Releases: antrea-io/antrea
Release v1.8.0-alpha.1
The main purpose of this pre-release is to validate Antrea Helm chart releases.
Release v1.7.0
Added
- Add TrafficControl feature to control the transmission of Pod traffic; it allows users to mirror or redirect traffic originating from specific Pods or destined for specific Pods to a local network device or a remote destination via a tunnel of various types. (#3644 #3580 #3487, [@tnqn] [@hongliangl] [@wenqiq])
  - Refer to this document for more information about this feature.
  - Refer to this cookbook for more information about using this feature to provide network-based intrusion detection service to your Pods.
- Add support for the IPsec Certificate-based Authentication. (#3778, [@xliuxu])
  - Add an Antrea Agent configuration option `ipsec.authenticationMode` to specify authentication mode. Supported options are "psk" (default) and "cert".
  - Add an Antrea Controller configuration option `ipsecCSRSigner.autoApprove` to specify the auto-approve policy of Antrea CSR signer for IPsec certificates management. By default, Antrea will auto-approve the CertificateSigningRequest (CSR) if it is verified.
  - Add an Antrea Controller configuration option `ipsecCSRSigner.selfSignedCA` to specify whether to use auto-generated self-signed CA certificate. By default, Antrea will auto-generate a self-signed CA certificate.
- Add the following capabilities to Antrea-native policies:
- Add the following capabilities to the Multicast feature:
  - Add `antctl get podmulticaststats` command to query Pod-level multicast traffic statistics in Agent mode. (#3449, [@ceclinux])
  - Add "MulticastGroup" API to query Pods that have joined multicast groups; `kubectl get multicastgroups` can generate requests and output responses of the API. (#3354 #3449, [@ceclinux])
  - Add an Antrea Agent configuration option `multicast.igmpQueryInterval` to specify the interval at which the antrea-agent sends IGMP queries to Pods. (#3819, [@liu4480])
- Add the following capabilities to the Multi-cluster feature:
  - Add the Multi-cluster Gateway functionality which supports routing Multi-cluster Service traffic across clusters through tunnels between the Gateway Nodes. It enables Multi-cluster Service access across clusters, without requiring direct reachability of Pod IPs between clusters. (#3689 #3463 #3603, [@luolanzone])
  - Add a number of `antctl mc` subcommands for bootstrapping Multi-cluster; refer to the Multi-cluster antctl document for more information. (#3474, [@hjiajing])
- Add the following capabilities to secondary network IPAM:
- Add support for NodePortLocal on Windows. (#3453, [@XinShuYang])
- Add support for Traceflow on Windows. (#3022, [@gran-vmv])
- Add support for containerd to antrea-eks-node-init.yml. (#3840, [@antoninbas])
- Add an Antrea Agent configuration option `disableTXChecksumOffload` to support cases in which the datapath's TX checksum offloading does not work properly. (#3832, [@tnqn])
- Add support for InternalTrafficPolicy in AntreaProxy. (#2792, [@hongliangl])
- Add the following documentation:
  - Add documentation for the Antrea Agent RBAC permissions and how to restrict them using Gatekeeper/OPA. (#3694, [@antoninbas])
  - Add quick start guide for Antrea Multi-cluster. (#3853, [@luolanzone] [@jianjuns])
  - Add documentation for the AntreaProxy feature. (#3679, [@antoninbas])
  - Add documentation for secondary network IPAM. (#3634, [@jianjuns])
Changed
- Optimize generic traffic performance by reducing OVS packet recirculation. (#3858, [@tnqn])
- Optimize NodePort traffic performance by reducing OVS packet recirculation. (#3862, [@hongliangl])
- Improve validation for IPPool CRD. (#3570, [@jianjuns])
- Improve validation for `egress.to.namespaces.match` of AntreaClusterNetworkPolicy rules. (#3727, [@qiyueyao])
