Calico Enterprise 3.21 documentation

Configuring Felix

Note: The following tables detail the configuration file and environment variable parameters. For FelixConfiguration resource settings, refer to Felix Configuration Resource.

Configuration for Felix is read from one of four possible locations, in order, as follows.

  1. Environment variables.
  2. The Felix configuration file.
  3. Host-specific FelixConfiguration resources (node.<nodename>).
  4. The global FelixConfiguration resource (default).

The value of any configuration parameter is the value read from the first location containing a value. For example, if an environment variable contains a value, it takes top precedence.

If not set in any of these locations, most configuration parameters have defaults, and it should be rare to have to explicitly set them.
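The resolution order above, worked through in code. This is an added example, not Felix's own code: it searches the four sources in the page's order, falls back to the built-in default, and parses the winning raw value against the parameter's documented schema (boolean words, integer range, anchored regex, or "one of" list). It assumes environment variables are named FELIX_<PARAMETER NAME IN UPPER CASE>, that the config file and the two FelixConfiguration resources are modelled as plain dicts, and that an empty string counts as "no value".

```python
"""Added example (not Felix's own code): resolve a Felix parameter from the
four configuration sources in precedence order and parse it per its schema.
Assumed: env var naming FELIX_<NAME UPPER CASE>; empty string means unset."""
import re
from typing import Callable

TRUE_WORDS = {"true", "1", "yes", "y", "t"}
FALSE_WORDS = {"false", "0", "no", "n", "f"}


def parse_bool(raw: str) -> bool:
    """Boolean schema from the page: accepted words, matched case-insensitively."""
    word = raw.strip().lower()
    if word in TRUE_WORDS:
        return True
    if word in FALSE_WORDS:
        return False
    raise ValueError(f"not a Felix boolean: {raw!r}")


def int_in_range(lo: int, hi: int) -> Callable[[str], int]:
    """Integer schema with an inclusive [lo,hi] range, e.g. [0,65535]."""
    def parse(raw: str) -> int:
        value = int(raw.strip())
        if not lo <= value <= hi:
            raise ValueError(f"{value} outside [{lo},{hi}]")
        return value
    return parse


def matching(pattern: str) -> Callable[[str], str]:
    """'String matching regex' schema; the page's patterns are ^...$ anchored."""
    rx = re.compile(pattern)

    def parse(raw: str) -> str:
        if not rx.fullmatch(raw):
            raise ValueError(f"{raw!r} does not match {pattern}")
        return raw
    return parse


def one_of(*choices: str) -> Callable[[str], str]:
    """'One of: ...' schema, case-insensitive; returns the canonical spelling."""
    canon = {c.lower(): c for c in choices}

    def parse(raw: str) -> str:
        try:
            return canon[raw.strip().lower()]
        except KeyError:
            raise ValueError(f"{raw!r} not one of {choices}") from None
    return parse


# Schema parser and default for a few parameters, taken from the page's tables.
SCHEMA = {
    "HealthEnabled": (parse_bool, False),
    "HealthPort": (int_in_range(0, 65535), 9099),
    "TyphaAddr": (matching(r"^[^:/]+:\d+$"), None),
    "LogSeverityScreen": (one_of("DEBUG", "ERROR", "FATAL", "INFO", "WARNING"), "INFO"),
}


def check(name: str, raw) -> "str | None":
    """Return None if raw satisfies the parameter's schema, else the error text."""
    try:
        SCHEMA[name][0](str(raw))
        return None
    except ValueError as exc:
        return str(exc)


def resolve(name: str, env: dict, config_file: dict, node_config: dict, global_config: dict):
    """Return (parsed value, source label). Sources are searched in the page's
    order: environment, config file, node.<nodename> FelixConfiguration, the
    global (default) FelixConfiguration, then the built-in default. The first
    source holding a non-empty value wins, so an env var beats everything."""
    parse, default = SCHEMA[name]
    sources = [
        ("env", env.get("FELIX_" + name.upper())),  # assumed naming convention
        ("config-file", config_file.get(name)),
        ("node-felixconfiguration", node_config.get(name)),
        ("global-felixconfiguration", global_config.get(name)),
    ]
    for label, raw in sources:
        if raw is not None and str(raw) != "":
            return parse(str(raw)), label
    return default, "default"
```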

The full list of parameters which can be set is as follows.

Spec

Datastore connection

DatastoreType

Key: DatastoreType
Description: Controls which datastore driver Felix will use. Typically, this is detected from the environment and it does not need to be set manually. (For example, if KUBECONFIG is set, the kubernetes datastore driver will be used by default.)
Schema: One of: etcdv3, kubernetes (case insensitive)
Default: etcdv3

EtcdAddr

Key: EtcdAddr
Description: Open source-only parameter; etcdv3 datastore driver is not supported in Calico Enterprise/Cloud.
  When using the etcdv3 datastore driver, the etcd server and port to connect to. If EtcdEndpoints is also specified, it takes precedence.
Schema: String matching regex ^[^:/]+:\d+$
Default: 127.0.0.1:2379

EtcdCaFile

Key: EtcdCaFile
Description: Open source-only parameter; etcdv3 datastore driver is not supported in Calico Enterprise/Cloud.
  When using the etcdv3 datastore driver, path to TLS CA file to use when connecting to etcd. If the CA file is specified, the other TLS parameters are mandatory.
Schema: Path to file, which must exist
Default: none

EtcdCertFile

Key: EtcdCertFile
Description: Open source-only parameter; etcdv3 datastore driver is not supported in Calico Enterprise/Cloud.
  When using the etcdv3 datastore driver, path to TLS certificate file to use when connecting to etcd. If the certificate file is specified, the other TLS parameters are mandatory.
Schema: Path to file, which must exist
Default: none

EtcdEndpoints

Key: EtcdEndpoints
Description: Open source-only parameter; etcdv3 datastore driver is not supported in Calico Enterprise/Cloud.
  When using the etcdv3 datastore driver, a comma-delimited list of etcd endpoints to connect to; replaces EtcdAddr and EtcdScheme.
Schema: List of HTTP endpoints: comma-delimited list of http(s)://hostname:port
Default: none

EtcdKeyFile

Key: EtcdKeyFile
Description: Open source-only parameter; etcdv3 datastore driver is not supported in Calico Enterprise/Cloud.
  When using the etcdv3 datastore driver, path to TLS private key file to use when connecting to etcd. If the key file is specified, the other TLS parameters are mandatory.
Schema: Path to file, which must exist
Default: none

EtcdScheme

Key: EtcdScheme
Description: Open source-only parameter; etcdv3 datastore driver is not supported in Calico Enterprise/Cloud.
  When using the etcdv3 datastore driver, the URL scheme to use with EtcdAddr. If EtcdEndpoints is also specified, it takes precedence.
Schema: One of: http, https (case insensitive)
Default: http

FelixHostname

Key: FelixHostname
Description: The name of this node, used to identify resources in the datastore that belong to this node. Auto-detected from the node's hostname if not provided.
Schema: String matching regex ^[a-zA-Z0-9_.-]+$
Default: none

TyphaAddr

Key: TyphaAddr
Description: If set, tells Felix to connect to Typha at the given address and port. Overrides TyphaK8sServiceName.
Schema: String matching regex ^[^:/]+:\d+$
Default: none

TyphaCAFile

Key: TyphaCAFile
Description: Path to the TLS CA file to use when communicating with Typha. If this parameter is specified, the other TLS parameters must also be specified. For non-cluster hosts, the CA file is extracted from the tigera-ca-bundle ConfigMap under the TyphaK8sNamespace namespace.
Schema: Path to file, which must exist
Default: none

TyphaCN

Key: TyphaCN
Description: Common name to use when authenticating to Typha over TLS. If any TLS parameters are specified then one of TyphaCN and TyphaURISAN must be set.
Schema: String
Default: none

TyphaCertFile

Key: TyphaCertFile
Description: Path to the TLS certificate to use when communicating with Typha. If this parameter is specified, the other TLS parameters must also be specified. For non-cluster hosts, the certificate will be signed by the in-cluster Tigera operator signer.
Schema: Path to file, which must exist
Default: none

TyphaK8sNamespace

Key: TyphaK8sNamespace
Description: Namespace to look in when looking for Typha's service (see TyphaK8sServiceName).
Schema: String
Default: kube-system

TyphaK8sServiceName

Key: TyphaK8sServiceName
Description: If set, tells Felix to connect to Typha by looking up the Endpoints of the given Kubernetes Service in the namespace specified by TyphaK8sNamespace.
Schema: String
Default: none

TyphaKeyFile

Key: TyphaKeyFile
Description: Path to the TLS private key to use when communicating with Typha. If this parameter is specified, the other TLS parameters must also be specified. For non-cluster hosts, the private key is generated locally and rotated when the certificate expires.
Schema: Path to file, which must exist
Default: none

TyphaReadTimeout

Key: TyphaReadTimeout
Description: Read timeout when reading from the Typha connection. If Typha sends no data for this long, Felix will exit and restart. (Note that Typha sends regular pings, so traffic is always expected.)
Schema: Seconds (floating point)
Default: 30

TyphaURISAN

Key: TyphaURISAN
Description: URI SAN to use when authenticating to Typha over TLS. If any TLS parameters are specified then one of TyphaCN and TyphaURISAN must be set.
Schema: String
Default: none

TyphaWriteTimeout

Key: TyphaWriteTimeout
Description: Write timeout when writing data to Typha.
Schema: Seconds (floating point)
Default: 10

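The Typha parameters above carry cross-parameter rules that are easy to get half right: each TLS file parameter requires the other TLS parameters, the files must exist, any TLS setting requires one of TyphaCN or TyphaURISAN, and TyphaAddr overrides TyphaK8sServiceName. The following check is an added example, not Felix's or Calico's own code; it takes the parameters as a plain dict and lets the caller inject the file-existence test so it runs without real files. The "no-typha" label for the case where neither TyphaAddr nor TyphaK8sServiceName is set is this example's own naming.

```python
"""Added example (not Felix's own code): consistency check for the Typha
connection parameters, following the rules stated in the page's tables."""
import os
import re
from typing import Callable, Dict, List, Optional, Tuple

TLS_FILES = ("TyphaCAFile", "TyphaCertFile", "TyphaKeyFile")
TLS_PARAMS = TLS_FILES + ("TyphaCN", "TyphaURISAN")
ADDR_RE = re.compile(r"^[^:/]+:\d+$")  # TyphaAddr schema from the page


def typha_problems(cfg: Dict[str, Optional[str]],
                   exists: Callable[[str], bool] = os.path.exists,
                   ) -> Tuple[str, List[str]]:
    """Return (discovery mode, problems). An empty problem list means the
    configuration satisfies every rule checked here."""
    problems: List[str] = []
    # Unset and empty values both count as "not specified".
    given = {k: v for k, v in cfg.items() if v not in (None, "")}

    # TyphaAddr, if set, overrides TyphaK8sServiceName. The label used when
    # neither is set ("no-typha") is this example's own.
    addr = given.get("TyphaAddr")
    if addr is not None:
        mode = "address"
        if not ADDR_RE.match(addr):
            problems.append(f"TyphaAddr {addr!r} does not match ^[^:/]+:\\d+$")
    elif "TyphaK8sServiceName" in given:
        mode = "k8s-service"
    else:
        mode = "no-typha"

    # Each TLS file parameter: "If this parameter is specified, the other TLS
    # parameters must also be specified", and its schema requires the path to exist.
    present = [k for k in TLS_FILES if k in given]
    if present:
        missing = [k for k in TLS_FILES if k not in given]
        if missing:
            problems.append("TLS partially configured; missing " + ", ".join(missing))
        for k in present:
            if not exists(given[k]):
                problems.append(f"{k}: file {given[k]!r} does not exist")

    # "If any TLS parameters are specified then one of TyphaCN and TyphaURISAN
    # must be set."
    if any(k in given for k in TLS_PARAMS) and not (
            "TyphaCN" in given or "TyphaURISAN" in given):
        problems.append("TLS in use but neither TyphaCN nor TyphaURISAN is set")
    return mode, problems
```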
Process: Feature detection/overrides

FeatureDetectOverride

Key: FeatureDetectOverride
Description: Used to override feature detection based on auto-detected platform capabilities. Values are specified as a comma-separated list with no spaces, for example: "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". A value of "true" or "false" force-enables or force-disables the feature; empty or omitted values fall back to auto-detection.
Schema: Comma-delimited list of key=value pairs
Default: none

FeatureGates

Key: FeatureGates
Description: Used to enable or disable tech-preview Calico features. Values are specified as a comma-separated list with no spaces, for example: "BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false". This is used to enable features that are not fully production ready.
Schema: Comma-delimited list of key=value pairs
Default: none

Process: Go runtime

GoGCThreshold

Key: GoGCThreshold
Description: Sets the Go runtime's garbage collection threshold, i.e., the percentage that the heap is allowed to grow before garbage collection is triggered. In general, doubling the value halves the CPU time spent doing GC, but it also doubles peak GC memory overhead. A special value of -1 can be used to disable GC entirely; this should only be used in conjunction with the GoMemoryLimitMB setting.
  This setting is overridden by the GOGC environment variable.
Schema: Integer: [-1, 2^63-1]
Default: 40

GoMaxProcs

Key: GoMaxProcs
Description: Sets the maximum number of CPUs that the Go runtime will use concurrently. A value of -1 means "use the system default"; typically the number of real CPUs on the system.
  This setting is overridden by the GOMAXPROCS environment variable.
Schema: Integer: [-1, 2^63-1]
Default: -1

GoMemoryLimitMB

Key: GoMemoryLimitMB
Description: Sets a (soft) memory limit for the Go runtime in MB. The Go runtime will try to keep its memory usage under the limit by triggering GC as needed. To avoid thrashing, it will exceed the limit if GC starts to take more than 50% of the process's CPU time. A value of -1 disables the memory limit.
  Note that the memory limit, if used, must be considerably less than any hard resource limit set at the container or pod level. This is because Felix is not the only process that must run in the container or pod.
  This setting is overridden by the GOMEMLIMIT environment variable.
Schema: Integer: [-1, 2^63-1]
Default: -1

Process: Health port and timeouts

HealthEnabled

Key: HealthEnabled
Description: If set to true, enables Felix's health port, which provides readiness and liveness endpoints.
Schema: Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Default: false

HealthHost

Key: HealthHost
Description: The host that the health server should bind to.
Schema: String matching regex ^[a-zA-Z0-9:._+-]{1,64}$
Default: localhost

HealthPort

Key: HealthPort
Description: The TCP port that the health server should bind to.
Schema: Integer: [0,65535]
Default: 9099

HealthTimeoutOverrides

Key: HealthTimeoutOverrides
Description: Allows the internal watchdog timeouts of individual subcomponents to be overridden. This is useful for working around "false positive" liveness timeouts that can occur in particularly stressful workloads or if CPU is constrained. For a list of active subcomponents, see Felix's logs.
Schema: Comma-delimited list of <key>=<duration> pairs, where durations use Go's standard format (e.g. 1s, 1m, 1h3m2s)
Default: none

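Two of the parameters above (FeatureDetectOverride and HealthTimeoutOverrides) share the "comma-delimited key=value, no spaces" shape but differ in what a value means: the first is tri-state (true, false, or empty for auto-detect), the second is a Go-format duration. The parsers below are an added example, not Felix's own code; the subcomponent names used in the test are constructed placeholders, since the page defers the real list to Felix's logs, and the duration parser covers the h, m, s and ms units only.

```python
"""Added example (not Felix's own code): parse FeatureDetectOverride
(tri-state values) and HealthTimeoutOverrides (Go-format durations)."""
import re
from typing import Dict, Optional

# Unit must be tried longest-first so "ms" is not read as "m" followed by junk.
_DURATION_RE = re.compile(r"(\d+(?:\.\d+)?)(ms|h|m|s)")
_UNIT_SECONDS = {"h": 3600.0, "m": 60.0, "s": 1.0, "ms": 0.001}


def split_pairs(raw: str) -> Dict[str, str]:
    """Split 'k1=v1,k2=v2' (no spaces, per the page) into a dict. An entry
    without '=' or with an empty key is rejected; an empty value is kept."""
    pairs: Dict[str, str] = {}
    if raw == "":
        return pairs
    for item in raw.split(","):
        key, sep, value = item.partition("=")
        if sep == "" or key == "":
            raise ValueError(f"malformed key=value entry: {item!r}")
        pairs[key] = value
    return pairs


def parse_feature_detect_override(raw: str) -> Dict[str, Optional[bool]]:
    """'true'/'false' force the feature on/off; '' means auto-detect (None)."""
    out: Dict[str, Optional[bool]] = {}
    for key, value in split_pairs(raw).items():
        v = value.lower()
        if v == "true":
            out[key] = True
        elif v == "false":
            out[key] = False
        elif v == "":
            out[key] = None
        else:
            raise ValueError(f"{key}: expected true, false or empty, got {value!r}")
    return out


def parse_go_duration(text: str) -> float:
    """Go duration format (subset: h, m, s, ms), returned in seconds.
    Every character must belong to a number+unit group, e.g. '1h3m2s'."""
    pos, total = 0, 0.0
    for m in _DURATION_RE.finditer(text):
        if m.start() != pos:  # a gap means unparsed characters
            raise ValueError(f"bad duration: {text!r}")
        total += float(m.group(1)) * _UNIT_SECONDS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"bad duration: {text!r}")
    return total


def parse_health_timeout_overrides(raw: str) -> Dict[str, float]:
    """Map each subcomponent key to its watchdog timeout in seconds."""
    return {k: parse_go_duration(v) for k, v in split_pairs(raw).items()}
```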
Process: Logging

LogDebugFilenameRegex

Key: LogDebugFilenameRegex
Description: Controls which source code files have their Debug log output included in the logs. Only logs from files with names that match the given regular expression are included. The filter only applies to Debug level logs.
Schema: Regular expression
Default: none

LogDropActionOverride

Key: LogDropActionOverride
Description: Specifies whether or not to include the DropActionOverride in the logs when it is triggered.
Schema: Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Default: false

LogFilePath

Key: LogFilePath
Description: The full path to the Felix log. Set to none to disable file logging.
Schema: Path to file
Default: /var/log/calico/felix.log

LogPrefix

Key: LogPrefix
Description: The log prefix that Felix uses when rendering LOG rules.
Schema: String
Default: calico-packet

LogSeverityFile

Key: LogSeverityFile
Description: The log severity above which logs are sent to the log file.
Schema: One of: DEBUG, ERROR, FATAL, INFO, WARNING (case insensitive)
Default: INFO

LogSeverityScreen

Key: LogSeverityScreen
Description: The log severity above which logs are sent to stdout.
Schema: One of: DEBUG, ERROR, FATAL, INFO, WARNING (case insensitive)
Default: INFO

LogSeveritySys

Key: LogSeveritySys
Description: The log severity above which logs are sent to syslog. Set to None for no logging to syslog.
Schema: One of: DEBUG, ERROR, FATAL, INFO, WARNING (case insensitive)
Default: INFO

Process: Prometheus metrics

PrometheusGoMetricsEnabled

Key: PrometheusGoMetricsEnabled
Description: When set to false, disables Go runtime metrics collection, which the Prometheus client performs by default. This reduces the number of metrics reported, reducing Prometheus load.
Schema: Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Default: true

PrometheusMetricsCAFile

Key: PrometheusMetricsCAFile
Description: The path to the TLS CA file for the Prometheus metrics server.
Schema: Path to file, which must exist
Default: none

PrometheusMetricsCertFile

Key: PrometheusMetricsCertFile
Description: The path to the TLS certificate file for the Prometheus metrics server.
Schema: Path to file, which must exist
Default: none

PrometheusMetricsEnabled

Key: PrometheusMetricsEnabled
Description: Enables the Prometheus metrics server in Felix if set to true.
Schema: Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Default: false

PrometheusMetricsHost

Key: PrometheusMetricsHost
Description: The host that the Prometheus metrics server should bind to.
Schema: String matching regex ^[a-zA-Z0-9:._+-]{1,64}$
Default: none

PrometheusMetricsKeyFile

Key: PrometheusMetricsKeyFile
Description: The path to the TLS private key file for the Prometheus metrics server.
Schema: Path to file, which must exist
Default: none

PrometheusMetricsPort

Key: PrometheusMetricsPort
Description: The TCP port that the Prometheus metrics server should bind to.
Schema: Integer: [0,65535]
Default: 9091

PrometheusProcessMetricsEnabled

Key: PrometheusProcessMetricsEnabled
Description: When set to false, disables process metrics collection, which the Prometheus client performs by default. This reduces the number of metrics reported, reducing Prometheus load.
Schema: Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Default: true

PrometheusWireGuardMetricsEnabled

Key: PrometheusWireGuardMetricsEnabled
Description: When set to false, disables WireGuard metrics collection, which the Prometheus client performs by default. This reduces the number of metrics reported, reducing Prometheus load.
Schema: Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Default: true

Data plane: Common

Data plane: iptables

Data plane: nftables

Data plane: eBPF

Data plane: Windows

Data plane: OpenStack support

Data plane: XDP acceleration for iptables data plane

Overlay: VXLAN overlay

VXLANEnabled

Key: VXLANEnabled
Description: Overrides whether Felix should create the VXLAN tunnel device for IPv4 VXLAN networking. Optional as Felix determines this based on the existing IP pools.
Schema: Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Default: none

VXLANMTU

Key: VXLANMTU
Description: The MTU to set on the IPv4 VXLAN tunnel device. Optional as Felix auto-detects the MTU based on the MTU of the host's interfaces.
Schema: Integer
Default: 0

VXLANMTUV6

Key: VXLANMTUV6
Description: The MTU to set on the IPv6 VXLAN tunnel device. Optional as Felix auto-detects the MTU based on the MTU of the host's interfaces.
Schema: Integer
Default: 0

VXLANPort

Key: VXLANPort
Description: The UDP port number to use for VXLAN traffic.
Schema: Integer
Default: 4789

VXLANVNI

Key: VXLANVNI
Description: The VXLAN VNI to use for VXLAN traffic. You may need to change this if the default value is in use on your system.
Schema: Integer
Default: 4096

Overlay: IP-in-IP

IpInIpEnabled

Key: IpInIpEnabled
Description: Overrides whether Felix should configure an IPIP interface on the host. Optional as Felix determines this based on the existing IP pools.
Schema: Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Default: none

IpInIpMtu

Key: IpInIpMtu
Description: Controls the MTU to set on the IPIP tunnel device. Optional as Felix auto-detects the MTU based on the MTU of the host's interfaces.
Schema: Integer
Default: 0

Overlay: WireGuard

WireguardEnabled

Key: WireguardEnabled
Description: Controls whether Wireguard is enabled for IPv4 (encapsulating IPv4 traffic over an IPv4 underlay network).
Schema: Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Default: false

WireguardEnabledV6

Key: WireguardEnabledV6
Description: Controls whether Wireguard is enabled for IPv6 (encapsulating IPv6 traffic over an IPv6 underlay network).
Schema: Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Default: false

WireguardHostEncryptionEnabled

Key: WireguardHostEncryptionEnabled
Description: Controls whether Wireguard host-to-host encryption is enabled.
Schema: Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Default: false

WireguardInterfaceName

Key: WireguardInterfaceName
Description: Specifies the name to use for the IPv4 Wireguard interface.
Schema: String matching regex ^[a-zA-Z0-9:._+-]{1,15}$
Default: wireguard.cali

WireguardInterfaceNameV6

Key: WireguardInterfaceNameV6
Description: Specifies the name to use for the IPv6 Wireguard interface.
Schema: String matching regex ^[a-zA-Z0-9:._+-]{1,15}$
Default: wg-v6.cali

WireguardListeningPort

Key: WireguardListeningPort
Description: Controls the listening port used by IPv4 Wireguard.
Schema: Integer
Default: 51820

WireguardListeningPortV6

Key: WireguardListeningPortV6
Description: Controls the listening port used by IPv6 Wireguard.
Schema: Integer
Default: 51821

WireguardMTU

Key: WireguardMTU
Description: Controls the MTU on the IPv4 Wireguard interface. See Configuring MTU.
Schema: Integer
Default: 0

WireguardMTUV6

Key: WireguardMTUV6
Description: Controls the MTU on the IPv6 Wireguard interface. See Configuring MTU.
Schema: Integer
Default: 0

WireguardPersistentKeepAlive

Key: WireguardPersistentKeepAlive
Description: Controls the Wireguard PersistentKeepalive option. Set 0 to disable.
Schema: Seconds (floating point)
Default: 0 (0s)

WireguardRoutingRulePriority

Key: WireguardRoutingRulePriority
Description: Controls the priority value to use for the Wireguard routing rule.
Schema: Integer
Default: 99

WireguardThreadingEnabled

Key: WireguardThreadingEnabled
Description: Controls whether Wireguard has Threaded NAPI enabled. This increases the maximum number of packets a Wireguard interface can process. Consider threaded NAPI only if you have high packets-per-second workloads that are causing dropped packets due to a saturated softirq CPU core. There is a [known issue](https://lore.kernel.org/netdev/CALrw=nEoT2emQ0OAYCjM1d_6Xe_kNLSZ6dhjb5FxrLFYh4kozA@mail.gmail.com/T/) with this setting that may cause NAPI to get stuck holding the global rtnl_mutex when a peer is removed. Workaround: make sure your Linux kernel [includes this patch](https://github.com/torvalds/linux/commit/56364c910691f6d10ba88c964c9041b9ab777bd6) to unwedge NAPI.
Schema: Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Default: false

Overlay: IPSec

IPSecAllowUnsecuredTraffic

Key: IPSecAllowUnsecuredTraffic
Description: Controls whether non-IPsec traffic is allowed in addition to IPsec traffic. Enabling this negates the anti-spoofing protections of IPsec but it is useful when migrating to/from IPsec.
Schema: Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Default: false

IPSecESPAlgorithm

Key: IPSecESPAlgorithm
Description: Sets the IPsec ESP algorithm. The default is the NIST Suite B recommendation.
Schema: String
Default: aes128gcm16-ecp256

IPSecIKEAlgorithm

Key: IPSecIKEAlgorithm
Description: Sets the IPsec IKE algorithm. The default is the NIST Suite B recommendation.
Schema: String
Default: aes128gcm16-prfsha256-ecp256

IPSecLogLevel

Key: IPSecLogLevel
Description: Controls the log level for IPsec components. Set to None for no logging. A generic log level terminology is used [None, Notice, Info, Debug, Verbose].
Schema: One of: DEBUG, INFO, NOTICE, VERBOSE (case insensitive)
Default: INFO

IPSecMode

Key: IPSecMode
Description: Controls which mode IPsec operates in. The default value means IPsec is not enabled.
Schema: String
Default: none

IPSecPSKFile

Key: IPSecPSKFile
Description: Path to the file containing the IPsec pre-shared key (PSK).
Schema: Path to file, which must exist
Default: none

IPSecPolicyRefreshInterval

Key: IPSecPolicyRefreshInterval
Description: The interval at which Felix will check the kernel's IPsec policy tables and repair any inconsistencies.
Schema: Seconds (floating point)
Default: 600 (10m0s)

Flow logs: Prometheus reports

DeletedMetricsRetentionSecs

Key: DeletedMetricsRetentionSecs
Description: Controls how long metrics are retained after the flow is gone.
Schema: Seconds (floating point)
Default: 30

PrometheusReporterCAFile

Key: PrometheusReporterCAFile
Description: The path to the TLS CA file for the Prometheus per-flow metrics reporter.
Schema: Path to file, which must exist
Default: none

PrometheusReporterCertFile

Key: PrometheusReporterCertFile
Description: The path to the TLS certificate file for the Prometheus per-flow metrics reporter.
Schema: Path to file, which must exist
Default: none

PrometheusReporterEnabled

Key: PrometheusReporterEnabled
Description: Controls whether the Prometheus per-flow metrics reporter is enabled. This is used to show real-time flow metrics in the UI.
Schema: Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Default: false

PrometheusReporterKeyFile

Key: PrometheusReporterKeyFile
Description: The path to the TLS private key file for the Prometheus per-flow metrics reporter.
Schema: Path to file, which must exist
Default: none

PrometheusReporterPort

Key: PrometheusReporterPort
Description: The port that the Prometheus per-flow metrics reporter should bind to.
Schema: Integer: [0,65535]
Default: 9092

Flow logs: Syslog reports

SyslogReporterAddress

Key: SyslogReporterAddress
Description: The address to dial to when writing to Syslog. For TCP and UDP networks, the address has the form "host:port". The host must be a literal IP address, or a host name that can be resolved to IP addresses. The port must be a literal port number or a service name. For more, see: https://pkg.go.dev/net#Dial.
Schema: String
Default: none

SyslogReporterEnabled

Key: SyslogReporterEnabled
Description: Turns on the feature to write logs to Syslog. Please note that this can incur significant disk space usage when running Felix on non-cluster hosts.
Schema: Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Default: false

SyslogReporterNetwork

Key: SyslogReporterNetwork
Description: The network to dial to when writing to Syslog. Known networks are "tcp", "tcp4" (IPv4-only), "tcp6" (IPv6-only), "udp", "udp4" (IPv4-only), "udp6" (IPv6-only), "ip", "ip4" (IPv4-only), "ip6" (IPv6-only), "unix", "unixgram" and "unixpacket". For more, see: https://pkg.go.dev/net#Dial.
Schema: String
Default: none

Flow logs: file reports

FlowLogsAggregationThresholdBytes

Key: FlowLogsAggregationThresholdBytes
Description: Used to specify how far behind the external pipeline that reads flow logs can be. Default is 8192 bytes. This parameter only takes effect when FlowLogsDynamicAggregationEnabled is set to true.
Schema: Integer
Default: 8192

FlowLogsCollectProcessInfo

Key: FlowLogsCollectProcessInfo
Description: If enabled, Felix will load the kprobe BPF programs to collect process info.
Schema: Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Default: false

FlowLogsCollectProcessPath

Key: FlowLogsCollectProcessPath
Description: When FlowLogsCollectProcessPath and FlowLogsCollectProcessInfo are both enabled, each flow log will include information about the process that is sending or receiving the packets in that flow: the process_name field will contain the full path of the process executable, and the process_args field will have the arguments with which the executable was invoked. Process information will not be reported for connections which use raw sockets.
Schema: Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Default: false

FlowLogsCollectTcpStats

Key: FlowLogsCollectTcpStats
Description: Enables flow logs reporting TCP socket stats.
Schema: Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Default: false

FlowLogsCollectorDebugTrace

Key: FlowLogsCollectorDebugTrace
Description: When FlowLogsCollectorDebugTrace is set to true, enables the logs in the collector to be printed in their entirety.
Schema: Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Default: false

FlowLogsDestDomainsByClient

Key: FlowLogsDestDomainsByClient
Description: Used to configure if the source IP is used in the mapping of top level destination domains.
Schema: Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Default: true

FlowLogsDynamicAggregationEnabled

Key: FlowLogsDynamicAggregationEnabled
Description: Used to enable/disable dynamically changing aggregation levels. Default is true.
Schema: Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Default: false

FlowLogsEnableHostEndpoint

Key: FlowLogsEnableHostEndpoint
Description: Enables Flow logs reporting for HostEndpoints.
Schema: Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Default: false

FlowLogsEnableNetworkSets

Key: FlowLogsEnableNetworkSets
Description: Enables Flow logs reporting for GlobalNetworkSets.
Schema: Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Default: false

FlowLogsFileAggregationKindForAllowed

Key: FlowLogsFileAggregationKindForAllowed
Description: Used to choose the type of aggregation for flow log entries created for allowed connections. Accepted values are 0, 1 and 2: 0 - no aggregation; 1 - source port based aggregation; 2 - pod prefix name based aggregation.
Schema: Integer: [0,3]
Default: 2

FlowLogsFileAggregationKindForDenied

Key: FlowLogsFileAggregationKindForDenied
Description: Used to choose the type of aggregation for flow log entries created for denied connections. Accepted values are 0, 1 and 2: 0 - no aggregation; 1 - source port based aggregation; 2 - pod prefix name based aggregation; 3 - no destination ports based aggregation.
Schema: Integer: [0,3]
Default: 1

FlowLogsFileDirectory

Key: FlowLogsFileDirectory
Description: Sets the directory where flow logs files are stored.
Schema: String
Default: /var/log/calico/flowlogs

FlowLogsFileDomainsLimit

Key: FlowLogsFileDomainsLimit
Description: Used to configure the number of (destination) domains to include in the flow log. These are not included for workload or host endpoint destinations.
Schema: Integer
Default: 5

FlowLogsFileEnabled

Key: FlowLogsFileEnabled
Description: When set to true, enables logging flow logs to a file. If false, no flow logging to file will occur.
Schema: Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Default: false

FlowLogsFileEnabledForAllowed

Key: FlowLogsFileEnabledForAllowed
Description: Used to enable/disable flow logs entries created for allowed connections. Default is true. This parameter only takes effect when FlowLogsFileReporterEnabled is set to true.
Schema: Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Default: true

FlowLogsFileEnabledForDenied

Key: FlowLogsFileEnabledForDenied
Description: Used to enable/disable flow logs entries created for denied flows. Default is true. This parameter only takes effect when FlowLogsFileReporterEnabled is set to true.
Schema: Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Default: true

FlowLogsFileIncludeLabels

Key: FlowLogsFileIncludeLabels
Description: Used to configure if endpoint labels are included in a Flow log entry written to file.
Schema: Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Default: false

FlowLogsFileIncludePolicies

Key: FlowLogsFileIncludePolicies
Description: Used to configure if policy information is included in a Flow log entry written to file.
Schema: Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Default: false

FlowLogsFileIncludeService

Key: FlowLogsFileIncludeService
Description: Used to configure if the destination service is included in a Flow log entry written to file. The service information can only be included if the flow was explicitly determined to be directed at the service (e.g. when the pre-DNAT destination corresponds to the service ClusterIP and port).
Schema: Boolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Default: false

FlowLogsFileMaxFileSizeMB

Key: FlowLogsFileMaxFileSizeMB
Description: Sets the max size in MB of flow logs files before rotation.
Schema: Integer
Default: 100

FlowLogsFileMaxFiles

Key: FlowLogsFileMaxFiles
Description: Sets the number of log files to keep.
Schema: Integer
Default: 5

FlowLogsFileNatOutgoingPortLimit

Key: FlowLogsFileNatOutgoingPortLimit
Description: Used to specify the maximum number of distinct post-SNAT ports that will appear in the flow logs. Default value is 3.
Schema: Integer
Default: 3

FlowLogsFilePerFlowProcessArgsLimit

Key: FlowLogsFilePerFlowProcessArgsLimit
Description: Used to specify the maximum number of distinct process args that will appear in the flow logs. Default value is 5.
Schema: Integer
Default: 5

FlowLogsFilePerFlowProcessLimit

Key: FlowLogsFilePerFlowProcessLimit
Description: Used to specify the maximum number of flow log entries with distinct process information beyond which process information will be aggregated.
Schema: Integer
Default: 2

FlowLogsFlushInterval

Key: FlowLogsFlushInterval
Description: Configures the interval at which Felix exports flow logs.
Schema: Seconds (floating point)
Default: 300 (5m0s)

FlowLogsGoldmaneServer

Key: FlowLogsGoldmaneServer
Description: The flow server endpoint to which flow data should be published.
Schema: String
Default: none

FlowLogsMaxOriginalIPsIncluded

Key: FlowLogsMaxOriginalIPsIncluded
Description: Specifies the number of unique IP addresses (if relevant) that should be included in Flow logs.
Schema: Integer
Default: 50

FlowLogsPolicyEvaluationMode

Key: FlowLogsPolicyEvaluationMode
Description: Defines how policies are evaluated and reflected in flow logs. OnNewConnection - In this mode, staged policies are only evaluated when new connections are made in the dataplane. Staged/active policy changes will not be reflected in the pending_policies field of flow logs for long lived connections. Continuous - Felix evaluates active flows on a regular basis to determine the rule traces in the flow logs. Any policy updates that impact a flow will be reflected in the pending_policies field, offering a near-real-time view of policy changes across flows.
Schema: One of: Continuous, OnNewConnection (case insensitive)
Default: Continuous

FlowLogsPolicyScope

AttributeValue
KeyFlowLogsPolicyScope
Description

Controls which policies are included in flow logs. AllPolicies - Processes both transit policies for the local node and endpoint policies derived from packet source/destination IPs. Provides comprehensive visibility into all policy evaluations but increases log volume. EndpointPolicies - Processes only policies for endpoints identified as the source or destination of the packet (whether workload or host endpoints).

SchemaOne of: AllPolicies, EndpointPolicies (case insensitive)
DefaultEndpointPolicies

FlowLogsPositionFilePath

AttributeValue
KeyFlowLogsPositionFilePath
Description

Used to specify the path of the position file of the external pipeline that reads flow logs. Default is /var/log/calico/flows.log.pos. This parameter only takes effect when FlowLogsDynamicAggregationEnabled is set to true.

SchemaString
Default/var/log/calico/flows.log.pos

DNS logs / policy

DNSCacheEpoch

AttributeValue
KeyDNSCacheEpoch
Description

An arbitrary integer; changing it at runtime tells Felix to discard all of the DNS information it has learnt.

SchemaInteger
Default0

DNSCacheFile

AttributeValue
KeyDNSCacheFile
Description

The name of the file that Felix uses to preserve learnt DNS information across restarts.

SchemaPath to file
Default/var/run/calico/felix-dns-cache.txt

DNSCacheSaveInterval

AttributeValue
KeyDNSCacheSaveInterval
Description

The interval at which Felix periodically saves learnt DNS information to the cache file.

SchemaSeconds (floating point)
Default60 (1m0s)

DNSExtraTTL

AttributeValue
KeyDNSExtraTTL
Description

Extra time to keep IPs and alias names learnt from DNS, in addition to each name's or IP's advertised TTL.

SchemaSeconds (floating point)
Default0 (0s)

DNSLogsFileAggregationKind

AttributeValue
KeyDNSLogsFileAggregationKind
Description

Used to choose the type of aggregation for DNS log entries. Accepted values are 0 and 1. 0 - No aggregation. 1 - Aggregate over clients with the same name prefix.

SchemaInteger: [0,1]
Default1

DNSLogsFileDirectory

AttributeValue
KeyDNSLogsFileDirectory
Description

Sets the directory where DNS log files are stored.

SchemaString
Default/var/log/calico/dnslogs

DNSLogsFileEnabled

AttributeValue
KeyDNSLogsFileEnabled
Description

Controls logging DNS logs to a file. If false no DNS logging to file will occur.

SchemaBoolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Defaultfalse

DNSLogsFileIncludeLabels

AttributeValue
KeyDNSLogsFileIncludeLabels
Description

Used to configure if endpoint labels are included in a DNS log entry written to file.

SchemaBoolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Defaulttrue

DNSLogsFileMaxFileSizeMB

AttributeValue
KeyDNSLogsFileMaxFileSizeMB
Description

Sets the max size in MB of DNS log files before rotation.

SchemaInteger
Default100

DNSLogsFileMaxFiles

AttributeValue
KeyDNSLogsFileMaxFiles
Description

Sets the number of DNS log files to keep.

SchemaInteger
Default5

DNSLogsFilePerNodeLimit

AttributeValue
KeyDNSLogsFilePerNodeLimit
Description

Limit on the number of DNS logs that can be emitted within each flush interval. When this limit has been reached, Felix counts the number of unloggable DNS responses within the flush interval, and emits a WARNING log with that count at the same time as it flushes the buffered DNS logs.

SchemaInteger
Default0

DNSLogsFlushInterval

AttributeValue
KeyDNSLogsFlushInterval
Description

Configures the interval at which Felix exports DNS logs.

SchemaSeconds (floating point)
Default300 (5m0s)

DNSLogsLatency

AttributeValue
KeyDNSLogsLatency
Description

Indicates to include measurements of DNS request/response latency in each DNS log.

SchemaBoolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Defaulttrue

DNSPacketsNfqueueID

AttributeValue
KeyDNSPacketsNfqueueID
Description

The NFQUEUE ID to use for capturing DNS packets to ensure programming IPSets occurs before the response is released. Used when DNSPolicyMode is DelayDNSResponse.

SchemaInteger
Default101

DNSPacketsNfqueueMaxHoldDuration

AttributeValue
KeyDNSPacketsNfqueueMaxHoldDuration
Description

The maximum length of time to hold on to a DNS response while waiting for the dataplane to be programmed. Used when DNSPolicyMode is DelayDNSResponse.

SchemaMilliseconds (floating point)
Default3000 (3s)

DNSPacketsNfqueueSize

AttributeValue
KeyDNSPacketsNfqueueSize
Description

The size of the NFQUEUE for captured DNS packets. This is the maximum number of DNS packets that may be queued awaiting programming in the dataplane. Used when DNSPolicyMode is DelayDNSResponse.

SchemaInteger
Default100

DNSPolicyMode

AttributeValue
KeyDNSPolicyMode
Description

Specifies how DNS policy programming is handled, that is, what Felix does about the window between a DNS response reaching the client and the resulting IP addresses being programmed into the dataplane.

DelayDeniedPacket - Felix delays any denied packet that traversed a policy containing egress domain matches but did not match one. The packet is released after a fixed time, or as soon as the destination IP address has been programmed.

DelayDNSResponse - Felix delays each DNS response until the related IP sets have been programmed. This adds some latency to all DNS packets (even when no IP set programming is required), but it ensures that policy hit statistics are accurate. This is the recommended setting when you use staged policies or policy rule hit statistics.

NoDelay - Felix introduces no delay. DNS rules may not have been programmed by the time the first packet traverses the policy rules, so client applications must handle reconnection attempts if their initial connection attempts fail. This may be problematic for some applications or for very low DNS TTLs.

Inline - Felix parses the DNS response inline with DNS response packet processing in iptables, which guarantees that the DNS rules reflect any change immediately. This mode works with iptables only and matches the mode of the same name in BPFDNSPolicyMode.

This setting is ignored on Windows, where NoDelay is always used. It is also ignored in eBPF mode, where BPFDNSPolicyMode is used instead, and it has no effect in nftables mode, where NFTablesDNSPolicyMode is used instead.

SchemaOne of: DelayDNSResponse, DelayDeniedPacket, Inline, NoDelay (case insensitive)
DefaultDelayDeniedPacket

DNSPolicyNfqueueID

AttributeValue
KeyDNSPolicyNfqueueID
Description

The NFQUEUE ID to use for DNS Policy re-evaluation when the domains IP hasn't been programmed to ipsets yet. Used when DNSPolicyMode is DelayDeniedPacket.

SchemaInteger
Default100

DNSPolicyNfqueueSize

AttributeValue
KeyDNSPolicyNfqueueSize
Description

The size of the NFQUEUE for DNS policy re-evaluation. This is the maximum number of denied packets that may be queued up pending re-evaluation. Used when DNSPolicyMode is DelayDeniedPacket.

SchemaInteger
Default255

DNSTrustedServers

AttributeValue
KeyDNSTrustedServers
Description

The DNS servers that Felix should trust. Each entry must be either <ip>[:<port>], an explicit DNS server IP, or k8s-service:[<namespace>/]<name>[:port], a Kubernetes DNS service. <port> defaults to the first service port (or 53 for an IP) and <namespace> to kube-system. An IPv6 address with a port must use the square-bracket convention, for example [fd00:83a6::12]:5353. Note that Felix (calico-node) needs RBAC permission to read the details of each service specified in the k8s-service:... form.

SchemaComma-delimited list of DNS servers. Each entry can be: <IP address>, an <IP address>:<port> (IPv6 addresses must be wrapped in square brackets), or, a Kubernetes service name k8s-service:(namespace/)service-name.
Defaultk8s-service:kube-dns
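DNS policy is only as trustworthy as the servers Felix learns from, and the DNSTrustedServers entry syntax above has several defaults (port, namespace, IPv6 brackets) that are easy to get wrong in a comma-delimited list. The script below is an added example written for this page, not Calico Enterprise code: it normalises each entry to its fully qualified form using the documented defaults, validates the DNSPolicyMode value against the four modes described above (defaulting to DelayDNSResponse, the mode the page recommends when rule hit statistics or staged policies matter), and builds a kubectl merge patch. It assumes the FelixConfiguration resource spells the two fields dnsTrustedServers and dnsPolicyMode; a service entry given without a port is left without one, because its default (the service's first port) is only known at runtime.

```shell
#!/bin/sh
# Added example for this page; not Calico Enterprise code. Normalises
# DNSTrustedServers entries and builds a FelixConfiguration merge patch.
# Assumed resource field names: dnsTrustedServers, dnsPolicyMode.

# Normalise one DNSTrustedServers entry to its fully qualified form:
#   <ipv4>                            -> <ipv4>:53
#   <ipv6>                            -> [<ipv6>]:53
#   <ipv4>:<port>, [<ipv6>]:<port>    -> unchanged
#   k8s-service:<name>[:<port>]       -> k8s-service:kube-system/<name>[:<port>]
#   k8s-service:<ns>/<name>[:<port>]  -> unchanged
normalize_dns_server() {
  entry=$1
  case "$entry" in
    "") return 1 ;;
    k8s-service:*)
      rest=${entry#k8s-service:}
      case "$rest" in
        */*) ns=${rest%%/*}; rest=${rest#*/} ;;
        *)   ns=kube-system ;;            # documented namespace default
      esac
      case "$rest" in
        *:*) name=${rest%%:*}; port=${rest#*:} ;;
        *)   name=$rest; port= ;;         # port resolved from the service at runtime
      esac
      [ -n "$name" ] && [ -n "$ns" ] || return 1
      printf '%s\n' "k8s-service:$ns/$name${port:+:$port}"
      ;;
    \[*\]:*) printf '%s\n' "$entry" ;;     # [ipv6]:port, already explicit
    \[*\])   printf '%s\n' "$entry:53" ;;  # [ipv6] without a port
    *:*:*)   printf '%s\n' "[$entry]:53" ;; # bare ipv6: brackets needed to carry a port
    *:*)     printf '%s\n' "$entry" ;;     # ipv4:port
    *)       printf '%s\n' "$entry:53" ;;  # bare ipv4: documented port default
  esac
}

# Normalise a comma-delimited DNSTrustedServers value; fails on any bad entry.
normalize_dns_servers() {
  out=
  old_ifs=$IFS; IFS=,
  for e in $1; do
    n=$(normalize_dns_server "$e") || { IFS=$old_ifs; return 1; }
    out="${out:+$out,}$n"
  done
  IFS=$old_ifs
  printf '%s\n' "$out"
}

# Canonical spelling of a DNSPolicyMode value (the page says matching is
# case insensitive); fails on anything outside the four documented modes.
dns_policy_mode() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    delaydeniedpacket) echo DelayDeniedPacket ;;
    delaydnsresponse)  echo DelayDNSResponse ;;
    inline)            echo Inline ;;
    nodelay)           echo NoDelay ;;
    *) echo "unknown DNSPolicyMode: $1" >&2; return 1 ;;
  esac
}

# JSON merge patch for the global FelixConfiguration.
# $1: comma-delimited DNSTrustedServers value; $2: DNSPolicyMode (default DelayDNSResponse).
dns_policy_patch() {
  servers=$(normalize_dns_servers "$1") || return 1
  mode=$(dns_policy_mode "${2:-DelayDNSResponse}") || return 1
  list=
  old_ifs=$IFS; IFS=,
  for s in $servers; do list="${list:+$list,}\"$s\""; done
  IFS=$old_ifs
  printf '{"spec":{"dnsTrustedServers":[%s],"dnsPolicyMode":"%s"}}\n' "$list" "$mode"
}

# Apply the patch; needs kubectl and cluster access, so it is not exercised here.
apply_dns_policy() {
  patch=$(dns_policy_patch "$@") || return 1
  kubectl patch felixconfiguration default --type merge -p "$patch"
}
```

Run it as `apply_dns_policy 'k8s-service:kube-dns,10.96.0.10' DelayDNSResponse`; the patch leaves every other FelixConfiguration field untouched, which is why a merge patch is used rather than a replace.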

L7 logs

L7LogsFileAggregationDestinationInfo

AttributeValue
KeyL7LogsFileAggregationDestinationInfo
Description

Used to choose the type of aggregation for the destination metadata on L7 log entries. Accepted values are IncludeL7DestinationInfo and ExcludeL7DestinationInfo. IncludeL7DestinationInfo - Include destination metadata in the logs. ExcludeL7DestinationInfo - Aggregate over all other fields ignoring the destination aggregated name, namespace, and type.

SchemaString
DefaultIncludeL7DestinationInfo

L7LogsFileAggregationHTTPHeaderInfo

AttributeValue
KeyL7LogsFileAggregationHTTPHeaderInfo
Description

Used to choose the type of aggregation for HTTP header data on L7 log entries. Accepted values are IncludeL7HTTPHeaderInfo and ExcludeL7HTTPHeaderInfo. IncludeL7HTTPHeaderInfo - Include HTTP header data in the logs. ExcludeL7HTTPHeaderInfo - Aggregate over all other fields ignoring the user agent and log type.

SchemaString
DefaultExcludeL7HTTPHeaderInfo

L7LogsFileAggregationHTTPMethod

AttributeValue
KeyL7LogsFileAggregationHTTPMethod
Description

Used to choose the type of aggregation for the HTTP request method on L7 log entries. Accepted values are IncludeL7HTTPMethod and ExcludeL7HTTPMethod. IncludeL7HTTPMethod - Include HTTP method in the logs. ExcludeL7HTTPMethod - Aggregate over all other fields ignoring the HTTP method.

SchemaString
DefaultIncludeL7HTTPMethod

L7LogsFileAggregationNumURLPath

AttributeValue
KeyL7LogsFileAggregationNumURLPath
Description

Used to choose the number of URL path components to include. This allows the URL to be truncated when parts of the path provide no value. A negative value includes all parts of the path.

SchemaInteger
Default5

L7LogsFileAggregationResponseCode

AttributeValue
KeyL7LogsFileAggregationResponseCode
Description

Used to choose the type of aggregation for the response code on L7 log entries. Accepted values are IncludeL7ResponseCode and ExcludeL7ResponseCode. IncludeL7ResponseCode - Include the response code in the logs. ExcludeL7ResponseCode - Aggregate over all other fields ignoring the response code.

SchemaString
DefaultIncludeL7ResponseCode

L7LogsFileAggregationServiceInfo

AttributeValue
KeyL7LogsFileAggregationServiceInfo
Description

Used to choose the type of aggregation for the service data on L7 log entries. Accepted values are IncludeL7ServiceInfo and ExcludeL7ServiceInfo. IncludeL7ServiceInfo - Include service data in the logs. ExcludeL7ServiceInfo - Aggregate over all other fields ignoring the service name, namespace, and port.

SchemaString
DefaultIncludeL7ServiceInfo

L7LogsFileAggregationSourceInfo

AttributeValue
KeyL7LogsFileAggregationSourceInfo
Description

Used to choose the type of aggregation for the source metadata on L7 log entries. Accepted values are IncludeL7SourceInfo, IncludeL7SourceInfoNoPort, and ExcludeL7SourceInfo. IncludeL7SourceInfo - Include source metadata in the logs. IncludeL7SourceInfoNoPort - Include source metadata in the logs, excluding the source port. ExcludeL7SourceInfo - Aggregate over all other fields ignoring the source aggregated name, namespace, and type.

SchemaString
DefaultIncludeL7SourceInfoNoPort

L7LogsFileAggregationTrimURL

AttributeValue
KeyL7LogsFileAggregationTrimURL
Description

Used to choose the type of aggregation for the URL on L7 log entries. Accepted values: IncludeL7FullURL - Include the full URL up to however many path components are allowed by L7LogsFileAggregationNumURLPath. TrimURLQuery - Aggregate over all other fields ignoring the query parameters on the URL. TrimURLQueryAndPath - Aggregate over all other fields and the base URL only. ExcludeL7URL - Aggregate over all other fields ignoring the URL entirely.

SchemaString
DefaultIncludeL7FullURL

L7LogsFileAggregationURLCharLimit

AttributeValue
KeyL7LogsFileAggregationURLCharLimit
Description

Limit on the length of the URL collected in L7 logs. A URL that reaches this limit is truncated to it, and the truncated URL is sent to log storage.

SchemaInteger
Default250

L7LogsFileDirectory

AttributeValue
KeyL7LogsFileDirectory
Description

Sets the directory where L7 log files are stored.

SchemaString
Default/var/log/calico/l7logs

L7LogsFileEnabled

AttributeValue
KeyL7LogsFileEnabled
Description

Controls logging L7 logs to a file. If false no L7 logging to file will occur.

SchemaBoolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Defaulttrue

L7LogsFileMaxFileSizeMB

AttributeValue
KeyL7LogsFileMaxFileSizeMB
Description

Sets the max size in MB of L7 log files before rotation.

SchemaInteger
Default100

L7LogsFileMaxFiles

AttributeValue
KeyL7LogsFileMaxFiles
Description

Sets the number of L7 log files to keep.

SchemaInteger
Default5

L7LogsFilePerNodeLimit

AttributeValue
KeyL7LogsFilePerNodeLimit
Description

Limit on the number of L7 logs that can be emitted within each flush interval. When this limit has been reached, Felix counts the number of unloggable L7 responses within the flush interval, and emits a WARNING log with that count at the same time as it flushes the buffered L7 logs. A value of 0 means no limit.

SchemaInteger
Default1500

L7LogsFlushInterval

AttributeValue
KeyL7LogsFlushInterval
Description

Configures the interval at which Felix exports L7 logs.

SchemaSeconds (floating point)
Default300 (5m0s)

AWS integration

AWSRequestTimeout

AttributeValue
KeyAWSRequestTimeout
Description

The timeout on AWS API requests.

SchemaSeconds (floating point)
Default30 (30s)

AWSSecondaryIPRoutingRulePriority

AttributeValue
KeyAWSSecondaryIPRoutingRulePriority
Description

Controls the priority that Felix will use for routing rules when programming them for AWS Secondary IP support.

SchemaInteger: [0,4294967295]
Default101

AWSSecondaryIPSupport

AttributeValue
KeyAWSSecondaryIPSupport
Description

Controls whether Felix will try to provision AWS secondary ENIs for workloads that have IPs from IP pools that are configured with an AWS subnet ID. If the field is set to "EnabledENIPerWorkload" then each workload with an AWS-backed IP will be assigned its own secondary ENI. If set to "Enabled" then each workload with an AWS-backed IP pool will be allocated a secondary IP address on a secondary ENI; this mode requires additional IP pools to be provisioned for the host to claim IPs for the primary IP of the secondary ENIs. Accepted value must be one of "Enabled", "EnabledENIPerWorkload" or "Disabled".

SchemaOne of: Disabled, EnabledENIPerWorkload, Enabled (case insensitive)
DefaultDisabled

AWSSrcDstCheck

AttributeValue
KeyAWSSrcDstCheck
Description

Controls whether Felix will try to change the "source/dest check" setting on the EC2 instance on which it is running. A value of "Disable" will try to disable the source/dest check. Disabling the check allows for sending workload traffic without encapsulation within the same AWS subnet.

SchemaOne of: Disable, DoNothing, Enable (case insensitive)
DefaultDoNothing

Egress gateway

EgressGatewayPollFailureCount

AttributeValue
KeyEgressGatewayPollFailureCount
Description

The minimum number of poll failures before a remote Egress Gateway is considered to have failed.

SchemaInteger
Default3

EgressGatewayPollInterval

AttributeValue
KeyEgressGatewayPollInterval
Description

The interval at which Felix polls remote egress gateways to check their health. Only Egress Gateways with a named "health" port are polled in this way. Egress Gateways that fail the health check are taken out of use as if they had been deleted.

SchemaSeconds (floating point)
Default10 (10s)

EgressIPHostIfacePattern

AttributeValue
KeyEgressIPHostIfacePattern
Description

A comma-separated list of interface names which might send and receive egress traffic across the cluster boundary, after it has left an Egress Gateway pod. Felix will ensure src_valid_mark sysctl flags are set correctly for matching interfaces. To target multiple interfaces with a single string, the list supports regular expressions. For regular expressions, wrap the value with /. Example: /^bond/,eth0 will match all interfaces that begin with bond and also the interface eth0.

SchemaComma-delimited list of Linux interface names/regex patterns. Regex patterns must start/end with /.
Defaultnone
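The pattern list above mixes two kinds of entry, and the difference matters: a bare name such as eth0 is an exact match, while a value wrapped in slashes is a regular expression that can match a whole family of interfaces. The following is an added example written for this page, not Calico Enterprise code: it evaluates an EgressIPHostIfacePattern value against interface names the way the description lays it out, and on a Linux host reports the src_valid_mark sysctl that the page says Felix manages for matching interfaces. It assumes that grep -E is close enough to Felix's regular-expression dialect for typical anchored patterns such as ^bond.

```shell
#!/bin/sh
# Added example for this page; not Calico Enterprise code. Matches interface
# names against an EgressIPHostIfacePattern list: /regex/ entries are regular
# expressions (assumed compatible with grep -E), anything else is a literal name.

# Succeeds when interface $1 matches the comma-delimited pattern list $2.
iface_matches() {
  iface=$1
  old_ifs=$IFS; IFS=,
  for p in $2; do
    case "$p" in
      /*/)                                   # regular expression between slashes
        re=${p#/}; re=${re%/}
        if printf '%s\n' "$iface" | grep -Eq -- "$re"; then IFS=$old_ifs; return 0; fi ;;
      *)                                     # literal: eth0 must not match eth01
        if [ "$iface" = "$p" ]; then IFS=$old_ifs; return 0; fi ;;
    esac
  done
  IFS=$old_ifs
  return 1
}

# Print the entries of a newline-separated interface list ($2) that match pattern list $1.
matching_ifaces() {
  printf '%s\n' "$2" | while IFS= read -r i; do
    [ -n "$i" ] && iface_matches "$i" "$1" && printf '%s\n' "$i"
  done
  return 0
}

# On a Linux host: show src_valid_mark for every real interface that matches $1.
report_src_valid_mark() {
  ifaces=$(ls /sys/class/net 2>/dev/null) || return 1
  matching_ifaces "$1" "$ifaces" | while IFS= read -r i; do
    f=/proc/sys/net/ipv4/conf/$i/src_valid_mark
    [ -r "$f" ] && printf '%s src_valid_mark=%s\n' "$i" "$(cat "$f")"
  done
  return 0
}
```

`report_src_valid_mark '/^bond/,eth0'` on a node is a quick way to confirm that the pattern you intend to configure actually selects the uplinks that carry post-gateway traffic and nothing else.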

EgressIPRoutingRulePriority

AttributeValue
KeyEgressIPRoutingRulePriority
Description

Controls the priority value to use for the egress IP routing rule.

SchemaInteger
Default100

EgressIPSupport

AttributeValue
KeyEgressIPSupport
Description

Defines three different support modes for egress IP function. - Disabled: Egress IP function is disabled. - EnabledPerNamespace: Egress IP function is enabled and can be configured on a per-namespace basis; per-pod egress annotations are ignored. - EnabledPerNamespaceOrPerPod: Egress IP function is enabled and can be configured per-namespace or per-pod, with per-pod egress annotations overriding namespace annotations.

SchemaOne of: Disabled, EnabledPerNamespaceOrPerPod, EnabledPerNamespace (case insensitive)
DefaultDisabled

EgressIPVXLANPort

AttributeValue
KeyEgressIPVXLANPort
Description

The port number of vxlan tunnel device for egress traffic.

SchemaInteger
Default4790

EgressIPVXLANVNI

AttributeValue
KeyEgressIPVXLANVNI
Description

The VNI ID of vxlan tunnel device for egress traffic.

SchemaInteger
Default4097

External network support

ExternalNetworkRoutingRulePriority

AttributeValue
KeyExternalNetworkRoutingRulePriority
Description

Controls the priority value to use for the external network routing rule.

SchemaInteger
Default102

ExternalNetworkSupport

AttributeValue
KeyExternalNetworkSupport
Description

Defines two different support modes for external network function. - Disabled: External network function is disabled. - Enabled: External network function is enabled.

SchemaOne of: Disabled, Enabled (case insensitive)
DefaultDisabled

Packet capture

CaptureDir

AttributeValue
KeyCaptureDir
Description

Controls the directory in which packet capture files are stored.

SchemaString
Default/var/log/calico/pcap

CaptureMaxFiles

AttributeValue
KeyCaptureMaxFiles
Description

Controls the number of rotated capture files to keep.

SchemaInteger
Default2

CaptureMaxSizeBytes

AttributeValue
KeyCaptureMaxSizeBytes
Description

Controls the maximum size, in bytes, of a capture file before it is rotated.

SchemaInteger
Default10000000

CaptureRotationSeconds

AttributeValue
KeyCaptureRotationSeconds
Description

Controls the interval, in seconds, after which a packet capture file is rotated.

SchemaInteger
Default3600

L7 proxy

TPROXYMode

AttributeValue
KeyTPROXYMode
Description

Sets whether traffic is directed through a transparent proxy for further processing and, if so, how the proxying is done.

SchemaOne of: Disabled, EnabledAllServices, Enabled (case insensitive)
DefaultDisabled

TPROXYPort

AttributeValue
KeyTPROXYPort
Description

Sets the port to which proxied traffic is redirected.

SchemaInteger
Default16001

TPROXYUpstreamConnMark

AttributeValue
KeyTPROXYUpstreamConnMark
Description

Tells Felix which mark is used by the proxy for its upstream connections so that Felix can program the dataplane correctly.

Schema32-bit bitmask (hex or decimal allowed) with at least 2 bits set, example: 0xffff0000
Default0x17

Debug/test-only (generally unsupported)

DebugBPFCgroupV2

AttributeValue
KeyDebugBPFCgroupV2
Description

Controls the cgroup v2 path that we apply the connect-time load balancer to. Most distros are configured for cgroup v1, which prevents all but the root cgroup v2 from working so this is only useful for development right now.

SchemaString
Defaultnone

DebugBPFMapRepinEnabled

AttributeValue
KeyDebugBPFMapRepinEnabled
Description

Can be used to prevent Felix from repinning its BPF maps at startup. This is useful for testing with multiple Felix instances running on one host.

SchemaBoolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Defaultfalse

DebugCPUProfilePath

AttributeValue
KeyDebugCPUProfilePath
Description

Unsupported diagnostic setting, used when testing Felix. Not exposed in FelixConfiguration.

SchemaPath to file
Default/tmp/felix-cpu-<timestamp>.pprof

DebugCloudWatchLogsFile

AttributeValue
KeyDebugCloudWatchLogsFile
Description

Unsupported diagnostic setting, used when testing Felix. Not exposed in FelixConfiguration.

SchemaPath to file
Defaultnone

DebugConsoleEnabled

AttributeValue
KeyDebugConsoleEnabled
Description

Unsupported diagnostic setting, used when testing Felix. Not exposed in FelixConfiguration.

SchemaBoolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Defaultfalse

DebugDNSDoNotWriteIPSets

AttributeValue
KeyDebugDNSDoNotWriteIPSets
Description

Unsupported diagnostic setting, used when testing Felix. Not exposed in FelixConfiguration.

SchemaBoolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Defaultfalse

DebugDNSResponseDelay

AttributeValue
KeyDebugDNSResponseDelay
Description

Unsupported diagnostic setting, used when testing Felix. Not exposed in FelixConfiguration.

SchemaMilliseconds (floating point)
Default0

DebugDisableLogDropping

AttributeValue
KeyDebugDisableLogDropping
Description

Disables the dropping of log messages when the log buffer is full. This can significantly impact performance if log write-out is a bottleneck.

SchemaBoolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Defaultfalse

DebugHost

AttributeValue
KeyDebugHost
Description

The host IP or hostname to bind the debug port to. Only used if DebugPort is set.

SchemaString matching regex ^[a-zA-Z0-9:._+-]{1,64}$
Defaultlocalhost

DebugMemoryProfilePath

AttributeValue
KeyDebugMemoryProfilePath
Description

The path to write the memory profile to when triggered by signal.

SchemaPath to file
Defaultnone

DebugPanicAfter

AttributeValue
KeyDebugPanicAfter
Description

Unsupported diagnostic setting, used when testing Felix. Not exposed in FelixConfiguration.

SchemaSeconds (floating point)
Default0

DebugPort

AttributeValue
KeyDebugPort
Description

If set, enables Felix's debug HTTP port, which allows memory and CPU profiles to be retrieved. The debug port is not secured; it must not be exposed to the internet, and DebugHost should stay at its localhost default unless there is a specific need to bind elsewhere.

SchemaInteger: [0,65535]
Defaultnone

DebugSimulateCalcGraphHangAfter

AttributeValue
KeyDebugSimulateCalcGraphHangAfter
Description

Used to simulate a hang in the calculation graph after the specified duration. This is useful in tests of the watchdog system only!

SchemaSeconds (floating point)
Default0 (0s)

DebugSimulateDataRace

AttributeValue
KeyDebugSimulateDataRace
Description

Unsupported diagnostic setting, used when testing Felix. Not exposed in FelixConfiguration.

SchemaBoolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Defaultfalse

DebugSimulateDataplaneApplyDelay

AttributeValue
KeyDebugSimulateDataplaneApplyDelay
Description

Adds an artificial delay to every dataplane operation. This is useful for simulating a heavily loaded system for test purposes only.

SchemaSeconds (floating point)
Default0 (0s)

DebugSimulateDataplaneHangAfter

AttributeValue
KeyDebugSimulateDataplaneHangAfter
Description

Used to simulate a hang in the dataplane after the specified duration. This is useful in tests of the watchdog system only!

SchemaSeconds (floating point)
Default0 (0s)

DebugUseShortPollIntervals

AttributeValue
KeyDebugUseShortPollIntervals
Description

Unsupported diagnostic setting, used when testing Felix. Not exposed in FelixConfiguration.

SchemaBoolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Defaultfalse

DebugWindowsPktMonStartArgs

AttributeValue
KeyDebugWindowsPktMonStartArgs
Description

Unsupported diagnostic setting, used when testing Felix. Not exposed in FelixConfiguration.

SchemaString
Defaultnone

StatsDumpFilePath

AttributeValue
KeyStatsDumpFilePath
Description

The path to write a diagnostic flow logs statistics dump to when triggered by signal.

SchemaPath to file
Default/var/log/calico/stats/dump

Usage reporting

UsageReportingEnabled

AttributeValue
KeyUsageReportingEnabled
Description

Unused in Calico Enterprise; usage reporting is permanently disabled.

SchemaBoolean: true, 1, yes, y, t accepted as True; false, 0, no, n, f accepted (case insensitively) as False.
Defaulttrue

UsageReportingInitialDelaySecs

AttributeValue
KeyUsageReportingInitialDelaySecs
Description

Unused in Calico Enterprise; usage reporting is permanently disabled.

SchemaSeconds (floating point)
Default300 (5m0s)

UsageReportingIntervalSecs

AttributeValue
KeyUsageReportingIntervalSecs
Description

Unused in Calico Enterprise; usage reporting is permanently disabled.

SchemaSeconds (floating point)
Default86400 (24h0m0s)

Environment variables

The highest priority of configuration is that read from environment variables. To set a configuration parameter via an environment variable, set the environment variable formed by taking FELIX_ and appending the uppercase form of the variable name. For example, to set the etcd address, set the environment variable FELIX_ETCDADDR. Other examples include FELIX_ETCDSCHEME, FELIX_ETCDKEYFILE, FELIX_ETCDCERTFILE, FELIX_ETCDCAFILE, FELIX_FELIXHOSTNAME, FELIX_LOGFILEPATH and FELIX_METADATAADDR.

Configuration file

On startup, Felix reads an ini-style configuration file. The path to this file defaults to /etc/calico/felix.cfg but can be overridden using the -c or --config-file options on the command line. If the file exists, then it is read (ignoring section names) and all parameters are set from it.

In OpenStack, we recommend putting all configuration into configuration files, since the etcd database is transient (and may be recreated by the OpenStack plugin in certain error cases). However, in a Docker environment the use of environment variables or etcd is often more convenient.

Datastore

Felix also reads configuration parameters from the datastore. It supports a global setting and a per-host override.

  1. Get the current felixconfig settings. (Older versions of this procedure passed --export to kubectl get; that flag was removed in kubectl v1.18.)

    kubectl get felixconfiguration.projectcalico.org default -o yaml > felix.yaml
  2. Modify logFilePath to your intended path, e.g. "/tmp/felix.log"

    vim felix.yaml
    tip

    For a global change, set metadata.name to "default". For a node-specific change, set it to node.<nodename>, where <nodename> is the Calico node name; the node-specific resource overrides the global one for that node.

  3. Replace the current felixconfig settings. The file saved in step 1 carries the object's resourceVersion, so the replace is rejected if the resource changed in the meantime. If a node-specific resource does not exist yet, create it with kubectl create -f instead.

    kubectl replace -f felix.yaml

For more information, see Felix Configuration Resource.
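The three sections above describe one lookup order: environment variable, then configuration file, then the node-specific resource, then the global resource. The script below is an added example written for this page, not Calico Enterprise code: it derives the FELIX_ environment variable name for a parameter, reads the ini-style file while ignoring section names, and falls back to the datastore through kubectl. It assumes that keys in the file are compared case-insensitively with the first match winning, that lines starting with # or ; are comments, and that the FelixConfiguration resource spells fields in lowerCamelCase (logFilePath for LogFilePath).

```shell
#!/bin/sh
# Added example for this page; not Calico Enterprise code. Resolves a Felix
# parameter in the documented order: FELIX_<NAME> in the environment, then the
# ini-style config file (sections ignored), then node.<nodename>, then default.
# Assumptions: case-insensitive keys, first match wins, '#'/';' comment lines,
# lowerCamelCase field names in the FelixConfiguration resource.

# Environment variable name for a parameter, e.g. LogFilePath -> FELIX_LOGFILEPATH.
# Only alphanumeric names are accepted, which keeps the eval below safe.
felix_env_name() {
  case "$1" in
    ""|*[!A-Za-z0-9]*) echo "bad parameter name: $1" >&2; return 1 ;;
  esac
  printf 'FELIX_%s\n' "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')"
}

# Value of parameter $1 from ini file $2, ignoring [sections] and comments.
felix_file_value() {
  [ -r "$2" ] || return 1
  awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
    /^[ \t]*[#;]/ || /^[ \t]*\[/ || !/=/ { next }
    {
      key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
      if (tolower(key) != want) next
      val = $0; sub(/^[^=]*=/, "", val)
      sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
      print val; found = 1; exit
    }
    END { if (found) exit 0; exit 1 }' "$2"
}

# Node-specific, then global value from the datastore (needs kubectl; not run here).
# $1 is the lowerCamelCase field name, $2 the node name.
felix_datastore_value() {
  v=$(kubectl get felixconfiguration "node.$2" -o jsonpath="{.spec.$1}" 2>/dev/null) &&
    [ -n "$v" ] && { printf '%s\n' "$v"; return 0; }
  kubectl get felixconfiguration default -o jsonpath="{.spec.$1}"
}

# Local resolution: environment first, then config file $2. Returns 1 when
# neither sets the value, meaning the datastore or the built-in default decides.
felix_effective_value() {
  name=$(felix_env_name "$1") || return 1
  eval "v=\${$name:-}"
  if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
  if [ -n "${2:-}" ] && v=$(felix_file_value "$1" "$2"); then printf '%s\n' "$v"; return 0; fi
  return 1
}
```

On a node, `felix_effective_value LogFilePath /etc/calico/felix.cfg || felix_datastore_value logFilePath "$(hostname)"` shows which source currently wins, which is the first thing to check when a value set in FelixConfiguration appears to be ignored.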