Antrea v2.2.0

Added

• Add a new feature PacketCapture to allow users to capture live traffic and upload captured packets to a specified location:
  • Add PacketCapture API. (#6257, @hangyan)
  • Add PacketCapture data path support. (#6756, @hangyan)
  • Refer to this document for more information about this feature.
• Add a few new antctl sub-commands for the BGPPolicy feature to improve usability:
  • antctl get bgppolicy to get the effective BGP policy applied on the local Node. (#6646, @Atish-iaf)
  • antctl get bgppeers to print the current status of all BGP peers of the effective BGPPolicy applied on the local Node. (#6689 #6755, @Atish-iaf)
  • antctl get bgproutes to print the BGP routes advertised from the local Node. (#6734, @Atish-iaf)
• Add an except field to the Antrea-native policy field ipBlock to allow users to exclude certain CIDRs from ipBlock.cidr. (#6658 #6677, @Dyanngg)
• Add a new templateRefreshTimeout configuration for FlowAggregator to define the template retransmission interval when using the UDP protocol to export records. (#6699, @antoninbas)
• Add EnableLogging and LogLabel support for Antrea Node NetworkPolicy. (#6626, @hongliangl)
• Add ServiceTrafficDistribution feature in Antrea Proxy that enables traffic distribution for Services. (#6604, @hongliangl)
• Support --random-fully for iptables SNAT / MASQUERADE rules. (#6602, @antoninbas)
• Add antctl-darwin-arm64 to Antrea release assets. (#6640, @antoninbas)
• Add documentation for the NodeLatencyMonitor feature. (#6561, @antoninbas)

Changed

• Uniform BGP router ID selection for IPv4 and IPv6 for the BGPPolicy feature. (#6605, @Atish-iaf)
• Use the default protocol / port when the destination is a Service in Traceflow. (#6601, @Atish-iaf)
• Add validations for Antrea Node NetworkPolicy to fail invalid configurations. (#6613, @Atish-iaf)
• More robust system Tier creation / update for Antrea-native policies. (#6696, @antoninbas)
• Handle ExternalIPPool range changes in Egress controller. (#6685, @antoninbas)
• Close connection to IPFIX collector explicitly on Stop for FlowAggregator. (#6635, @antoninbas)
• Unify the checker image and make it configurable when running antctl check cluster. (#6579, @tnqn)
• Update the Finalizer of ResourceExport to be a domain-qualified string. (#6742, @Dyanngg)
• Upgrade Ubuntu to 24.04 (Noble). (#6575, @antoninbas)
• Upgrade Go to 1.23. (#6647, @antoninbas)
• Upgrade Suricata to 7.0. (#6589, @antoninbas)

Fixed

• Install OpenFlow entries by PortStatus to fix an Antrea Agent failure on Windows when the OF port allocation takes longer than 5s. (#6763, @wenyingd)
• Match dstIP in ClassifierTable to fix a potential source MAC and IP mismatched issue on Windows when promiscuous mode is enabled. (#6528, @XinShuYang)
• Fix the checker image tag when running antctl check cluster with a released antctl binary. (#6565, @tnqn)
• Use the same MTU as uplink for bridge ports to fix a potential MTU mismatch issue when the traffic mode is changed. (#6577, @antoninbas)
• Cache TTLs for individual IP addresses in DNS responses to avoid evicting valid IPs before they are expired. (#6732, @hkiiita)
• Fix an issue with ipset or iptables chain removal during Antrea Node NetworkPolicy updates or deletions. (#6707, @hongliangl)
• Fix an issue with logging support for L7 NetworkPolicy causing the wrong packet to be logged by Suricata for the default reject rule. From now on, enableLogging only controls L4 audit logging and we unconditionally log the packet data for all Suricata alert events. (#6651, @qiyueyao)
• Fix NetworkPolicy related antctl commands including antctl get networkpolicy and antctl get ovsflows. (#6487, @Dyanngg)
• Fix the template ID not existing error in IPFIX exporter for FlowAggregator. (#6630, @antoninbas)
• Fix an antrea-agent crash issue when the host interface is already attached to the OVS bridge for SecondaryNetwork. (#6666, @xliuxu)
• Delay the initialization of ARP / NDP responders to fix the ServiceExternalIP feature when SecondaryNetwork is enabled. (#6700, @xliuxu)
• Run the IPPool webhook handler when SecondaryNetwork is enabled. (#6691, @luolanzone)
• Fix a slice init length issue for NetworkPolicy controller. (#6715, @cuishuang)
• Improve memory copying logic to avoid a potential memory fault on Windows. (#6664 #6673, @XinShuYang @tnqn)
• Document a workaround for using EgressSeparateSubnet feature on OpenShift. (#6622 #6775, @luolanzone @jianjuns)
• Clean up stale resources when antctl check cluster fails. (#6597, @luolanzone)
• Fix hint annotation implementation in AntreaProxy. (#6607, @hongliangl)
• Initialize creationTimestamp when creating instances of NodeLatencyStats to prevent a null creationTimestamp issue. (#6574, @hkiiita)
• Avoid error log when unmarshalling config for Antrea Multi-cluster Controller. (#6744, @antoninbas)

