Releases: antrea-io/antrea

Release v1.2.3

24 Sep 10:15

Changed

  • Support returning partial supportbundle results when some Nodes fail to respond. (#2788, @hangyan)
  • Remove restriction that only GRE tunnels can be used when enabling IPsec: VXLAN can also be used, and so can Geneve (if the Linux kernel version for the Nodes is recent enough). (#2764, @luolanzone)
  • Reduce memory usage of antctl when collecting supportbundle. (#2821, @tnqn)

Fixed

  • Fix nil pointer error when collecting a supportbundle on a Node for which the antrea-agent container image does not include "iproute2"; this does not affect the standard antrea/antrea-ubuntu container image. (#2789, @liu4480)
  • When creating an IPsec OVS tunnel port to a remote Node, handle the case where the port already exists but with a stale config gracefully: delete the existing port first, then recreate it. (#2765, @luolanzone)
  • Fix panic in the Antrea Controller when it processes ClusterGroups that are used by multiple ClusterNetworkPolicies. (#2768, @tnqn)
  • Fix nil pointer error when antrea-agent updates OpenFlow priorities of Antrea-native policies without Service ports. (#2758, @wenyingd)
  • Fix Pod-to-Service access on Windows when the Endpoints are not non-hostNetwork Pods (e.g. the kubernetes Service). (#2702, @wenyingd) [Windows]
  • Fix container network interface MTU configuration error when using containerd as the runtime on Windows. (#2773, @wenyingd) [Windows]

Release v1.3.0

04 Sep 00:07

Added

  • Add ability to use Fully Qualified Domain Names (FQDNs) in egress policy rules when defining Antrea-native policies: both exact matches and wildcards are supported. (#2613 #2634 #2667 #2623 #2691, [@Dyanngg] [@antoninbas] [@GraysonWu] [@madhukark] [@lzhecheng])
  • Add support for WireGuard to encrypt inter-Node Pod traffic (as an alternative to IPsec); traffic mode must be set to encap and the "tunnelType" option will be ignored. (#2297 #2697, [@xliuxu] [@tnqn])
  • Support for configurable transport interface for Pod traffic. (#2370, [@wenyingd])
    • Use the "transportInterface" configuration parameter for the Antrea Agent to choose an interface by name; the default behavior is unchanged (interface to which the K8s Node IP is assigned is used)
    • On Windows, SNAT is now performed by the host and no longer by OVS, to accommodate for this change [Windows]
  • Support for dual-stack transport interfaces (the IPv4 and IPv6 addresses have to be assigned to the same interface); this in turn enables support for the noEncap traffic mode in dual-stack clusters. (#2436, [@lzhecheng])
  • Add Status field to the ExternalIPPool CRD: it is used to report usage information for the pool (total number of IPs in the pool and number of IPs that are currently assigned). (#2490, [@wenqiq])
  • Add Egress support for IPv6 and dual-stack clusters. (#2196 #2655, [@wenqiq])
  • Add ability to filter logs by timestamp with the "antctl supportbundle" command. (#2389, [@hangyan] [@weiqiangt])
  • Support for IPv6 / dual-stack Kind clusters. (#2415, [@adobley] [@christianang] [@gwang550])
  • Add support for sending JSON records from the Flow Aggregator instead of IPFIX records (which is still the default), as it can achieve better performance with Logstash. (#2559, [@zyiou])
  • Support "--sort-by" flag for "antctl get networkpolicy" in Agent mode. (#2604, [@antoninbas])

