calicoctl

calicoctl:
calicoctl makes it easy to manage Calico networking and security policy. It can also be run as a container (the calico/ctl image on Docker Hub), but the containerised form has limitations and does not offer the full functionality of the binary. The calicoctl command line provides a set of resource-management commands that let you create, modify, delete and view the different Calico resources.

Command Reference:
    create    Create a resource by filename or stdin.
    replace   Replace a resource by filename or stdin.
    apply     Apply a resource by filename or stdin.  This creates a resource
              if it does not exist, and replaces a resource if it does exist.
    delete    Delete a resource identified by file, stdin or resource type and
              name.
    get       Get a resource identified by file, stdin or resource type and
              name.
    config    Manage system-wide and low-level node configuration options.
    ipam      IP address management.
    node      Calico node management.
    version   Display the version of calicoctl.


calicoctl create: creates resources from a configuration file in YAML or JSON format. Resource types: node, bgpPeer, hostEndpoint, workloadEndpoint, ipPool, policy, profile. -f gives the location of the resource file; -c gives the calicoctl config file, default /etc/calico/calicoctl.cfg.
calicoctl replace: replaces an already existing resource from a configuration file; same parameters as create.
calicoctl apply: creates a resource, or replaces it if it already exists, from a configuration file; same parameters as create.
calicoctl delete: deletes resources listed in a resource file, or a single resource given by type and identifier.
calicoctl get: displays resources listed in a file, or resources given by type and identifier. Several output formats are available: ps, wide, yaml, json, ...
calicoctl config: lets you view or modify the low-level Felix and BGP component configuration. calicoctl config set <NAME> <VALUE>, calicoctl config unset <NAME>, calicoctl config get <NAME>

calicoctl ipam release: releases an IP address from Calico IP address management that was previously assigned to an endpoint, making it available for assignment again. This does not remove the IP from any endpoint that may still be using it, so use it only to clean up addresses left behind by endpoints that were not cleanly removed; releasing an address that is still in use can result in the same IP being assigned to a second endpoint.
calicoctl ipam show: shows whether a given IP address is currently allocated.


calicoctl node run: starts a calico/node container.

calicoctl node run [--ip=<IP>] [--ip6=<IP6>] [--as=<AS_NUM>]
                     [--name=<NAME>]
                     [--ip-autodetection-method=<IP_AUTODETECTION_METHOD>]
                     [--ip6-autodetection-method=<IP6_AUTODETECTION_METHOD>]
                     [--log-dir=<LOG_DIR>]
                     [--node-image=<DOCKER_IMAGE_NAME>]
                     [--backend=(bird|gobgp|none)]
                     [--config=<CONFIG>]
                     [--no-default-ippools]
                     [--dryrun]
                     [--init-system]
                     [--disable-docker-networking]
                     [--docker-networking-ifprefix=<IFPREFIX>]
                     [--use-docker-networking-container-labels]

calicoctl node run --ip autodetect --ip-autodetection-method interface=eth0


calicoctl node status: checks the status of the calico node.
calicoctl node diags: collects diagnostic information on the calico node.
calicoctl node checksystem: checks the host for compatibility.


Resource Definitions:
apiVersion: v1
kind: <type of resource>
metadata:
  # Identifying information
  name: <name of resource>
  ...
spec:
  # Specification of the resource
  ... 
===================================================
BGP Peer
Metadata: scope, node, peerIP
Spec: asNumber

apiVersion: v1
kind: bgpPeer
metadata:
  scope: node
  node: rack1-host1
  peerIP: 192.168.1.1
spec:
  asNumber: 63400
====================================================
Host Endpoint
Metadata: name, node, labels
Spec: interfaceName, expectedIPs, profiles

apiVersion: v1
kind: hostEndpoint
metadata:
  name: eth0
  node: myhost
  labels:
    type: production
spec:
  interfaceName: eth0
  expectedIPs:
  - 192.168.0.1
  - 192.168.0.2
  profiles:
  - profile1
  - profile2
========================================================
IP Pool
Metadata: cidr
Spec: ipip, nat-outgoing, disabled

apiVersion: v1
kind: ipPool
metadata:
  cidr: 10.1.0.0/16
spec:
  ipip:
    enabled: true
    mode: cross-subnet
  nat-outgoing: true
  disabled: false
=====================================================

Node
Metadata: name
Spec: bgp, orchRefs
OrchRef: nodeName, orchestrator
BGP: asNumber, ipv4Address, ipv6Address

=======================================================

Policy
Metadata: name, annotations
Spec: order, selector, types, ingress, egress, doNotTrack, preDNAT
Rule: action, protocol, notProtocol, icmp, notICMP, ipVersion, source, destination
ICMP: type, code
EntityRule: tag, notTag, nets, net, notNets, notNet, selector, notSelector, ports, notPorts
Selector:
Ports: int, start:end


apiVersion: v1
kind: policy
metadata:
  name: allow-tcp-6379
spec:
  selector: role == 'database'
  types:
  - ingress
  - egress
  ingress:
  - action: allow
    protocol: tcp
    source:
      selector: role == 'frontend'
    destination:
      ports:
      - 6379
  egress:
  - action: allow

================================================================

Profile

Metadata: name, labels, tags
Spec: ingress, egress
Rule: action, protocol, notProtocol, icmp, notICMP, ipVersion, source, destination
ICMP: type, code
EntityRule: tag, notTag, nets, net, notNets, notNet, selector, notSelector, ports, notPorts
Selector:
Ports: int, start:end


apiVersion: v1
kind: profile
metadata:
  name: profile1
  labels:
    profile: profile1 
spec:
  ingress:
  - action: deny
    source:
      nets:
      - 10.0.20.0/24
  - action: allow
    source:
      selector: profile == 'profile1'
  egress:
  - action: allow 

===============================================

Workload Endpoint
Metadata: name, workload, orchestrator, node, labels
Spec: interfaceName, mac, ipNetworks, profiles

apiVersion: v1
kind: workloadEndpoint
metadata:
  name: eth0
  workload: default.frontend-5gs43
  orchestrator: k8s
  node: rack1-host1
  labels:
    app: frontend
    calico/k8s_ns: default
spec:
  interfaceName: cali0ef24ba
  mac: ca:fe:1d:52:bb:e9
  ipNetworks:
  - 192.168.0.0/32
  profiles:
  - profile1
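How the policy, the profile and the workloadEndpoint above combine when a packet arrives is easy to get wrong, so the following is an added example (my code, not calicoctl's or the Calico project's) that models the v1 evaluation rules: policies whose selector matches the endpoint are tried lowest order first and the first matching rule decides; if at least one policy applies to that direction but no rule matches, the packet is denied; only when no policy applies at all are the endpoint's profiles consulted, again first match wins and no match means deny. The allow-tcp-6379 policy and profile1 are the ones from this page, expressed as Python dicts; the endpoint names, their IPs and the extra endpoints (web, batch) are assumptions, and profile labels are treated as inherited by the endpoints that reference the profile, which is why the selector profile == 'profile1' works.

```python
# Added example (not calicoctl or Calico project code): a model of how the Calico v1 API
# evaluates policies and profiles for a workloadEndpoint, built from the YAML on this page.
import ipaddress

POLICIES = [{                                   # the allow-tcp-6379 policy from this page
    "metadata": {"name": "allow-tcp-6379"},
    "spec": {"order": 100, "selector": "role == 'database'", "types": ["ingress", "egress"],
             "ingress": [{"action": "allow", "protocol": "tcp",
                          "source": {"selector": "role == 'frontend'"},
                          "destination": {"ports": [6379]}}],
             "egress": [{"action": "allow"}]}}]

PROFILES = {"profile1": {                       # profile1 from this page
    "metadata": {"labels": {"profile": "profile1"}},
    "spec": {"ingress": [{"action": "deny", "source": {"nets": ["10.0.20.0/24"]}},
                         {"action": "allow", "source": {"selector": "profile == 'profile1'"}}],
             "egress": [{"action": "allow"}]}}}

# Constructed workloadEndpoints: name -> (labels, IP, profiles). Names and IPs are assumptions.
ENDPOINTS = {
    "db":    ({"role": "database"}, "192.168.0.10", ["profile1"]),
    "fe":    ({"role": "frontend", "app": "frontend"}, "192.168.0.20", ["profile1"]),
    "web":   ({"role": "web"}, "192.168.0.30", ["profile1"]),
    "batch": ({"role": "batch"}, "10.0.20.7", ["profile1"]),
}

def effective_labels(name):
    """Endpoint labels plus the labels inherited from every profile it references."""
    labels, _ip, profiles = ENDPOINTS[name]
    inherited = {k: v for p in profiles for k, v in PROFILES[p]["metadata"].get("labels", {}).items()}
    return {**inherited, **labels}

def selector_matches(selector, labels):
    """Subset of the selector syntax: all(), has(k), k == 'v', k != 'v', joined by && and ||."""
    def atom(term):
        term = term.strip()
        if term == "all()":
            return True
        if term.startswith("has("):
            return term[4:-1].strip() in labels
        op = "==" if "==" in term else "!="
        key, val = (s.strip() for s in term.split(op, 1))
        return (labels.get(key) == val.strip("'\"")) == (op == "==")   # != also matches a missing key
    return any(all(atom(t) for t in clause.split("&&")) for clause in selector.split("||"))

def port_matches(port, ports):
    """ports entries are integers or 'start:end' ranges."""
    return any(int(lo) <= port <= int(hi or lo)
               for lo, _, hi in (str(p).partition(":") for p in ports))

def entity_matches(ent, ip, labels):
    """source/destination sub-rule: nets and selector (labels None = a host outside Calico)."""
    addr = ipaddress.ip_address(ip)
    if "nets" in ent and not any(addr in ipaddress.ip_network(n) for n in ent["nets"]):
        return False
    if "selector" in ent and (labels is None or not selector_matches(ent["selector"], labels)):
        return False
    return True

def first_match(rules, conn):
    """Rules are tried top to bottom; the first one that matches decides (allow/deny)."""
    for rule in rules:
        src, dst = rule.get("source", {}), rule.get("destination", {})
        if ("protocol" in rule and rule["protocol"].lower() != conn["protocol"].lower()
                or not entity_matches(src, conn["src_ip"], conn["src_labels"])
                or not entity_matches(dst, conn["dst_ip"], conn["dst_labels"])
                or "ports" in dst and not port_matches(conn["dst_port"], dst["ports"])):
            continue
        return rule["action"]
    return None

def evaluate(direction, endpoint, conn):
    """Verdict ('allow'/'deny') for `direction` ('ingress'/'egress') traffic at `endpoint`."""
    labels = effective_labels(endpoint)
    def applies(spec):   # types defaults to whichever directions have rules
        types = spec.get("types") or [d for d in ("ingress", "egress") if d in spec]
        return selector_matches(spec["selector"], labels) and direction in types
    applying = sorted((p["spec"] for p in POLICIES if applies(p["spec"])),
                      key=lambda s: s.get("order", float("inf")))
    # Policies win: lowest order first, first matching rule decides, no match at all = deny.
    # Profiles are consulted only when no policy applies, in the order listed on the endpoint.
    rule_sets = ([s.get(direction, []) for s in applying]
                 or [PROFILES[p]["spec"].get(direction, []) for p in ENDPOINTS[endpoint][2]])
    for rules in rule_sets:
        verdict = first_match(rules, conn)
        if verdict:
            return verdict
    return "deny"

def check(src, dst, protocol, dst_port):
    """src/dst: endpoint names, or bare IPs for hosts outside Calico. Both ends must allow."""
    who = lambda x: (ENDPOINTS[x][1], effective_labels(x)) if x in ENDPOINTS else (x, None)
    (src_ip, src_labels), (dst_ip, dst_labels) = who(src), who(dst)
    conn = {"src_ip": src_ip, "src_labels": src_labels, "dst_ip": dst_ip,
            "dst_labels": dst_labels, "dst_port": dst_port, "protocol": protocol}
    if src in ENDPOINTS and evaluate("egress", src, conn) == "deny":
        return "deny"
    return evaluate("ingress", dst, conn) if dst in ENDPOINTS else "allow"
```

Two results are worth noticing. check("web", "db", "tcp", 6379) returns deny even though profile1 would have allowed it: once a policy selects the database endpoint, its profile is never consulted for that direction, so a policy with a narrow allow list is an effective default deny. check("batch", "web", "tcp", 80) returns deny although the second profile1 rule matches the source, because the deny rule for 10.0.20.0/24 comes first and the first match wins; reordering the two rules would silently open that subnet.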

