diff --git a/config/master/calico.yaml b/config/master/calico.yaml
index d17194c13cf..c113712fa32 100644
--- a/config/master/calico.yaml
+++ b/config/master/calico.yaml
@@ -32,7 +32,12 @@ spec:
 # container programs network policy and routes on each
 # host.
 - name: calico-node
- image: quay.io/calico/node:v3.15.1
+ image: quay.io/calico/node:v3.16.2
+ envFrom:
+ - configMapRef:
+ # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
+ name: kubernetes-services-endpoint
+ optional: true
 env:
 # Use Kubernetes API as the backing datastore.
 - name: DATASTORE_TYPE
@@ -114,6 +119,13 @@ spec:
 - mountPath: /var/lib/calico
 name: var-lib-calico
 readOnly: false
+ # For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the
+ # parent directory.
+ - name: sysfs
+ mountPath: /sys/fs/
+ # Bidirectional means that, if we mount the BPF filesystem at /sys/fs/bpf it will propagate to the host.
+ # If the host is known to mount that filesystem already then Bidirectional can be omitted.
+ mountPropagation: Bidirectional
 volumes:
 # Used to ensure proper kmods are installed.
 - name: lib-modules
@@ -129,6 +141,10 @@ spec:
 hostPath:
 path: /run/xtables.lock
 type: FileOrCreate
+ - name: sysfs
+ hostPath:
+ path: /sys/fs/
+ type: DirectoryOrCreate
 tolerations:
 # Make sure calico/node gets scheduled on all nodes.
 - effect: NoSchedule
@@ -549,12 +565,17 @@ spec:
 securityContext:
 fsGroup: 65534
 containers:
- - image: quay.io/calico/typha:v3.15.1
+ - image: quay.io/calico/typha:v3.16.2
 name: calico-typha
 ports:
 - containerPort: 5473
 name: calico-typha
 protocol: TCP
+ envFrom:
+ - configMapRef:
+ # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
+ name: kubernetes-services-endpoint
+ optional: true
 env:
 # Use eni not cali for interface prefix
 - name: FELIX_INTERFACEPREFIX
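Review bot: The `envFrom` / `configMapRef` added to the calico-node container in the first hunk imports every key of `kubernetes-services-endpoint` as an environment variable, not only the two the comment names. Anyone who can create or edit that ConfigMap in the pod's namespace can therefore set arbitrary variables on the node agent, so write access to it should be treated as equivalent to control of the DaemonSet. Assuming only the API server host and port are meant to be overridable, explicit `configMapKeyRef` entries with `optional: true` keep the override and drop the rest. The same block is added to the calico-typha container in the last hunk and deserves the same change. Both `env` lists continue outside their hunks.
```yaml
env:
  # Only these two keys are read from the optional ConfigMap.
  - name: KUBERNETES_SERVICE_HOST
    valueFrom:
      configMapKeyRef:
        name: kubernetes-services-endpoint
        key: KUBERNETES_SERVICE_HOST
        optional: true
  - name: KUBERNETES_SERVICE_PORT
    valueFrom:
      configMapKeyRef:
        name: kubernetes-services-endpoint
        key: KUBERNETES_SERVICE_PORT
        optional: true
  # … unchanged: DATASTORE_TYPE and the remaining env entries …
```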
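Review bot: The `sysfs` volumeMount in the second hunk hands calico-node the host's whole `/sys/fs/` tree, writable and with `mountPropagation: Bidirectional`, which is wider than the BPF filesystem the comment says is needed. Kubernetes accepts Bidirectional propagation only for privileged containers, and any mount made under that path inside the container then appears on the host; the container's securityContext is outside this hunk, so confirm that is intended. Where the host already mounts bpffs, as the comment allows, I would narrow this to `mountPath: /sys/fs/bpf` with a matching hostPath and drop the `mountPropagation` line. Otherwise extend the comment to say that the container must be privileged and that the parent directory is mounted only so the bpf mount point can be created.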
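Review bot: `type: DirectoryOrCreate` on the `sysfs` hostPath in the third hunk lets the kubelet create `/sys/fs/` when it is missing, which would hide a broken node rather than fail the pod. On a working Linux host that directory is provided by the kernel's sysfs, so `type: Directory` states the expectation and fails fast when it is not met.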