Antrea Versions

Kubernetes networking based on Open vSwitch

v2.0.0

2 weeks ago

Some deprecated APIs have been removed in Antrea v2.0. Before upgrading, please read these guidelines carefully.

Added

  • Support LoadBalancerIPMode in AntreaProxy to implement K8s KEP-1860. (#6102, @hongliangl)
  • Add sameLabels field support for Antrea ClusterNetworkPolicy peer Namespace selection to allow users to create ACNPs that isolate Namespaces based on their label values. (#4537, @Dyanngg)
  • Add multiple physical interfaces support for the secondary network bridge. (#5959, @aroradaman)
  • Use a Node's primary NIC as the secondary OVS bridge physical interface. (#6108, @aroradaman)
  • Add user documentation for Antrea native secondary network support. (#6015 #6042, @jianjuns @antoninbas)
  • Add a new versioned API NetworkPolicyEvaluation and a new antctl sub-command for querying the effective policy rule applied to particular traffic. (#5740 #6112, @qiyueyao)

Changed

  • Multiple deprecated APIs, fields and options have been removed from Antrea.
    • Remove deprecated v1alpha1 CRDs Tier, ClusterNetworkPolicy, NetworkPolicy, Traceflow and ExternalEntity. (#6162 #6177 #6238, @luolanzone @hjiajing @antoninbas)
    • Remove deprecated v1alpha2 and v1alpha3 CRDs ClusterGroups, ExternalIPPool, ClusterGroup and Group. (#6049 #6239, @luolanzone @antoninbas)
    • Remove deprecated ServiceAccount field in ClusterSet type for Antrea Multi-cluster. (#6134, @luolanzone)
    • Remove deprecated options enableIPSecTunnel, multicastInterfaces, multicluster.enable and legacyCRDMirroring. (#5158, @luolanzone)
    • Clean up unused code for NodePortLocal and remove the deprecated nplPortRange config. (#5943, @luolanzone)
    • Clean up deprecated APIServices. (#6002, @tnqn)
  • Documentation has been updated to reflect recent changes and provide better guidance to users.
    • Add upgrade instructions for Antrea v2.0. (#6261, @antoninbas)
    • Update the OVS pipeline document and workflow diagram to keep them up to date. (#5412, @hongliangl)
    • Clarify documentation for IPPool and ExternalIPPool CRDs. (#6183, @antoninbas)
    • Document that Pods using FQDN-based policies must respect DNS TTL. (#6230, @tnqn)
    • Document the limitations of Audit Logging for policy rules. (#6225, @antoninbas)
  • Optimize the size of Antrea binaries.
    • Optimize package organization to reduce antctl binary size. (#6037, @tnqn)
    • Reduce antrea-cni binary size by removing unnecessary import packages. (#6038, @tnqn)
    • Strip all debug symbols from Go binaries by default. (#6035, @antoninbas)
    • Disable cgo for all Antrea binaries. (#5988, @antoninbas)
  • Increase the minimum supported Kubernetes version to v1.19. (#6089, @hjiajing)
  • Add OVS groups dump information to support bundle to help troubleshooting. (#6195, @shikharish)
  • Add egressNodeName in flow records for Antrea Flow Aggregator. (#6012, @Atish-iaf)
  • Add EgressNode field in the Traceflow Egress observation to include the name of the Egress Node. (#5949, @Atish-iaf)
  • Upgrade IPPool CRD to v1beta1 and make the subnet definition consistent with the one in ExternalIPPool CRD. (#6036, @mengdie-song)
  • Request basic memory for antrea-controller to improve its scheduling and reduce its OOM adjustment score, enhancing overall robustness. (#6233, @tnqn)
  • Increase default rate limit of antrea-controller to improve performance for batch requests. (#6231, @tnqn)
  • Remove Docker support for antrea-agent on Windows, update Windows documentation to remove all Docker-specific instructions, and all mentions of (userspace) kube-proxy. (#6019 #6255, @XinShuYang @antoninbas)
  • Stop publishing the legacy unified image. (#6182, @antoninbas)
  • Avoid unnecessary DNS queries for FQDN rule of NetworkPolicy in antrea-agent. (#6200, @tnqn)
  • Stop using projects.registry.vmware.com for user-facing images. (#6073, @antoninbas)
  • Fall back to lenient decoding when strict decoding config fails to tolerate unknown fields and duplicate fields, ensuring forward compatibility of configurations. (#6156, @tnqn)
  • Skip loading openvswitch kernel module if it's already built-in. (#5979, @antoninbas)
  • Persist TLS certificate and key of antrea-controller and sync the CA cert periodically to improve robustness. (#5955 #6205, @tnqn)
  • Add more validations for ExternalIPPool CRD to improve robustness. (#5898, @aroradaman)
  • Add Antrea L7 NetworkPolicy logs for allowed HTTP traffic. (#6014, @qiyueyao)
  • Update maximum number of buckets to 700 in OVS group add/insert_bucket message. (#5942, @hongliangl)
  • Add a flag for antctl to print OVS table names when users run antctl get ovsflows --table-names-only. (#5895 #6100, @luolanzone)
  • Improve log message when antrea-agent fails to join a new Node. (#6048, @roopeshsn)
  • Remove the prefix rancher-wins when collecting antrea-agent logs on Windows. (#6223, @wenyingd)
  • Upgrade K8s libraries to v0.29.2. (#5843, @hjiajing)
  • Upgrade base image from UBI8 to UBI9 for Antrea UBI images. (#5737, @xliuxu)