Changed

  • Remove the restriction that a ClusterGroup must exist before it can be used as a child group to define other ClusterGroups. (#2443, [@Dyanngg])
  • Remove the restriction that a ClusterGroup must exist before it can be used in an Antrea ClusterNetworkPolicy. (#2478, [@Dyanngg] [@abhiraut])
  • Remove "controlplane.antrea.tanzu.vmware.com/v1beta1" API as per our API deprecation policy. (#2528 #2631, [@luolanzone])
  • Controller responses to ClusterGroup membership queries ("/clustergroupmembers" API) now include the list of IPBlocks when appropriate. (#2577, [@Dyanngg] [@abhiraut])
  • Install all Endpoint flows belonging to a Service via a single OpenFlow bundle, to reduce flow installation time when the Agent starts. (#2476, [@tnqn])
  • Improve the batch installation of NetworkPolicy rules when the Agent starts: only generate flow operations based on final desired state instead of incrementally. (#2479, [@tnqn] [@Dyanngg])
  • Use GroupMemberSet.Merge instead of GroupMemberSet.Union to reduce CPU usage and memory footprint in the Agent's policy controller. (#2467, [@tnqn])
  • When checking for the existence of an iptables chain, stop listing all the chains and searching through them; this change reduces the Agent's memory footprint. (#2458, [@tnqn])
  • Tolerate more failures for the Agent's readiness probe, as the Agent may stay disconnected from the Controller for a long time in some scenarios. (#2535, [@tnqn])
  • Remove restriction that only GRE tunnels can be used when enabling IPsec: VXLAN can also be used, and so can Geneve (if the Linux kernel version for the Nodes is recent enough). (#2489, [@luolanzone])
  • Automatically perform deduplication on NetworkPolicy audit logs for denied connections: all duplicate connections received within a 1 second buffer window will be merged and the corresponding log entry will include the connection count. (#2294 #2578, [@qiyueyao])
  • Support returning partial supportbundle results when some Nodes fail to respond. (#2399, [@hangyan])
  • When listing NetworkPolicyStats through the Controller API, return an empty list if the NetworkPolicyStats Feature Gate is disabled, instead of returning an error. (#2386, [@PeterEltgroth])
  • Update OVS version from 2.14.2 to 2.15.1: the new version fixes Geneve tunnel support in the userspace datapath (used for Kind clusters). (#2515, [@antoninbas])
  • Update [go-ipfix] to version v0.5.7 to improve overall performance of the FlowExporter feature, and in particular of the Flow Aggregator component. (#2574, [@srikartati] [@zyiou])
  • Support pretty-printing for AntreaAgentInfo and AntreaControllerInfo CRDs. (#2572, [@antoninbas])
  • Improve the process of updating the Status of an Egress resource to report the name of the Node to which the Egress IP is assigned. (#2444, [@wenqiq])
  • Change the singular name of the ClusterGroup CRD from "group" to "clustergroup". (#2484, [@abhiraut])
  • Officially-supported Go version is no longer 1.15 but 1.17. (#2609 #2640, [@antoninbas])
    • There was a notable change in the implementation of the "ParseIP" and "ParseCIDR" functions, but Antrea users should not be affected; refer to this issue
  • Standardize the process of reserving OVS register ranges and defining constant values for them; OVS registers are used to store per-packet information when required to implement specific features. (#2455, [@wenyingd])
  • Update ELK stack reference configuration to support TCP transport. (#2387, [@zyiou])
  • Update Windows installation instructions. (#2456, [@lzheheng])
  • Update Antrea-native policies documentation to reflect the addition of the "kubernetes.io/metadata.name" in upstream K8s. (#2596, [@abhiraut])
  • Default to containerd as the container runtime in the Vagrant-based test K8s cluster. (#2583, [@stanleywbwong])
  • Update AllowToCoreDNS example in Antrea-native policies documentation. (#2605, [@btrieger])
  • Update actions/setup-go to v2 in all GitHub workflows. (#2517, [@MysteryBlokHed])

Fixed

  • Fix panic in Agent when calculating the stats for a rule newly added to an existing NetworkPolicy. (#2495, [@tnqn])
  • Fix bug in iptables rule installation for dual-stack clusters: if a rule was already present for one protocol but not the other, its installation may have been skipped. (#2469, [@lzhecheng])
  • Fix deadlock in the Agent's FlowExporter, between the export goroutine and the conntrack polling goroutine. (#2429, [@srikartati])
  • Upgrade OVS version to 2.14.2-antrea.1 for Windows Nodes; this version of OVS is built on top of the upstream 2.14.2 release and also includes a patch to fix TCP checksum computation when the DNAT action is used. (#2549, [@lzhecheng]) [Windows]
  • Handle transient iptables-restore failures (caused by xtables lock contention) in the NodePortLocal initialization logic. (#2555, [@antoninbas])
  • Query and check the list of features supported by the OVS datapath during Agent initialization: if any required feature is not supported, the Agent will log an error and crash, instead of continuing to run which makes it hard to troubleshoot such issues. (#2571, [@tnqn])
  • On Linux, wait for the ovs-vswitchd PID file to be ready before running ovs-appctl commands. (#2695, [@tnqn])
  • Periodically delete stale connections in the Flow Exporter if they cannot be exported (e.g. because the collector is not available), to avoid running out-of-memory. (#2516, [@srikartati])
  • F...

