github antrea-io/antrea v0.13.0
Release v0.13.0

3 years ago

Includes all the changes from 0.12.1.

Added

  • Add NodePortLocal feature to improve integration with external load-balancers. (#1459 #1743 #1758, @monotosh-avi @shubhamavi @hemantavi) [Alpha - Feature Gate: NodePortLocal]
    • Services can be annotated with "nodeportlocal.antrea.io/enabled" to indicate that NodePortLocal should be enabled for this Service's Pod Endpoints
    • For each container port exposed by such a Pod, the Antrea Agent will allocate a local Node port value and traffic sent to this Node port will be forwarded to the container port using DNAT
    • The mapping from allocated Node ports to container ports is stored in a new Pod annotation, "nodeportlocal.antrea.io", e.g. to be consumed by external load-balancers
  • Introduce the ClusterGroup CRD to logically group different network endpoints and reference them together in Antrea-native policies. (#1782, @abhiraut @Dyanngg)
    • The extra level of indirection enables separation between workload selection and policy definition
    • ClusterGroups can be referenced in Antrea ClusterNetworkPolicies, either in the AppliedTo or as peers in policy rules (#1750 #1734)
    • In addition to the Pod / Namespace selectors and ipBlocks, ClusterGroups can reference a Service by name directly, and all Pod Endpoints for this Service will be included in the ClusterGroup (#1797)
    • ClusterGroups can also select ExternalEntities, which are used to represent labelled non-Pod endpoints (#1828)
    • The ClusterGroup CRD includes a Status subresource used to indicate whether the Antrea Controller has already computed the membership list for the group (#1778)
    • New APIs are defined in "controlplane.antrea.tanzu.vmware.com/v1beta2": "/clustergroupmembers" retrieves the list of members of a group and "/groupassociations" retrieves the list of groups that a given endpoint (Pod or ExternalEntity) belongs to (#1688)
  • Add support for containerd runtime on Windows Nodes. (#1781 #1832, @ruicao93) [Windows]
  • Add EndpointSlice support to AntreaProxy. (#1703, @hongliangl) [Alpha - Feature Gate: EndpointSlice]
    • EndpointSlice needs to be enabled in the K8s cluster
    • Only the "discovery.k8s.io/v1beta1" EndpointSlice API is supported
  • Add support for arm/v7 and arm64 by providing Antrea Docker images for these architectures. (#1771, @antoninbas)
    • Refer to the documentation for instructions on how to use the image
  • Support IPv6 packets in Traceflow. (#1579, @gran-vmv)
  • Add the following Prometheus metrics to the AntreaProxy implementation: "antrea_proxy_sync_proxy_rules_duration_seconds", "antrea_proxy_total_endpoints_installed", "antrea_proxy_total_endpoints_updates", "antrea_proxy_total_services_installed", "antrea_proxy_total_services_updates". (#1704, @weiqiangt)
  • Add the following Prometheus metrics to count Status updates for Antrea-native policies: "antrea_controller_acnp_status_updates", "antrea_controller_anp_status_updates". (#1801, @antoninbas)
  • Add support for TLS between the Antrea Agent FlowExporter and the FlowAggregator, using self-signed certificates. (#1649, @zyiou)
  • New Antrea Agent configuration option, "kubeAPIServerOverride", which can be used to explicitly provide an address for the K8s apiserver when the Agent is running as a Pod; by default, the Agent uses the ClusterIP of the kubernetes Service. (#1735, @anfernee)
  • Provide ability to configure TLS cipher suites supported by the Antrea apiservers (Agent and Controller). (#1784, @lzhecheng)
  • Add liveness probe to Antrea Controller to ensure it is automatically restarted after a while by kubelet if it stops being responsive. (#1839, @antoninbas)
  • Document workaround to install OVS and Antrea on Windows Nodes for which the CPU does not have the required virtualization capabilities, as may be the case for cloud VMs. (#1744, @ruicao93) [Windows]
  • Improve documentation for "noEncap" and "hybrid" traffic modes, and add information about how to use Kube-router to advertise Pod CIDRs to the fabric with BGP. (#1798, @jianjuns)
  • Add new NetworkPolicy testsuite based on auto-generated test cases. (#1765, @mattfenwick)
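The two Alpha additions above, NodePortLocal and the ClusterGroup CRD, are easiest to understand from the objects a user actually creates. The manifests below are an added example and are not part of the release notes or the Antrea repository: the Service, namespace, labels and group names are constructed, and the API group/version strings and spec field names (serviceReference, podSelector, namespaceSelector, appliedTo/group) are my recollection of the v0.13.0 CRDs and should be checked against the CRD manifests shipped with the release before use. The only identifiers taken directly from the notes are the two "nodeportlocal.antrea.io" annotations and the NodePortLocal feature gate.

```yaml
# Added example, not Antrea project code. Names, labels and namespaces are
# constructed; API groups/versions and spec field names are assumptions to be
# verified against the v0.13.0 CRD manifests.

# 1. NodePortLocal. The NodePortLocal feature gate must be enabled on the
#    Agent (featureGates: {NodePortLocal: true} in antrea-agent.conf, as I
#    recall the config layout). Annotating the Service opts its Pod endpoints
#    in; for each container port the Agent allocates a Node port, installs a
#    DNAT rule, and records the mapping in the Pod annotation
#    "nodeportlocal.antrea.io", which an external load-balancer can read.
apiVersion: v1
kind: Service
metadata:
  name: web
  namespace: shop
  annotations:
    nodeportlocal.antrea.io/enabled: "true"
spec:
  selector:
    app: web
  ports:
  - port: 80
    targetPort: 8080
---
# 2. ClusterGroups. Cluster-scoped groups that policies reference by name, so
#    workload selection lives in one place. This one selects the Service's
#    Pod endpoints directly by Service reference (#1797 above) ...
apiVersion: core.antrea.tanzu.vmware.com/v1alpha2
kind: ClusterGroup
metadata:
  name: shop-web
spec:
  serviceReference:
    name: web
    namespace: shop
---
# ... and this one selects Pods by Namespace and Pod labels.
apiVersion: core.antrea.tanzu.vmware.com/v1alpha2
kind: ClusterGroup
metadata:
  name: shop-clients
spec:
  namespaceSelector:
    matchLabels:
      team: shop
  podSelector:
    matchLabels:
      role: frontend
---
# 3. An Antrea ClusterNetworkPolicy that uses both groups: applied to the
#    "shop-web" group, it allows TCP/8080 from "shop-clients" and drops any
#    other ingress. Editing either group later changes the policy's scope
#    without touching the policy itself.
apiVersion: security.antrea.tanzu.vmware.com/v1alpha1
kind: ClusterNetworkPolicy
metadata:
  name: shop-web-ingress
spec:
  priority: 5
  appliedTo:
  - group: shop-web
  ingress:
  - action: Allow
    from:
    - group: shop-clients
    ports:
    - protocol: TCP
      port: 8080
  - action: Drop
```

Two things to check after applying this: the ClusterGroup Status subresource (#1778 above) tells you whether the Controller has finished computing membership, and "/clustergroupmembers" on the controlplane API lists what the group actually resolved to, which is the list the Drop rule will be enforced against. The NodePortLocal mapping only appears on Pods selected by the annotated Service, so a Pod missing the "nodeportlocal.antrea.io" annotation usually means the feature gate is off on that Node's Agent or the Service selector does not match.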

Changed

  • Change permissions for the "/var/run/antrea" directory created by the Antrea Agent on each Node to prevent non-root users from accessing it; among other things, it includes the socket file used to send CNI commands to the Agent. (#1770, @jianjuns)
  • Add multi-table support to the "antctl get ovsflows" command, to dump flows from multiple tables at once. (#1708, @weiqiangt)
  • Change the sanity check performed by the Antrea Agent to validate that the Hyper-V dependency is satisfied. (#1741, @ruicao93)
  • Periodically verify that the static iptables rules required by Antrea are present and install missing rules if any. (#1751, @siddhant94)
  • Update Mellanox/sriovnet dependency to version v1.0.2 to support OVS hardware offload to Mellanox devices with Kernel versions 5.8 and above. (#1845, @Mmduh-483)
  • Remove dependency on juju libraries, which are distributed under an LGPL v3 license. (#1796, @antoninbas)

Fixed

  • Ensure that NodePort traffic does not bypass NetworkPolicies. (#1816, @tnqn)
    • NodePort traffic for which ExternalTrafficPolicy is set to Cluster goes through SNAT before NetworkPolicies are enforced; after SNAT the source IP is the IP of the local gateway interface (antrea-gw0)
    • Users will need to define the appropriate NetworkPolicies to allow ingress access to isolated Pods for NodePort traffic
    • This new behavior only applies to Linux Nodes using the OVS system datapath (default)
  • When clearing the flow-restore-wait config for the OVS bridge after re-installing flows, ensure that the operation happened successfully and retry if anything unexpected happens; if flow-restore-wait is not cleared, the bridge will not forward packets correctly. (#1730, @tnqn)
  • Stop mounting the host's kmod binary to the Antrea initContainer as it may depend on shared libraries not available in the container. (#1777, @antoninbas)
  • Fix crashes in the FlowAggregator, along with numerous spurious warnings, by updating the version of the go-ipfix library. (#1817, @zyiou @srikartati)
  • Fix issues with reference logstash configuration and improve reference Kibana dashboards for flow visualization with the FlowExporter feature. (#1727, @zyiou)
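The NodePort fix (#1816 above) has a consequence worth spelling out: once NetworkPolicies apply to NodePort traffic, an isolated Pod behind a NodePort Service with ExternalTrafficPolicy set to Cluster stops receiving that traffic until a policy admits it, and because SNAT happens first, the source the policy sees is the Node's antrea-gw0 address, not the external client. The manifest below is an added example, not from the release notes or the Antrea repository; the namespace, labels and the two gateway addresses are constructed, and the claim that antrea-gw0 takes the first address of each Node's Pod CIDR is my recollection of the default, so read the real address from each Node (for example with "ip addr show antrea-gw0") rather than assuming it.

```yaml
# Added example, not Antrea project code. Namespace, labels and gateway
# addresses are constructed; the gateway addresses must be replaced with the
# antrea-gw0 address of every Node that can receive the NodePort traffic.
#
# After #1816, NodePort traffic (ExternalTrafficPolicy: Cluster) arrives at
# the Pod with source IP = antrea-gw0 of the receiving Node, so a standard
# K8s NetworkPolicy must allow those per-Node gateway addresses explicitly.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-allow-nodeport
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 10.10.0.1/32   # antrea-gw0 on node-1 (constructed address)
    - ipBlock:
        cidr: 10.10.1.1/32   # antrea-gw0 on node-2 (constructed address)
    ports:
    - protocol: TCP
      port: 8080
```

Keep the ipBlocks to the gateway /32s rather than the whole Pod CIDR: a /16 covering the Pod CIDR would also admit every Pod in the cluster, which defeats the isolation. Also note that the policy cannot distinguish external clients from one another, since the client address is lost at SNAT; if per-client filtering matters, the standard Kubernetes option is ExternalTrafficPolicy: Local, which preserves the client source IP but only delivers to Pods on the receiving Node. The notes state this behavior applies only to Linux Nodes using the OVS system datapath, so Windows Nodes and the netdev datapath are unaffected by this policy.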
