Configuring Felix

  • Operator
  • Manifest

If you have installed Calico using the operator, you cannot modify the environment provided to felix directly. To configure felix, see the FelixConfiguration resource instead.

Configuring Felix - 图1note

The following tables detail the configuration file and environment variable parameters. For FelixConfiguration resource settings, refer to Felix Configuration Resource.

Configuration for Felix is read from one of four possible locations, in order, as follows.

  1. Environment variables.
  2. The Felix configuration file.
  3. Host-specific FelixConfiguration resources (node.<nodename>).
  4. The global FelixConfiguration resource (default).

The value of any configuration parameter is the value read from the first location containing a value. For example, if an environment variable contains a value, it takes top precedence.

If not set in any of these locations, most configuration parameters have defaults, and it should be rare to have to explicitly set them.

The full list of parameters which can be set is as follows.

General configuration

Configuration file parameterEnvironment variableDescriptionSchema
DataplaneWatchdogTimeoutFELIX_DATAPLANEWATCHDOGTIMEOUTDeprecated: superceded by HealthTimeoutOverrides. Timeout before the main dataplane goroutine is determined to have hung and Felix will report non-live and non-ready. Can be increased if the liveness check incorrectly fails (for example if Felix is running slowly on a heavily loaded system). [Default: 90]int
AwsSrcDstCheckFELIX_AWSSRCDSTCHECKSet the source-destination-check when using AWS EC2 instances. Check IAM role and profile configuration for setting the necessary permission for this setting to work. [Default: DoNothing]DoNothing, Disable, Enable
DatastoreTypeFELIX_DATASTORETYPEThe datastore that Felix should read endpoints and policy information from. [Default: etcdv3]etcdv3, kubernetes
DeviceRouteSourceAddressFELIX_DEVICEROUTESOURCEADDRESSIPv4 address to use as the source hint on device routes programmed by Felix [Default: No source hint is set on programmed routes and for local traffic from host to workload the source address will be chosen by the kernel.]<IPv4-address>
DeviceRouteSourceAddressIPv6FELIX_DEVICEROUTESOURCEADDRESSIPV6IPv6 address to use as the source hint on device routes programmed by Felix [Default: No source hint is set on programmed routes and for local traffic from host to workload the source address will be chosen by the kernel.]<IPv6-address>
DeviceRouteProtocolFELIX_DEVICEROUTEPROTOCOLThis defines the route protocol added to programmed device routes. [Default: RTPROT_BOOT]int
DisableConntrackInvalidCheckFELIX_DISABLECONNTRACKINVALIDCHECKDisable the dropping of packets that aren’t either a valid handshake or part of an established connection. [Default: false]boolean
EndpointReportingDelaySecsFELIX_ENDPOINTREPORTINGDELAYSECSSet the endpoint reporting delay between status check intervals, in seconds. Only used if endpoint reporting is enabled. [Default: 1]int
EndpointReportingEnabledFELIX_ENDPOINTREPORTINGENABLEDEnable the endpoint status reporter. [Default: false]boolean
ExternalNodesCIDRListFELIX_EXTERNALNODESCIDRLISTComma-delimited list of IPv4 or CIDR of external-non-calico-nodes from which IPIP traffic is accepted by calico-nodes. [Default: “”]string
FailsafeInboundHostPortsFELIX_FAILSAFEINBOUNDHOSTPORTSComma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to “tcp”. If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value none. The default value allows ssh access, DHCP, BGP, etcd and the Kubernetes API. [Default: tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667]string
FailsafeOutboundHostPortsFELIX_FAILSAFEOUTBOUNDHOSTPORTSComma-delimited list of UDP/TCP/SCTP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For backwards compatibility, if the protocol is not specified, it defaults to “tcp”. If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value none. The default value opens etcd’s standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP, DNS, BGP and the Kubernetes API. [Default: udp:53, udp:67, tcp:179, tcp:2379, tcp:2380, tcp:5473, tcp:6443, tcp:6666, tcp:6667]string
FelixHostnameFELIX_FELIXHOSTNAMEThe hostname Felix reports to the plugin. Should be used if the hostname Felix autodetects is incorrect or does not match what the plugin will expect. [Default: socket.gethostname()]string
HealthEnabledFELIX_HEALTHENABLEDWhen enabled, exposes felix health information via an http endpoint.boolean
HealthHostFELIX_HEALTHHOSTThe address on which Felix will respond to health requests. [Default: localhost]string
HealthPortFELIX_HEALTHPORTThe port on which Felix will respond to health requests. [Default: 9099]int
HealthTimeoutOverridesFELIX_HEALTHTIMEOUTOVERRIDESAllows the internal watchdog timeouts of individual subcomponents to be overriden; example: “InternalDataplaneMainLoop=30s,CalculationGraph=2m”. This is useful for working around “false positive” liveness timeouts that can occur in particularly stressful workloads or if CPU is constrained. For a list of active subcomponents, see Felix’s logs. [Default: `]</td><td>Comma-delimited list of key/value pairs where the values are durations: <code>1s</code>, <code>10s</code>, <code>5m</code>, etc.</td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>IpInIpEnabled</code></td><td><code>FELIX_IPINIPENABLED</code></td><td>Optional, you shouldn't need to change this setting as Felix calculates if IPIP should be enabled based on the existing IP Pools. When set, this overrides whether Felix should configure an IPinIP interface on the host. When explicitly disabled in FelixConfiguration, Felix will not clean up addresses from the <code>tunl0</code> interface (use this if you need to add addresses to that interface and don't want to have them removed). [Default: unset]</td><td>optional boolean</td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>IpInIpMtu</code></td><td><code>FELIX_IPINIPMTU</code></td><td>The MTU to set on the IPIP tunnel device. Zero value means auto-detect. See <a href="$c39a938f31d1cde5.md">Configuring MTU</a> [Default: <code>0</code>]</td><td>int</td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>IPv4VXLANTunnelAddr</code></td><td></td><td>IP address of the IPv4 VXLAN tunnel. This is system configured and should not be updated manually.