Antrea v2.2.0-alpha.2

The main purpose of this pre-release is to validate the updated workflow for building and publishing Antrea images. This release is not meant to be used in production.

Antrea v2.2.0-alpha.1

Release is not usable as image manifests were not published correctly.

The main purpose of this pre-release is to validate the updated workflow for building and publishing Antrea images. This release is not meant to be used in production.

Antrea v2.2.0-alpha.0

Release is not usable as image manifests were not published correctly.

The main purpose of this pre-release is to validate the updated workflow for building and publishing Antrea images. This release is not meant to be used in production.

Antrea v2.1.0

Added

• Add a new feature BGPPolicy that allows users to run a BGP process on selected Kubernetes Nodes and advertise Service IPs, Pod IPs, and Egress IPs to remote BGP peers.
  • Add BGPPolicy API and Controller. (#6009 #6203, @hongliangl)
  • Add BGP datapath interface and implement goBGP integration. (#6447, @hongliangl)
  • Add documentation for the BGPPolicy feature. (#6524, @hongliangl)
  • Refer to this document for more information about this feature.
• Add a new feature NodeLatencyMonitor that allows users to do east/west connectivity monitoring and provides an API to query inter-Node latency. (#6120 #6392 #6479, @IRONICBo)
• Add two new antctl commands to validate a K8s Cluster before Antrea installation, and allow users to validate basic network and security functionalities after Antrea is installed.
  • Add antctl check cluster command to to ensure that a K8s cluster is configured properly before Antrea installation. (#6278, @kanha-gupta)
  • Add antctl check installation command to conduct Pod/Service connectivity checks and verify basic NetworkPolicy rules. (#6133 #6313 #6367, @kanha-gupta)
  • Add documentation for the new antctl check commands. (#6373, @kanha-gupta)
  • Refer to this document for more information about these new commands.

Changed

• Ensure Antrea Proxy handles all Service traffic with proxyAll enabled, even when kube-proxy is present. (#6308, @hongliangl)
• Optimize the containerized OVS installation on Windows, manual installation of the OVS kernel driver is usually not required anymore. (#6383, @wenyingd)
• Add OVS driver installation in initContainer for Antrea Agent on Windows. (#6312, @XinShuYang)
• Use HostProcess container base image and buildx to build the Antrea Agent Windows image, Window Server 2019 and later are now supported with the same image, including Windows Server 2022. (#6325, @wenyingd)
• Support shared LoadBalancerIP for multiple Services by introducing a new annotation service.antrea.io/allow-shared-load-balancer-ip: true. (#6480, @tnqn)
• Promote feature CleanupStaleUDPSvcConntrack from Alpha to Beta. (#6372, @hongliangl)
• Always include Pod labels in FlowAggregator IPFIX template. (#6418, @antoninbas)
• Fix live config updates on IPFIXExporter for FlowAggregator. (#6385, @antoninbas)
• Improve handling of config changes in FlowAggregator to support updating recordContents.podLabels at runtime. (#6378, @antoninbas)
• Add an EndpointResolver to remove Antrea Agent's dependency on proxy to access Antrea Service. (#6361, @antoninbas)
• Replace bincover with built-in Go coverage profiling tool. (#6090, @shikharish)
• Trim unneeded fields stored in informers and Node objects to reduce memory footprint. (#6317 #6351, @tnqn)
• Remove stale multicast routes to improve the readability of multicast routes. (#3242, @ceclinux)
• Add srcPodIP field in Traceflow observations. (#6247, @Atish-iaf)
• Use Helm to generate Antrea Windows manifests. (#6360, @shikharish)
• Upgrade CNI plugins from v1.4.1 to v1.5.1. (#6475, @antoninbas)
• Add documentation for the sameLabels feature in Antrea ClusterNetworkPolicy. (#6280, @Dyanngg)
• Add recommended usage of FQDN policies. (#6389, @Dyanngg)