Fixed

  • Fix nil pointer dereference when ClusterGroup/Group is used in NetworkPolicy controller. (#6077, @tnqn)
  • Disable libcapng to make logrotate run as root in UBI images to fix an OVS crash issue. (#6052, @xliuxu)
  • Fix a race condition in antrea-agent Traceflow controller when a tag is associated again with a new Traceflow before the old Traceflow deletion event is processed. (#5954, @tnqn)
  • Change the maximum flags from 7 to 255 to fix the wrong TCP flags validation issue in Traceflow CRD. (#6050, @gran-vmv)
  • Use 65000 MTU upper bound for interfaces in encap mode to account for the MTU automatically configured by OVS on tunnel ports, and avoid packet drops on some clusters. (#5997, @antoninbas)
  • Install multicast-related iptables rules only on IPv4 chains to fix the antrea-agent initialization failure that occurs when the Multicast feature is enabled in dual-stack clusters. (#6123, @wenyingd)
  • Remove incorrect AntreaProxy warning on Windows when proxyAll is disabled. (#6242, @antoninbas)
  • Explicitly set kubelet's log files in Prepare-Node.ps1 on Windows, to ensure that they are included in support bundle collections. (#6221, @wenyingd)
  • Add validation on antrea-agent options to fail immediately when encryption is requested and the Multicast feature enabled. (#5920, @wenyingd)
  • Don't print the incorrect warning message when users run antrea-controller --version outside of K8s. (#5993, @prakrit55)
  • Record event when EgressIP is uninstalled from a Node and remains unassigned. (#6011, @jainpulkit22)
  • Fix a bug where local traffic cannot be identified in networkPolicyOnly mode. (#6251, @hongliangl)
  • Use reserved OVS controller ports for the default Antrea ports to fix a potential ofport mismatch issue. (#6202, @antoninbas)

v1.13.4

1 month ago

Added

  • Enable Windows OVS container to run on pristine host environment, without requiring some dependencies to be installed manually ahead of time. (#5440, @NamanAg30)

Changed

  • Stop using projects.registry.vmware.com for user-facing images. (#6073, @antoninbas)
  • Persist TLS certificate and key of antrea-controller and periodically sync the CA cert to improve robustness. (#5955, @tnqn)
  • Disable cgo for all Antrea binaries. (#5988, @antoninbas)