</td><td>string</td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>LogFilePath</code></td><td><code>FELIX_LOGFILEPATH</code></td><td>The full path to the Felix log. Set to <code>none</code> to disable file logging. [Default: <code>/var/log/calico/felix.log</code>]</td><td>string</td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>LogSeverityFile</code></td><td><code>FELIX_LOGSEVERITYFILE</code></td><td>The log severity above which logs are sent to the log file. [Default: <code>Info</code>]</td><td><code>Debug</code>, <code>Info</code>, <code>Warning</code>, <code>Error</code>, <code>Fatal</code></td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>LogSeverityScreen</code></td><td><code>FELIX_LOGSEVERITYSCREEN</code></td><td>The log severity above which logs are sent to the stdout. [Default: <code>Info</code>]</td><td><code>Debug</code>, <code>Info</code>, <code>Warning</code>, <code>Error</code>, <code>Fatal</code></td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>LogSeveritySys</code></td><td><code>FELIX_LOGSEVERITYSYS</code></td><td>The log severity above which logs are sent to the syslog. Set to <code>none</code> for no logging to syslog. [Default: <code>Info</code>]</td><td><code>Debug</code>, <code>Info</code>, <code>Warning</code>, <code>Error</code>, <code>Fatal</code></td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>LogDebugFilenameRegex</code></td><td><code>FELIX_LOGDEBUGFILENAMEREGEX</code></td><td>Controls which source code files have their Debug log output included in the logs. Only logs from files with names that match the given regular expression are included. The filter only applies to Debug level logs. [Default: <code>""</code>]</td><td>regex</td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>PolicySyncPathPrefix</code></td><td><code>FELIX_POLICYSYNCPATHPREFIX</code></td><td>File system path where Felix notifies services of policy changes over Unix domain sockets. This is only required if you're configuring <a href="https://github.com/projectcalico/app-policy" target="_blank" rel="noopener noreferrer">application layer policy</a>. Set to <code>""</code> to disable. [Default: <code>""</code>]</td><td>string</td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>PrometheusGoMetricsEnabled</code></td><td><code>FELIX_PROMETHEUSGOMETRICSENABLED</code></td><td>Set to <code>false</code> to disable Go runtime metrics collection, which the Prometheus client does by default. This reduces the number of metrics reported, reducing Prometheus load. [Default: <code>true</code>]</td><td>boolean</td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>PrometheusMetricsEnabled</code></td><td><code>FELIX_PROMETHEUSMETRICSENABLED</code></td><td>Set to <code>true</code> to enable the Prometheus metrics server in Felix. [Default: <code>false</code>]</td><td>boolean</td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>PrometheusMetricsHost</code></td><td><code>FELIX_PROMETHEUSMETRICSHOST</code></td><td>TCP network address that the Prometheus metrics server should bind to. [Default: <code>""</code>]</td><td>string</td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>PrometheusMetricsPort</code></td><td><code>FELIX_PROMETHEUSMETRICSPORT</code></td><td>TCP port that the Prometheus metrics server should bind to. [Default: <code>9091</code>]</td><td>int</td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>PrometheusProcessMetricsEnabled</code></td><td><code>FELIX_PROMETHEUSPROCESSMETRICSENABLED</code></td><td>Set to <code>false</code> to disable process metrics collection, which the Prometheus client does by default. This reduces the number of metrics reported, reducing Prometheus load. [Default: <code>true</code>]</td><td>boolean</td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>PrometheusWireGuardMetricsEnabled</code></td><td><code>FELIX_PROMETHEUSWIREGUARDMETRICSENABLED</code></td><td>Set to <code>false</code> to disable wireguard device metrics collection, which Felix does by default. [Default: <code>true</code>]</td><td>boolean</td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>RemoveExternalRoutes</code></td><td><code>FELIX_REMOVEEXTERNALROUTES</code></td><td>Whether or not to remove device routes that have not been programmed by Felix. Disabling this will allow external applications to also add device routes. [Default: <code>true</code>]</td><td>bool</td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>ReportingIntervalSecs</code></td><td><code>FELIX_REPORTINGINTERVALSECS</code></td><td>Interval at which Felix reports its status into the datastore. 0 means disabled and is correct for Kubernetes-only clusters. Must be non-zero in OpenStack deployments. [Default: <code>30</code>]</td><td>int</td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>ReportingTTLSecs</code></td><td><code>FELIX_REPORTINGTTLSECS</code></td><td>Time-to-live setting for process-wide status reports. [Default: <code>90</code>]</td><td>int</td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>RouteTableRange</code></td><td><code>FELIX_ROUTETABLERANGE</code></td><td><em>deprecated in favor of <code>RouteTableRanges</code></em> Calico programs additional Linux route tables for various purposes. <code>RouteTableRange</code> specifies the indices of the route tables that Calico should use. [Default: <code>""</code>]</td><td><code>&lt;min&gt;-&lt;max&gt;</code></td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>RouteTableRanges</code></td><td><code>FELIX_ROUTETABLERANGES</code></td><td>Calico programs additional Linux route tables for various purposes. <code>RouteTableRanges</code> specifies a set of table index ranges that Calico should use. Deprecates <code>RouteTableRange</code>, overrides <code>RouteTableRange</code>. [Default: <code>"1-250"</code>]</td><td><code>&lt;min&gt;-&lt;max&gt;,&lt;min&gt;-&lt;max&gt;,...