Added
- Add ExternalNode feature which enables Antrea to manage security policies for non-Kubernetes Nodes (like virtual machines or bare-metal servers). (#4110, @wenyingd @mengdie-song @Anandkumar26)
  - It introduces the ExternalNode CRD; each resource of this kind represents a virtual machine or bare-metal server and supports specifying which network interfaces on the external Node are expected to be protected with Antrea-native policies.
  - An ExternalEntity resource will be created for each network interface specified in the ExternalNode resource. Antrea-native policies are applied to an external Node by using the ExternalEntity selector.
  - Refer to this document for more information about this feature.
- Add the following capabilities to Antrea-native policies:
  - Add Audit Logging support for K8s NetworkPolicy. (#4047, @qiyueyao)
  - Support applying Antrea ClusterNetworkPolicy to NodePort Services for securing ingress traffic. (#3997, @GraysonWu)
  - Introduce the Group CRD to logically group different network endpoints and reference them together in Antrea NetworkPolicy. (#2438, @qiyueyao @abhiraut)
- Release new Antrea Helm chart version for each Antrea release. (#3935 #3952, @antoninbas @yanjunz97)
  - Refer to this document for Helm installation method. (#3989, @antoninbas)
- Support TopologyAwareHints in AntreaProxy. (#3515, @hongliangl)
- Add encap mode support for the Multicast feature. (#3947, @wenyingd)
- Support configurable Geneve, VXLAN, or STT port number for encap mode. (#4065, @Jexf)
- Add Status field to the IPPool CRD: it is used to report usage information for the pool (total number of IPs in the pool and number of IPs that are currently assigned). (#3072 #4088, @ksamoray @tnqn)
- Support updating configuration at runtime for flow-aggregator via antctl or by updating the ConfigMap. (#3642, @yuntanghsu)
- Add antctl commands to set up and delete Multi-cluster ClusterSet. (#3992, @hjiajing)
- Add documentation to set up Multi-cluster ClusterSet with antctl. (#4096, @jianjuns)
Changed
- Antrea now uses OpenFlow 1.5 to program OVS. (#3770, @wenyingd @ashish-varma)
- Rename Windows script Start.ps1 to Start-AntreaAgent.ps1, and rename Stop.ps1 to Stop-AntreaAgent.ps1. (#3904, @wenyingd)
- Unify NodePortLocal behavior across Linux and Windows. Linux agents now support allocating different Node ports for different protocols even when the Pod port number is the same. (#3936, @XinShuYang)
- Antrea IPAM now uses the name of the uplink interface to name the host internal port, and the uplink interface will be renamed with a `~` suffix, e.g. `eth0~`. (#3938, @gran-vmv)
- Send Neighbor Advertisement messages after creating Pods in an IPv6 cluster. (#3998, @gran-vmv)
- Add an output formatter "raw" to better display multi-line string responses for antctl. (#3589, @Atish-iaf)
- Add new ports to network requirement doc. (#4063, @luolanzone)
- Windows OVS installation script now installs required SSL library if missing. (#4029, @XinShuYang)
- Upgrade whereabouts CNI to v0.5.4 and provide required pluginArgs when invoking the CNI binary. (#3987, @arunvelayutham)
- Remove Grafana flow collector files in the Antrea repo (as they were moved to the Theia repo). (#4048, @dreamtalen)
- Make the following changes to the Multi-cluster feature:
  - Add columns of kubectl outputs for Multi-cluster custom resources. (#3923, @jianjuns)
  - Use hostNetwork for Multi-cluster controller. (#3965, @luolanzone)
  - Update ClusterClaim CRD to v1alpha2. (#3755, @bangqipropel)
  - Update GatewayIPPrecedence to support the "external/internal" options. (#3930, @luolanzone)
  - Disable metrics API and change the health binding address port to 8080. (#4101, @luolanzone)
  - Improve CRD validation. (#4062 #4090 #4043, @luolanzone)
  - Auto create MemberClusterAnnounce and update ClusterSet in leader cluster for each member cluster. (#3956 #4054 #4026, @hjiajing @luolanzone)
  - Add Multi-cluster Gateway descriptions in the Multi-cluster architecture document. (#3638 #3899, @luolanzone @jianjuns)
Fixed
- Fix reconnection issue between Agent and OVS. (#4091, @wenyingd)
- Fix the wrong DNAT IP used by AntreaProxy for serving NodePort traffic on Windows Nodes. (#4103, @XinShuYang)
- Fix Antrea Octant plugin build. (#4107, @antoninbas)
- Fix Pod-to-external traffic on EKS in policyOnly mode. (#3975, @antoninbas)
- Fix problems caused by Node restart on EKS in policyOnly mode. (#4012 #4042, @antoninbas)
- Fix race conditions in NetworkPolicyController. (#4028, @tnqn)
- Fix FlowExporter memory bloat when export process is dead. (#3994, @wsquan171)
- Fix socket leak in an IPv6 cluster. (#4104, @wenyingd)
- Fix ClickHouse client race during batch commit. (#4071, @wsquan171)
- Retry when retrieval of PodCIDRs fails to avoid Agent crash due to the delay in allocating PodCIDRs for the Node. (#3950, @ksamoray)
- Fix nil pointer issue when ClusterSet is deleted in leader cluster. (#3915, @luolanzone)
- Clean up ResourceExport if the exported Service has no available Endpoints. (#4056, @luolanzone)