Fixed

  • Disable libcapng to make logrotate run as root in UBI images to fix an OVS crash issue. (#6052, @xliuxu)
  • Fix nil pointer dereference when ClusterGroup/Group is used in NetworkPolicy controller. (#6077, @tnqn)
  • Fix race condition in agent Traceflow controller when a tag is associated again with a new Traceflow before the old Traceflow deletion event is processed. (#5954, @tnqn)
  • Change the maximum flags from 7 to 255 to fix the wrong TCP flags validation issue in Traceflow CRD. (#6050, @gran-vmv)
  • Fix incorrect MTU configurations for the WireGuard encryption mode and GRE tunnel mode. (#5880 #5926, @hjiajing @tnqn)
  • Use 65000 MTU upper bound for interfaces in encap mode in case of large packets being dropped unexpectedly. (#5997, @antoninbas)
  • Install Multicast-related iptables rules only on IPv4 chains to fix the Antrea agent initialization failure that occurs when the Multicast feature is enabled in dual-stack clusters. (#6123, @wenyingd)

v1.14.3

1 month ago

Changed

  • Stop using projects.registry.vmware.com for user-facing images. (#6073, @antoninbas)
  • Persist TLS certificate and key of antrea-controller and periodically sync the CA cert to improve robustness. (#5955, @tnqn)
  • Disable cgo for all Antrea binaries. (#5988, @antoninbas)

Fixed

  • Disable libcapng to make logrotate run as root in UBI images to fix an OVS crash issue. (#6052, @xliuxu)
  • Fix nil pointer dereference when ClusterGroup/Group is used in NetworkPolicy controller. (#6077, @tnqn)
  • Fix race condition in agent Traceflow controller when a tag is associated again with a new Traceflow before the old Traceflow deletion event is processed. (#5954, @tnqn)
  • Change the maximum flags from 7 to 255 to fix the wrong TCP flags validation issue in Traceflow CRD. (#6050, @gran-vmv)
  • Update maximum number of buckets to 700 in OVS group add/insert_bucket message. (#5942, @hongliangl)
  • Use 65000 MTU upper bound for interfaces in encap mode in case of large packets being dropped unexpectedly. (#5997, @antoninbas)

v1.15.1

1 month ago

Changed

  • Stop using projects.registry.vmware.com for user-facing images. (#6073, @antoninbas)
  • Persist TLS certificate and key of antrea-controller and periodically sync the CA cert to improve robustness. (#5955, @tnqn)
  • Disable cgo for all Antrea binaries. (#5988, @antoninbas)

Fixed

  • Disable libcapng to make logrotate run as root in UBI images to fix an OVS crash issue. (#6052, @xliuxu)
  • Fix nil pointer dereference when ClusterGroup/Group is used in NetworkPolicy controller. (#6077, @tnqn)
  • Fix race condition in agent Traceflow controller when a tag is associated again with a new Traceflow before the old Traceflow deletion event is processed. (#5954, @tnqn)
  • Change the maximum flags from 7 to 255 to fix the wrong TCP flags validation issue in Traceflow CRD. (#6050, @gran-vmv)
  • Update maximum number of buckets to 700 in OVS group add/insert_bucket message. (#5942, @hongliangl)
  • Use 65000 MTU upper bound for interfaces in encap mode in case of large packets being dropped unexpectedly. (#5997, @antoninbas)
  • Skip loading openvswitch kernel module if it's already built-in. (#5979, @antoninbas)

v1.15.0

3 months ago

Added

  • Support Egress using IPs from a subnet that is different from the default Node subnet. (#5799, @tnqn)
    • Refer to this document for more information about this feature.
  • Add a migration tool to support migrating from other CNIs to Antrea. (#5677, @hjiajing)
  • Add L7 network flow export support in Antrea that enables exporting network flows with L7 protocol information. (#5218, @tushartathgur)
    • Refer to this document for more information about this feature.
  • Add a new feature NodeNetworkPolicy that allows users to apply ClusterNetworkPolicy to Kubernetes Nodes. (#5658 #5716, @hongliangl @Atish-iaf)
    • Refer to this document for more information about this feature.
  • Add Antrea flexible IPAM support for the Multicast feature. (#4922, @ceclinux)
  • Support Talos clusters to run Antrea as the CNI, and add Talos to the K8s installers document. (#5718 #5766, @antoninbas)
  • Support secondary network when the network configuration in NetworkAttachmentDefinition does not include IPAM configuration. (#5762, @jianjuns)
  • Add instructions to install Antrea in encap mode in AKS. (#5901, @antoninbas)