</code></td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>RouteSyncDisabled</code></td><td><code>FELIX_ROUTESYNCDISABLED</code></td><td>Set to <code>true</code> to disable Calico programming routes to local workloads. [Default: <code>false</code>]</td><td>boolean</td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>SidecarAccelerationEnabled</code></td><td><code>FELIX_SIDECARACCELERATIONENABLED</code></td><td>Enable experimental acceleration between application and proxy sidecar when using <a href="$74c04135dba31ad8.md">application layer policy</a>. [Default: <code>false</code>]</td><td>boolean</td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>UsageReportingEnabled</code></td><td><code>FELIX_USAGEREPORTINGENABLED</code></td><td>Reports anonymous Calico version number and cluster size to projectcalico.org. Logs warnings returned by the usage server. For example, if a significant security vulnerability has been discovered in the version of Calico being used. [Default: <code>true</code>]</td><td>boolean</td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>UsageReportingInitialDelaySecs</code></td><td><code>FELIX_USAGEREPORTINGINITIALDELAYSECS</code></td><td>Minimum delay before first usage report, in seconds. [Default: <code>300</code>]</td><td>int</td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>UsageReportingIntervalSecs</code></td><td><code>FELIX_USAGEREPORTINGINTERVALSECS</code></td><td>Interval at which to make usage reports, in seconds. [Default: <code>86400</code>]</td><td>int</td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>VXLANEnabled</code></td><td><code>FELIX_VXLANENABLED</code></td><td>Optional, you shouldn't need to change this setting as Felix calculates if VXLAN should be enabled based on the existing IP Pools. When set, this overrides whether Felix should create the VXLAN tunnel device for VXLAN networking. [Default: unset]</td><td>optional boolean</td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>VXLANMTU</code></td><td><code>FELIX_VXLANMTU</code></td><td>The MTU to set on the IPv4 VXLAN tunnel device. Zero value means auto-detect. Also controls NodePort MTU when eBPF enabled. See <a href="$c39a938f31d1cde5.md">Configuring MTU</a> [Default: <code>0</code>]</td><td>int</td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>VXLANMTUV6</code></td><td><code>FELIX_VXLANMTUV6</code></td><td>The MTU to set on the IPv6 VXLAN tunnel device. Zero value means auto-detect. Also controls NodePort MTU when eBPF enabled. See <a href="$c39a938f31d1cde5.md">Configuring MTU</a> [Default: <code>0</code>]</td><td>int</td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>VXLANPort</code></td><td><code>FELIX_VXLANPORT</code></td><td>The UDP port to use for VXLAN. [Default: <code>4789</code>]</td><td>int</td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>VXLANTunnelMACAddr</code></td><td></td><td>MAC address of the IPv4 VXLAN tunnel. This is system configured and should not be updated manually.</td><td>string</td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>VXLANVNI</code></td><td><code>FELIX_VXLANVNI</code></td><td>The virtual network ID to use for VXLAN. [Default: <code>4096</code>]</td><td>int</td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>AllowVXLANPacketsFromWorkloads</code></td><td><code>FELIX_ALLOWVXLANPACKETSFROMWORKLOADS</code></td><td>Set to <code>true</code> to allow VXLAN encapsulated traffic from workloads. [Default: <code>false</code>]</td><td>boolean</td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>AllowIPIPPacketsFromWorkloads</code></td><td><code>FELIX_ALLOWIPIPPACKETSFROMWORKLOADS</code></td><td>Set to <code>true</code> to allow IPIP encapsulated traffic from workloads. [Default: <code>false</code>]</td><td>boolean</td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>TyphaAddr</code></td><td><code>FELIX_TYPHAADDR</code></td><td>IPv4 address at which Felix should connect to Typha. [Default: none]</td><td>string</td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>TyphaK8sServiceName</code></td><td><code>FELIX_TYPHAK8SSERVICENAME</code></td><td>Name of the Typha Kubernetes service</td><td>string</td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>Ipv6Support</code></td><td><code>FELIX_IPV6SUPPORT</code></td><td>Enable Calico networking and security for IPv6 traffic as well as for IPv4.</td><td>boolean</td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>RouteSource</code></td><td><code>FELIX_ROUTESOURCE</code></td><td>Where Felix gets is routing information from for VXLAN and the BPF dataplane. The CalicoIPAM setting is more efficient because it supports route aggregation, but it only works when Calico's IPAM or host-local IPAM is in use. Use the WorkloadIPs setting if you are using Calico's VXLAN or BPF dataplane and not using Calico IPAM or host-local IPAM. [Default: "CalicoIPAM"]</td><td>'CalicoIPAM', or 'WorkloadIPs'</td><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td><code>mtuIfacePattern</code></td><td><code>FELIX_MTUIFACEPATTERN</code></td><td>Pattern used to discover the host's interface for MTU auto-detection. [Default:^((enwlwwslib)[copsx].(ethwlanwwan).)`regex
FeatureDetectOverrideFELIX_FEATUREDETECTOVERRIDEIs used to override the feature detection. Values are specified in a comma separated list with no spaces, example; “SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=true,IPIPDeviceIsL3=true. “true” or “false” will force the feature, empty or omitted values are auto-detected. [Default: “”]string

