Draft
2 changes: 1 addition & 1 deletion config/enterprise_versions.yml
Expand Up @@ -2,7 +2,7 @@
title: master
components:
libcalico-go:
version: master
version: wt-l2-prod-cni
manager:
image: manager
version: master
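Review bot: `version: wt-l2-prod-cni` for libcalico-go points the `title: master` entry of config/enterprise_versions.yml at what looks like a feature branch, while the neighbouring manager component stays on `version: master`. If this is only here so the build picks up the matching libcalico-go changes, it needs to go back to `master` before this merges. A mutable branch name in the versions file also means the build tracks whatever is pushed to that branch next, so a tag or commit is the safer reference if a non-master pin has to stay for a while.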
Expand Up @@ -38,10 +38,298 @@ spec:
spec:
description: |-
NetworkSpec contains the specification for a Network resource. Exactly one of the
network-type fields (vrf, ...) must be set.
network-type fields (vrf, l2Bridge, ...) must be set.
maxProperties: 1
minProperties: 1
properties:
l2Bridge:
description: |-
L2Bridge configures a Layer 2 bridged network. A Linux bridge on each
participating node connects workload interfaces to VLAN segments
carried by physical trunk interfaces. See L2BridgeSpec.
properties:
hostConfig:
description: |-
HostConfig defines per-node-group configuration for this network.
When multiple entries are present, the first entry whose
nodeSelector matches a given node is used; all other entries are
ignored for that node. Entries with no nodeSelector match all
nodes.
items:
description: |-
L2HostConfig provides node-specific L2 bridge settings. Different nodes
may have different bridge types or trunk interface names; each entry
applies to the nodes matched by its NodeSelector (first-match wins).
properties:
bridge:
description: |-
Bridge selects the bridge device for these nodes: either a
Calico-managed bridge or a pre-existing (BYO) bridge.
maxProperties: 1
minProperties: 1
properties:
existingBridge:
description: |-
ExistingBridge instructs Calico to attach to a pre-existing bridge
created and managed externally (e.g. via netplan). Calico does
not create, reconfigure, or delete the bridge; it does not add or
remove IP addresses on it; and it does not remove interfaces it
did not create. Calico still attaches workload veths, configures
their VLAN membership, and connects trunk interfaces (if
hostConnections is specified) unless the trunk is already
connected.
properties:
name:
description:
Name is the Linux bridge device name
(e.g. "br0").
maxLength: 15
minLength: 1
type: string
required:
- name
type: object
managedBridge:
description: |-
ManagedBridge instructs Calico to create and fully manage the
bridge device. The bridge name is derived automatically from the
Network name so it does not clash with other Networks or with
Calico workload veth names.
properties:
stp:
default: Disabled
description: |-
STP controls whether Spanning Tree Protocol is active on the
bridge. "Disabled" (default) is appropriate for datacenter
topologies where loop prevention is handled by the upstream
switch; "Enabled" causes the bridge to exchange BPDU frames on
trunk ports. Workload veth ports always operate in edge/portfast
mode regardless of this setting — they never participate in STP.
enum:
- Enabled
- Disabled
type: string
type: object
type: object
hostConnections:
description: |-
HostConnections defines how the bridge connects to the physical
network on these nodes. Each entry is a typed connection
(currently only trunkPort). If omitted, no trunk is attached by
Calico — the user is responsible for providing external
connectivity (e.g. on a BYO bridge with a pre-configured trunk).
items:
description: |-
L2HostConnection defines a single host-side connection to the bridge.
Exactly one connection type must be set.
maxProperties: 1
minProperties: 1
properties:
trunkPort:
description: |-
TrunkPort enslaves a host interface to the bridge as an 802.1Q
trunk.
properties:
interface:
description: |-
Interface identifies the trunk interface on this node group.
Heterogeneous clusters use separate HostConfig entries with
different NodeSelectors rather than per-rule selectors.
maxProperties: 1
minProperties: 1
properties:
name:
description: |-
Name matches a network interface by its exact device name
(e.g. "bond0", "eth1", "ens192").
maxLength: 15
minLength: 1
type: string
type: object
nativeVLAN:
description: |-
NativeVLAN, when set, designates one VLAN ID as the trunk's native
VLAN: frames in that VLAN are sent untagged on the wire and
untagged frames received on the trunk are tagged with this VLAN.
The referenced VLAN ID must appear in spec.vlans (either directly
as an id or within a range). When unset (default) the trunk is
strictly tagged: only 802.1Q-tagged frames are accepted and
transmitted.
maximum: 4094
minimum: 1
type: integer
vlans:
description: |-
VLANs restricts which VLANs this trunk carries. Defaults to all
VLANs defined in spec.vlans when omitted.

When reconciling a pre-existing trunk port on a BYO bridge, Calico
adds these VLANs to the port's VLAN membership but does not
remove other VLAN memberships or change the port's PVID. This
preserves untagged traffic (e.g. the host's primary IP on the
bridge) that is not managed by Calico.
items:
description:
L2VLANMatch identifies a VLAN segment. Exactly
one field must be set.
maxProperties: 1
minProperties: 1
properties:
id:
description:
ID selects a single 802.1Q
VLAN (1-4094).
maximum: 4094
minimum: 1
type: integer
range:
description:
Range selects a contiguous
range of VLAN IDs (inclusive).
properties:
end:
description:
End is the last VLAN ID
in the range (1-4094, must be ≥ Start).
maximum: 4094
minimum: 1
type: integer
start:
description:
Start is the first VLAN
ID in the range (1-4094).
maximum: 4094
minimum: 1
type: integer
required:
- end
- start
type: object
x-kubernetes-validations:
- message: start must be <= end
rule: self.start <= self.end
type: object
type: array
x-kubernetes-list-type: atomic
required:
- interface
type: object
x-kubernetes-validations:
- message: nativeVLAN must be between 1 and 4094
rule:
"!has(self.nativeVLAN) || self.nativeVLAN
>= 1 && self.nativeVLAN <= 4094"
type: object
maxItems: 1
type: array
x-kubernetes-list-type: atomic
nodeSelector:
description: |-
NodeSelector is a Calico selector expression that determines which
nodes this configuration applies to. If omitted, the entry
applies to all nodes. When multiple HostConfig entries are
present, the first entry whose selector matches a given node wins;
subsequent entries are ignored for that node.
type: string
required:
- bridge
type: object
minItems: 1
type: array
x-kubernetes-list-type: atomic
vlans:
description: |-
VLANs is the authoritative list of 802.1Q VLAN segments carried by
this network. Each entry defines a single VLAN ID or a contiguous
range of VLAN IDs, plus the subnets associated with that segment.

Workload attachments select a single entry via the CNI config
"vlan" field; if spec.vlans has exactly one entry that resolves to
a single VLAN ID, the CNI config "vlan" field may be omitted.
items:
description:
L2VLANSpec defines a VLAN segment and its optional
IP configuration.
properties:
subnets:
description: |-
Subnets are the IP subnets for this VLAN segment. Used to apply
the correct prefix length to pod interfaces and to filter which
IPPools the IPAM plugin considers for this VLAN. Multiple entries
support dual-stack or multi-subnet VLANs.
items:
description:
L2Subnet defines an IP subnet associated
with a VLAN segment.
properties:
cidr:
description: |-
CIDR is the subnet in CIDR notation (e.g. "10.100.0.0/24",
"fd00::/64").
type: string
gateway:
description: |-
Gateway, if set, is the IP address of the upstream router on this
subnet (e.g. "10.100.0.1"). The CNI plugin programs a default
route via this gateway inside the pod in a per-interface routing
table, enabling the pod to reach destinations beyond the local
VLAN subnet. The gateway must be an L2 neighbor reachable via
the bridge; the route is installed with the onlink flag.
type: string
required:
- cidr
type: object
type: array
x-kubernetes-list-type: atomic
vlan:
description: |-
VLAN identifies this segment: a single VLAN ID or a contiguous
range of VLAN IDs.
maxProperties: 1
minProperties: 1
properties:
id:
description: ID selects a single 802.1Q VLAN (1-4094).
maximum: 4094
minimum: 1
type: integer
range:
description:
Range selects a contiguous range of VLAN
IDs (inclusive).
properties:
end:
description:
End is the last VLAN ID in the range
(1-4094, must be ≥ Start).
maximum: 4094
minimum: 1
type: integer
start:
description:
Start is the first VLAN ID in the range
(1-4094).
maximum: 4094
minimum: 1
type: integer
required:
- end
- start
type: object
x-kubernetes-validations:
- message: start must be <= end
rule: self.start <= self.end
type: object
required:
- vlan
type: object
minItems: 1
type: array
x-kubernetes-list-type: atomic
required:
- hostConfig
- vlans
type: object
vrf:
description: |-
VRF network configuration.
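Review bot: nativeVLAN under trunkPort documents that "The referenced VLAN ID must appear in spec.vlans", but nothing in this schema enforces it. The only x-kubernetes-validations rule on trunkPort re-checks the 1 to 4094 bounds that `minimum: 1` and `maximum: 4094` already cover, so it can be dropped (or at least parenthesised, since it currently relies on `&&` binding tighter than `||`). Either add a rule at the l2Bridge level, where both hostConfig and vlans are in scope, or say in the description where the membership check is enforced, so a trunk cannot send untagged frames for a VLAN the Network does not define. The same gap applies to trunkPort.vlans, which is described as restricting the VLANs "defined in spec.vlans" without a check that its entries are a subset. Three smaller points in the same hunk: existingBridge.name and interface.name are bounded only by `maxLength: 15` / `minLength: 1`, and a `pattern` that excludes `/` and whitespace would reject strings that can never be Linux device names; cidr and gateway are plain `type: string` with no format check and no check that the gateway lies inside the cidr; and because hostConfig is first-match-wins, an entry without nodeSelector anywhere but last silently shadows every entry after it, which is worth either rejecting or calling out in the hostConfig description.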