Changed

  • Change secondary network Pod controller to subscribe to CNIServer events to support bridging and VLAN network. (#5767, @jianjuns)
  • Use Antrea IPAM for secondary network support. (#5427, @jianjuns)
  • Create different images for antrea-agent and antrea-controller to minimize the overall image size, speeding up the startup of both antrea-agent and antrea-controller. (#5856 #5902 #5903, @jainpulkit22)
  • Don't create tunnel interface (antrea-tun0) when using WireGuard encryption mode. (#5885 #5909, @antoninbas)
  • Record an event when Egress IP assignment changes for better troubleshooting. (#5765, @jainpulkit22)
  • Update Windows documentation with clearer installation guide and instructions. (#5789, @antoninbas)
  • Enable IPv4/IPv6 forwarding on demand automatically to eliminate the need for user intervention or dependencies on other components. (#5833, @tnqn)
  • Add ability to skip loading kernel modules in antrea-agent to support some specialized distributions (e.g.: Talos). (#5754, @antoninbas)
  • Add NetworkPolicy rule name in Traceflow observation. (#5667, @Atish-iaf)
  • Use Traceflow API v1beta1 instead of the deprecated API version in antctl traceflow. (#5689, @Atish-iaf)
  • Replace net.IP with netip.Addr in FlowExporter which optimizes the memory usage and improves the performance of the FlowExporter. (#5532, @antoninbas)
  • Update kubemark from v1.18.4 to v1.29.0 for antrea-agent-simulator. (#5820, @luolanzone)
  • Upgrade CNI plugins to v1.4.0. (#5747 #5813, @antoninbas @luolanzone)
  • Update the document for Egress feature's options and usage on AWS cloud. (#5436, @tnqn)
  • Add Flexible IPAM design details in antrea-ipam.md. (#5339, @gran-vmv)

Fixed

  • Fix incorrect MTU configurations for the WireGuard encryption mode and GRE tunnel mode. (#5880 #5926, @hjiajing @tnqn)
  • Prioritize L7 NetworkPolicy flows over TrafficControl to avoid a potential issue that a TrafficControl CR with a redirect action to the same Pod could bypass the L7 engine. (#5768, @hongliangl)
  • Delete OVS port and flows before releasing Pod IP. (#5788, @tnqn)
  • Store NetworkPolicy in filesystem as fallback data source to let antrea-agent fall back to using the files if it can't connect to antrea-controller on startup. (#5739, @tnqn)
  • Enable Pod network after realizing initial NetworkPolicies to avoid traffic from/to Pods bypassing NetworkPolicy when antrea-agent restarts. (#5777, @tnqn)
  • Fix Clean-AntreaNetwork.ps1 invocation in Prepare-AntreaAgent.ps1 for containerized OVS on Windows. (#5859, @antoninbas)
  • Add missing space to kubelet args in Prepare-Node.ps1 so that kubelet can start successfully on Windows. (#5858, @antoninbas)
  • Fix antctl trace-packet command failure which is caused by missing arguments. (#5838, @luolanzone)
  • Support Local ExternalTrafficPolicy for Services with ExternalIPs when Antrea proxyAll mode is enabled. (#5795, @tnqn)
  • Set net.ipv4.conf.antrea-gw0.arp_announce to 1 to fix an ARP request leak when a Node or hostNetwork Pod accesses a local Pod and AntreaIPAM is enabled. (#5657, @gran-vmv)
  • Skip enforcement of ingress NetworkPolicies rules for hairpinned Service traffic (Pod accessing itself via a Service). (#5687 #5705, @GraysonWu)
  • Add host-local IPAM GC on startup to avoid potential IP leak issue after antrea-agent restart. (#5660, @antoninbas)
  • Fix the CrashLoopBackOff issue when using the UBI-based image. (#5723, @antoninbas)
  • Remove redundant log in fillPodInfo/fillServiceInfo to fix log flood issue, and update DestinationServiceAddress for deny connections. (#5592 #5704, @yuntanghsu)
  • Enhance HNS network initialization on Windows to avoid some corner cases. (#5841, @XinShuYang)
  • Fix endpoint querier rule index in response to improve troubleshooting. (#5783, @qiyueyao)
  • Avoid unnecessary rule reconciliations in FQDN controller. (#5893, @Dyanngg)
  • Update Windows OVS download link to remove the invalid certificate preventing unsigned OVS driver installation. (#5839, @XinShuYang)
  • Fix IP annotation not working on StatefulSets for Antrea FlexibleIPAM. (#5715, @gran-vmv)
  • Add DHCP IP retries in PrepareHNSNetwork to fix potential IP retrieving failure. (#5819, @XinShuYang)
  • Revise antctl mc deploy to support Antrea Multi-cluster deployment update when the manifests are changed. (#5257, @luolanzone)