etcd datastore configuration

Configuration parameterEnvironment variableDescriptionSchema
EtcdCaFileFELIX_ETCDCAFILEPath to the file containing the root certificate of the certificate authority (CA) that issued the etcd server certificate. Configures Felix to trust the CA that signed the root certificate. The file may contain multiple root certificates, causing Felix to trust each of the CAs included. To disable authentication of the server by Felix, set the value to none. [Default: /etc/ssl/certs/ca-certificates.crt]string
EtcdCertFileFELIX_ETCDCERTFILEPath to the file containing the client certificate issued to Felix. Enables Felix to participate in mutual TLS authentication and identify itself to the etcd server. Example: /etc/felix/cert.pem (optional)string
EtcdEndpointsFELIX_ETCDENDPOINTSComma-delimited list of etcd endpoints to connect to. Example: http://127.0.0.1:2379,http://127.0.0.2:2379.<scheme>://<ip-or-fqdn>:<port>
EtcdKeyFileFELIX_ETCDKEYFILEPath to the file containing the private key matching Felix’s client certificate. Enables Felix to participate in mutual TLS authentication and identify itself to the etcd server. Example: /etc/felix/key.pem (optional)string

Kubernetes API datastore configuration

The Kubernetes API datastore driver reads its configuration from Kubernetes-provided environment variables.