Release v1.2.2

17 Aug 02:22

Changed

  • Update go-ipfix to version v0.5.7 to improve overall performance of the FlowExporter feature, and in particular of the Flow Aggregator component. (#2574, @srikartati @zyiou)

Fixed

  • Handle transient iptables-restore failures (caused by xtables lock contention) in the NodePortLocal initialization logic. (#2555, @antoninbas)
  • Fix handling of the "reject" packets generated by the Antrea Agent in the OVS pipeline, to avoid infinite looping when traffic between two endpoints is rejected by network policies in both directions. (#2579, @GraysonWu)
  • Fix interface naming for IPsec tunnels: based on Node names, the first char could sometimes be a dash, which is not valid. (#2486, @luolanzone)

Release v1.1.2

12 Aug 05:39

Changed

  • Improve the batch installation of NetworkPolicy rules when the Agent starts: only generate flow operations based on final desired state instead of incrementally. (#2479, @tnqn)

Fixed

  • Fix deadlock when initializing the GroupEntityIndex (in the Antrea Controller) with many groups; this was preventing correct distribution and enforcement of NetworkPolicies. (#2376, @tnqn)
  • Use "os/exec" package instead of third-party modules to run PowerShell commands and configure host networking on Windows; this change prevents Agent goroutines from getting stuck when configuring routes. (#2363, @lzhecheng) [Windows]
  • Fix panic in Agent when calculating the stats for a rule newly added to an existing NetworkPolicy. (#2495, @tnqn)
  • Fix bug in iptables rule installation for dual-stack clusters: if a rule was already present for one protocol but not the other, its installation may have been skipped. (#2469, @lzhecheng)
  • Upgrade OVS version to 2.14.2 to pick up security fixes for CVE-2015-8011, CVE-2020-27827 and CVE-2020-35498. (#2451, @antoninbas)

Release v1.0.3

12 Aug 03:13

Changed

  • Improve the batch installation of NetworkPolicy rules when the Agent starts: only generate flow operations based on final desired state instead of incrementally. (#2479, @tnqn)

Fixed

  • Fix deadlock when initializing the GroupEntityIndex (in the Antrea Controller) with many groups; this was preventing correct distribution and enforcement of NetworkPolicies. (#2376, @tnqn)
  • Use "os/exec" package instead of third-party modules to run PowerShell commands and configure host networking on Windows; this change prevents Agent goroutines from getting stuck when configuring routes. (#2363, @lzhecheng) [Windows]
  • Fix panic in Agent when calculating the stats for a rule newly added to an existing NetworkPolicy. (#2495, @tnqn)
  • Upgrade OVS version to 2.14.2 to pick up security fixes for CVE-2015-8011, CVE-2020-27827 and CVE-2020-35498. (#2451, @antoninbas)

Release v1.2.1

06 Aug 20:17

Changed

  • Install all Endpoint flows belonging to a Service via a single OpenFlow bundle, to reduce flow installation time when the Agent starts. (#2476, @tnqn)
  • Improve the batch installation of NetworkPolicy rules when the Agent starts: only generate flow operations based on final desired state instead of incrementally. (#2479, @tnqn)
  • Use GroupMemberSet.Merge instead of GroupMemberSet.Union to reduce CPU usage and memory footprint in the Agent's policy controller. (#2467, @tnqn)
  • When checking for the existence of an iptables chain, stop listing all the chains and searching through them; this change reduces the Agent's memory footprint. (#2458, @tnqn)
  • Tolerate more failures for the Agent's readiness probe, as the Agent may stay disconnected from the Controller for a long time in some scenarios. (#2535, @tnqn)
  • When listing NetworkPolicyStats through the Controller API, return an empty list if the NetworkPolicyStats Feature Gate is disabled, instead of returning an error. (#2386, @PeterEltgroth)

