Graduate AntreaPolicy Feature to Beta

We graduate this Feature to Beta for the Antrea v1.0 release.

See antrea-io#1725

.github/workflows/kind.yml

@@ -317,8 +317,11 @@ jobs:
         path: log.tar.gz
         retention-days: 30
 
-  test-e2e-encap-np:
-    name: E2e tests on a Kind cluster on Linux with Antrea NetworkPolicies enabled
+  # TODO: remove when https://github.com/vmware-tanzu/antrea/issues/897 is fixed.
+  # In the mean time, we keep this test around to ensure that at least one Kind
+  # test uses a Geneve overlay.
+  test-e2e-encap-no-np:
+    name: E2e tests on a Kind cluster on Linux with Antrea-native policies disabled
     needs: [build-antrea-coverage-image, build-flow-aggregator-coverage-image]
     runs-on: [ubuntu-latest]
     steps:
@@ -351,32 +354,32 @@ jobs:
     - name: Run e2e tests
       run: |
         mkdir log
-        mkdir test-e2e-encap-np-coverage
-        ANTREA_LOG_DIR=$PWD/log ANTREA_COV_DIR=$PWD/test-e2e-encap-np-coverage ./ci/kind/test-e2e-kind.sh --encap-mode encap --np --coverage
+        mkdir test-e2e-encap-no-np-coverage
+        ANTREA_LOG_DIR=$PWD/log ANTREA_COV_DIR=$PWD/test-e2e-encap-no-np-coverage ./ci/kind/test-e2e-kind.sh --encap-mode encap --no-np --coverage
     - name: Tar coverage files
-      run: tar -czf test-e2e-encap-np-coverage.tar.gz test-e2e-encap-np-coverage
-    - name: Upload coverage for test-e2e-encap-np-coverage
+      run: tar -czf test-e2e-encap-no-np-coverage.tar.gz test-e2e-encap-no-np-coverage
+    - name: Upload coverage for test-e2e-encap-no-np-coverage
       uses: actions/upload-artifact@v2
       with:
-        name: test-e2e-encap-np-coverage
-        path: test-e2e-encap-np-coverage.tar.gz
+        name: test-e2e-encap-no-np-coverage
+        path: test-e2e-encap-no-np-coverage.tar.gz
         retention-days: 30
     - name: Codecov
       uses: codecov/codecov-action@v1
       with:
         token: ${{ secrets.CODECOV_TOKEN }}
         file: '*.cov.out*'
         flags: kind-e2e-tests
-        name: codecov-test-e2e-np-encap
-        directory: test-e2e-encap-np-coverage
+        name: codecov-test-e2e-no-np-encap
+        directory: test-e2e-encap-no-np-coverage
     - name: Tar log files
       if: ${{ failure() }}
       run: tar -czf log.tar.gz log
     - name: Upload test log
       uses: actions/upload-artifact@v2
       if: ${{ failure() }}
       with:
-        name: e2e-kind-encap-np.tar.gz
+        name: e2e-kind-encap-no-np.tar.gz
         path: log.tar.gz
         retention-days: 30
 
@@ -466,7 +469,7 @@ jobs:
   # yet.
   artifact-cleanup:
     name: Delete uploaded images
-    needs: [build-antrea-coverage-image, build-flow-aggregator-coverage-image, build-antrea-image, test-e2e-encap, test-e2e-encap-no-proxy, test-e2e-noencap, test-e2e-hybrid, test-e2e-encap-np, test-netpol-tmp, validate-prometheus-metrics-doc]
+    needs: [build-antrea-coverage-image, build-flow-aggregator-coverage-image, build-antrea-image, test-e2e-encap, test-e2e-encap-no-proxy, test-e2e-noencap, test-e2e-hybrid, test-e2e-encap-no-np, test-netpol-tmp, validate-prometheus-metrics-doc]
     if: ${{ always() }}
     runs-on: [ubuntu-latest]
     steps:

build/yamls/antrea-aks.yml

@@ -2433,7 +2433,7 @@ data:
     # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
     # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
     # feature that supports priorities, rule actions and externalEntities in the future.
-    #  AntreaPolicy: false
+    #  AntreaPolicy: true
 
     # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each
     # agent to a configured collector.
@@ -2588,7 +2588,7 @@ data:
     # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
     # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
     # feature that supports priorities, rule actions and externalEntities in the future.
-    #  AntreaPolicy: false
+    #  AntreaPolicy: true
 