iptables dataplane configuration

Configuration parameterEnvironment variableDescriptionSchema
ChainInsertModeFELIX_CHAININSERTMODEControls whether Felix hooks the kernel’s top-level iptables chains by inserting a rule at the top of the chain or by appending a rule at the bottom. Insert is the safe default since it prevents Calico’s rules from being bypassed. If you switch to Append mode, be sure that the other rules in the chains signal acceptance by falling through to the Calico rules, otherwise the Calico policy will be bypassed. [Default: Insert]Insert, Append
DefaultEndpointToHostActionFELIX_DEFAULTENDPOINTTOHOSTACTIONThis parameter controls what happens to traffic that goes from a workload endpoint to the host itself (after the traffic hits the endpoint egress policy). By default Calico blocks traffic from workload endpoints to the host itself with an iptables Drop action. If you want to allow some or all traffic from endpoint to host, set this parameter to Return or Accept. Use Return if you have your own rules in the iptables “INPUT” chain; Calico will insert its rules at the top of that chain, then Return packets to the “INPUT” chain once it has completed processing workload endpoint egress policy. Use Accept to unconditionally accept packets from workloads after processing workload endpoint egress policy. [Default: Drop]Drop, Return, Accept
GenericXDPEnabledFELIX_GENERICXDPENABLEDWhen enabled, Felix can fallback to the non-optimized generic XDP mode. This should only be used for testing since it doesn’t improve performance over the non-XDP mode. [Default: false]boolean
InterfaceExcludeFELIX_INTERFACEEXCLUDEA comma-separated list of interface names that should be excluded when Felix is resolving host endpoints. The default value ensures that Felix ignores Kubernetes’ internal kube-ipvs0 device. If you want to exclude multiple interface names using a single value, the list supports regular expressions. For regular expressions you must wrap the value with /. For example having values /^kube/,veth1 will exclude all interfaces that begin with kube and also the interface veth1. [Default: kube-ipvs0]string
IpsetsRefreshIntervalFELIX_IPSETSREFRESHINTERVALPeriod, in seconds, at which Felix re-checks the IP sets in the dataplane to ensure that no other process has accidentally broken Calico’s rules. Set to 0 to disable IP sets refresh. Note: the default for this value is lower than the other refresh intervals as a workaround for a Linux kernel bug that was fixed in kernel version 4.11. If you are using v4.11 or greater you may want to set this to, a higher value to reduce Felix CPU usage. [Default: 10]int
IptablesBackendFELIX_IPTABLESBACKENDThis parameter controls which variant of iptables binary Felix uses. Set this to Auto for auto detection of the backend. If a specific backend is needed then use NFT for hosts using a netfilter backend or Legacy for others. [Default: Auto]Legacy, NFT, Auto
IptablesFilterAllowActionFELIX_IPTABLESFILTERALLOWACTIONThis parameter controls what happens to traffic that is allowed by a Felix policy chain in the iptables filter table (i.e., a normal policy chain). The default will immediately Accept the traffic. Use Return to send the traffic back up to the system chains for further processing. [Default: Accept]Accept, Return
IptablesLockFilePathFELIX_IPTABLESLOCKFILEPATHDeprecated: For iptables versions prior to v1.6.2, location of the iptables lock file (later versions of iptables always use value “/run/xtables.lock”). You may need to change this if the lock file is not in its standard location (for example if you have mapped it into Felix’s container at a different path). [Default: /run/xtables.lock]string
IptablesLockProbeIntervalMillisFELIX_IPTABLESLOCKPROBEINTERVALMILLISTime, in milliseconds, that Felix will wait between attempts to acquire the iptables lock if it is not available. Lower values make Felix more responsive when the lock is contended, but use more CPU. [Default: 50]int
IptablesLockTimeoutSecsFELIX_IPTABLESLOCKTIMEOUTSECSTime, in seconds, that Felix will wait for the iptables lock. Versions of iptables prior to v1.6.2 support disabling the iptables lock by setting this value to 0; v1.6.2 and above do not so Felix will default to 10s if a non-positive number is used. To use this feature, Felix must share the iptables lock file with all other processes that also take the lock. When running Felix inside a container, this typically requires the file /run/xtables.lock on the host to be mounted into the calico/node or calico/felix container. [Default: 0 disabled for iptables <v1.6.2 or 10s for later versions]int
IptablesMangleAllowActionFELIX_IPTABLESMANGLEALLOWACTIONThis parameter controls what happens to traffic that is allowed by a Felix policy chain in the iptables mangle table (i.e., a pre-DNAT policy chain). The default will immediately Accept the traffic. Use Return to send the traffic back up to the system chains for further processing. [Default: Accept]Accept, Return
IptablesMarkMaskFELIX_IPTABLESMARKMASKMask that Felix selects its IPTables Mark bits from. Should be a 32 bit hexadecimal number with at least 8 bits set, none of which clash with any other mark bits in use on the system. When using Calico with Kubernetes’ kube-proxy in IPVS mode, we recommend allowing at least 16 bits. [Default: 0xffff0000]netmask
IptablesNATOutgoingInterfaceFilterFELIX_IPTABLESNATOUTGOINGINTERFACEFILTERThis parameter can be used to limit the host interfaces on which Calico will apply SNAT to traffic leaving a Calico IPAM pool with “NAT outgoing” enabled. This can be useful if you have a main data interface, where traffic should be SNATted and a secondary device (such as the docker bridge) which is local to the host and doesn’t require SNAT. This parameter uses the iptables interface matching syntax, which allows + as a wildcard. Most users will not need to set this. Example: if your data interfaces are eth0 and eth1 and you want to exclude the docker bridge, you could set this to eth+string
IptablesPostWriteCheckIntervalSecsFELIX_IPTABLESPOSTWRITECHECKINTERVALSECSPeriod, in seconds, after Felix has done a write to the dataplane that it schedules an extra read back in order to check the write was not clobbered by another process. This should only occur if another application on the system doesn’t respect the iptables lock. [Default: 1]int
IptablesRefreshIntervalFELIX_IPTABLESREFRESHINTERVALPeriod, in seconds, at which Felix re-checks all iptables state to ensure that no other process has accidentally broken Calico’s rules. Set to 0 to disable iptables refresh. [Default: 90]int
LogPrefixFELIX_LOGPREFIXThe log prefix that Felix uses when rendering LOG rules. [Default: calico-packet]string
MaxIpsetSizeFELIX_MAXIPSETSIZEMaximum size for the ipsets used by Felix. Should be set to a number that is greater than the maximum number of IP addresses that are ever expected in a selector. [Default: 1048576]int
NATPortRangeFELIX_NATPORTRANGEPort range used by iptables for port mapping when doing outgoing NAT. (Example: 32768:65000). [Default: iptables maps source ports below 512 to other ports below 512: those between 512 and 1023 inclusive will be mapped to ports below 1024, and other ports will be mapped to 1024 or above. Where possible, no port alteration will occur.]string
NATOutgoingAddressFELIX_NATOUTGOINGADDRESSSource address used by iptables for an SNAT rule when doing outgoing NAT. [Default: an iptables MASQUERADE rule is used for outgoing NAT which will use the address on the interface traffic is leaving on.]<IPv4-address>
NetlinkTimeoutSecsFELIX_NETLINKTIMEOUTSECSTime, in seconds, that Felix will wait for netlink (i.e. routing table list/update) operations to complete before giving up and retrying. [Default: 10]float
RouteRefreshIntervalFELIX_ROUTEREFRESHINTERVALPeriod, in seconds, at which Felix re-checks the routes in the dataplane to ensure that no other process has accidentally broken Calico’s rules. Set to 0 to disable route refresh. [Default: 90]int
ServiceLoopPreventionFELIX_SERVICELOOPPREVENTIONWhen service IP advertisement is enabled, prevent routing loops to service IPs that are not in use, by dropping or rejecting packets that do not get DNAT’d by kube-proxy. Unless set to “Disabled”, in which case such routing loops continue to be allowed. [Default: Drop]Drop, Reject, Disabled
WorkloadSourceSpoofingFELIX_WORKLOADSOURCESPOOFINGControls whether pods can enable source IP address spoofing with the cni.projectcalico.org/allowedSourcePrefixes annotation. When set to Any, pods can use this annotation to send packets from any IP address. [Default: Disabled]Any, Disabled
XDPRefreshIntervalFELIX_XDPREFRESHINTERVALPeriod, in seconds, at which Felix re-checks the XDP state in the dataplane to ensure that no other process has accidentally broken Calico’s rules. Set to 0 to disable XDP refresh. [Default: 90]int
XDPEnabledFELIX_XDPENABLEDEnable XDP acceleration for host endpoint policies. [Default: true]boolean

