Releases: antrea-io/antrea
Release v1.10.0
Added
- Add L7NetworkPolicy feature which enables users to protect their applications by specifying how they are allowed to communicate with others, taking into account application context. (#4380 #4406 #4410, @hongliangl @qiyueyao @tnqn)
- Layer 7 NetworkPolicy can be configured through the l7Protocols field of Antrea-native policies.
- Refer to this document for more information about this feature.
- Add SupportBundleCollection feature which enables a CRD API for Antrea to collect support bundle files on any K8s Node or ExternalNode, and upload to a user-defined file server. (#4184 #4338 #4249, @wenyingd @mengdie-song @ceclinux)
- Refer to this document for more information about this feature.
- Add support for NetworkPolicy for cross-cluster traffic. (#4432 #3914, @Dyanngg @GraysonWu)
- Setting scope of an ingress peer to clusterSet expands the scope of the podSelector or namespaceSelector to the entire ClusterSet.
- Setting scope of toServices to clusterSet selects a Multi-cluster Service. (#4397, @Dyanngg)
- Refer to this document for more information about this feature.
- Add the following capabilities to the ExternalNode feature:
- Containerized option for antrea-agent installation on Linux VMs. (#4413, @Nithish555)
- Support for RHEL 8.4. (#4323, @Nithish555)
- Add support for running antrea-agent as DaemonSet when using containerd as the runtime on Windows. (#4279, @XinShuYang)
- Add documentation for Antrea Multicast. (#4339, @ceclinux)
Changed
- Extend antctl mc get joinconfig to print member token Secret. (#4363, @jianjuns)
- Improve support for Egress in Traceflow. (#3926, @Atish-iaf)
- Add NodePortLocalPortRange field for AntreaAgentInfo. (#4379, @wenqiq)
- Use format "namespace/name" as the key for ExternalNode span calculation. (#4401, @wenyingd)
- Enclose Pod labels with single quotes when uploading CSV record to S3 in the FlowAggregator. (#4334, @dreamtalen)
- Upgrade Antrea base image to ubuntu 22.04. (#4459 #4499, @antoninbas)
- Update OVS to 2.17.3. (#4402, @mnaser)
- Reduce confusion caused by transient error encountered when creating static Tiers. (#4414, @tnqn)
Fixed
- Add a periodic job to rejoin dead Nodes, to fix Egress not working properly after long network downtime. (#4491, @tnqn)
- Fix potential deadlocks and memory leaks of memberlist maintenance in large-scale clusters. (#4469, @wenyingd)
- Fix connectivity issues caused by MAC address changes with systemd v242 and later. (#4428, @wenyingd)
- Fix error handling when S3Uploader partially succeeds. (#4433, @heanlan)
- Fix a ClusterInfo export bug when Multi-cluster Gateway changes. (#4412, @luolanzone)
- Fix OpenFlow rules not being updated when Multi-cluster Gateway updates. (#4388, @luolanzone)
- Delete Pod specific VF resource cache when a Pod gets deleted. (#4285, @arunvelayutham)
- Fix OpenAPI descriptions for AntreaAgentInfo and AntreaControllerInfo. (#4390, @tnqn)
Release v1.7.2
Changed
- Upgrade Antrea base image to ubuntu 22.04. (#4459, @antoninbas)
- Add OFSwitch connection check to Agent's liveness probes. (#4126, @tnqn)
- Improve install_cni_chaining to support updates to CNI config file. (#4012, @antoninbas)
Fixed
- Add a periodic job to rejoin dead Nodes to fix Egress not working properly after long network downtime. (#4491, @tnqn)
- Fix connectivity issues caused by MAC address changes with systemd v242 and later. (#4428, @wenyingd)
- Fix potential deadlocks and memory leaks of memberlist maintenance in large-scale clusters. (#4469, @wenyingd)
- Fix Windows AddNodePort parameter error. (#4103, @XinShuYang)
- Set no-flood config with ports for TrafficControl after Agent restarting. (#4318, @hongliangl)
- Fix multicast group not removed from cache when it is uninstalled. (#4176, @wenyingd)
- Remove redundant OpenFlow messages when syncing an updated group to OVS. (#4160, @hongliangl)
- Fix Antrea Octant plugin build. (#4107, @antoninbas)
Release v1.9.0
Added
- Add the following capabilities to the Multi-cluster feature:
- Add support for Pod-to-Pod connectivity across clusters. (#4219, @hjiajing)
- Add active-passive mode high availability support for Gateway Nodes. (#4069, @luolanzone)
- Allow Pod IPs as Endpoints of Multi-cluster Service; option endpointIPType is added to the Multi-cluster Controller ConfigMap to specify the Service Endpoints type. (#4198, @luolanzone)
- Add antctl mc get joinconfig command to print ClusterSet join parameters. (#4299, @jianjuns)
- Add antctl mc get|delete membertoken commands to get/delete member token. (#4254, @bangqipropel)
- Add rule name to Audit Logging for Antrea-native policies. (#4178, @qiyueyao)
- Add Service health check similar to kube-proxy in antrea-agent; it provides HTTP endpoints <nodeIP>:<healthCheckNodePort>/healthz for querying number of local Endpoints of a Service. (#4120, @shettyg)
- Add S3Uploader as a new exporter of Flow Aggregator, which periodically exports expired flow records to AWS S3 storage bucket. (#4143, @heanlan)
- Add scripts and binaries needed for running Antrea on non-Kubernetes Nodes (ExternalNode) in release assets. (#4266 #4113, @antoninbas @Anandkumar26)
Changed
- AntreaProxy now supports more than 800 Endpoints for a Service. (#4167, @hongliangl)
- Add OVS connection check to Agent's liveness probes for self-healing on OVS disconnection. (#4126, @tnqn)
- antrea-agent startup scripts now perform cleanup automatically on non-Kubernetes Nodes (ExternalNode) upon Node restart. (#4277, @Anandkumar26)
- Make tunnel csum option configurable and default to false which avoids double encapsulation checksum issues on some platforms. (#4250, @tnqn)
- Use standard value type for k8s.v1.cni.cncf.io/networks annotation for the SecondaryNetwork feature. (#4146, @antoninbas)
- Update Go to v1.19. (#4106, @antoninbas)
- Add API support for reporting Antrea NetworkPolicy realization failure. (#4248, @wenyingd)
- Update ResourceExport's json tag to lowerCamelCase. (#4211, @luolanzone)
- Add clusterUUID column to S3 uploader and ClickHouseExporter to support multiple clusters in the same data warehouse. (#4214, @heanlan)
Fixed
- Fix nil pointer error when collecting support bundle from Agent fails. (#4306, @tnqn)
- Set no-flood config for TrafficControl ports after restarting Agent to prevent ARP packet loops. (#4318, @hongliangl)
- Fix packet resubmission issue when AntreaProxy is enabled and AntreaPolicy is disabled. (#4261, @GraysonWu)
- Fix ownerReferences in APIExternalEntities generated from ExternalNodes. (#4259, @wenyingd)
- Fix the issue that "MulticastGroup" API returned wrong Pods that have joined multicast groups. (#4240, @ceclinux)
- Fix inappropriate route for IPv6 ClusterIPs in the host network when proxyAll is enabled. (#4297, @tnqn)
- Fix log spam when there is any DNS based LoadBalancer Service. (#4234, @tnqn)
- Remove multicast group from cache when group is uninstalled. (#4176, @wenyingd)
- Remove redundant OpenFlow messages when syncing an updated group to OVS. (#4160, @hongliangl)
- Fix nil pointer error when there is no ClusterSet found during MemberClusterAnnounce validation. (#4154, @luolanzone)
- Fix data race when Multi-cluster controller reconciles ServiceExports concurrently. (#4305, @Dyanngg)
- Fix memory leak in Multi-cluster resource import controllers. (#4251, @Dyanngg)
- Fix Antrea-native policies for multicast traffic matching IGMP traffic unexpectedly. (#4206, @liu4480)
- Fix IPsec not working in UBI-based image. (#4244, @xliuxu)
- Fix antctl mc get clusterset command output when a ClusterSet's status is empty. (#4174, @luolanzone)
Release v1.8.0
Added
- Add ExternalNode feature which enables Antrea to manage security policies for non-Kubernetes Nodes (like virtual machines or bare-metal servers). (#4110, @wenyingd @mengdie-song @Anandkumar26)
- It introduces the ExternalNode CRD; each resource of this kind represents a virtual machine or bare-metal server and supports specifying which network interfaces on the external Node are expected to be protected with Antrea-native policies.
- An ExternalEntity resource will be created for each network interface specified in the ExternalNode resource. Antrea-native policies are applied to an external Node by using the ExternalEntity selector.
- Refer to this document for more information about this feature.
- Add the following capabilities to Antrea-native policies:
- Add Audit Logging support for K8s NetworkPolicy. (#4047, @qiyueyao)
- Support applying Antrea ClusterNetworkPolicy to NodePort Services for securing ingress traffic. (#3997, @GraysonWu)
- Introduce the Group CRD to logically group different network endpoints and reference them together in Antrea NetworkPolicy. (#2438, @qiyueyao @abhiraut)
- Release new Antrea Helm chart version for each Antrea release. (#3935 #3952, @antoninbas @yanjunz97)
- Refer to this document for Helm installation method. (#3989, @antoninbas)
- Support TopologyAwareHints in AntreaProxy. (#3515, @hongliangl)
- Add encap mode support for the Multicast feature. (#3947, @wenyingd)
- Support configurable Geneve, VXLAN, or STT port number for encap mode. (#4065, @Jexf)
- Add Status field to the IPPool CRD: it is used to report usage information for the pool (total number of IPs in the pool and number of IPs that are currently assigned). (#3072 #4088, @ksamoray @tnqn)
- Support updating configuration at runtime for flow-aggregator via antctl or by updating the ConfigMap. (#3642, @yuntanghsu)
- Add antctl commands to set up and delete Multi-cluster ClusterSet. (#3992, @hjiajing)
- Add documentation to set up Multi-cluster ClusterSet with antctl. (#4096, @jianjuns)
Changed
- Antrea now uses OpenFlow 1.5 to program OVS. (#3770, @wenyingd @ashish-varma)
- Rename Windows script Start.ps1 to Start-AntreaAgent.ps1, and rename Stop.ps1 to Stop-AntreaAgent.ps1. (#3904, @wenyingd)
- Unify NodePortLocal behavior across Linux and Windows. Linux agents now support allocating different Node ports for different protocols even when the Pod port number is the same. (#3936, @XinShuYang)
- Antrea IPAM now uses the name of the uplink interface to name the host internal port, and the uplink interface will be renamed with a ~ suffix, e.g. eth0~. (#3938, @gran-vmv)
- Send Neighbor Advertisement messages after creating Pods in an IPv6 cluster. (#3998, @gran-vmv)
- Add an output formatter "raw" to better display multi-line string responses for antctl. (#3589, @Atish-iaf)
- Add new ports to network requirement doc. (#4063, @luolanzone)
- Windows OVS installation script now installs required SSL library if missing. (#4029, @XinShuYang)
- Upgrade whereabouts CNI to v0.5.4 and provide required pluginArgs when invoking the CNI binary. (#3987, @arunvelayutham)
- Remove Grafana flow collector files in the Antrea repo (as they were moved to the Theia repo). (#4048, @dreamtalen)
- Make the following changes to the Multi-cluster feature:
- Add columns of kubectl outputs for Multi-cluster custom resources. (#3923, @jianjuns)
- Use hostNetwork for Multi-cluster controller. (#3965, @luolanzone)
- Update ClusterClaim CRD to v1alpha2. (#3755, @bangqipropel)
- Update GatewayIPPrecedence to support the "external/internal" options. (#3930, @luolanzone)
- Disable metrics API and change the health binding address port to 8080. (#4101, @luolanzone)
- Improve CRD validation. (#4062 #4090 #4043, @luolanzone)
- Auto create MemberClusterAnnounce and update ClusterSet in leader cluster for each member cluster. (#3956 #4054 #4026, @hjiajing @luolanzone)
- Add Multi-cluster Gateway descriptions in the Multi-cluster architecture document. (#3638 #3899, @luolanzone @jianjuns)
Fixed
- Fix reconnection issue between Agent and OVS. (#4091, @wenyingd)
- Fix the wrong DNAT IP used by AntreaProxy for serving NodePort traffic on Windows Nodes. (#4103, @XinShuYang)
- Fix Antrea Octant plugin build. (#4107, @antoninbas)
- Fix Pod-to-external traffic on EKS in policyOnly mode. (#3975, @antoninbas)
- Fix problems caused by Node restart on EKS in policyOnly mode. (#4012 #4042, @antoninbas)
- Fix race conditions in NetworkPolicyController. (#4028, @tnqn)
- Fix FlowExporter memory bloat when export process is dead. (#3994, @wsquan171)
- Fix socket leak in an IPv6 cluster. (#4104, @wenyingd)
- Fix ClickHouse client race during batch commit. (#4071, @wsquan171)
- Retry when retrieval of PodCIDRs fails to avoid Agent crash due to the delay in allocating PodCIDRs for the Node. (#3950, @ksamoray)
- Fix nil pointer issue when ClusterSet is deleted in leader cluster. (#3915, @luolanzone)
- Clean up ResourceExport if the exported Service has no available Endpoints. (#4056, @luolanzone)
Release v1.7.1
Fixed
- Fix FlowExporter memory bloat when export process is dead. (#3994, @wsquan171)
- Fix Pod-to-external traffic on EKS in policyOnly mode. (#3975, @antoninbas)
- Use uplink interface name for host interface internal port to support DHCP client. (#3938, @gran-vmv)
Release v1.8.0-alpha.2
The main purpose of this pre-release is to validate Antrea Helm chart releases.
Release v1.8.0-alpha.1
The main purpose of this pre-release is to validate Antrea Helm chart releases.
Release v1.7.0
Added
- Add TrafficControl feature to control the transmission of Pod traffic; it allows users to mirror or redirect traffic originating from specific Pods or destined for specific Pods to a local network device or a remote destination via a tunnel of various types. (#3644 #3580 #3487, [@tnqn] [@hongliangl] [@wenqiq])
- Refer to this document for more information about this feature.
- Refer to this cookbook for more information about using this feature to provide network-based intrusion detection service to your Pods.
- Add support for the IPsec Certificate-based Authentication. (#3778, [@xliuxu])
- Add an Antrea Agent configuration option ipsec.authenticationMode to specify authentication mode. Supported options are "psk" (default) and "cert".
- Add an Antrea Controller configuration option ipsecCSRSigner.autoApprove to specify the auto-approve policy of Antrea CSR signer for IPsec certificates management. By default, Antrea will auto-approve the CertificateSigningRequest (CSR) if it is verified.
- Add an Antrea Controller configuration option ipsecCSRSigner.selfSignedCA to specify whether to use auto-generated self-signed CA certificate. By default, Antrea will auto-generate a self-signed CA certificate.
- Add the following capabilities to Antrea-native policies:
- Add the following capabilities to the Multicast feature:
- Add antctl get podmulticaststats command to query Pod-level multicast traffic statistics in Agent mode. (#3449, [@ceclinux])
- Add "MulticastGroup" API to query Pods that have joined multicast groups; kubectl get multicastgroups can generate requests and output responses of the API. (#3354 #3449, [@ceclinux])
- Add an Antrea Agent configuration option multicast.igmpQueryInterval to specify the interval at which the antrea-agent sends IGMP queries to Pods. (#3819, [@liu4480])
- Add the following capabilities to the Multi-cluster feature:
- Add the Multi-cluster Gateway functionality which supports routing Multi-cluster Service traffic across clusters through tunnels between the Gateway Nodes. It enables Multi-cluster Service access across clusters, without requiring direct reachability of Pod IPs between clusters. (#3689 #3463 #3603, [@luolanzone])
- Add a number of antctl mc subcommands for bootstrapping Multi-cluster; refer to the Multi-cluster antctl document for more information. (#3474, [@hjiajing])
- Add the following capabilities to secondary network IPAM:
- Add support for NodePortLocal on Windows. (#3453, [@XinShuYang])
- Add support for Traceflow on Windows. (#3022, [@gran-vmv])
- Add support for containerd to antrea-eks-node-init.yml. (#3840, [@antoninbas])
- Add an Antrea Agent configuration option disableTXChecksumOffload to support cases in which the datapath's TX checksum offloading does not work properly. (#3832, [@tnqn])
- Add support for InternalTrafficPolicy in AntreaProxy. (#2792, [@hongliangl])
- Add the following documentation:
- Add documentation for the Antrea Agent RBAC permissions and how to restrict them using Gatekeeper/OPA. (#3694, [@antoninbas])
- Add quick start guide for Antrea Multi-cluster. (#3853, [@luolanzone] [@jianjuns])
- Add documentation for the AntreaProxy feature. (#3679, [@antoninbas])
- Add documentation for secondary network IPAM. (#3634, [@jianjuns])
Changed
- Optimize generic traffic performance by reducing OVS packet recirculation. (#3858, [@tnqn])
- Optimize NodePort traffic performance by reducing OVS packet recirculation. (#3862, [@hongliangl])
- Improve validation for IPPool CRD. (#3570, [@jianjuns])
- Improve validation for egress.to.namespaces.match of AntreaClusterNetworkPolicy rules. (#3727, [@qiyueyao])
- Deprecate the Antrea Agent configuration option multicastInterfaces in favor of multicast.multicastInterfaces. (#3898, [@tnqn])
- Reduce permissions of Antrea Agent ServiceAccount. (#3691, [@xliuxu])
- Create a Secret in the Antrea manifest for the antctl and antrea-agent ServiceAccount as K8s v1.24 no longer creates a token for each ServiceAccount automatically. (#3730, [@antoninbas])
- Implement garbage collector for IP Pools to clean up allocations and reservations for which owner no longer exists. (#3672, [@annakhm])
- Preserve client IP if the selected Endpoint is local regardless of ExternalTrafficPolicy. (#3604, [@hongliangl])
- Add a Helm chart for Antrea and use the Helm templates to generate the standard Antrea YAML manifests. (#3578, [@antoninbas])
- Make "Agent mode" antctl work out-of-the-box on Windows. (#3645, [@antoninbas])
- Truncate SessionAffinity timeout values of Services instead of wrapping around. (#3609, [@antoninbas])
- Move Antrea Windows log dir from C:\k\antrea\logs\ to C:\var\log\antrea\. (#3416, [@GraysonWu])
- Limit max number of data values displayed on Grafana panels. (#3812, [@heanlan])
- Support deploying ClickHouse with Persistent Volume. (#3608, [@yanjunz97])
- Remove support for ELK Flow Collector. (#3738, [@heanlan])
- Improve documentation for Antrea-native policies. (#3512, [@Dyanngg])
- Update OVS version to 2.17.0. (#3591, [@antoninbas])
Fixed
- Fix Egress not working with kube-proxy IPVS strictARP mode. (#3837, [@xliuxu])
- Fix intra-Node Pod traffic bypassing Ingress NetworkPolicies in some scenarios. (#3809, [@hongliangl])
- Fix FQDN policy support for IPv6. (#3869, [@tnqn])
- Fix multicast not working if the AntreaPolicy feature is disabled. (#3807, [@liu4480])
- Fix tolerations for Pods running on control-plane for Kubernetes >= 1.24. (#3731, [@xliuxu])
- Fix DNS resolution error of antrea-agent on AKS by using ClusterFirst dnsPolicy. (#3701, [@tnqn])
- Clean up stale routes installed by AntreaProxy when ProxyAll is disabled. (#3465, [@hongliangl])
- Ensure that Service traffic does not bypass NetworkPolicies when ProxyAll is enabled on Windows. (#3510, [@hongliangl])
- Use IP and MAC to find virtual management adapter to fix Agent crash in some scenarios on Windows. (#3641, [@wenyingd])
- Fix handling of the "reject" packets generated by the Antrea Agent to avoid infinite looping. (#3569, [@GraysonWu])
- Fix export/import of Serv...
Release v1.5.3
Fixed
- Fix export/import of Services with named ports when using the Antrea Multi-cluster feature. (#3561, @luolanzone)
- Fix handling of the "reject" packets generated by the Antrea Agent to avoid infinite looping. (#3569, @GraysonWu)
- Fix DNS resolution error of Antrea Agent on AKS by using ClusterFirst dnsPolicy. (#3701, @tnqn)
- Fix tolerations for Pods running on control-plane for Kubernetes >= 1.24. (#3731, @xliuxu)
- Reduce permissions of Antrea Agent ServiceAccount. (#3691, @xliuxu)
Release v1.6.1
Added
- Add documentation for the Antrea Agent RBAC permissions and how to restrict them using Gatekeeper/OPA. (#3694, @antoninbas)
Fixed
- Clean up stale routes installed by AntreaProxy when ProxyAll is disabled. (#3465, @hongliangl)
- Fix export/import of Services with named ports when using the Antrea Multi-cluster feature. (#3561, @luolanzone)
- Fix handling of the "reject" packets generated by the Antrea Agent to avoid infinite looping. (#3569, @GraysonWu)
- Fix DNS resolution error of Antrea Agent on AKS by using ClusterFirst dnsPolicy. (#3701, @tnqn)
- Fix tolerations for Pods running on control-plane for Kubernetes >= 1.24. (#3731, @xliuxu)
- Reduce permissions of Antrea Agent ServiceAccount. (#3691, @xliuxu)
- [Windows] Ensure that Service traffic does not bypass NetworkPolicies when ProxyAll is enabled. (#3510, @hongliangl)
- Fix Antrea wildcard FQDN NetworkPolicies not working when NodeLocal DNSCache is enabled. (#3510, @hongliangl)