Fixed

  • Fix panic in Agent when calculating the stats for a rule newly added to an existing NetworkPolicy. (#2495, @tnqn)
  • Fix bug in iptables rule installation for dual-stack clusters: if a rule was already present for one protocol but not the other, its installation may have been skipped. (#2469, @lzhecheng)
  • Fix deadlock in the Agent's FlowExporter, between the export goroutine and the conntrack polling goroutine. (#2429, @srikartati)
  • Upgrade OVS version to 2.14.2 to pick up security fixes for CVE-2015-8011, CVE-2020-27827 and CVE-2020-35498. (#2451, @antoninbas)
  • Upgrade OVS version to 2.14.2-antrea.1 for Windows Nodes; this version of OVS is built on top of the upstream 2.14.2 release and also includes a patch to fix TCP checksum computation when the DNAT action is used. (#2549, @lzhecheng) [Windows]
  • Periodically delete stale connections in the Flow Exporter if they cannot be exported (e.g. because the collector is not available), to avoid running out-of-memory. (#2516, @srikartati)
  • Clean up log files for the Flow Aggregator periodically: prior to this fix, the "--log_file_max_size" and "--log_file_max_num" command-line flags were ignored for the flow-aggregator Pod. (#2522, @srikartati)
  • Fix missing template ID when sending the first IPFIX flow record from the FlowAggregator. (#2546, @zyiou)
  • Fix reference Logstash configuration to avoid division by zero in throughput calculation. (#2432, @zyiou)

Release v0.13.5

28 Jul 04:06

Fixed

Release v0.13.4

16 Jul 19:18

Fixed

  • Use "os/exec" package instead of third-party modules to run PowerShell commands and configure host networking on Windows; this change prevents Agent goroutines from getting stuck when configuring routes. (#2363, @lzhecheng) [Windows]

Release v1.2.0

15 Jul 02:44

The NetworkPolicyStats feature is graduated from Alpha to Beta and is therefore enabled by default.

Added

  • Add new ExternalIPPool API to define ranges of IP addresses which can be used as Egress SNAT IPs; these IPs are allocated to Nodes according to a nodeSelector, with support for failover if a Node goes down. (#2236 #2237 #2186 #2358 #2345 #2371, @tnqn @wenqiq)
  • Use OpenFlow meters on Linux to rate-limit PacketIn messages sent by the OVS datapath to the Antrea Agent. (#2215, @GraysonWu @antoninbas)
  • Add K8s labels for the source and destination Pods (when applicable) as IPFIX Information Elements when exporting flow records from the FlowAggregator. (#2240, @dreamtalen)
  • Add ability to print Antrea Agent and / or Antrea Controller FeatureGates using antctl, with the "antctl get featuregates" command. (#2082, @luolanzone)
  • Add support for running the same Traceflow request again (with the same parameters) from the Antrea Octant plugin. (#2202, @Dhruv-J)
  • Add ability for the Antrea Agent to configure SR-IOV secondary network interfaces for Pods (these interfaces are not attached to the OVS bridge); however, there is currently no available API for users to request secondary Pod network interfaces. (#2151, @ramay1)

Changed

  • When enabling NodePortLocal on a Service, use the Service's target ports instead of the (optional) container ports for the selected Pods to determine how to configure port forwarding for the Pods. (#2222, @monotosh-avi)
  • Update version of the go-ipfix dependency to improve FlowExporter performance. (#2129, @zyiou)
  • Remove deprecated API version networking.antrea.tanzu.vmware.com/v1beta1 as per our API deprecation policy. (#2265, @hangyan)
  • Show translated source IP address in Traceflow observations when Antrea performs SNAT in OVS. (#2227, @luolanzone)
  • Remove unnecessary IPFIX Information Elements from the flow records exported by the FlowAggregator: "originalExporterIPv4Address", "originalExporterIPv6Address" and "originalObservationDomainId". (#2361, @zyiou)
  • Ignore non-TCP Service ports in the NodePortLocal implementation and document the restriction that only TCP is supported. (#2396, @antoninbas)
  • Drop packets received by the uplink in PREROUTING (using iptables) when using the OVS userspace datapath (Kind clusters), to prevent these packets from being processed by the Node's TCP/IP stack. (#2143, @antoninbas)
  • Improve documentation for Antrea-native policies to include information about the "namespaces" field introduced in Antrea v1.1 for the ClusterNetworkPolicy API. (#2271, @abhiraut)