eBPF dataplane configuration

eBPF dataplane mode uses the Linux Kernel’s eBPF virtual machine to implement networking and policy instead of iptables. When BPFEnabled is set to true, Felix will:

  • Require a v5.3 Linux kernel.
  • Implement policy with eBPF programs instead of iptables.
  • Activate its embedded implementation of kube-proxy to implement Kubernetes service load balancing.
  • Disable support for IPv6.

See the HOWTO guide for step-by step instructions to enable this feature.

Configuration parameter / Environment variableDescriptionSchemaDefault
BPFEnabled /
FELIX_BPFENABLED
Enable eBPF dataplane mode. eBPF mode has a number of limitations, see the HOWTO guide.true, falsefalse
BPFDisableUnprivileged /
FELIX_BPFDISABLEUNPRIVILEGED
If true, Felix sets the kernel.unprivileged_bpf_disabled sysctl to disable unprivileged use of BPF. This ensures that unprivileged users cannot access Calico’s BPF maps and cannot insert their own BPF programs to interfere with the ones that Calico installs.true, falsetrue
BPFLogLevel /
FELIX_BPFLOGLEVEL
The log level used by the BPF programs. The logs are emitted to the BPF trace pipe, accessible with the command tc exec BPF debug.Off,Info,DebugOff
BPFDataIfacePattern /
FELIX_BPFDATAIFACEPATTERN
Controls which interfaces Felix should attach BPF programs to in order to catch traffic to/from the external network. This needs to match the interfaces that Calico workload traffic flows over as well as any interfaces that handle incoming traffic to NodePorts and services from outside the cluster. It should not match the workload interfaces (usually named cali…)..regular expression^((en</td><td>wl</td><td>ww</td><td>sl</td><td>ib)[Popsx].*</td><td>(eth</td><td>wlan</td><td>wwan).*</td><td>tunl0$</td><td>vxlan.calico$</td><td>wireguard.cali$</td><td>wg-v6.cali$)
BPFL3IfacePattern /
FELIX_BPFL3IFACEPATTERN
Allows to list tunnel devices like wireguard or vxlan (i.e., L3 devices) in addition to BPFDataIfacePattern. That is, tunnel interfaces not created by Calico, that Calico workload traffic flows over as well as any interfaces that handle incoming traffic to nodeports and services from outside the cluster.regular expression“”
BPFConnectTimeLoadBalancingEnabled /
FELIX_BPFCONNECTTIMELOADBALANCINGENABLED
Controls whether Felix installs the connect-time load balancer. In the current release, the connect-time load balancer is required for the host to reach kubernetes services.true,falsetrue
BPFExternalServiceMode /
FELIX_BPFEXTERNALSERVICEMODE
Controls how traffic from outside the cluster to NodePorts and ClusterIPs is handled. In Tunnel mode, packet is tunneled from the ingress host to the host with the backing pod and back again. In DSR mode, traffic is tunneled to the host with the backing pod and then returned directly; this requires a network that allows direct return.Tunnel,DSRTunnel
BPFExtToServiceConnmark /
FELIX_BPFEXTTOSERVICECONNMARK
Controls a 32bit mark that is set on connections from an external client to a local service. This mark allows us to control how packets of that connection are routed within the host and how is routing interpreted by RPF check.int0
BPFEnforceRPF /
FELIX_BPFENFORCERPF
Enforce RPF on all host interfaces with BPF programs regardless of what is the per-interfaces or global setting.Disabled,Strict,LooseStrict
BPFKubeProxyIptablesCleanupEnabled /
FELIX_BPFKUBEPROXYIPTABLESCLEANUPENABLED
Controls whether Felix will clean up the iptables rules created by the Kubernetes kube-proxy; should only be enabled if kube-proxy is not running.true,falsetrue
BPFKubeProxyMinSyncPeriod /
FELIX_BPFKUBEPROXYMINSYNCPERIOD
Controls the minimum time between dataplane updates for Felix’s embedded kube-proxy implementation.seconds1
BPFKubeProxyEndpointSlicesEnabled /
FELIX_BPFKUBEPROXYENDPOINTSLICESENABLED
Controls whether Felix’s embedded kube-proxy derives its services from Kubernetes’ EndpointSlices resources. Using EndpointSlices is more efficient but it requires EndpointSlices support to be enabled at the Kubernetes API server.true,falsefalse
BPFMapSizeConntrack /
FELIX_BPFMapSizeConntrack
Controls the size of the conntrack map. This map must be large enough to hold an entry for each active connection. Warning: changing the size of the conntrack map can cause disruption.int512000
BPFMapSizeNATFrontend /
FELIX_BPFMapSizeNATFrontend
Controls the size of the NAT frontend map. FrontendMap should be large enough to hold an entry for each nodeport, external IP and each port in each service.int65536
BPFMapSizeNATBackend /
FELIX_BPFMapSizeNATBackend
Controls the size of the NAT backend map. This is the total number of endpoints. This is mostly more than the size of the number of services.int262144
BPFMapSizeNATAffinity /
FELIX_BPFMapSizeNATAffinity
Controls the size of the NAT affinity map.int65536
BPFMapSizeIPSets /
FELIX_BPFMapSizeIPSets
Controls the size of the IPSets map. The IP sets map must be large enough to hold an entry for each endpoint matched by every selector in the source/destination matches in network policy. Selectors such as “all()” can result in large numbers of entries (one entry per endpoint in that case).int1048576
BPFMapSizeRoute /
FELIX_BPFMapSizeRoute
Controls the size of the route map. The routes map should be large enough to hold one entry per workload and a handful of entries per host (enough to cover its own IPs and tunnel IPs).int262144
BPFHostConntrackBypass /
FELIX_BPFHostConntrackBypass
Controls whether to bypass Linux conntrack in BPF mode for workloads and services.true,falsetrue
BPFPolicyDebugEnabled /
FELIX_BPFPOLICYDEBUGENABLED
In eBPF dataplane mode, Felix records detailed information about the BPF policy programs, which can be examined with the calico-bpf command-line tool.true, falsetrue