v1.14.2

3 months ago

Changed

  • Enable IPv4/IPv6 forwarding on demand automatically to eliminate the need for user intervention or dependencies on other components. (#5833, @tnqn)

Fixed

  • Store NetworkPolicy in filesystem as fallback data source to let antrea-agent fall back to using the files if it can't connect to antrea-controller on startup. (#5739, @tnqn)
  • Support Local ExternalTrafficPolicy for Services with ExternalIPs when Antrea proxyAll mode is enabled. (#5795, @tnqn)
  • Enable Pod network after realizing initial NetworkPolicies to avoid traffic from/to Pods bypassing NetworkPolicy when antrea-agent restarts. (#5777, @tnqn)
  • Fix Clean-AntreaNetwork.ps1 invocation in Prepare-AntreaAgent.ps1 for containerized OVS on Windows. (#5859, @antoninbas)
  • Add missing space to kubelet args in Prepare-Node.ps1 so that kubelet can start successfully on Windows. (#5858, @antoninbas)
  • Update Windows OVS download link to remove the redundant certificate to fix OVS driver installation failure. (#5839, @XinShuYang)
  • Add DHCP IP retries in PrepareHNSNetwork on Windows to fix the potential race condition issue where acquiring a DHCP IP address may fail after CreateHNSNetwork. (#5819, @XinShuYang)
  • Fix antctl trace-packet command failure which is caused by missing arguments. (#5838, @luolanzone)
  • Fix incorrect MTU configurations for the WireGuard encryption mode and GRE tunnel mode. (#5880 #5926, @hjiajing @tnqn)

v1.13.3

4 months ago

Fixed

  • Update Install-WindowsCNI-Containerd.ps1 script to make it compatible with containerd 1.7. (#5528, @NamanAg30)
  • Store NetworkPolicy in filesystem as fallback data source to let antrea-agent fall back to using the files if it can't connect to antrea-controller on startup. (#5739, @tnqn)
  • Support Local ExternalTrafficPolicy for Services with ExternalIPs when Antrea proxyAll mode is enabled. (#5795, @tnqn)
  • Enable Pod network after realizing initial NetworkPolicies to avoid traffic from/to Pods bypassing NetworkPolicy when antrea-agent restarts. (#5777, @tnqn)
  • Fix Clean-AntreaNetwork.ps1 invocation in Prepare-AntreaAgent.ps1 for containerized OVS on Windows. (#5859, @antoninbas)
  • Fix antctl trace-packet command failure which is caused by missing arguments. (#5838, @luolanzone)
  • Skip enforcement of ingress NetworkPolicies rules for hairpinned Service traffic (Pod accessing itself via a Service). (#5687 #5705, @GraysonWu)
  • Set net.ipv4.conf.antrea-gw0.arp_announce to 1 to fix an ARP request leak when a Node or hostNetwork Pod accesses a local Pod and AntreaIPAM is enabled. (#5657, @gran-vmv)
  • Add DHCP IP retries in PrepareHNSNetwork on Windows to fix the potential race condition issue where acquiring a DHCP IP address may fail after CreateHNSNetwork. (#5819, @XinShuYang)