Fixed

  • Fix inter-Node ClusterIP Service access when AntreaProxy is disabled. (#2318, @tnqn)
  • Fix duplicate group ID allocation in AntreaProxy when using a combination of IPv4 and IPv6 Services in dual-stack clusters; this was causing Service connectivity issues. (#2317, @hongliangl)
  • Fix intra-Node ClusterIP Service access when both the AntreaProxy and Egress features are enabled. (#2332, @tnqn)
  • Fix deadlock when initializing the GroupEntityIndex (in the Antrea Controller) with many groups; this was preventing correct distribution and enforcement of NetworkPolicies. (#2376, @tnqn)
  • Fix implementation of ClusterNetworkPolicy rules with an empty "From" field (for ingress rules) or an empty "To" field (for egress rules). (#2383, @Dyanngg)
  • Use "os/exec" package instead of third-party modules to run PowerShell commands and configure host networking on Windows; this change prevents Agent goroutines from getting stuck when configuring routes. (#2363, @lzhecheng) [Windows]
  • Fix invalid clean-up of the HNS Endpoint during Pod deletion, when Docker is used as the container runtime. (#2306, @wenyingd) [Windows]
  • Fix race condition on Windows when retrieving the local HNS Network created by Antrea for containers. (#2253, @tnqn) [Windows]
  • Fix checksum computation error when sending PacketOut messages to OVS. (#2273, @Dyanngg)
  • Fix invalid conversion function between internal and versioned types for controlplane API, which was causing JSON marshalling errors. (#2302, @tnqn)
  • Fix implementation of the v1beta1 version of the legacy "controlplane.antrea.tanzu.vmware.com" API: the API was incorrectly using some v1beta2 types and it was missing some field selectors. (#2305, @tnqn)
  • Verify that the discovered uplink is not virtual when creating the HNSNetwork; if it is, log a better error message. (#2246, @tnqn) [Windows]
  • When allocating a host port for NodePortLocal, make sure that the port is available first and reserve it by binding to it. (#2385, @antoninbas)
  • Change default port range for NodePortLocal to 61000-62000, in order to avoid conflict with the default ip_local_port_range on Linux. (#2382, @antoninbas)
  • Add NamespaceIndex to PodInformer of the NodePortLocal Controller to avoid error logs and slow searches. (#2377, @tnqn)
  • When mutating an Antrea-native policy, only set the "PatchType" field in the mutating webhook's response if the "Patch" field is not empty, or the response may not be valid. (#2295, @Dyanngg)
  • Populate the "egressNetworkPolicyRuleAction" IPFIX Information Element correctly in the FlowAggregator. (#2228, @zyiou)
  • Protect Traceflow state from concurrent access in Antrea Octant plugin (in case of multiple browser sessions). (#2261, @antoninbas)
  • Remove assumption that there is a single ovs-vswitchd .ctl file when invoking ovs-appctl from the Antrea Agent. (#2260, @antoninbas)
  • Fix file permissions for the whereabouts binary included in the antrea/antrea-ubuntu Docker image. (#2353, @antoninbas)

Release v1.1.1

08 Jul 03:51

Fixed

  • Fix inter-Node ClusterIP Service access when AntreaProxy is disabled. (#2318, @tnqn)
  • Fix duplicate group ID allocation in AntreaProxy when using a combination of IPv4 and IPv6 Services in dual-stack clusters; this was causing Service connectivity issues. (#2317, @hongliangl)
  • Fix intra-Node ClusterIP Service access when both the AntreaProxy and Egress features are enabled. (#2332, @tnqn)
  • Fix invalid clean-up of the HNS Endpoint during Pod deletion, when Docker is used as the container runtime. (#2306, @wenyingd) [Windows]
  • Fix race condition on Windows when retrieving the local HNS Network created by Antrea for containers. (#2253, @tnqn) [Windows]
  • Fix invalid conversion function between internal and versioned types for controlplane API, which was causing JSON marshalling errors. (#2312, @tnqn)
  • Fix implementation of the v1beta1 version of the legacy "controlplane.antrea.tanzu.vmware.com" API: the API was incorrectly using some v1beta2 types and it was missing some field selectors. (#2305, @tnqn)