Kubernetes-specific configuration

Configuration parameterEnvironment variableDescriptionSchema
KubeNodePortRangesFELIX_KUBENODEPORTRANGESA list of port ranges that Felix should treat as Kubernetes node ports. Only when kube-proxy is configured to use IPVS mode: Felix assumes that traffic arriving at the host of one of these ports will ultimately be forwarded instead of being terminated by a host process. [Default: 30000:32767]Comma-delimited list of <min>:<max> port ranges or single ports.

Configuring Felix - 图2note

When using Calico with Kubernetes’ `kube-proxy` in IPVS mode, Calico uses additional iptables mark bits to store an ID for each local Calico endpoint. For example, the default `IptablesMarkMask` value, `0xffff0000` gives Calico 16 bits, up to 6 of which are used for internal purposes, leaving 10 bits for endpoint IDs. 10 bits is enough for 1024 different values and Calico uses 2 of those for internal purposes, leaving enough for 1022 endpoints on the host.

OpenStack-specific configuration

Configuration parameterEnvironment variableDescriptionSchema
MetadataAddrFELIX_METADATAADDRThe IP address or domain name of the server that can answer VM queries for cloud-init metadata. In OpenStack, this corresponds to the machine running nova-api (or in Ubuntu, nova-api-metadata). A value of none (case insensitive) means that Felix should not set up any NAT rule for the metadata path. [Default: 127.0.0.1]<IPv4-address>, <hostname>, none
MetadataPortFELIX_METADATAPORTThe port of the metadata server. This, combined with global.MetadataAddr (if not ‘None’), is used to set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort. In most cases this should not need to be changed [Default: 8775].int
OpenstackRegionFELIX_OPENSTACKREGIONIn a multi-region deployment, the name of the region that this Felix is in. [Default: none].string*

* If non-empty, the value specified for OpenstackRegion must be a string of lower case alphanumeric characters or ‘-‘, starting and ending with an alphanumeric character.

Bare metal specific configuration

Configuration parameterEnvironment variableDescriptionSchema
InterfacePrefixFELIX_INTERFACEPREFIXThe interface name prefix that identifies workload endpoints and so distinguishes them from host endpoint interfaces. Accepts more than one interface name prefix in comma-delimited format, e.g., tap,cali. Note: in environments other than bare metal, the orchestrators configure this appropriately. For example our Kubernetes and Docker integrations set the cali value, and our OpenStack integration sets the tap value. [Default: cali]string

Felix-Typha Configuration

Configuration parameterEnvironment variableDescriptionSchema
TyphaAddrFELIX_TYPHAADDRAddress of the Typha Server when running outside a K8S Cluster, in the format IP:PORTstring
TyphaK8sServiceNameFELIX_TYPHAK8SSERVICENAMEService Name of Typha Deployment when running inside a K8S Clusterstring
TyphaK8sNamespaceFELIX_TYPHAK8SNAMESPACENamespace of Typha Deployment when running inside a K8S Cluster. [Default: kube-system]string
TyphaReadTimeoutFELIX_TYPHAREADTIMEOUTTimeout of Felix when reading information from Typha, in seconds. [Default: 30]int
TyphaWriteTimeoutFELIX_TYPHAWRITETIMEOUTTimeout of Felix when writing information to Typha, in seconds. [Default: 30]int