Fixed

• Fix NodePortLocal rules being deleted incorrectly due to PodIP recycle. (#6531, @tnqn)
• Fix "Access is denied" error when importing certificates into the trusted publishers store on Windows server 2022. (#6529, @wenyingd)
• Fix the Node network connection breaking when attaching a host interface to the secondary OVS bridge. (#6504, @wenyingd)
• Exclude terminated Pods from group members when calculating AppliedToGroups and EgressGroups to prevent NetworkPolicies or Egresses applying to wrong Pods. (#6508, @tnqn)
• Fix install_cni_chaining script not configuring CNI conf correctly with AKS or CNI chaining, when the CNI conf file is not ready. (#6506, @tnqn)
• Wait for OVS bridge datapath ID to be available after creating br-int to avoid failures when the Antrea Agent tries to query supported OVS datapath features. (#6472, @antoninbas)
• Fix a bug causing Antrea Proxy not to delete stale UDP conntrack entries for the virtual NodePort DNAT IP. (#6379, @hongliangl)
• Fix Antrea Agent crash when enabling proxyAll in networkPolicyOnly mode. (#6259, @hongliangl)
• Improve stale UDP conntrack entries deletion accuracy in Antrea Proxy. (#6193, @hongliangl)
• Remove unexpected altname after renaming interface to avoid failure when moving host interface to OVS bridge. (#6321, @gran-vmv)
• Avoid generating a zombie process when starting Suricata, the L7 ANP engine. (#6366, @hongliangl)
• Fix a single rule deletion bug for NodePortLocal on Linux and improve robustness of NPL rule cleanup. (#6284, @antoninbas)
• Delay removal of flow-restore-wait to fix traffic interruption issue when Antrea Agent restarts. (#6342, @antoninbas)
• Fix antctl mc deploy command usage to make the version parameter optional. (#6287, @roopeshsn)
• Fix inaccuracy in Traceflow user guide. (#6319, @antoninbas)

Antrea v2.1.0-beta.0

Note that this pre-release of v2.1.0 does not include BGPPolicy support, which will be a major feature in the final v2.1.0 release.

Antrea v2.0.1

Changed

• Update CNI binaries version to v1.4.1. (#6334, @antoninbas)
• Add documentation for the sameLabels feature in ACNP. (#6280, @Dyanngg)

Fixed

• Remove unexpected altname after renaming interface to avoid failure when moving host interface to OVS bridge. (#6321, @gran-vmv)
• Fix a single rule deletion bug for NodePortLocal on Linux and improve robustness of NPL rule cleanup. (#6284, @antoninbas)
• Fix a bug causing AntreaProxy not to delete stale UDP conntrack entries for the virtual NodePort DNAT IP. (#6379, @hongliangl)
• Improve stale UDP conntrack entries deletion accuracy in AntreaProxy. (#6193, @hongliangl)
• Fix antrea-agent crash when enabling proxyAll in networkPolicyOnly mode. (#6259, @hongliangl)
• Avoid generating defunct process when starting Suricata, the L7 ANP engine. (#6366, @hongliangl)
• Fix inaccuracy in Traceflow user guide. (#6319, @antoninbas)

Antrea v1.15.2

Fixed

• Remove unexpected altname after renaming interface to avoid failure when moving host interface to OVS bridge. (#6321, @gran-vmv)
• Do not try to update type of Secret in selfSignedCertProvider to avoid self-signed certificate update failure. (#6205, @tnqn)
• Install multicast related iptables rules only on IPv4 chains to fix the antrea-agent initialization failure occurring when the Multicast feature is enabled in dual-stack clusters. (#6123, @wenyingd)
• Fix a single rule deletion bug for NodePortLocal on Linux and improve robustness of NPL rule cleanup. (#6284, @antoninbas)
• Fix a bug causing AntreaProxy not to delete stale UDP conntrack entries for the virtual NodePort DNAT IP. (#6379, @hongliangl)
• Improve stale UDP conntrack entries deletion accuracy in AntreaProxy. (#6193, @hongliangl)
• Fix antrea-agent crash when enabling proxyAll in networkPolicyOnly mode. (#6259, @hongliangl)
• Fix a bug preventing local traffic from being identified in networkPolicyOnly mode. (#6251, @hongliangl)
• Avoid generating defunct process when starting Suricata, the L7 ANP engine. (#6366, @hongliangl)

Antrea v2.0.0

Some deprecated APIs have been removed in Antrea v2.0. Before upgrading, please read these guidelines carefully.