v1.12.3

4 months ago

Fixed

  • Update Install-WindowsCNI-Containerd.ps1 script to make it compatible with containerd 1.7. (#5528, @NamanAg30)
  • Store NetworkPolicy in filesystem as fallback data source to let antrea-agent fall back to using the files if it can't connect to antrea-controller on startup. (#5739, @tnqn)
  • Support Local ExternalTrafficPolicy for Services with ExternalIPs when Antrea proxyAll mode is enabled. (#5795, @tnqn)
  • Enable Pod network after realizing initial NetworkPolicies to avoid traffic from/to Pods bypassing NetworkPolicy when antrea-agent restarts. (#5777, @tnqn)
  • Fix a deadlock issue in NetworkPolicy Controller which causes a FQDN resolution failure. (#5566 #5583, @Dyanngg @tnqn)
  • Skip enforcement of ingress NetworkPolicies rules for hairpinned Service traffic (Pod accessing itself via a Service). (#5687 #5705, @GraysonWu)
  • Set net.ipv4.conf.antrea-gw0.arp_announce to 1 to fix an ARP request leak when a Node or hostNetwork Pod accesses a local Pod and AntreaIPAM is enabled. (#5657, @gran-vmv)
  • Fix antctl tf CLI failure when the Traceflow is using an IPv6 address. (#5588, @Atish-iaf)
  • Fix NetworkPolicy span calculation to avoid out-dated data when multiple NetworkPolicies have the same selector. (#5554, @tnqn)
  • Fix SSL library downloading failure in Install-OVS.ps1 on Windows. (#5510, @XinShuYang)
  • Fix rollback invocation after CmdAdd failure in CNI server. (#5548, @antoninbas)
  • Do not apply Egress to traffic destined for ServiceCIDRs to avoid performance issue and unexpected behaviors. (#5495, @tnqn)
  • Do not delete IPv6 link-local route in route reconciler to fix cross-Node Pod traffic or Pod-to-external traffic. (#5483, @wenyingd)

v1.14.1

5 months ago

Fixed

  • Fix the CrashLoopBackOff issue when using the UBI-based image. (#5723, @antoninbas)
  • Skip enforcement of ingress NetworkPolicies rules for hairpinned Service traffic (Pod accessing itself via a Service). (#5687 #5705, @GraysonWu)
  • Set net.ipv4.conf.antrea-gw0.arp_announce to 1 to fix an ARP request leak when a Node or hostNetwork Pod accesses a local Pod and AntreaIPAM is enabled. (#5657, @gran-vmv)

v1.13.2

6 months ago

Fixed

  • Fix antctl tf CLI failure when the Traceflow is using an IPv6 address. (#5588, @Atish-iaf)
  • Fix a deadlock issue in NetworkPolicy Controller which causes a FQDN resolution failure. (#5566 #5583, @Dyanngg @tnqn)
  • Fix NetworkPolicy span calculation to avoid out-dated data when multiple NetworkPolicies have the same selector. (#5554, @tnqn)
  • Fix SSL library downloading failure in Install-OVS.ps1 on Windows. (#5510, @XinShuYang)
  • Fix rollback invocation after CmdAdd failure in CNI server. (#5548, @antoninbas)
  • Do not apply Egress to traffic destined for ServiceCIDRs to avoid performance issue and unexpected behaviors. (#5495, @tnqn)
  • Do not delete IPv6 link-local route in route reconciler to fix cross-Node Pod traffic or Pod-to-external traffic. (#5483, @wenyingd)