Felix-Typha TLS configuration

Configuration parameterEnvironment variableDescriptionSchema
TyphaCAFileFELIX_TYPHACAFILEPath to the file containing the root certificate of the CA that issued the Typha server certificate. Configures Felix to trust the CA that signed the root certificate. The file may contain multiple root certificates, causing Felix to trust each of the CAs included. Example: /etc/felix/ca.pemstring
TyphaCertFileFELIX_TYPHACERTFILEPath to the file containing the client certificate issued to Felix. Enables Felix to participate in mutual TLS authentication and identify itself to the Typha server. Example: /etc/felix/cert.pemstring
TyphaCNFELIX_TYPHACNIf set, the Common Name that Typha’s certificate must have. If you have enabled TLS on the communications from Felix to Typha, you must set a value here or in TyphaURISAN. You can set values in both, as well, such as to facilitate a migration from using one to the other. If either matches, the communication succeeds. [Default: none]string
TyphaKeyFileFELIX_TYPHAKEYFILEPath to the file containing the private key matching the Felix client certificate. Enables Felix to participate in mutual TLS authentication and identify itself to the Typha server. Example: /etc/felix/key.pem (optional)string
TyphaURISANFELIX_TYPHAURISANIf set, a URI SAN that Typha’s certificate must have. We recommend populating this with a SPIFFE string that identifies Typha. All Typha instances should use the same SPIFFE ID. If you have enabled TLS on the communications from Felix to Typha, you must set a value here or in TyphaCN. You can set values in both, as well, such as to facilitate a migration from using one to the other. If either matches, the communication succeeds. [Default: none]string

For more information on how to use and set these variables, refer to Connections from Felix to Typha (Kubernetes).

WireGuard configuration

Configuration parameterEnvironment variableDescriptionSchema
wireguardEnabledEnable encryption for IPv4 on WireGuard supported nodes in cluster. When enabled, pod to pod traffic will be sent over encrypted tunnels between the nodes.true, falsebooleanfalse
wireguardEnabledV6Enable encryption for IPv6 on WireGuard supported nodes in cluster. When enabled, pod to pod traffic will be sent over encrypted tunnels between the nodes.true, falsebooleanfalse
wireguardInterfaceNameName of the IPv4 WireGuard interface created by Felix. If you change the name, and want to clean up the previously-configured interface names on each node, this is a manual process.stringstringwireguard.cali
wireguardInterfaceNameV6Name of the IPv6 WireGuard interface created by Felix. If you change the name, and want to clean up the previously-configured interface names on each node, this is a manual process.stringstringwg-v6.cali
wireguardListeningPortPort used by IPv4 WireGuard tunnels. Felix sets up an IPv4 WireGuard tunnel on each node specified by this port. Available for configuration only in the global FelixConfiguration resource; setting it per host, config-file or environment variable will not work.1-65535int51820
wireguardListeningPortV6Port used by IPv6 WireGuard tunnels. Felix sets up an IPv6 WireGuard tunnel on each node specified by this port. Available for configuration only in the global FelixConfiguration resource; setting it per host, config-file or environment variable will not work.1-65535int51821
wireguardMTUMTU set on the IPv4 WireGuard interface created by Felix. Zero value means auto-detect. See Configuring MTU.intint0
wireguardMTUV6MTU set on the IPv6 WireGuard interface created by Felix. Zero value means auto-detect. See Configuring MTU.intint0
wireguardRoutingRulePriorityWireGuard routing rule priority value set up by Felix. If you change the default value, set it to a value most appropriate to routing rules for your nodes.1-32765int99
wireguardHostEncryptionEnabledExperimental: Adds host-namespace workload IP’s to WireGuard’s list of peers. Should not be enabled when WireGuard is enabled on a cluster’s control-plane node, as networking deadlock can occur.true, falsebooleanfalse
wireguardKeepAliveWireguardKeepAlive controls Wireguard PersistentKeepalive option. Set 0 to disable. [Default: 0]intint25

For more information on encrypting in-cluster traffic with WireGuard, refer to Encrypt cluster pod traffic

Environment variables

The highest priority of configuration is that read from environment variables. To set a configuration parameter via an environment variable, set the environment variable formed by taking FELIX_ and appending the uppercase form of the variable name. For example, to set the etcd address, set the environment variable FELIX_ETCDADDR. Other examples include FELIX_ETCDSCHEME, FELIX_ETCDKEYFILE, FELIX_ETCDCERTFILE, FELIX_ETCDCAFILE, FELIX_FELIXHOSTNAME, FELIX_LOGFILEPATH and FELIX_METADATAADDR.

Configuration file

On startup, Felix reads an ini-style configuration file. The path to this file defaults to /etc/calico/felix.cfg but can be overridden using the -c or --config-file options on the command line. If the file exists, then it is read (ignoring section names) and all parameters are set from it.

In OpenStack, we recommend putting all configuration into configuration files, since the etcd database is transient (and may be recreated by the OpenStack plugin in certain error cases). However, in a Docker environment the use of environment variables or etcd is often more convenient.

Datastore

Felix also reads configuration parameters from the datastore. It supports a global setting and a per-host override.

  1. Get the current felixconfig settings.

    1. calicoctl get felixconfig default -o yaml --export > felix.yaml
  2. Modify logFilePath to your intended path, e.g. “/tmp/felix.log”

    1. vim felix.yaml

    Configuring Felix - 图3tip

    For a global change set name to “default”. For a node-specific change: set name to node.<nodename>, e.g. “node.Calico-node-1”

  3. Replace the current felixconfig settings

    1. calicoctl replace -f felix.yaml

For more information, see Felix Configuration Resource.