Added

• Support LoadBalancerIPMode in AntreaProxy to implement K8s KEP-1860. (#6102, @hongliangl)
• Add sameLabels field support for Antrea ClusterNetworkPolicy peer Namespace selection to allow users to create ACNPs that isolate Namespaces based on their label values. (#4537, @Dyanngg)
• Add multiple physical interfaces support for the secondary network bridge. (#5959, @aroradaman)
• Use a Node's primary NIC as the secondary OVS bridge physical interface. (#6108, @aroradaman)
• Add user documentation for Antrea native secondary network support. (#6015 #6042, @jianjuns @antoninbas)
• Add a new versioned API NetworkPolicyEvaluation and a new antctl sub-command for querying the effective policy rule applied to particular traffic. (#5740 #6112, @qiyueyao)

Changed

• Multiple deprecated APIs, fields and options have been removed from Antrea.
  • Remove deprecated v1alpha1 CRDs Tier, ClusterNetworkPolicy, NetworkPolicy, Traceflow and ExternalEntity. (#6162 #6177 #6238, @luolanzone @hjiajing @antoninbas)
  • Remove deprecated v1alpha2 and v1alpha3 CRDs ClusterGroups, ExternalIPPool, ClusterGroup and Group. (#6049 #6239, @luolanzone @antoninbas)
  • Remove deprecated ServiceAccount field in ClusterSet type for Antrea Multi-cluster. (#6134, @luolanzone)
  • Remove deprecated options enableIPSecTunnel,multicastInterfaces, multicluster.enable and legacyCRDMirroring. (#5158, @luolanzone)
  • Clean up unused code for NodePortLocal and remove the deprecated nplPortRange config. (#5943, @luolanzone)
  • Clean up deprecated APIServices. (#6002, @tnqn)
• Documentation has been updated to reflect recent changes and provide better guidance to users.
  • Add upgrade instructions for Antrea v2.0. (#6261, @antoninbas)
  • Update the OVS pipeline document and workflow diagram to keep them up to date. (#5412, @hongliangl)
  • Clarify documentation for IPPool and ExternalIPPool CRDs. (#6183, @antoninbas)
  • Document Pods using FQDN based policies must respect DNS TTL. (#6230, @tnqn)
  • Document the limitations of Audit Logging for policy rules. (#6225, @antoninbas)
• Optimizing Antrea binaries size.
  • Optimize package organization to reduce antctl binary size. (#6037, @tnqn)
  • Reduce antrea-cni binary size by removing unnecessary import packages. (#6038, @tnqn)
  • Strip all debug symbols from Go binaries by default. (#6035, @antoninbas)
  • Disable cgo for all Antrea binaries. (#5988, @antoninbas)
• Increase the minimum supported Kubernetes version to v1.19. (#6089, @hjiajing)
• Add OVS groups dump information to support bundle to help troubleshooting. (#6195, @shikharish)
• Add egressNodeName in flow records for Antrea Flow Aggregator. (#6012, @Atish-iaf)
• Add EgressNode field in the Traceflow Egress observation to include the name of the Egress Node. (#5949, @Atish-iaf)
• Upgrade IPPool CRD to v1beta1 and make the subnet definition consistent with the one in ExternalIPPool CRD. (#6036, @mengdie-song)
• Request basic memory for antrea-controller to improve its scheduling and reduce its OOM adjustment score, enhancing overall robustness. (#6233, @tnqn)
• Increase default rate limit of antrea-controller to improve performance for batch requests. (#6231, @tnqn)
• Remove Docker support for antrea-agent on Windows, update Windows documentation to remove all Docker-specific instructions, and all mentions of (userspace) kube-proxy. (#6019 #6255, @XinShuYang @antoninbas)
• Stop publishing the legacy unified image. (#6182, @antoninbas)
• Avoid unnecessary DNS queries for FQDN rule of NetworkPolicy in antrea-agent. (#6200, @tnqn)
• Stop using projects.registry.vmware.com for user-facing images. (#6073, @antoninbas)
• Fall back to lenient decoding when strict decoding config fails to tolerate unknown fields and duplicate fields, ensuring forward compatibility of configurations. (#6156, @tnqn)
• Skip loading openvswitch kernel module if it's already built-in. (#5979, @antoninbas)
• Persist TLS certificate and key of antrea-controller and sync the CA cert periodically to improve robustness. (#5955 #6205, @tnqn)
• Add more validations for ExternalIPPool CRD to improve robustness. (#5898, @aroradaman)
• Add Antrea L7 NetworkPolicy logs for allowed HTTP traffic. (#6014, @qiyueyao)
• Update maximum number of buckets to 700 in OVS group add/insert_bucket message. (#5942, @hongliangl)
• Add a flag for antctl to print OVS table names when users run antctl get ovsflows --table-names-only. (#5895 #6100, @luolanzone)
• Improve log message when antrea-agent fails to join a new Node. (#6048, @roopeshsn)
• Remove the prefix rancher-wins when collecting antrea-agent logs on Windows. (#6223, @wenyingd)
• Upgrade K8s libraries to v0.29.2. (#5843, @hjiajing)
• Upgrade base image from UBI8 to UBI9 for Antrea UBI images. (#5737, @xliuxu)

