Skip to main content
Calico Open Source 3.30 (latest) documentation

Kubernetes controllers configuration

A Calico Kubernetes controllers configuration resource (KubeControllersConfiguration) represents configuration options for the Calico Kubernetes controllers.

Sample YAML

apiVersion: projectcalico.org/v3
kind: KubeControllersConfiguration
metadata:
name: default
spec:
logSeverityScreen: Info
healthChecks: Enabled
etcdV3CompactionPeriod: 10m
prometheusMetricsPort: 9094
controllers:
node:
reconcilerPeriod: 5m
leakGracePeriod: 15m
syncLabels: Enabled
hostEndpoint:
autoCreate: Disabled
createDefaultHostEndpoint: Enabled
templates:
- generateName: custom-host-endpoint
interfaceCIDRs:
- 1.2.3.0/24
nodeSelector: "has(my-label)"
labels:
key: value
policy:
reconcilerPeriod: 5m
workloadEndpoint:
reconcilerPeriod: 5m
serviceAccount:
reconcilerPeriod: 5m
namespace:
reconcilerPeriod: 5m
loadbalancer:
assignIPs: AllServices

Kubernetes controllers configuration definition

Metadata

FieldDescriptionAccepted ValuesSchema
nameUnique name to describe this resource instance. Required.Must be defaultstring
  • Calico automatically creates a resource named default containing the configuration settings, only the name default is used and only one object of this type is allowed. You can use calicoctl to view and edit these settings

Spec

FieldDescriptionAccepted ValuesSchemaDefault
logSeverityScreenThe log severity above which logs are sent to the stdout.Debug, Info, Warning, Error, FatalstringInfo
healthChecksEnable support for health checksEnabled, DisabledstringEnabled
prometheusMetricsPortPort on which to serve prometheus metrics.Set to 0 to disable, > 0 to enable.TCP port9094
etcdV3CompactionPeriodThe period between etcdv3 compaction requests. Only applies when using etcd as the Calico datastore.Set to 0 to disable, > 0 to enableDuration string10m
controllersEnabled controllers and their settingsControllers

Controllers

FieldDescriptionSchema
nodeEnable and configure the node controlleromit to disable, or NodeController
policyEnable and configure the network policy controlleromit to disable, or PolicyController
workloadEndpointEnable and configure the workload endpoint controlleromit to disable, or WorkloadEndpointController
serviceAccountEnable and configure the service account controlleromit to disable, or ServiceAccountController
namespaceEnable and configure the namespace controlleromit to disable, or NamespaceController

NodeController

The node controller automatically cleans up configuration for nodes that no longer exist. Optionally, it can create host endpoints for all Kubernetes nodes.

FieldDescriptionAccepted ValuesSchemaDefault
reconcilerPeriodPeriod to perform reconciliation with the Calico datastoreDuration string5m
syncLabelsWhen enabled, Kubernetes node labels will be copied to Calico node objects.Enabled, DisabledstringEnabled
hostEndpointConfigures the host endpoint controllerHostEndpoint
leakGracePeriodGrace period to use when garbage collecting suspected leaked IP addresses.Duration string15m

HostEndpoint

FieldDescriptionAccepted ValuesSchemaDefault
autoCreateWhen enabled, automatically create host endpointsEnabled, DisabledstringDisabled
createDefaultHostEndpointWhen enabled, default host endpoint will be createdEnabled, DisabledstringEnabled
templatesControls creation of custom host endpointsTemplate

Template

FieldDescriptionAccepted ValuesSchemaDefault
generateNameUnique name used as suffix for host endpoints created based on this templateAlphanumeric stringstring
nodeSelectorSelects the nodes for which this template should create host endpointsSelectorall()
interfaceCIDRsThis configuration defines which IP addresses from a node's specification (including standard, tunnel, and WireGuard IPs) are eligible for inclusion in the generated HostEndpoint. IP addresses must fall within the provided CIDR ranges to be considered. If no address on the node matches the specified CIDRs, the HostEndpoint creation is skipped.List of valid CIDRsList string
labelsLabels to be added to generated host endpoints matching this templatemap of string key to string values

Selectors

A label selector is an expression which either matches or does not match a resource based on its labels.

Calico label selectors support a number of operators, which can be combined into larger expressions using the boolean operators and parentheses.

ExpressionMeaning
Logical operators
( <expression> )Matches if and only if <expression> matches. (Parentheses are used for grouping expressions.)
! <expression>Matches if and only if <expression> does not match. Tip: ! is a special character at the start of a YAML string, if you need to use ! at the start of a YAML string, enclose the string in quotes.
<expression 1> && <expression 2>"And": matches if and only if both <expression 1>, and, <expression 2> matches
<expression 1> || <expression 2>"Or": matches if and only if either <expression 1>, or, <expression 2> matches.
Match operators
all()Match all in-scope resources. To match no resources, combine this operator with ! to form !all().
global()Match all non-namespaced resources. Useful in a namespaceSelector to select global resources such as global network sets.
k == 'v'Matches resources with the label 'k' and value 'v'.
k != 'v'Matches resources without label 'k' or with label 'k' and value not equal to v
has(k)Matches resources with label 'k', independent of value. To match pods that do not have label k, combine this operator with ! to form !has(k)
k in { 'v1', 'v2' }Matches resources with label 'k' and value in the given set
k not in { 'v1', 'v2' }Matches resources without label 'k' or with label 'k' and value not in the given set
k contains 's'Matches resources with label 'k' and value containing the substring 's'
k starts with 's'Matches resources with label 'k' and value starting with the substring 's'
k ends with 's'Matches resources with label 'k' and value ending with the substring 's'

Operators have the following precedence:

  • Highest: all the match operators
  • Parentheses ( ... )
  • Negation with !
  • Conjunction with &&
  • Lowest: Disjunction with ||

For example, the expression

! has(my-label) || my-label starts with 'prod' && role in {'frontend','business'}

Would be "bracketed" like this:

((!(has(my-label)) || ((my-label starts with 'prod') && (role in {'frontend','business'}))

It would match:

  • Any resource that did not have label "my-label".
  • Any resource that both:
    • Has a value for my-label that starts with "prod", and,
    • Has a role label with value either "frontend", or "business".

PolicyController

The policy controller syncs Kubernetes network policies to the Calico datastore. This controller is only valid when using etcd as the Calico datastore.

FieldDescriptionSchemaDefault
reconcilerPeriodPeriod to perform reconciliation with the Calico datastoreDuration string5m

WorkloadEndpointController

The workload endpoint controller automatically syncs Kubernetes pod label changes to the Calico datastore by updating the corresponding workload endpoints appropriately. This controller is only valid when using etcd as the Calico datastore.

FieldDescriptionSchemaDefault
reconcilerPeriodPeriod to perform reconciliation with the Calico datastoreDuration string5m

ServiceAccountController

The service account controller syncs Kubernetes service account changes to the Calico datastore. This controller is only valid when using etcd as the Calico datastore.

FieldDescriptionSchemaDefault
reconcilerPeriodPeriod to perform reconciliation with the Calico datastoreDuration string5m

NamespaceController

The namespace controller syncs Kubernetes namespace label changes to the Calico datastore. This controller is only valid when using etcd as the Calico datastore.

FieldDescriptionSchemaDefault
reconcilerPeriodPeriod to perform reconciliation with the Calico datastoreDuration string5m

LoadBalancerController

The load balancer controller manages IPAM for Services of type LoadBalancer.

FieldDescriptionAccepted ValuesSchemaDefault
assignIPsMode in which LoadBalancer controller operatesAllServices, RequestedServicesOnlyStringAllServices