- Deprecate the Antrea Agent configuration option `multicastInterfaces` in favor of `multicast.multicastInterfaces`. (#3898, [@tnqn])
- Reduce permissions of Antrea Agent ServiceAccount. (#3691, [@xliuxu])
- Create a Secret in the Antrea manifest for the antctl and antrea-agent ServiceAccount as K8s v1.24 no longer creates a token for each ServiceAccount automatically. (#3730, [@antoninbas])
- Implement garbage collector for IP Pools to clean up allocations and reservations for which owner no longer exists. (#3672, [@annakhm])
- Preserve client IP if the selected Endpoint is local regardless of ExternalTrafficPolicy. (#3604, [@hongliangl])
- Add a Helm chart for Antrea and use the Helm templates to generate the standard Antrea YAML manifests. (#3578, [@antoninbas])
- Make "Agent mode" antctl work out-of-the-box on Windows. (#3645, [@antoninbas])
- Truncate SessionAffinity timeout values of Services instead of wrapping around. (#3609, [@antoninbas])
- Move Antrea Windows log dir from `C:\k\antrea\logs\` to `C:\var\log\antrea\`. (#3416, [@GraysonWu])
- Limit max number of data values displayed on Grafana panels. (#3812, [@heanlan])
- Support deploying ClickHouse with Persistent Volume. (#3608, [@yanjunz97])
- Remove support for ELK Flow Collector. (#3738, [@heanlan])
- Improve documentation for Antrea-native policies. (#3512, [@Dyanngg])
- Update OVS version to 2.17.0. (#3591, [@antoninbas])
Fixed
- Fix Egress not working with kube-proxy IPVS strictARP mode. (#3837, [@xliuxu])
- Fix intra-Node Pod traffic bypassing Ingress NetworkPolicies in some scenarios. (#3809, [@hongliangl])
- Fix FQDN policy support for IPv6. (#3869, [@tnqn])
- Fix multicast not working if the AntreaPolicy feature is disabled. (#3807, [@liu4480])
- Fix tolerations for Pods running on control-plane for Kubernetes >= 1.24. (#3731, [@xliuxu])
- Fix DNS resolution error of antrea-agent on AKS by using `ClusterFirst` dnsPolicy. (#3701, [@tnqn])
- Clean up stale routes installed by AntreaProxy when ProxyAll is disabled. (#3465, [@hongliangl])
- Ensure that Service traffic does not bypass NetworkPolicies when ProxyAll is enabled on Windows. (#3510, [@hongliangl])
- Use IP and MAC to find virtual management adapter to fix Agent crash in some scenarios on Windows. (#3641, [@wenyingd])
- Fix handling of the "reject" packets generated by the Antrea Agent to avoid infinite looping. (#3569, [@GraysonWu])
- Fix export/import of Serv...
Release v1.5.3
Fixed
- Fix export/import of Services with named ports when using the Antrea Multi-cluster feature. (#3561, @luolanzone)
- Fix handling of the "reject" packets generated by the Antrea Agent to avoid infinite looping. (#3569, @GraysonWu)
- Fix DNS resolution error of Antrea Agent on AKS by using `ClusterFirst` dnsPolicy. (#3701, @tnqn)
- Fix tolerations for Pods running on control-plane for Kubernetes >= 1.24. (#3731, @xliuxu)
- Reduce permissions of Antrea Agent ServiceAccount. (#3691, @xliuxu)
Release v1.6.1
Added
- Add documentation for the Antrea Agent RBAC permissions and how to restrict them using Gatekeeper/OPA. (#3694, @antoninbas)
Fixed
- Clean up stale routes installed by AntreaProxy when ProxyAll is disabled. (#3465, @hongliangl)
- Fix export/import of Services with named ports when using the Antrea Multi-cluster feature. (#3561, @luolanzone)
- Fix handling of the "reject" packets generated by the Antrea Agent to avoid infinite looping. (#3569, @GraysonWu)
- Fix DNS resolution error of Antrea Agent on AKS by using `ClusterFirst` dnsPolicy. (#3701, @tnqn)
- Fix tolerations for Pods running on control-plane for Kubernetes >= 1.24. (#3731, @xliuxu)
- Reduce permissions of Antrea Agent ServiceAccount. (#3691, @xliuxu)
- [Windows] Ensure that Service traffic does not bypass NetworkPolicies when ProxyAll is enabled. (#3510, @hongliangl)