     # Enable collecting and exposing NetworkPolicy statistics.
     #  NetworkPolicyStats: false
@@ -2640,7 +2640,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-bm46tm9f88
+  name: antrea-config-gg4m728h98
   namespace: kube-system
 ---
 apiVersion: v1
@@ -2760,7 +2760,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-bm46tm9f88
+          name: antrea-config-gg4m728h98
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -3069,7 +3069,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-bm46tm9f88
+          name: antrea-config-gg4m728h98
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-eks.yml

@@ -2433,7 +2433,7 @@ data:
     # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
     # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
     # feature that supports priorities, rule actions and externalEntities in the future.
-    #  AntreaPolicy: false
+    #  AntreaPolicy: true
 
     # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each
     # agent to a configured collector.
@@ -2588,7 +2588,7 @@ data:
     # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
     # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
     # feature that supports priorities, rule actions and externalEntities in the future.
-    #  AntreaPolicy: false
+    #  AntreaPolicy: true
 
     # Enable collecting and exposing NetworkPolicy statistics.
     #  NetworkPolicyStats: false
@@ -2640,7 +2640,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-bm46tm9f88
+  name: antrea-config-gg4m728h98
   namespace: kube-system
 ---
 apiVersion: v1
@@ -2760,7 +2760,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-bm46tm9f88
+          name: antrea-config-gg4m728h98
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -3071,7 +3071,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-bm46tm9f88
+          name: antrea-config-gg4m728h98
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-gke.yml

@@ -2433,7 +2433,7 @@ data:
     # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
     # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
     # feature that supports priorities, rule actions and externalEntities in the future.
-    #  AntreaPolicy: false
+    #  AntreaPolicy: true
 
     # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each
     # agent to a configured collector.
@@ -2588,7 +2588,7 @@ data:
     # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
     # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
     # feature that supports priorities, rule actions and externalEntities in the future.
-    #  AntreaPolicy: false
+    #  AntreaPolicy: true
 
     # Enable collecting and exposing NetworkPolicy statistics.
     #  NetworkPolicyStats: false
@@ -2640,7 +2640,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-5c954cd56b
+  name: antrea-config-6bb22hc7fg
   namespace: kube-system
 ---
 apiVersion: v1
@@ -2760,7 +2760,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-5c954cd56b
+          name: antrea-config-6bb22hc7fg
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -3072,7 +3072,7 @@ spec:
           path: /home/kubernetes/bin
         name: host-cni-bin
       - configMap:
-          name: antrea-config-5c954cd56b
+          name: antrea-config-6bb22hc7fg
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-ipsec.yml

@@ -2433,7 +2433,7 @@ data:
     # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
     # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
     # feature that supports priorities, rule actions and externalEntities in the future.
-    #  AntreaPolicy: false
+    #  AntreaPolicy: true
 
     # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each
     # agent to a configured collector.
@@ -2593,7 +2593,7 @@ data:
     # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
     # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
     # feature that supports priorities, rule actions and externalEntities in the future.
-    #  AntreaPolicy: false
+    #  AntreaPolicy: true
 
     # Enable collecting and exposing NetworkPolicy statistics.
     #  NetworkPolicyStats: false
@@ -2645,7 +2645,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-29788ckmb7
+  name: antrea-config-f57t688chc
   namespace: kube-system
 ---
 apiVersion: v1
@@ -2774,7 +2774,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-29788ckmb7
+          name: antrea-config-f57t688chc
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -3118,7 +3118,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-29788ckmb7
+          name: antrea-config-f57t688chc
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea.yml

@@ -2433,7 +2433,7 @@ data:
     # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
     # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
     # feature that supports priorities, rule actions and externalEntities in the future.
-    #  AntreaPolicy: false
+    #  AntreaPolicy: true
 
     # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each
     # agent to a configured collector.
@@ -2593,7 +2593,7 @@ data:
     # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
     # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
     # feature that supports priorities, rule actions and externalEntities in the future.
-    #  AntreaPolicy: false
+    #  AntreaPolicy: true
 
     # Enable collecting and exposing NetworkPolicy statistics.
     #  NetworkPolicyStats: false
@@ -2645,7 +2645,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-f27tdcgm22
+  name: antrea-config-5ct9ktdt77
   namespace: kube-system
 ---
 apiVersion: v1
@@ -2765,7 +2765,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-f27tdcgm22
+          name: antrea-config-5ct9ktdt77
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -3074,7 +3074,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-f27tdcgm22
+          name: antrea-config-5ct9ktdt77
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/base/conf/antrea-agent.conf