Fixed

• Fix nil pointer dereference when ClusterGroup/Group is used in NetworkPolicy controller. (#6077, @tnqn)
• Disable libcapng to make logrotate run as root in UBI images to fix an OVS crash issue. (#6052, @xliuxu)
• Fix a race condition in antrea-agent Traceflow controller when a tag is associated again with a new Traceflow before the old Traceflow deletion event is processed. (#5954, @tnqn)
• Change the maximum flags from 7 to 255 to fix the wrong TCP flags validation issue in Traceflow CRD. (#6050, @gran-vmv)
• Use 65000 MTU upper bound for interfaces in encap mode to account for the MTU automatically configured by OVS on tunnel ports, and avoid packet drops on some clusters. (#5997, @antoninbas)
• Install multicast related iptables rules only on IPv4 chains to fix the antrea-agent initialization failure occurred when the Multicast feature is enabled in dual-stack clusters. (#6123, @wenyingd)
• Remove incorrect AntreaProxy warning on Windows when proxyAll is disabled. (#6242, @antoninbas)
• Explicitly set kubelet's log files in Prepare-Node.ps1 on Windows, to ensure that they are included in support bundle collections. (#6221, @wenyingd)
• Add validation on antrea-agent options to fail immediately when encryption is requested and the Multicast feature enabled. (#5920, @wenyingd)
• Don't print the incorrect warning message when users run antrea-controller --version outside of K8s. (#5993, @prakrit55)
• Record event when EgressIP is uninstalled from a Node and remains unassigned. (#6011, @jainpulkit22)
• Fix a bug that the local traffic cannot be identified on networkPolicyOnly mode. (#6251, @HongLia...

Antrea v1.13.4

Added

• Enable Windows OVS container to run on pristine host environment, without requiring some dependencies to be installed manually ahead of time. (#5440, @NamanAg30)

Changed

• Stop using projects.registry.vmware.com for user-facing images. (#6073, @antoninbas)
• Persist TLS certificate and key of antrea-controller and periodically sync the CA cert to improve robustness. (#5955, @tnqn)
• Disable cgo for all Antrea binaries. (#5988, @antoninbas)

Fixed

• Disable libcapng to make logrotate run as root in UBI images to fix an OVS crash issue. (#6052, @xliuxu)
• Fix nil pointer dereference when ClusterGroup/Group is used in NetworkPolicy controller. (#6077, @tnqn)
• Fix race condition in agent Traceflow controller when a tag is associated again with a new Traceflow before the old Traceflow deletion event is processed. (#5954, @tnqn)
• Change the maximum flags from 7 to 255 to fix the wrong TCP flags validation issue in Traceflow CRD. (#6050, @gran-vmv)
• Fix incorrect MTU configurations for the WireGuard encryption mode and GRE tunnel mode. (#5880 #5926, @hjiajing @tnqn)
• Use 65000 MTU upper bound for interfaces in encap mode in case of large packets being dropped unexpectedly. (#5997, @antoninbas)
• Install Multicast related iptables rules only on IPv4 chains to fix the Antrea agent initialization failure occurred when Multicast feature is enabled in dual-stack clusters. (#6123, @wenyingd)