- Fix Antrea wildcard FQDN NetworkPolicies not working when NodeLocal DNSCache is enabled. (#3510, @hongliangl)
Release v1.2.4
Changed
- Use iptables-wrapper in Antrea container. Now antrea-agent can work with distros that lack the iptables kernel module of "legacy" mode (ip_tables). (#3276, @antoninbas)
- Reduce permissions of Antrea ServiceAccount for updating annotations. (#3393, @tnqn)
- [Windows] Use uplink MAC as source MAC when transmitting packets to underlay network from Windows Nodes. Therefore, MAC address spoofing configuration like "Forged transmits" in VMware vSphere doesn't need to be enabled. (#3516, @wenyingd)
Fixed
- Fix DNS resolution error of antrea-agent on AKS by using `ClusterFirst` dnsPolicy. (#3701, @tnqn)
- Fix status report of Antrea-native policies with multiple rules that have different AppliedTo. (#3074, @tnqn)
- Upgrade Go version to 1.17 to pick up security fix for CVE-2021-44716. (#3189, @antoninbas)
- Fix NetworkPolicy resources dump for Agent's supportbundle. (#3083, @antoninbas)
- Fix gateway interface MTU configuration error on Windows. (#3043, @lzhecheng) [Windows]
- Fix initialization error of antrea-agent on Windows by specifying hostname explicitly in VMSwitch commands. (#3169, @XinShuYang) [Windows]
- Ensure that the Windows Node name obtained from the environment or from hostname is converted to lower-case. (#2672, @shettyg) [Windows]
- Fix typos in the example YAML in antrea-network-policy doc. (#3079 #3092, @antoninbas @Jexf)
- Fix ipBlock referenced in nested ClusterGroup not processed correctly. (#3383, @Dyanngg)
- Fix NetworkPolicy may not be enforced correctly after restarting a Node. (#3467, @tnqn)
- Fix antrea-agent crash caused by interface detection in AKS/EKS with NetworkPolicyOnly mode. (#3219, @wenyingd)
- Fix locally generated packets from Node net namespace might be SNATed mistakenly when Egress is enabled. (#3430, @tnqn)
Release v1.6.0
- The Egress feature is graduated from Alpha to Beta and is therefore enabled by default.
- The support for proxying all Service traffic by Antrea Proxy (enabled by `antreaProxy.proxyAll`) is now Beta.
Added
- Add the following capabilities to the [Antrea IPAM] feature:
- Add the following capabilities to the [Antrea Multi-cluster] feature:
- Add the following capabilities to the [AntreaPolicy] feature:
  - Add Node selector in Antrea-native policies to allow matching traffic originating from specific Nodes or destined to specific Nodes. (#3038, [@wenqiq])
  - Add ServiceAccount selector in Antrea-native policies to allow selecting Pods by ServiceAccount. (#3044, [@GraysonWu])
  - Support Pagination for ClusterGroupMembership API. (#3183, [@qiyueyao])
  - Add Port Number to Audit Logging. (#3277, [@qiyueyao])
- [Flow Visibility] Add Grafana Flow Collector as the new visualization tool for flow records.
  - Add Grafana dashboards, Clickhouse data schema, deployment files, and doc. (#3063 #3525, [@heanlan] [@zyiou] [@dreamtalen])
  - Add support for exporting flow records to ClickHouse from Flow Aggregator. (#3196 #3526, [@wsquan171] [@dreamtalen])
  - Add ClickHouse monitor to ensure data retention for in-memory ClickHouse deployment. (#3244 #3498, [@yanjunz97])
- [Multicast] Support IGMPv3 leave action. (#3389, [@wenyingd])
- [Windows] Add support for EndpointSlices on Windows Nodes. (#3321, [@XinShuYang])
- Add SKIP_CNI_BINARIES environment variable to support skipping the installation of specified CNI plugins. (#3454, [@jainpulkit22])
- Support UBI8-based container image to run Antrea. (#3273, [@ksamoray])
- Add the following documentation:
  - Add documentation for ServiceExternalIP feature and Service of type LoadBalancer. (#3322, [@hty690])
  - Add documentation for deploying Antrea to Minikube cluster. (#3391, [@jainpulkit22])
  - Add documentation for `antctl` Multi-cluster commands. (#3414, [@bangqipropel])
  - Add documentation for Multiple-VLAN support. (#3507, [@gran-vmv])
  - Add upgrade guide for Multi-cluster. (#3374, [@luolanzone])
  - Add a per-rule example for NetworkpolicyStats docs. (#3356, [@ceclinux])
Changed
- Remove all legacy (*.antrea.tanzu.vmware.com) APIs. (#3299, [@antoninbas])
- Remove Kind-specific manifest and scripts. Antrea now uses OVS kernel datapath for Kind clusters. (#3413, [@antoninbas])
- [Windows] Use uplink MAC as source MAC when transmitting packets to underlay network from Windows Nodes. Therefore, MAC address spoofing configuration like "Forged transmits" in VMware vSphere doesn't need to be enabled. (#3516, [@wenyingd])
- Add an agent config parameter "enableBridgingMode" for enabling flexible IPAM (bridging mode). (#3297 #3365, [@jianjuns])
- Use iptables-wrapper in Antrea container to support distros that run iptables in "nft" mode. (#3276, [@antoninbas])
- Install CNI configuration files after installing CNI binaries to support container runtime `cri-o`. (#3154, [@tnqn])
- Upgrade packaged Whereabouts version to v0.5.1. (#3511, [@antoninbas])
- Upgrade to go-ipfix v0.5.12. (#3352, [@yanjunz97])
- Upgrade Kustomize from v3.8.8 to v4.4.1 to fix Cronjob patching bugs. (#3402, [@yanjunz97])
- Fail in Agent initialization if GRE tunnel type is used with IPv6. (#3156, [@antoninbas])
- Refactor the OpenFlow pipeline for future extensibility. (#3058, [@hongliangl])
- Validate IP ranges of IPPool for Antrea IPAM. (#2995, [@ksamoray])
- Validate protocol in the CRD schema of Antrea-native policies. (#3342, [@KMAnju-2021])
- Validate labels in the CRD schema of Antrea-native policies and ClusterGroup. (#3331, [@GraysonWu])
- Reduce permissions of Antrea ServiceAccounts. (#3393, [@tnqn])
- Remove --k8s-1.15 flag from hack/generate-manifest.sh. (#3350, [@antoninbas])
- Remove unnecessary CRDs and RBAC rules from Multi-cluster manifest. (#3491, [@luolanzone])
- Update label and image repo of antrea-mc-controller to be consistent with antrea-controller and antrea-agent. (#3266 #3466, [@luolanzone])
- Add clusterID annotation to ServiceExport/Import resources. (#3359, [@luolanzone])
- Do not log error when Service for Endpoints is not found to avoid log spam. (#3256, [@tnqn])
- Ignore Services of type ExternalName for NodePortLocal feature. (#3114, [@antoninbas])
- Add powershell command replacement in the Antrea Windows documentation. (#3264, [@GraysonWu])
Fixed
- Add userspace ARP/NDP responders to fix Egress and ServiceExternalIP support for IPv6 clusters. (#3318, [@hty690])
- Fix incorrect results by `antctl get networkpolicy` when both Pod and Namespace are specified. (#3499, [@Dyanngg])
- Fix IP leak issue when AntreaIPAM is enabled. (#3314, [@gran-vmv])
- Fix error when dumping OVS flows for a NetworkPolicy via `antctl get ovsflows`. (#3335, [@jainpulkit22])
- Fix IPsec encryption for IPv6 overlays. (#3155, [@antoninbas])
- Add ignored interfaces names when getting interface by IP to fix NetworkPolicyOnly mode in AKE. (#3219, [@wenyingd])
- Fix duplicate IP case for NetworkPolicy. (#3467, [@tnqn])
- Don't delete the routes which are added for the peer IPv6 gateways on Agent startup. (#3336 #3490, [@Jexf] [@xliuxu])
- Fix pkt mark conflict between HostLocalSourceMark and SNATIPMark. (#3430, [@tnqn])
- Unconditionally sync CA cert for Controller webhooks to fix Egress support when AntreaPolicy is disabled. (#3421, [@antoninbas])
- Fix inability to access NodePort in particular cases. (#3371, [@hongliangl])
- Fix ipBlocks referenced in nested ClusterGroup not processed correctly. (#3383, [@Dyanngg])
- Realize Egress for a Pod as soon as its network is created. (#3360, [@tnqn])
- Fix NodePort/LoadBalancer issue when proxyAll is enabled. (#3295, [@hongliangl])
- Do not panic when processing a PacketIn message for a denied connection. (#3447, [@antoninbas])
- ...
Release v1.5.2
Fixed
- Fix NetworkPolicy may not be enforced correctly after restarting a Node. (#3467, @tnqn)
- Fix antrea-agent crash caused by interface detection in AKS/EKS with NetworkPolicyOnly mode. (#3219, @wenyingd)
- Fix locally generated packets from Node net namespace might be SNATed mistakenly when Egress is enabled. (#3430, @tnqn)
Release v1.5.1
Changed
- Use iptables-wrapper in Antrea container. Now antrea-agent can work with distros that lack the iptables kernel module of "legacy" mode (ip_tables). (#3308, @antoninbas)
- Reduce permissions of Antrea ServiceAccount for updating annotations. (#3408, @tnqn)
Fixed
- Fix NodePort/LoadBalancer Service cannot be accessed when externalTrafficPolicy changed from Cluster to Local with proxyAll enabled. (#3330, @hongliangl)
- Fix initial egress connections from Pods may go out with node IP rather than Egress IP. (#3378, @tnqn)
- Fix NodePort Service access when an Egress selects the same Pod as the NodePort Service. (#3397, @hongliangl)
- Fix ipBlock referenced in nested ClusterGroup not processed correctly. (#3405, @Dyanngg)
Release v1.5.0
Added
- Add Antrea Multi-cluster feature which allows users to export and import Services and Endpoints across multiple clusters within a ClusterSet, and enables inter-cluster Service communication in the ClusterSet. (#3199, @luolanzone @aravindakidambi @bangqipropel @hjiajing @Dyanngg [@suwang48404] @abhiraut) [Alpha]
  - Refer to Antrea Multi-cluster Installation to get started
  - Refer to Antrea Multi-cluster Architecture for more information regarding the implementation
- Add support for multicast that allows forwarding multicast traffic within the cluster network (i.e., between Pods) and between the external network and the cluster network. (#2652 #3142 #2835 #3171 #2986, [@wenyingd] @ceclinux [@XinShuYang]) [Alpha - Feature Gate: `Multicast`]
  - In this release the feature is only supported on Linux Nodes for IPv4 traffic in `noEncap` mode
- Add support for IPPool and IP annotations on Pod and PodTemplate of Deployment and StatefulSet in AntreaIPAM mode. (#3093 #3042 #3141 #3164 #3146, @gran-vmv @annakhm)
  - IPPool annotation on Pod has a higher priority than the IPPool annotation on Namespace
  - A StatefulSet Pod's IP will be kept after Pod restarts when the IP is allocated from IPPool
  - Refer to Antrea IPAM Capabilities for more information
- Add support for SR-IOV secondary network. Antrea can now create secondary network interfaces for Pods using SR-IOV VFs on bare metal Nodes. (#2651, @arunvelayutham) [Alpha - Feature Gate: `SecondaryNetwork`]
- Add support for allocating external IPs for Services of type LoadBalancer from an ExternalIPPool. (#3147 [@Shengkai2000]) [Alpha - Feature Gate: `ServiceExternalIP`]
- Add support for antctl in the flow aggregator Pod. (#2878, [@yanjunz97])
  - Support `antctl log-level` for changing log verbosity level
  - Support `antctl get flowrecords [-o json]` for dumping flow records
  - Support `antctl get recordmetrics` for dumping flow records metrics
- Add support for the "Pass" action in Antrea-native policies to skip evaluation of further Antrea-native policy rules and delegate evaluation to Kubernetes NetworkPolicy. (#2964, @Dyanngg)
- Add user documentation for using Project Antrea with Fluentd in order to collect audit logs from each Node. (#2853, [@qiyueyao])
- Add user documentation for deploying Antrea on AKS Engine. (#2963, @jianjuns)
- Improve NodePortLocal documentation to list supported Service types and add information about existing integrations with external Load Balancers. (#3113, @antoninbas)
- Document how to run Antrea e2e tests on an existing K8s cluster (#3045, [@xiaoxiaobaba])
Changed
- Make LoadBalancer IP proxying configurable for AntreaProxy to support scenarios in which it is desirable to send Pod-to-ExternalIP traffic to the external LoadBalancer. (#3130, @antoninbas)
- Add `startTime` to the Traceflow Status to avoid issues caused by clock skew. (#2952, @antoninbas)
- Add `reason` field in antctl traceflow command output. (#3175, @Jexf)
- Validate serviceCIDR configuration only if AntreaProxy is disabled. (#2936, [@wenyingd])
- Improve configuration parameter validation for NodeIPAM. (#3009, [@tnqn])
- More comprehensive validation for Antrea-native policies. (#3104 #3109, @GraysonWu [@tnqn])
- Update Antrea Octant plugin to support Octant 0.24 and to use the Dashboard client to perform CRUD operations on Antrea CRDs. (#2951, @antoninbas)
- Omit hostNetwork Pods when computing members of ClusterGroup and AddressGroup. (#3080, @Dyanngg)
- Support for using an env parameter `ALLOW_NO_ENCAP_WITHOUT_ANTREA_PROXY` to allow running Antrea in noEncap mode without AntreaProxy. (#3116, @Jexf [@WenzelZ])
- Move throughput calculation for network flow visibility from logstash to flow-aggregator. (#2692, @heanlan)
- Add Go version information to full version string for Antrea binaries. (#3182, @antoninbas)
- Improve kind-setup.sh script and Kind documentation. (#2937, @antoninbas)
- Enable Go benchmark tests in CI. (#3004, [@wenqiq])
- Upgrade Windows OVS version to 2.15.2 to pick up some recent patches. (#2996, [@lzhecheng]) [Windows]
- Remove HNSEndpoint only if infra container fails to create. (#2976, [@lzhecheng]) [Windows]
- Use OVS Port externalIDs instead of HNSEndpoint to cache the externalIDS when using containerd as the runtime on Windows. (#2931, [@wenyingd]) [Windows]
- Reduce network downtime when starting antrea-agent on Windows Node by using Windows management virtual network adapter as OVS internal port. (#3067, [@wenyingd]) [Windows]
Fixed
- Fix error handling of the "Reject" action of Antrea-native policies when determining if the packet belongs to Service traffic. (#3010, @GraysonWu)
- Make the "Reject" action of Antrea-native policies work in AntreaIPAM mode. (#3003, @GraysonWu)
- Set ClusterGroup with child groups to `groupMembersComputed` after all its child groups are created and processed. (#3030, @Dyanngg)
- Fix status report of Antrea-native policies with multiple rules that have different AppliedTo. (#3074, [@tnqn])
- Fix typos and improve the example YAML in antrea-network-policy doc. (#3079, #3092, #3108 @antoninbas @Jexf [@tnqn])
- Fix duplicated attempts to delete unreferenced AddressGroups when deleting Antrea-native policies. (#3136, @Jexf)
- Add retry to update NetworkPolicy status to avoid error logs. (#3134, @Jexf)
- Fix NetworkPolicy resources dump for Agent's supportbundle. (#3083, @antoninbas)
- Use go 1.17 to build release assets. (#3007, @antoninbas)
- Restore the gateway route automatically configured by kernel when configuring IP address if it is missing. (#2835, @antoninbas)
- Fix incorrect parameter used to check if a container is the infra container, which caused errors when reattaching HNS Endpoint. (#3089, [@XinShuYang]) [Windows]
- Fix gateway interface MTU configuration error on Windows. (#3043, [@lzhecheng]) [Windows]
- Fix initialization error of antrea-agent on Windows by specifying hostname explicitly in VMSwitch commands. (#3169, [@XinShuYang]) [Windows]
Release v1.4.0
The NodePortLocal feature is graduated from Alpha to Beta.
Added
- Support for proxying all Service traffic by Antrea Proxy, including NodePort, LoadBalancer, and ClusterIP traffic. Therefore, running kube-proxy is no longer required. (#2599 #2235 #2897 #2863, @hongliangl @lzhecheng)
  - The feature works for both Linux and Windows
  - The feature is experimental and therefore disabled by default. Use the `antreaProxy.proxyAll` configuration parameter for the Antrea Agent to enable it
  - If kube-proxy is removed, the `kubeAPIServerOverride` configuration parameter for the Antrea Agent must be set to access kube-apiserver directly
- Add AntreaIPAM feature that allows flexible control over Pod IP Addressing by assigning pools of IP addresses to specific Namespaces. (#2956, @gran-vmv @annakhm)
  - Add new IPPool API to define ranges of IP addresses which can be used as Pod IPs; the IPs in the IPPools must be in the same "underlay" subnet as the Node IP
  - A Pod's IP will be allocated from the IPPool specified by the `ipam.antrea.io/ippools` annotation of the Pod's Namespace if there is one
  - When the feature is enabled, the Node's network interface will be connected to the OVS bridge, in order to forward cross-Node traffic of AntreaIPAM Pods through the underlay network
  - Refer to the feature documentation for more information
- Add NodeIPAM feature to handle the per-Node PodCIDR allocation for clusters where kube-controller-manager does not run NodeIPAMController. (#1561, @ksamoray)
  - Refer to the feature documentation for instructions on how to configure it
- Support for configurable transport interface CIDRs for Pod traffic. (#2704, @Jexf)
  - Use the `transportInterfaceCIDRs` configuration parameter for the Antrea Agent to choose an interface by network CIDRs
- Add UDP support for NodePortLocal. (#2448, @chauhanshubham)
- Add the `nodePortLocal.enable` configuration parameter for the Antrea Agent to enable NodePortLocal. (#2924, @antoninbas)
- Add more visibility metrics to report the connection status of the Antrea Agent to the Flow Aggregator. (#2668, @zyiou)
- Add the `antreaProxy.skipServices` configuration parameter for the Antrea Agent to specify Services which should be ignored by AntreaProxy. (#2882, @luolanzone)
  - A typical use case is setting `antreaProxy.skipServices` to `["kube-system/kube-dns"]` to make NodeLocal DNSCache work when AntreaProxy is enabled
- Add support for `ToServices` in the rules of Antrea-native policies to allow matching traffic intended for Services. (#2755, @GraysonWu)
- Add the `egress.exceptCIDRs` configuration parameter for the Antrea Agent, to specify IP destinations for which SNAT should not be performed on outgoing traffic. (#2749, @leonstack)
- Add user documentation for WireGuard encryption. (#2902, @jianjuns)
- Add user documentation for encap mode installation for EKS. (#2929, @jianjuns)
Changed
- Remove chmod for OVSDB file from start_ovs, as the permissions are set correctly by OVS 2.15.1. (#2803, @antoninbas)
- Reduce memory usage of antctl when collecting supportbundle. (#2813, @tnqn)
- Do not perform SNAT for egress traffic to Kubernetes Node IPs. (#2762, @leonstack)
- Send gratuitous ARP for EgressIP via the transport interface, as opposed to the interface with Node IP (if they are different). (#2845, @Jexf)
- Ignore hostNetwork Pods selected by Egress, as they are not supported. (#2851, @Jexf)
- Avoid duplicate processing of Egress. (#2884, @Jexf)
- Ignore the IPs of kube-ipvs0 for Egress as they cannot be used for SNAT. (#2930, @Jexf)
- Change flow exporter export expiry mechanism to priority queue based, to reduce CPU usage and memory footprint. (#2360, @heanlan)
- Make Pod labels optional in the flow records. By default, they will not be included in the flow records. Use the `recordContents.podLabels` configuration parameter for the Flow Aggregator to include them. (#2739, @yanjunz97)
- Wait for AntreaProxy to be ready before accessing any K8s Service if `antreaProxy.proxyAll` is enabled, to avoid connection issues on Agent startup. (#2858, @tnqn)
- Update OVS pipeline documentation to include information about AntreaProxy. (#2725, @hongliangl)
- Remove offensive words from scripts and documentation. (#2799, @xiaoxiaobaba)
- Use readable names for OpenFlow tables. (#2585, @wenyingd)
- Improve the OpenAPI schema for CRDs to validate the `matchExpressions` field. (#2887, @wenqiq)
- Fail fast if the source Pod for non-live-traffic Traceflow is invalid. (#2736, @gran-vmv)
- Use the `RenewIPConfig` parameter to indicate whether to renew ipconfig on the host for `Clean-AntreaNetwork.ps1`. It defaults to false. (#2955, @wenyingd) [Windows]
- Add Windows task delay up to 30s to improve job resiliency of `Prepare-AntreaAgent.ps1`, to avoid a failure in initialization after Windows startup. (#2864, @perithompson) [Windows]
Fixed
- Fix nil pointer error when antrea-agent updates OpenFlow priorities of Antrea-native policies without Service ports. (#2730, @wenyingd)
- Fix panic in the Antrea Controller when it processes ClusterGroups that are used by multiple ClusterNetworkPolicies. (#2768, @tnqn)
- Fix an issue with NodePortLocal when a given Pod port needs to be exposed for both TCP and UDP. (#2903, @antoninbas)
- Fix handling of the "Reject" action of Antrea-native policies when the traffic is intended for Services. (#2772, @GraysonWu)
- Fix Agent crash when removing the existing NetNat on Windows Nodes. (#2751, @wenyingd) [Windows]
- Fix container network interface MTU configuration error when using containerd as the runtime on Windows. (#2778, @wenyingd) [Windows]
- Fix path to Prepare-AntreaAgent.ps1 in Windows docs. (#2840, @perithompson) [Windows]
- Fix NetNeighbor Powershell error handling. (#2905, @lzhecheng) [Windows]