@@ -19,7 +19,7 @@ featureGates:
 # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
 # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
 # feature that supports priorities, rule actions and externalEntities in the future.
-#  AntreaPolicy: false
+#  AntreaPolicy: true
 
 # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each
 # agent to a configured collector.

build/yamls/base/conf/antrea-controller.conf

@@ -6,7 +6,7 @@ featureGates:
 # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
 # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
 # feature that supports priorities, rule actions and externalEntities in the future.
-#  AntreaPolicy: false
+#  AntreaPolicy: true
 
 # Enable collecting and exposing NetworkPolicy statistics.
 #  NetworkPolicyStats: false

ci/kind/test-e2e-kind.sh

@@ -26,7 +26,7 @@ _usage="Usage: $0 [--encap-mode <mode>] [--no-proxy] [--np] [--coverage] [--help
         --encap-mode                  Traffic encapsulation mode. (default is 'encap').
         --no-proxy                    Disables Antrea proxy.
         --endpointslice               Enables Antrea proxy and EndpointSlice support.
-        --np                          Enables Namespaced Antrea NetworkPolicy CRDs and ClusterNetworkPolicy related CRDs.
+        --no-np                       Disables Antrea-native policies.
         --coverage                    Enables measure Antrea code coverage when run e2e tests on kind.
         --help, -h                    Print this message and exit.
 "
@@ -51,7 +51,7 @@ trap "quit" INT EXIT
 mode=""
 proxy=true
 endpointslice=false
-np=false
+np=true
 coverage=false
 while [[ $# -gt 0 ]]
 do
@@ -66,8 +66,8 @@ case $key in
     endpointslice=true
     shift
     ;;
-    --np)
-    np=true
+    --no-np)
+    np=false
     shift
     ;;
     --encap-mode)
@@ -98,7 +98,9 @@ if $endpointslice; then
 fi
 if $np; then
     # See https://github.com/vmware-tanzu/antrea/issues/897
-    manifest_args="$manifest_args --np --tun vxlan"
+    manifest_args="$manifest_args --tun vxlan"
+else
+    manifest_args="$manifest_args --no-np"
 fi
 
 COMMON_IMAGES_LIST=("gcr.io/kubernetes-e2e-test-images/agnhost:2.8" "projects.registry.vmware.com/library/busybox" "projects.registry.vmware.com/antrea/nginx" "projects.registry.vmware.com/antrea/perftool" "projects.registry.vmware.com/antrea/ipfix-collector:v0.4.7")

docs/antrea-network-policy.md

@@ -39,6 +39,10 @@ few new CRDs supported by Antrea to provide the administrator with more control
 over security within the cluster, and which are meant to co-exist with and
 complement the K8s NetworkPolicy.
 
+Starting with Antrea v1.0, Antrea-native policies are enabled by default, which
+means that no additional configuration is required in order to use the
+Antrea-native Policy CRDs.
+
 ## Tier
 
 Antrea supports grouping Antrea-native Policy CRDs together in a tiered fashion
@@ -170,28 +174,6 @@ their apps and affects Pods within the Namespace in which the K8s NetworkPolicy
 is created. Rules belonging to ClusterNetworkPolicies are enforced before any
 rule belonging to a K8s NetworkPolicy.
 
-**Note**: ClusterNetworkPolicy is currently in "Alpha" stage. In order to
-enable them, edit the Controller and Agent configuration in the `antrea`
-ConfigMap as follows:
-
-```yaml
-   antrea-controller.conf: |
-     featureGates:
-       # Enable AntreaPolicy feature to complement K8s NetworkPolicy
-       # for cluster admins to define security policies which apply to the
-       # entire cluster.
-       AntreaPolicy: true
-```
-
-```yaml
-   antrea-agent.conf: |
-     featureGates:
-       # Enable AntreaPolicy feature to complement K8s NetworkPolicy
-       # for cluster admins to define security policies which apply to the
-       # entire cluster.
-       AntreaPolicy: true
-```
-
 ### The Antrea ClusterNetworkPolicy resource
 
 Example ClusterNetworkPolicies might look like this:
@@ -447,10 +429,6 @@ advanced NetworkPolicy features and apply them within a Namespace to
 complement the K8s NetworkPolicies. Similar to the ClusterNetworkPolicy
 resource, Antrea NetworkPolicy can also be associated with Tiers.
 
-**Note**: Antrea NetworkPolicy is currently in "Alpha" stage and is enabled
-along with Tiers and ClusterNetworkPolicy as part of the `AntreaPolicy`
-feature gate.
-
 ### The Antrea NetworkPolicy resource
 
 An example Antrea NetworkPolicy might look like this: