otherwise, data retention cannot be guaranteed during upgrades. Default: tigera-elasticsearch

dataNodeSelector
map[string]string
(Optional)

DataNodeSelector gives you more control over the node that Elasticsearch will run on. The contents of DataNodeSelector will be added to the PodSpec of the Elasticsearch nodes. For the pod to be eligible to run on a node, the node must have each of the indicated key-value pairs as labels as well as access to the specified StorageClassName.

componentResources
[]LogStorageComponentResource
(Optional)

ComponentResources can be used to customize the resource requirements for each component. Only ECKOperator is supported for this spec.

status
LogStorageStatus

Most recently observed state for Tigera log storage.

ManagementCluster

The presence of ManagementCluster in your cluster will configure it to be the management plane to which managed clusters can connect. At most one instance of this resource is supported. It must be named “tigera-secure”.

Field | Description
apiVersion
string

operator.tigera.io/v1

kind
string

ManagementCluster

metadata
Kubernetes meta/v1.ObjectMeta

Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
ManagementClusterSpec


address
string
(Optional)

This field specifies the externally reachable address to which your managed cluster will connect. When a managed cluster is added, this field is used to populate an easy-to-apply manifest that will connect both clusters. Valid examples are: “0.0.0.0:31000”, “example.com:32000”, “[::1]:32500”

ManagementClusterConnection

ManagementClusterConnection represents a link between a managed cluster and a management cluster. At most one instance of this resource is supported. It must be named “tigera-secure”.

Field | Description
apiVersion
string

operator.tigera.io/v1

kind
string

ManagementClusterConnection

metadata
Kubernetes meta/v1.ObjectMeta

Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
ManagementClusterConnectionSpec


managementClusterAddr
string
(Optional)

Specify where the managed cluster can reach the management cluster. Ex.: “10.128.0.10:30449”. A managed cluster should be able to access this address. This field is used by managed clusters only.
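
The two sides of the link that ManagementCluster and ManagementClusterConnection describe, written out as an added example that is not part of the original page: the first manifest is applied on the management cluster, the second on each managed cluster. The address example.com:32000 is one of the forms the page lists as valid; the resource names are the ones the page requires.

```yaml
# Added example: applied on the management cluster.
apiVersion: operator.tigera.io/v1
kind: ManagementCluster
metadata:
  name: tigera-secure
spec:
  address: example.com:32000          # externally reachable host:port for managed clusters
---
# Added example: applied on each managed cluster.
apiVersion: operator.tigera.io/v1
kind: ManagementClusterConnection
metadata:
  name: tigera-secure
spec:
  managementClusterAddr: example.com:32000   # must match the address above and be reachable from here
```

The address field on the management side is what the operator uses to generate the connection manifest for a new managed cluster, so the value in managementClusterAddr should normally be exactly that address; a mismatch between the two is the usual reason a managed cluster never appears as connected.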

Manager

Manager installs the Calico Enterprise manager graphical user interface. At most one instance of this resource is supported. It must be named “tigera-secure”.

Field | Description
apiVersion
string

operator.tigera.io/v1

kind
string

Manager

metadata
Kubernetes meta/v1.ObjectMeta

Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
ManagerSpec

Specification of the desired state for the Calico Enterprise manager.



auth
Auth
(Optional)

Deprecated. Please use the Authentication CR for configuring authentication.

status
ManagerStatus

Most recently observed state for the Calico Enterprise manager.

Monitor

Monitor is the Schema for the monitor API. At most one instance of this resource is supported. It must be named “tigera-secure”.

Field | Description
apiVersion
string

operator.tigera.io/v1

kind
string

Monitor

metadata
Kubernetes meta/v1.ObjectMeta

Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
MonitorSpec


status
MonitorStatus

TigeraStatus

TigeraStatus represents the most recently observed status for Calico or a Calico Enterprise functional area.

Field | Description
apiVersion
string

operator.tigera.io/v1

kind
string

TigeraStatus

metadata
Kubernetes meta/v1.ObjectMeta

Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
TigeraStatusSpec


status
TigeraStatusStatus

APIServerSpec

(Appears on: APIServer)

APIServerSpec defines the desired state of Tigera API server.

APIServerStatus

(Appears on: APIServer)

APIServerStatus defines the observed state of Tigera API server.

Field | Description
state
string

State provides user-readable status.

AdditionalLogSourceSpec

(Appears on: LogCollectorSpec)

Field | Description
eksCloudwatchLog
EksCloudwatchLogsSpec
(Optional)

If specified with EKS Provider in Installation, enables fetching EKS audit logs.

AdditionalLogStoreSpec

(Appears on: LogCollectorSpec)

Field | Description
s3
S3StoreSpec
(Optional)

If specified, enables exporting of flow, audit, and DNS logs to Amazon S3 storage.

syslog
SyslogStoreSpec
(Optional)

If specified, enables exporting of flow, audit, and DNS logs to syslog.

splunk
SplunkStoreSpec
(Optional)

If specified, enables exporting of flow, audit, and DNS logs to splunk.

AmazonCloudIntegrationSpec

(Appears on: AmazonCloudIntegration)

AmazonCloudIntegrationSpec defines the desired state of AmazonCloudIntegration.

Field | Description
defaultPodMetadataAccess
MetadataAccessAllowedType
(Optional)

DefaultPodMetadataAccess defines what the default behavior will be for accessing the AWS metadata service from a pod. Default: Denied

nodeSecurityGroupIDs
[]string

NodeSecurityGroupIDs is a list of Security Group IDs that all nodes and masters will be in.

podSecurityGroupID
string

PodSecurityGroupID is the ID of the Security Group which all pods should be placed in by default.

vpcs
[]string

VPCS is a list of VPC IDs to monitor for ENIs and Security Groups; only one VPC is supported.

sqsURL
string

SQSURL is the SQS URL needed to access the Simple Queue Service.

awsRegion
string

AWSRegion is the region in which your cluster is located.

enforcedSecurityGroupID
string

EnforcedSecurityGroupID is the ID of the Security Group which will be applied to all ENIs that are on a host that is also part of the Kubernetes cluster.

trustEnforcedSecurityGroupID
string

TrustEnforcedSecurityGroupID is the ID of the Security Group which will be applied to all ENIs in the VPC.
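
An added example (not from the page or the Tigera operator project) of an AmazonCloudIntegration that keeps the documented default of denying pods access to the AWS metadata service while wiring up the VPC, queue and security groups the spec requires. The resource name is an assumption, since the page states no required name for this kind; the region, VPC ID, SQS URL and security group IDs are placeholders.

```yaml
# Added example: AmazonCloudIntegration with pod metadata access denied.
# Name, region, VPC, SQS URL and security group IDs are placeholders.
apiVersion: operator.tigera.io/v1
kind: AmazonCloudIntegration
metadata:
  name: tigera-secure                   # assumed; the page does not fix a name for this resource
spec:
  defaultPodMetadataAccess: Denied      # the documented default: pods cannot reach the metadata service
  awsRegion: us-east-1
  vpcs:
    - vpc-0123456789abcdef0             # only one VPC is supported
  sqsURL: https://sqs.us-east-1.amazonaws.com/123456789012/tigera-cloud-integration
  nodeSecurityGroupIDs:
    - sg-0a1b2c3d4e5f60001              # group every node and master belongs to
  podSecurityGroupID: sg-0a1b2c3d4e5f60002        # default group for pods
  enforcedSecurityGroupID: sg-0a1b2c3d4e5f60003   # applied to ENIs on cluster hosts
  trustEnforcedSecurityGroupID: sg-0a1b2c3d4e5f60004   # applied to all ENIs in the VPC
```

Leaving defaultPodMetadataAccess at Denied (or stating it explicitly, as here) is the setting to keep unless a workload has a documented need for instance credentials; the field is the single switch that decides whether an arbitrary pod can read the node's IAM role credentials from the metadata endpoint.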

AmazonCloudIntegrationStatus

(Appears on: AmazonCloudIntegration)

AmazonCloudIntegrationStatus defines the observed state of AmazonCloudIntegration.

Field | Description
state
string

State provides user-readable status.

ApplicationLayerSpec

(Appears on: ApplicationLayer)

ApplicationLayerSpec defines the desired state of ApplicationLayer.

Field | Description
logCollection
LogCollectionSpec

Specification for application layer (L7) log collection.

ApplicationLayerStatus

(Appears on: ApplicationLayer)

ApplicationLayerStatus defines the observed state of ApplicationLayer.

Field | Description
state
string

State provides user-readable status.

Auth

(Appears on: ManagerSpec, ManagerStatus)

Auth defines authentication configuration.

Field | Description
type
AuthType

Type configures the type of authentication used by the manager. Default: Token

authority
string
(Optional)

Authority configures the OAuth2/OIDC authority/issuer when using OAuth2 or OIDC login.

clientID
string
(Optional)

ClientId configures the OAuth2/OIDC client ID to use for OAuth2 or OIDC login.

AuthMethod (string alias)

AuthType (string alias)

(Appears on: Auth)

AuthType represents the type of authentication to use. Valid options are: Token, Basic, OIDC, OAuth

AuthenticationLDAP

(Appears on: AuthenticationSpec)

AuthenticationLDAP is the configuration needed to set up LDAP.

Field | Description
host
string

The host and port of the LDAP server. Example: ad.example.com:636

startTLS
bool
(Optional)

StartTLS specifies whether to enable the StartTLS feature for establishing TLS on an existing LDAP session. If true, the ldap:// protocol is used and a StartTLS command is then issued; otherwise, connections use the ldaps:// protocol.

userSearch
UserSearch

User entry search configuration to match the credentials with a user.

groupSearch
GroupSearch
(Optional)

Group search configuration to find the groups that a user is in.

AuthenticationOIDC

(Appears on: AuthenticationSpec)

AuthenticationOIDC is the configuration needed to set up OIDC.

Field | Description
issuerURL
string

IssuerURL is the URL to the OIDC provider.

usernameClaim
string

UsernameClaim specifies which claim to use from the OIDC provider as the username.

requestedScopes
[]string
(Optional)

RequestedScopes is a list of scopes to request from the OIDC provider. If not provided, the following scopes are requested: [“openid”, “email”, “profile”, “groups”, “offline_access”].

usernamePrefix
string
(Optional)

Deprecated. Please use Authentication.Spec.UsernamePrefix instead.

groupsClaim
string
(Optional)

GroupsClaim specifies which claim to use from the OIDC provider as the group.

groupsPrefix
string
(Optional)

Deprecated. Please use Authentication.Spec.GroupsPrefix instead.

emailVerification
EmailVerificationType
(Optional)

Some providers do not include the claim “email_verified” when there is no verification in the user enrollment process or if they are acting as a proxy for another identity provider. By default those tokens are deemed invalid. To skip this check, set the value to “InsecureSkip”. Default: Verify

promptTypes
[]PromptType
(Optional)

PromptTypes is an optional list of string values that specifies whether the identity provider prompts the end user for re-authentication and consent. See the RFC for more information on prompt types: https://openid.net/specs/openid-connect-core-1_0.html. Default: “Consent”

type
OIDCType
(Optional)

Default: “Dex”
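
The AuthenticationSpec and AuthenticationOIDC fields above, combined into one Authentication resource as an added example that is not part of the original page. The resource name is an assumption (the page states no required name for this kind), and the manager domain and issuer URL are placeholders; the scopes, prompt type and verification setting are the documented defaults written out explicitly.

```yaml
# Added example: Authentication using an OIDC identity provider.
# Name, manager domain and issuer URL are placeholders.
apiVersion: operator.tigera.io/v1
kind: Authentication
metadata:
  name: tigera-secure                  # assumed; the page does not fix a name for this resource
spec:
  managerDomain: https://manager.example.com   # placeholder: where the Manager UI is served
  usernamePrefix: "oidc:"              # prepended to every user from the IdP; stripped again for Kibana
  groupsPrefix: "oidc:"                # same for groups; set here, not in the deprecated oidc.* fields
  oidc:
    type: Dex                          # documented default
    issuerURL: https://idp.example.com # placeholder OIDC provider
    usernameClaim: email
    groupsClaim: groups
    requestedScopes: ["openid", "email", "profile", "groups", "offline_access"]  # documented default set
    promptTypes: ["Consent"]           # documented default
    emailVerification: Verify          # documented default; "InsecureSkip" accepts tokens without email_verified
```

Keeping emailVerification at Verify means a token whose provider never asserts email_verified is rejected rather than mapped to a user; switch to InsecureSkip only for a provider that is known to omit the claim, and then rely on usernameClaim not being an attacker-settable value. Because Kibana strips the prefixes, any RBAC you write for log access must use the unprefixed user and group names.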

AuthenticationOpenshift

(Appears on: AuthenticationSpec)

AuthenticationOpenshift is the configuration needed to set up Openshift.

Field | Description
issuerURL
string

IssuerURL is the URL to the Openshift OAuth provider. Ex.: https://api.my-ocp-domain.com:6443

AuthenticationSpec

(Appears on: Authentication)

AuthenticationSpec defines the desired state of Authentication.

Field | Description
managerDomain
string

ManagerDomain is the domain name of the Manager

usernamePrefix
string
(Optional)

If specified, UsernamePrefix is prepended to each user obtained from the identity provider. Note that Kibana does not support a user prefix, so this prefix is removed from Kubernetes User when translating log access ClusterRoleBindings into Elastic.

groupsPrefix
string
(Optional)

If specified, GroupsPrefix is prepended to each group obtained from the identity provider. Note that Kibana does not support a groups prefix, so this prefix is removed from Kubernetes Groups when translating log access ClusterRoleBindings into Elastic.

oidc
AuthenticationOIDC
(Optional)

OIDC contains the configuration needed to set up OIDC authentication.

openshift
AuthenticationOpenshift
(Optional)

Openshift contains the configuration needed to set up Openshift OAuth authentication.

ldap
AuthenticationLDAP
(Optional)

LDAP contains the configuration needed to set up LDAP authentication.

AuthenticationStatus

(Appears on: Authentication)

AuthenticationStatus defines the observed state of Authentication.

Field | Description
state
string

State provides user-readable status.

BGPOption (string alias)

(Appears on: CalicoNetworkSpec)

BGPOption describes the mode of BGP to use.

One of: Enabled, Disabled

CNIPluginType (string alias)

(Appears on: CNISpec)

CNIPluginType describes the type of CNI plugin used.

One of: Calico, GKE, AmazonVPC, AzureVNET

CNISpec

(Appears on: InstallationSpec)

CNISpec contains configuration for the CNI plugin.

Field | Description
type
CNIPluginType

Specifies the CNI plugin that will be used in the Calico or Calico Enterprise installation.

* For KubernetesProvider GKE, this field defaults to GKE.
* For KubernetesProvider AKS, this field defaults to AzureVNET.
* For KubernetesProvider EKS, this field defaults to AmazonVPC.
* If the aws-node daemonset exists in kube-system when the Installation resource is created, this field defaults to AmazonVPC.
* For all other cases this field defaults to Calico.

For the value Calico, the CNI plugin binaries and CNI config will be installed as part of deployment; for all other values the CNI plugin binaries and CNI config are a dependency that is expected to be installed separately.

Default: Calico

ipam
IPAMSpec
(Optional)

IPAM specifies the pod IP address management that will be used in the Calico or Calico Enterprise installation.

CalicoNetworkSpec

(Appears on: InstallationSpec)

CalicoNetworkSpec specifies configuration options for Calico provided pod networking.

Field | Description
linuxDataplane
LinuxDataplaneOption
(Optional)

LinuxDataplane is used to select the dataplane used for Linux nodes. In particular, it causes the operator to add required mounts and environment variables for the particular dataplane. If not specified, iptables mode is used. Default: Iptables

bgp
BGPOption
(Optional)

BGP configures whether or not to enable Calico’s BGP capabilities.

ipPools
[]IPPool
(Optional)

IPPools contains a list of IP pools to create if none exist. At most one IP pool of each address family may be specified. If omitted, a single pool will be configured if needed.

mtu
int32
(Optional)

MTU specifies the maximum transmission unit to use on the pod network. If not specified, Calico will perform MTU auto-detection based on the cluster network.

nodeAddressAutodetectionV4
NodeAddressAutodetection
(Optional)

NodeAddressAutodetectionV4 specifies an approach to automatically detect node IPv4 addresses. If not specified, the default auto-detection settings are used to acquire an IPv4 address for each node.

nodeAddressAutodetectionV6
NodeAddressAutodetection
(Optional)

NodeAddressAutodetectionV6 specifies an approach to automatically detect node IPv6 addresses. If not specified, IPv6 addresses will not be auto-detected.

hostPorts
HostPortsType
(Optional)

HostPorts configures whether or not Calico will support Kubernetes HostPorts. Valid only when using the Calico CNI plugin. Default: Enabled

multiInterfaceMode
MultiInterfaceMode
(Optional)

MultiInterfaceMode configures what will configure multiple interfaces per pod. Only valid for Calico Enterprise installations using the Calico CNI plugin. Default: None

containerIPForwarding
ContainerIPForwardingType
(Optional)

ContainerIPForwarding configures whether ip forwarding will be enabled for containers in the CNI configuration. Default: Disabled

CertificateManagement

(Appears on: InstallationSpec)

CertificateManagement configures pods to submit a CertificateSigningRequest to the certificates.k8s.io/v1beta1 API in order to obtain TLS certificates. This feature requires that you bring your own CSR signing and approval process, otherwise pods will be stuck during initialization.

Field | Description
caCert
[]byte

Certificate of the authority that signs the CertificateSigningRequests in PEM format.

signerName
string

When a CSR is issued to the certificates.k8s.io API, the signerName is added to the request in order to accommodate for clusters with multiple signers. Must be formatted as: <my-domain>/<my-signername>.

keyAlgorithm
string
(Optional)

Specify the algorithm used by pods to generate a key pair that is associated with the X.509 certificate request. Default: RSAWithSize2048

signatureAlgorithm
string
(Optional)

Specify the algorithm used for the signature of the X.509 certificate request. Default: SHA256WithRSA
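
An added example (not from the page or the Tigera operator project) of the certificateManagement block of an Installation, using the four fields above. The signer name is a placeholder in the documented <my-domain>/<my-signername> form and the CA certificate value is a placeholder; the algorithms are the documented defaults written out explicitly.

```yaml
# Added example: Installation that has pods obtain their TLS certificates
# through CertificateSigningRequests signed by your own CA.
# signerName and caCert are placeholders.
apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
  name: default
spec:
  certificateManagement:
    # caCert is a []byte field, so the PEM certificate of the signing CA
    # is supplied base64-encoded, as for any []byte field in a Kubernetes manifest.
    caCert: "<base64-encoded PEM certificate of the CSR signer>"
    signerName: example.com/tigera-csr-signer   # <my-domain>/<my-signername>
    keyAlgorithm: RSAWithSize2048               # documented default
    signatureAlgorithm: SHA256WithRSA           # documented default
```

The caveat in the description is operational, not theoretical: with this block present, every pod waits for a signed certificate before it finishes initializing, so a signer or approver that is not running for example.com/tigera-csr-signer leaves the whole deployment stuck. Pending requests are visible with kubectl get csr, which is the first thing to check when pods stay in init after this setting is applied.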

CollectProcessPathOption (string alias)

(Appears on: LogCollectorSpec)

ComplianceSpec

(Appears on: Compliance)

ComplianceSpec defines the desired state of Tigera compliance reporting capabilities.

ComplianceStatus

(Appears on: Compliance)

ComplianceStatus defines the observed state of Tigera compliance reporting capabilities.

Field | Description
state
string

State provides user-readable status.

ComponentName (string alias)

(Appears on: ComponentResource)

ComponentName represents a single component.

One of: Node, Typha, KubeControllers

ComponentResource

(Appears on: InstallationSpec)

The ComponentResource struct associates a ResourceRequirements with a component by name.

Field | Description
componentName
ComponentName

ComponentName is an enum which identifies the component

resourceRequirements
Kubernetes core/v1.ResourceRequirements

ResourceRequirements allows customization of limits and requests for compute resources such as cpu and memory.

ConditionStatus (string alias)

(Appears on: TigeraStatusCondition)

ConditionStatus represents the status of a particular condition. A condition may be one of: True, False, Unknown.

ContainerIPForwardingType (string alias)

(Appears on: CalicoNetworkSpec)

ContainerIPForwardingType specifies whether the CNI config for container ip forwarding is enabled.

EksCloudwatchLogsSpec

(Appears on: AdditionalLogSourceSpec)

EksCloudwatchLogsSpec defines configuration for fetching EKS audit logs.

Field | Description
region
string

AWS Region EKS cluster is hosted in.

groupName
string

Cloudwatch log-group name containing EKS audit logs.

streamPrefix
string
(Optional)

Prefix of Cloudwatch log stream containing EKS audit logs in the log-group. Default: kube-apiserver-audit-

fetchInterval
int32
(Optional)

Cloudwatch audit logs fetching interval in seconds. Default: 60

EmailVerificationType (string alias)

(Appears on: AuthenticationOIDC)

EncapsulationType (string alias)

(Appears on: IPPool)

EncapsulationType is the type of encapsulation to use on an IP pool.

One of: IPIP, VXLAN, IPIPCrossSubnet, VXLANCrossSubnet, None

GroupSearch

(Appears on: AuthenticationLDAP)

Group search configuration to find the groups that a user is in.

Field | Description
baseDN
string

BaseDN to start the search from. For example “cn=groups,dc=example,dc=com”

filter
string
(Optional)

Optional filter to apply when searching the directory. For example “(objectClass=posixGroup)”

nameAttribute
string

The attribute of the group that represents its name. This attribute can be used to apply RBAC to a user group.

userMatchers
[]UserMatch

This list contains field pairs that are used to match a user to a group. It adds an additional requirement to the filter: an attribute in the group must match the user's attribute value.

HostPortsType (string alias)

(Appears on:CalicoNetworkSpec)

HostPortsType specifies host port support.

One of: Enabled, Disabled

IPAMPluginType (string alias)

(Appears on:IPAMSpec)

IPAMSpec

(Appears on:CNISpec)

IPAMSpec contains configuration for pod IP address management.

Field / Description
type
IPAMPluginType

Specifies the IPAM plugin that will be used in the Calico or Calico Enterprise installation.
* For CNI plugin Calico, this field defaults to Calico.
* For CNI plugin GKE, this field defaults to HostLocal.
* For CNI plugin AzureVNET, this field defaults to AzureVNET.
* For CNI plugin AmazonVPC, this field defaults to AmazonVPC.

The IPAM plugin is installed and configured only if the CNI plugin is set to Calico; for all other values of the CNI plugin, the plugin binaries and CNI config are a dependency that is expected to be installed separately.

Default: Calico

IPPool

(Appears on:CalicoNetworkSpec)

Field / Description
cidr
string

CIDR contains the address range for the IP Pool in classless inter-domain routing format.

encapsulation
EncapsulationType
(Optional)

Encapsulation specifies the encapsulation type that will be used with the IP Pool. Default: IPIP

natOutgoing
NATOutgoingType
(Optional)

NATOutgoing specifies if NAT will be enabled or disabled for outgoing traffic. Default: Enabled

nodeSelector
string
(Optional)

NodeSelector specifies the node selector that will be set for the IP Pool. Default: ‘all()’

blockSize
int32
(Optional)

BlockSize specifies the CIDR prefix length to use when allocating per-node IP blocks from the main IP pool CIDR. Default: 26 (IPv4), 122 (IPv6)

Image

(Appears on:ImageSetSpec)

Field / Description
image
string

Image is an image that the operator deploys; instead of using the built-in tag, the operator will use the Digest as the image identifier. The value should be the image name without registry, tag or digest. For the image docker.io/calico/node:v3.17.1 it should be represented as calico/node.

digest
string

Digest is the image identifier that will be used for the Image. The field should not include a leading @ and must be prefixed with sha256:.

ImageSetSpec

(Appears on:ImageSet)

ImageSetSpec defines the desired state of ImageSet.

Field / Description
images
[]Image

Images is the list of images for which digests are used. All images that the operator will deploy must be specified.

Indices

(Appears on:LogStorageSpec)

Indices defines the configuration for the indices in an Elasticsearch cluster.

Field / Description
replicas
int32
(Optional)

Replicas defines how many replicas each index will have. See https://www.elastic.co/guide/en/elasticsearch/reference/current/scalability.html

InstallationSpec

(Appears on:Installation,InstallationStatus)

InstallationSpec defines configuration for a Calico or Calico Enterprise installation.

Field / Description
variant
ProductVariant
(Optional)

Variant is the product to install: one of Calico or TigeraSecureEnterprise. Default: Calico

registry
string
(Optional)

Registry is the default Docker registry used for component Docker images. If specified then the given value must end with a slash character (/) and all images will be pulled from this registry. If not specified then the default registries will be used. A special case value, UseDefault, is supported to explicitly specify the default registries will be used.

Image format: <registry><imagePath>/<imagePrefix><imageName>:<image-tag>

This option allows configuring the <registry> portion of the above format.

imagePath
string
(Optional)

ImagePath allows for the path part of an image to be specified. If specified then the specified value will be used as the image path for each image. If not specified or empty, the default for each image will be used. A special case value, UseDefault, is supported to explicitly specify the default image path will be used for each image.

Image format: <registry><imagePath>/<imagePrefix><imageName>:<image-tag>

This option allows configuring the <imagePath> portion of the above format.

imagePrefix
string
(Optional)

ImagePrefix allows for the prefix part of an image to be specified. If specified then the given value will be used as a prefix on each image. If not specified or empty, no prefix will be used. A special case value, UseDefault, is supported to explicitly specify the default image prefix will be used for each image.

Image format: <registry><imagePath>/<imagePrefix><imageName>:<image-tag>

This option allows configuring the <imagePrefix> portion of the above format.

imagePullSecrets
[]Kubernetes core/v1.LocalObjectReference
(Optional)

ImagePullSecrets is an array of references to container registry pull secrets to use. These are applied to all images to be pulled.

kubernetesProvider
Provider
(Optional)

KubernetesProvider specifies a particular provider of the Kubernetes platform and enables provider-specific configuration. If the specified value is empty, the Operator will attempt to automatically determine the current provider. If the specified value is not empty, the Operator will still attempt auto-detection, but will additionally compare the auto-detected value to the specified value to confirm they match.

cni
CNISpec
(Optional)

CNI specifies the CNI that will be used by this installation.

calicoNetwork
CalicoNetworkSpec
(Optional)

CalicoNetwork specifies networking configuration options for Calico.

typhaAffinity
TyphaAffinity
(Optional)

TyphaAffinity allows configuration of node affinity characteristics for Typha pods.

controlPlaneNodeSelector
map[string]string
(Optional)

ControlPlaneNodeSelector is used to select control plane nodes on which to run Calico components. This is globally applied to all resources created by the operator excluding daemonsets.

controlPlaneTolerations
[]Kubernetes core/v1.Toleration
(Optional)

ControlPlaneTolerations specifies tolerations which are then globally applied to all resources created by the operator.

controlPlaneReplicas
int32
(Optional)

ControlPlaneReplicas defines how many replicas of the control plane core components will be deployed. This field applies to all control plane components that support High Availability. Defaults to 2.

nodeMetricsPort
int32
(Optional)

NodeMetricsPort specifies which port calico/node serves Prometheus metrics on. By default, metrics are not enabled. If specified, this overrides any FelixConfiguration resources which may exist. If omitted, then Prometheus metrics may still be configured through FelixConfiguration.

typhaMetricsPort
int32
(Optional)

TyphaMetricsPort specifies which port calico/typha serves Prometheus metrics on. By default, metrics are not enabled.

flexVolumePath
string
(Optional)

FlexVolumePath optionally specifies a custom path for FlexVolume. If not specified, FlexVolume will be enabled by default. If set to ‘None’, FlexVolume will be disabled. The default is based on the kubernetesProvider.

nodeUpdateStrategy
Kubernetes apps/v1.DaemonSetUpdateStrategy
(Optional)

NodeUpdateStrategy can be used to customize the desired update strategy, such as the MaxUnavailable field.

componentResources
[]ComponentResource
(Optional)

ComponentResources can be used to customize the resource requirements for each component. Node, Typha, and KubeControllers are supported for installations.

certificateManagement
CertificateManagement
(Optional)

CertificateManagement configures pods to submit a CertificateSigningRequest to the certificates.k8s.io/v1beta1 API in order to obtain TLS certificates. This feature requires that you bring your own CSR signing and approval process, otherwise pods will be stuck during initialization.

nonPrivileged
NonPrivilegedType
(Optional)

NonPrivileged configures Calico to be run in non-privileged containers as non-root users where possible.
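The image format given for the registry, imagePath and imagePrefix fields above, and the Image/ImageSetSpec digest rules earlier on this page, can be checked mechanically. The following is an added example, not code from the Calico Cloud docs or the Tigera operator: it composes the pull reference from those fields (treating empty or UseDefault as "use the default") and validates an ImageSet's digests and completeness. The default registry, the assumption that the default image path is the path part of the ImageSet-style name, and the sample image list are constructed for this example.

```python
"""Compose and validate operator image references (constructed example)."""
import re

USE_DEFAULT = "UseDefault"

# Constructed defaults, chosen to agree with the page's own example image
# docker.io/calico/node:v3.17.1 == "docker.io/" + "calico" + "/" + "" + "node".
DEFAULT_REGISTRY = "docker.io/"
DEFAULT_IMAGE_PREFIX = ""

# Digest must be prefixed with "sha256:" (a sha256 hex digest is 64 chars).
_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def _pick(value, default):
    """InstallationSpec rule: empty or UseDefault means the per-image default."""
    if value in ("", None, USE_DEFAULT):
        return default
    return value


def validate_image_set(images, required_images):
    """Return a list of problems for an ImageSetSpec.images list ([] if valid).

    images: list of {"image": ..., "digest": ...} dicts as in the Image type.
    required_images: ImageSet-style names of every image the operator will
    deploy; each must be listed, since the ImageSet must be complete.
    """
    problems = []
    seen = set()
    for entry in images:
        name, digest = entry.get("image", ""), entry.get("digest", "")
        if ":" in name or "@" in name:
            problems.append(f"{name}: image must not include a tag or digest")
        if digest.startswith("@"):
            problems.append(f"{name}: digest must not include a leading @")
        elif not _DIGEST_RE.match(digest):
            problems.append(f"{name}: digest must be sha256:<64 hex chars>")
        seen.add(name)
    for missing in sorted(set(required_images) - seen):
        problems.append(f"{missing}: deployed image has no digest in the ImageSet")
    return problems


def resolve_image_ref(default_image, tag, registry="", image_path="",
                      image_prefix="", digests=None):
    """Build <registry><imagePath>/<imagePrefix><imageName>:<image-tag>.

    default_image is the ImageSet-style name (e.g. "calico/node"); its path
    part is assumed to be the image's default imagePath. When digests (an
    ImageSet mapping name -> digest) lists the image, the digest replaces the
    tag, which is what pinning through an ImageSet achieves.
    """
    default_path, _, name = default_image.rpartition("/")
    registry = _pick(registry, DEFAULT_REGISTRY)
    if not registry.endswith("/"):
        raise ValueError("registry must end with a slash character (/)")
    path = _pick(image_path, default_path)
    prefix = _pick(image_prefix, DEFAULT_IMAGE_PREFIX)
    base = f"{registry}{path}/{prefix}{name}"
    digest = (digests or {}).get(default_image)
    return f"{base}@{digest}" if digest else f"{base}:{tag}"


# Constructed sample ImageSet: one valid entry, one with a leading "@",
# and calico/typha missing entirely.
SAMPLE_IMAGES = [
    {"image": "calico/node", "digest": "sha256:" + "ab" * 32},
    {"image": "calico/kube-controllers", "digest": "@sha256:" + "cd" * 32},
]
SAMPLE_REQUIRED = {"calico/node", "calico/kube-controllers", "calico/typha"}

if __name__ == "__main__":
    for p in validate_image_set(SAMPLE_IMAGES, SAMPLE_REQUIRED):
        print("ImageSet problem:", p)
    digests = {e["image"]: e["digest"] for e in SAMPLE_IMAGES}
    print(resolve_image_ref("calico/node", "v3.17.1",
                            registry="registry.example.internal/",
                            image_path="mirrors/calico", image_prefix="acme-",
                            digests=digests))
```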

InstallationStatus

(Appears on:Installation)

InstallationStatus defines the observed state of the Calico or Calico Enterprise installation.

Field / Description
variant
ProductVariant

Variant is the most recently observed installed variant: one of Calico or TigeraSecureEnterprise.

mtu
int32

MTU is the most recently observed value for pod network MTU. This may be an explicitly configured value, or based on Calico's native auto-detection.

imageSet
string
(Optional)

ImageSet is the name of the ImageSet being used, if there is an ImageSet that is being used. If an ImageSet is not being used then this will not be set.

computed
InstallationSpec
(Optional)

Computed is the final installation including overlaid resources.

IntrusionDetectionComponentName (string alias)

(Appears on:IntrusionDetectionComponentResource)

IntrusionDetectionComponentResource

(Appears on:IntrusionDetectionSpec)

The IntrusionDetectionComponentResource struct associates a ResourceRequirements with a component by name.

Field / Description
componentName
IntrusionDetectionComponentName

ComponentName is an enum which identifies the component.

resourceRequirements
Kubernetes core/v1.ResourceRequirements

ResourceRequirements allows customization of limits and requests for compute resources such as cpu and memory.

IntrusionDetectionSpec

(Appears on:IntrusionDetection)

IntrusionDetectionSpec defines the desired state of Tigera intrusion detection capabilities.

Field / Description
componentResources
[]IntrusionDetectionComponentResource
(Optional)

ComponentResources can be used to customize the resource requirements for each component. Only DeepPacketInspection is supported for this spec.

IntrusionDetectionStatus

(Appears on:IntrusionDetection)

IntrusionDetectionStatus defines the observed state of Tigera intrusion detection capabilities.

Field / Description
state
string

State provides user-readable status.

KubernetesAutodetectionMethod (string alias)

(Appears on:NodeAddressAutodetection)

KubernetesAutodetectionMethod is a method of detecting an IP address based on the Kubernetes API.

One of: NodeInternalIP

LinuxDataplaneOption (string alias)

(Appears on:CalicoNetworkSpec)

LinuxDataplaneOption controls which dataplane is to be used on Linux nodes.

One of: Iptables, BPF

LogCollectionSpec

(Appears on:ApplicationLayerSpec)

Field / Description
collectLogs
LogCollectionStatusType
(Optional)

This setting enables or disables log collection. Allowed values are Enabled or Disabled.

logIntervalSeconds
int64
(Optional)

Interval in seconds for sending L7 log information for processing. Default: 5 sec

logRequestsPerInterval
int64
(Optional)

Maximum number of unique L7 logs that are sent per LogIntervalSeconds. Adjust this to limit the number of L7 logs sent per LogIntervalSeconds to Felix for further processing; use a negative number to ignore limits. Default: -1

LogCollectionStatusType (string alias)

(Appears on:LogCollectionSpec)

LogCollectorSpec

(Appears on:LogCollector)

LogCollectorSpec defines the desired state of Tigera flow, audit, and DNS log collection.

Field / Description
additionalStores
AdditionalLogStoreSpec
(Optional)

Configuration for exporting flow, audit, and DNS logs to external storage.

additionalSources
AdditionalLogSourceSpec
(Optional)

Configuration for importing audit logs from managed Kubernetes cluster log sources.

collectProcessPath
CollectProcessPathOption
(Optional)

Configuration for enabling/disabling process path collection in flowlogs. If Enabled, this feature sets hostPID to true in order to read process cmdline. Default: Enabled

LogCollectorStatus

(Appears on:LogCollector)

LogCollectorStatus defines the observed state of Tigera flow and DNS log collection.

Field / Description
state
string

State provides user-readable status.

LogStorageComponentName (string alias)

(Appears on:LogStorageComponentResource)

LogStorageComponentName is a CRD enum.

LogStorageComponentResource

(Appears on:LogStorageSpec)

The LogStorageComponentResource struct associates a ResourceRequirements with a component by name.

Field / Description
componentName
LogStorageComponentName

ComponentName is an enum which identifies the component.

resourceRequirements
Kubernetes core/v1.ResourceRequirements

ResourceRequirements allows customization of limits and requests for compute resources such as cpu and memory.

LogStorageSpec

(Appears on:LogStorage)

LogStorageSpec defines the desired state of Tigera flow and DNS log storage.

Field / Description
nodes
Nodes

Nodes defines the configuration for a set of identical Elasticsearch cluster nodes, each of type master, data, and ingest.

indices
Indices
(Optional)

Indices defines the configuration for the indices in the Elasticsearch cluster.

retention
Retention
(Optional)

Retention defines how long data is retained in the Elasticsearch cluster before it is cleared.

storageClassName
string
(Optional)

StorageClassName will populate the PersistentVolumeClaim.StorageClassName that is used to provision disks to the Tigera Elasticsearch cluster. The StorageClassName should only be modified when no LogStorage is currently active. We recommend choosing a storage class dedicated to Tigera LogStorage only. Otherwise, data retention cannot be guaranteed during upgrades. Default: tigera-elasticsearch

dataNodeSelector
map[string]string
(Optional)

DataNodeSelector gives you more control over the node that Elasticsearch will run on. The contents of DataNodeSelector will be added to the PodSpec of the Elasticsearch nodes. For the pod to be eligible to run on a node, the node must have each of the indicated key-value pairs as labels as well as access to the specified StorageClassName.

componentResources
[]LogStorageComponentResource
(Optional)

ComponentResources can be used to customize the resource requirements for each component. Only ECKOperator is supported for this spec.

LogStorageStatus

(Appears on:LogStorage)

LogStorageStatus defines the observed state of Tigera flow and DNS log storage.

Field / Description
state
string

State provides user-readable status.

elasticsearchHash
string

ElasticsearchHash represents the current revision and configuration of the installed Elasticsearch cluster. This is an opaque string which can be monitored for changes to perform actions when Elasticsearch is modified.

kibanaHash
string

KibanaHash represents the current revision and configuration of the installed Kibana dashboard. This is an opaque string which can be monitored for changes to perform actions when Kibana is modified.

ManagementClusterConnectionSpec

(Appears on:ManagementClusterConnection)

ManagementClusterConnectionSpec defines the desired state of ManagementClusterConnection

Field / Description
managementClusterAddr
string
(Optional)

Specify where the managed cluster can reach the management cluster. Example: "10.128.0.10:30449". A managed cluster should be able to access this address. This field is used by managed clusters only.

ManagementClusterSpec

(Appears on:ManagementCluster)

ManagementClusterSpec defines the desired state of a ManagementCluster

Field / Description
address
string
(Optional)

This field specifies the externally reachable address to which your managed cluster will connect. When a managed cluster is added, this field is used to populate an easy-to-apply manifest that will connect both clusters. Valid examples are: “0.0.0.0:31000”, “example.com:32000”, “[::1]:32500”

ManagerSpec

(Appears on:Manager)

ManagerSpec defines configuration for the Calico Enterprise manager GUI.

Field / Description
auth
Auth
(Optional)

Deprecated. Please use the Authentication CR for configuring authentication.

ManagerStatus

(Appears on:Manager)

ManagerStatus defines the observed state of the Calico Enterprise manager GUI.

Field / Description
auth
Auth
(Optional)

Deprecated. Please use the Authentication CR for configuring authentication.

state
string

State provides user-readable status.

MetadataAccessAllowedType (string alias)

(Appears on:AmazonCloudIntegrationSpec)

MetadataAccessAllowedType

MonitorSpec

(Appears on:Monitor)

MonitorSpec defines the desired state of Tigera monitor.

MonitorStatus

(Appears on:Monitor)

MonitorStatus defines the observed state of Tigera monitor.

Field / Description
state
string

State provides user-readable status.

MultiInterfaceMode (string alias)

(Appears on:CalicoNetworkSpec)

MultiInterfaceMode describes the method of providing multiple pod interfaces.

One of: None, Multus

NATOutgoingType (string alias)

(Appears on:IPPool)

NATOutgoingType describes the type of outgoing NAT to use.

One of: Enabled, Disabled

NodeAddressAutodetection

(Appears on:CalicoNetworkSpec)

NodeAddressAutodetection provides configuration options for auto-detecting node addresses. At most one option can be used. If no detection option is specified, then IP auto detection will be disabled for this address family and IPs must be specified directly on the Node resource.

Field / Description
firstFound
bool
(Optional)

FirstFound uses default interface matching parameters to select an interface, performing best-effort filtering based on well-known interface names.

kubernetes
KubernetesAutodetectionMethod
(Optional)

Kubernetes configures Calico to detect node addresses based on the Kubernetes API.

interface
string
(Optional)

Interface enables IP auto-detection based on interfaces that match the given regex.

skipInterface
string
(Optional)

SkipInterface enables IP auto-detection based on interfaces that do not match the given regex.

canReach
string
(Optional)

CanReach enables IP auto-detection based on which source address on the node is used to reach the specified IP or domain.

cidrs
[]string

CIDRs enables IP auto-detection based on which addresses on the nodes are within one of the provided CIDRs.

NodeAffinity

(Appears on:TyphaAffinity)

NodeAffinity is similar to *v1.NodeAffinity, but allows us to limit available schedulers.

Field / Description
preferredDuringSchedulingIgnoredDuringExecution
[]Kubernetes core/v1.PreferredSchedulingTerm
(Optional)

The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions.

requiredDuringSchedulingIgnoredDuringExecution
Kubernetes core/v1.NodeSelector
(Optional)

WARNING: Please note that if the affinity requirements specified by this field are not met at scheduling time, the pod will NOT be scheduled onto the node. There is no fallback to other affinity rules with this setting. This may cause networking disruption or even catastrophic failure! PreferredDuringSchedulingIgnoredDuringExecution should be used for affinity unless there is a specific, well-understood reason to use RequiredDuringSchedulingIgnoredDuringExecution and you can guarantee that the RequiredDuringSchedulingIgnoredDuringExecution rules will always have sufficient nodes to satisfy the requirement. NOTE: RequiredDuringSchedulingIgnoredDuringExecution is set by default for AKS nodes, to avoid scheduling Typhas on virtual nodes. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.

NodeSet

(Appears on:Nodes)

NodeSet defines configuration specific to each Elasticsearch Node Set.

Field / Description
selectionAttributes
[]NodeSetSelectionAttribute

SelectionAttributes defines K8s node attributes a NodeSet should use when setting the Node Affinity selectors and Elasticsearch cluster awareness attributes for the Elasticsearch nodes. The list of SelectionAttributes are used to define Node Affinities and set the node awareness configuration in the running Elasticsearch instance.

NodeSetSelectionAttribute

(Appears on:NodeSet)

NodeSetSelectionAttribute defines a K8s node “attribute” the Elasticsearch nodes should be aware of. The “Name” and “Value” are used together to set the “awareness” attributes in Elasticsearch, while the “NodeLabel” and “Value” are used together to define Node Affinity for the Pods created for the Elasticsearch nodes.

Field / Description
name
string
nodeLabel
string
value
string

Nodes

(Appears on:LogStorageSpec)

Nodes defines the configuration for a set of identical Elasticsearch cluster nodes, each of type master, data, and ingest.

Field / Description
count
int64

Count defines the number of nodes in the Elasticsearch cluster.

nodeSets
[]NodeSet
(Optional)

NodeSets defines configuration specific to each Elasticsearch Node Set.

resourceRequirements
Kubernetes core/v1.ResourceRequirements
(Optional)

ResourceRequirements defines the resource limits and requirements for the Elasticsearch cluster.

NonPrivilegedType (string alias)

(Appears on:InstallationSpec)

NonPrivilegedType specifies whether Calico runs as privileged or not.

One of: Enabled, Disabled

OIDCType (string alias)

(Appears on:AuthenticationOIDC)

OIDCType defines how OIDC is configured for Tigera Enterprise. Dex should be the best option for most use-cases. The Tigera option can help in specific use-cases, for instance, when you are unable to configure a client secret.

One of: Dex, Tigera

ProductVariant (string alias)

(Appears on:InstallationSpec,InstallationStatus)

ProductVariant represents the variant of the product.

One of: Calico, TigeraSecureEnterprise

PromptType (string alias)

(Appears on:AuthenticationOIDC)

PromptType is a value that specifies whether the identity provider prompts the end user for re-authentication and consent.

One of: None, Login, Consent, SelectAccount

Provider (string alias)

(Appears on:InstallationSpec)

Provider represents a particular provider or flavor of Kubernetes. Valid options are: EKS, GKE, AKS, OpenShift, DockerEnterprise.

Retention

(Appears on:LogStorageSpec)

Retention defines how long data is retained in an Elasticsearch cluster before it is cleared.

Field / Description
flows
int32
(Optional)

Flows configures the retention period for flow logs, in days. Logs written on a day that started at least this long ago are removed. To keep logs for at least x days, use a retention period of x+1. Default: 8

auditReports
int32
(Optional)

AuditReports configures the retention period for audit logs, in days. Logs written on a day that started at least this long ago are removed. To keep logs for at least x days, use a retention period of x+1. Default: 91

snapshots
int32
(Optional)

Snapshots configures the retention period for snapshots, in days. Snapshots are periodic captures of resources which along with audit events are used to generate reports. Consult the Compliance Reporting documentation for more details on snapshots. Logs written on a day that started at least this long ago are removed. To keep logs for at least x days, use a retention period of x+1. Default: 91

complianceReports
int32
(Optional)

ComplianceReports configures the retention period for compliance reports, in days. Reports are output from the analysis of the system state and audit events for compliance reporting. Consult the Compliance Reporting documentation for more details on reports. Logs written on a day that started at least this long ago are removed. To keep logs for at least x days, use a retention period of x+1. Default: 91

S3StoreSpec

(Appears on:AdditionalLogStoreSpec)

S3StoreSpec defines configuration for exporting logs to Amazon S3.

Field / Description
region
string

AWS Region of the S3 bucket.

bucketName
string

Name of the S3 bucket to send logs to.

bucketPath
string

Path in the S3 bucket to send logs to.

SplunkStoreSpec

(Appears on:AdditionalLogStoreSpec)

SplunkStoreSpec defines configuration for exporting logs to Splunk.

Field / Description
endpoint
string

Location of Splunk's HTTP Event Collector endpoint. Example: https://1.2.3.4:8088

StatusConditionType (string alias)

(Appears on:TigeraStatusCondition)

StatusConditionType is a type of condition that may apply to a particular component.

SyslogLogType (string alias)

(Appears on:SyslogStoreSpec)

SyslogLogType represents the allowable log types for syslog. Allowable values are Audit, DNS, Flows and IDSEvents.
* Audit corresponds to audit logs for both Kubernetes resources and Enterprise custom resources.
* DNS corresponds to DNS logs generated by Calico node.
* Flows corresponds to flow logs generated by Calico node.
* IDSEvents corresponds to event logs for the intrusion detection system (anomaly detection, suspicious IPs, suspicious domains and global alerts).

SyslogStoreSpec

(Appears on:AdditionalLogStoreSpec)

SyslogStoreSpec defines configuration for exporting logs to syslog.

Field / Description
endpoint
string

Location of the syslog server. Example: tcp://1.2.3.4:601

packetSize
int32
(Optional)

PacketSize defines the maximum size of packets to send to syslog. In general this is only needed if you notice long logs being truncated. Default: 1024

logTypes
[]SyslogLogType

LogTypes contains a list of types of logs to export to syslog. By default, if this field is omitted, it will be set to include all possible values.

TigeraStatusCondition

(Appears on:TigeraStatusStatus)

TigeraStatusCondition represents a condition attached to a particular component.

Field / Description
type
StatusConditionType

The type of condition. May be Available, Progressing, or Degraded.

status
ConditionStatus

The status of the condition. May be True, False, or Unknown.

lastTransitionTime
Kubernetes meta/v1.Time

The timestamp representing the start time for the current status.

reason
string

A brief reason explaining the condition.

message
string

Optionally, a detailed message providing additional context.

TigeraStatusSpec

(Appears on:TigeraStatus)

TigeraStatusSpec defines the desired state of TigeraStatus

TigeraStatusStatus

(Appears on:TigeraStatus)

TigeraStatusStatus defines the observed state of TigeraStatus

Field / Description
conditions
[]TigeraStatusCondition

Conditions represents the latest observed set of conditions for this component. A component may be one or more of Available, Progressing, or Degraded.

TyphaAffinity

(Appears on:InstallationSpec)

TyphaAffinity allows configuration of node affinity characteristics for Typha pods.

Field / Description
nodeAffinity
NodeAffinity
(Optional)

NodeAffinity describes node affinity scheduling rules for Typha.

UserMatch

(Appears on:GroupSearch)

UserMatch: when the value of a UserAttribute and a GroupAttribute match, a user belongs to the group.

Field / Description
userAttribute
string

The attribute of a user that links it to a group.

groupAttribute
string

The attribute of a group that links it to a user.

UserSearch

(Appears on:AuthenticationLDAP)

User entry search configuration to match the credentials with a user.

Field / Description
baseDN
string

BaseDN to start the search from. For example “cn=users,dc=example,dc=com”

filter
string
(Optional)

Optional filter to apply when searching the directory. For example “(objectClass=person)”

nameAttribute
string
(Optional)

A mapping of the attribute that is used as the username. This attribute can be used to apply RBAC to a user. Default: uid