diff --git a/.github/workflows/upload_release_assets.yml b/.github/workflows/upload_release_assets.yml
index 8b81d0fa459..42cb674baba 100644
--- a/.github/workflows/upload_release_assets.yml
+++ b/.github/workflows/upload_release_assets.yml
@@ -119,6 +119,15 @@ jobs:
 asset_path: ./assets/antrea.yml
 asset_name: antrea.yml
 asset_content_type: application/octet-stream
+ - name: Upload antrea-crds.yml
+ uses: actions/upload-release-asset@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ github.event.release.upload_url }}
+ asset_path: ./assets/antrea-crds.yml
+ asset_name: antrea-crds.yml
+ asset_content_type: application/octet-stream
 - name: Upload antrea-ipsec.yml
 uses: actions/upload-release-asset@v1
 env:
@@ -245,3 +254,12 @@ jobs:
 asset_path: ./assets/Start-AntreaAgent.ps1
 asset_name: Start-AntreaAgent.ps1
 asset_content_type: application/octet-stream
+ - name: Upload Antrea Helm chart archive
+ uses: actions/upload-release-asset@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ github.event.release.upload_url }}
+ asset_path: ./assets/antrea-chart.tgz
+ asset_name: antrea-chart.tgz
+ asset_content_type: application/octet-stream
diff --git a/build/charts/antrea/Chart.yaml b/build/charts/antrea/Chart.yaml
index d835cf2b082..0e23a0b566c 100644
--- a/build/charts/antrea/Chart.yaml
+++ b/build/charts/antrea/Chart.yaml
@@ -3,8 +3,8 @@ name: antrea
 type: application
 displayName: Antrea
 home: https://antrea.io/
-version: 1.17.0-dev
-appVersion: 1.17.0-dev
+version: 0.0.0
+appversion: 0.0.0
 kubeVersion: ">= 1.16.0-0"
 icon: https://raw.githubusercontent.com/antrea-io/antrea/main/docs/assets/logo/antrea_logo.svg
 description: Kubernetes networking based on Open vSwitch
@@ -14,5 +14,7 @@ keywords:
 - Networking
 - CNI
 - Security
+ - Open vSwitch
+ - OVS
 sources:
 - https://github.com/antrea-io/antrea
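Review bot: The two new steps in this hunk and in the second hunk of this file (`Upload antrea-crds.yml`, `Upload Antrea Helm chart archive`) reference `actions/upload-release-asset@v1` by a floating tag, so a release run executes whatever that tag points to on the day, with `secrets.GITHUB_TOKEN` in its environment. This matches the existing steps, but as far as I recall that action's repository has been archived upstream, which makes a mutable tag reference harder to justify for a job that publishes release artifacts. Pinning to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: actions/upload-release-asset@<full-commit-sha>  # v1`, keeps the step reproducible; the same change would then belong on the existing steps for consistency. The `jobs:` block these steps belong to starts and ends outside the hunk.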
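Review bot: `+appversion: 0.0.0` changes the key's case from the `appVersion` it replaces; Helm's Chart.yaml field is `appVersion`, so the lowercase key is most likely ignored rather than rejected, leaving `.Chart.AppVersion` empty in rendered templates and in the packaged chart. The line should read `+appVersion: 0.0.0`. If the `0.0.0` placeholder is rewritten at release time by tooling outside this diff, that tooling presumably matches on the exact key as well, so the typo would also break that substitution.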
diff --git a/build/charts/antrea/templates/crds/antreaagentinfo.yaml b/build/charts/antrea/crds/antreaagentinfo.yaml similarity index 100% rename from build/charts/antrea/templates/crds/antreaagentinfo.yaml rename to build/charts/antrea/crds/antreaagentinfo.yaml
diff --git a/build/charts/antrea/templates/crds/antreacontrollerinfo.yaml b/build/charts/antrea/crds/antreacontrollerinfo.yaml similarity index 100% rename from build/charts/antrea/templates/crds/antreacontrollerinfo.yaml rename to build/charts/antrea/crds/antreacontrollerinfo.yaml
diff --git a/build/charts/antrea/templates/crds/clustergroup.yaml b/build/charts/antrea/crds/clustergroup.yaml similarity index 100% rename from build/charts/antrea/templates/crds/clustergroup.yaml rename to build/charts/antrea/crds/clustergroup.yaml
diff --git a/build/charts/antrea/templates/crds/clusternetworkpolicy.yaml b/build/charts/antrea/crds/clusternetworkpolicy.yaml similarity index 100% rename from build/charts/antrea/templates/crds/clusternetworkpolicy.yaml rename to build/charts/antrea/crds/clusternetworkpolicy.yaml
diff --git a/build/charts/antrea/templates/crds/egress.yaml b/build/charts/antrea/crds/egress.yaml similarity index 100% rename from build/charts/antrea/templates/crds/egress.yaml rename to build/charts/antrea/crds/egress.yaml
diff --git a/build/charts/antrea/templates/crds/externalentity.yaml b/build/charts/antrea/crds/externalentity.yaml similarity index 100% rename from build/charts/antrea/templates/crds/externalentity.yaml rename to build/charts/antrea/crds/externalentity.yaml
diff --git a/build/charts/antrea/templates/crds/externalippool.yaml b/build/charts/antrea/crds/externalippool.yaml similarity index 100% rename from build/charts/antrea/templates/crds/externalippool.yaml rename to build/charts/antrea/crds/externalippool.yaml
diff --git a/build/charts/antrea/templates/crds/ippool.yaml b/build/charts/antrea/crds/ippool.yaml similarity index 100% rename from build/charts/antrea/templates/crds/ippool.yaml rename to build/charts/antrea/crds/ippool.yaml
diff --git a/build/charts/antrea/templates/crds/networkpolicy.yaml b/build/charts/antrea/crds/networkpolicy.yaml similarity index 100% rename from build/charts/antrea/templates/crds/networkpolicy.yaml rename to build/charts/antrea/crds/networkpolicy.yaml
diff --git a/build/charts/antrea/templates/crds/tier.yaml b/build/charts/antrea/crds/tier.yaml similarity index 100% rename from build/charts/antrea/templates/crds/tier.yaml rename to build/charts/antrea/crds/tier.yaml
diff --git a/build/charts/antrea/templates/crds/traceflow.yaml b/build/charts/antrea/crds/traceflow.yaml similarity index 100% rename from build/charts/antrea/templates/crds/traceflow.yaml rename to build/charts/antrea/crds/traceflow.yaml
diff --git a/build/charts/antrea/templates/crds/trafficcontrol.yaml b/build/charts/antrea/crds/trafficcontrol.yaml similarity index 100% rename from build/charts/antrea/templates/crds/trafficcontrol.yaml rename to build/charts/antrea/crds/trafficcontrol.yaml
diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml
index 0dac8be1865..613d257595f 100644
--- a/build/yamls/antrea-aks.yml
+++ b/build/yamls/antrea-aks.yml
@@ -1,571 +1,119 @@ --- -# Source: antrea/templates/agent/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: antrea-agent - namespace: kube-system - labels: - app: antrea ---- -# Source: antrea/templates/antctl/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount +# Source: crds/antreaagentinfo.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: antctl - namespace: kube-system + name: antreaagentinfos.crd.antrea.io labels: app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of this Agent + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of this Agent + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Node on which this Agent is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of local Pods managed by this Agent + jsonPath: ".localPodNum" + name: Num Pods + type: integer + priority: 2 + - description: Subnets used by this Agent for Pod IPAM + jsonPath: ".nodeSubnets" + name: Subnets + type: string + priority: 2 + scope: Cluster + names: + plural: antreaagentinfos + singular: antreaagentinfo + kind: AntreaAgentInfo + shortNames: + - aai + --- -# Source: antrea/templates/controller/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount +# Source: crds/antreacontrollerinfo.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: antrea-controller - namespace: kube-system + name: antreacontrollerinfos.crd.antrea.io labels: app: antrea +spec: + 
group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of the Controller + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of the Controller + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Number of Agents connected to the Controller + jsonPath: ".connectedAgentNum" + name: Connected Agents + type: integer + priority: 1 + - description: Node on which the Controller is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of Network Policies computed by Controller + jsonPath: ".networkPolicyControllerInfo.networkPolicyNum" + name: Num Network Policies + type: integer + priority: 2 + scope: Cluster + names: + plural: antreacontrollerinfos + singular: antreacontrollerinfo + kind: AntreaControllerInfo + shortNames: + - aci + --- -# Source: antrea/templates/agent/secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: antrea-agent-service-account-token - namespace: kube-system - annotations: - kubernetes.io/service-account.name: antrea-agent -type: kubernetes.io/service-account-token ---- -# Source: antrea/templates/antctl/secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: antctl-service-account-token - namespace: kube-system - annotations: - kubernetes.io/service-account.name: antctl -type: kubernetes.io/service-account-token ---- -# Source: antrea/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap +# Source: crds/clustergroup.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: antrea-config - 
namespace: kube-system - labels: - app: antrea -data: - antrea-agent.conf: | - # FeatureGates is a map of feature names to bools that enable or disable experimental features. - featureGates: - # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. - # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on - # Service traffic. - # AntreaProxy: true - - # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice - # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, - # this flag will not take effect. - # EndpointSlice: false - - # Enable traceflow which provides packet tracing feature to diagnose network issue. - # Traceflow: true - - # Enable NodePortLocal feature to make the Pods reachable externally through NodePort - # NodePortLocal: true - - # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins - # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy - # feature that supports priorities, rule actions and externalEntities in the future. - # AntreaPolicy: true - - # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each - # agent to a configured collector. - # FlowExporter: false - - # Enable collecting and exposing NetworkPolicy statistics. - # NetworkPolicyStats: true - - # Enable controlling SNAT IPs of Pod egress traffic. - # Egress: true - - # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the - # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for - # IPAM when configuring secondary network interfaces with Multus. - # AntreaIPAM: false - - # Enable multicast traffic. This feature is supported only with noEncap mode. - # Multicast: false - - # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. 
- # This feature is supported only with encap mode. - # Multicluster: false - - # Enable support for provisioning secondary network interfaces for Pods (using - # Pod annotations). At the moment, Antrea can only create secondary network - # interfaces using SR-IOV VFs on baremetal Nodes. - # SecondaryNetwork: false - - # Enable managing external IPs of Services of LoadBalancer type. - # ServiceExternalIP: false - - # Enable mirroring or redirecting the traffic Pods send or receive. - # TrafficControl: false - - # Enable certificated-based authentication for IPsec. - # IPsecCertAuth: false - - # Name of the OpenVSwitch bridge antrea-agent will create and use. - # Make sure it doesn't conflict with your existing OpenVSwitch bridges. - ovsBridge: "br-int" - - # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: - # - system - # - netdev - # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run - # OVS in userspace mode. Userspace mode requires the tun device driver to be available. - #ovsDatapathType: system - - # Name of the interface antrea-agent will create and use for host <--> pod communication. - # Make sure it doesn't conflict with your existing interfaces. - hostGateway: "antrea-gw0" - - # Determines how traffic is encapsulated. It has the following options: - # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network - # traffic is SNAT'd. - # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is - # SNAT'd if noSNAT is not set to true. Underlying network must be capable of - # supporting Pod traffic across IP subnets. - # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. - # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod - # IPAM and connectivity to the primary CNI. 
- # - trafficEncapMode: "networkPolicyOnly" - - # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. - # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap - # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to - # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never - # performs SNAT and this option will be ignored; for other modes it must be set to false. - noSNAT: false - - # Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode, - # this option will not take effect. Supported values: - # - geneve (default) - # - vxlan - # - gre - # - stt - # Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters). - tunnelType: "geneve" - - # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode. - # It has the following options: - # - none (default): Inter-node Pod traffic will not be encrypted. - # - ipsec: Enable IPsec (ESP) encryption for Pod traffic across Nodes. Antrea uses - # Preshared Key (PSK) for IKE authentication. When IPsec tunnel is enabled, - # the PSK value must be passed to Antrea Agent through an environment - # variable: ANTREA_IPSEC_PSK. - # - wireGuard: Enable WireGuard for tunnel traffic encryption. - trafficEncryptionMode: "none" - - # Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected - # to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are - # allocated by AntreaIPAM from IPPools) is sent to the underlay network, and forwarded/routed by the - # underlay network. - # This option requires the `AntreaIPAM` feature gate to be enabled. 
At this moment, it supports only - # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`, - # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. - enableBridgingMode: false - - # Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the - # datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. - # It affects Pods running on Linux Nodes only. - disableTXChecksumOffload: false - - # Default MTU to use for the host gateway interface and the network interface of each Pod. - # If omitted, antrea-agent will discover the MTU of the Node's primary interface and - # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). - defaultMTU: 0 - - # wireGuard specifies WireGuard related configurations. - wireGuard: - # The port for WireGuard to receive traffic. - port: 51820 - - egress: - # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. - exceptCIDRs: - - # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be - # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When - # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. - serviceCIDR: "" - - # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack - # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by - # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. - # No default value for this field. - serviceCIDRv6: "" - - # The port for the antrea-agent APIServer to serve on. - # Note that if it's set to another value, the `containerPort` of the `api` port of the - # `antrea-agent` container must be set to the same value. 
- apiPort: 10350 - - # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. - enablePrometheusMetrics: true - - # Provide the IPFIX collector address as a string with format :[][:]. - # HOST can either be the DNS name or the IP of the Flow Collector. For example, - # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect - # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. - # However, IPv6 address should be wrapped with []. - # If PORT is empty, we default to 4739, the standard IPFIX port. - # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and - # "udp" protocols. "tls" is used for securing communication between flow exporter and - # flow aggregator. - flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" - - # Provide flow poll interval as a duration string. This determines how often the - # flow exporter dumps connections from the conntrack module. Flow poll interval - # should be greater than or equal to 1s (one second). - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - flowPollInterval: "5s" - - # Provide the active flow export timeout, which is the timeout after which a flow - # record is sent to the collector for active flows. Thus, for flows with a continuous - # stream of packets, a flow record will be exported to the collector once the elapsed - # time since the last export event is equal to the value of this timeout. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - activeFlowExportTimeout: "5s" - - # Provide the idle flow export timeout, which is the timeout after which a flow - # record is sent to the collector for idle flows. A flow is considered idle if no - # packet matching this flow has been observed since the last export event. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
- idleFlowExportTimeout: "15s" - - nodePortLocal: - # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To - # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature - # gate is also enabled (which is the default). - enable: false - # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port - # from that range will be assigned whenever a Pod's container defines a specific port to be exposed - # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic - # directed to that port will be forwarded to the Pod. - portRange: "61000-62000" - - # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. - # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. - kubeAPIServerOverride: "" - - # Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy. - # Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53, - # [fd00:10:96::a]:53). - dnsServerOverride: "" - - # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. - # https://golang.org/pkg/crypto/tls/#pkg-constants - # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always - # prefer TLS1.3 Cipher Suites whenever possible. - tlsCipherSuites: "" - - # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - tlsMinVersion: "" - - # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes. - # If there are multiple IP addresses configured on the interface, the first one is used. 
The IP - # address used for tunneling or routing traffic to remote Nodes is decided in the following order of - # preference (from highest to lowest): - # 1. transportInterface - # 2. transportInterfaceCIDRs - # 3. The Node IP - transportInterface: "" - - multicast: - # The names of the interfaces on Nodes that are used to forward multicast traffic. - # Defaults to transport interface if not set. - multicastInterfaces: - - # The interval at which the antrea-agent sends IGMP queries to Pods. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - igmpQueryInterval: "125s" - - # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across - # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The - # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of - # preference (from highest to lowest): - # 1. transportInterface - # 2. transportInterfaceCIDRs - # 3. The Node IP - transportInterfaceCIDRs: - - # Option antreaProxy contains AntreaProxy related configuration options. - antreaProxy: - # ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic, - # regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy - # feature to be enabled. - # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access - # apiserver directly. - proxyAll: false - # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks. - # (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses. - # Note that the option is only valid when proxyAll is true. 
- nodePortAddresses: - # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these - # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name - # with Namespace (e.g. kube-system/kube-dns) - skipServices: - # When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the - # External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional - # capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the - # external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy. - # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and - # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic. - proxyLoadBalancerIPs: true - - # IPsec tunnel related configurations. - ipsec: - # The authentication mode of IPsec tunnel. It has the following options: - # - psk (default): Use pre-shared key (PSK) for IKE authentication. - # - cert: Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth` - # feature gate to be enabled. - authenticationMode: "psk" - - multicluster: - # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. - # This feature is supported only with encap mode. - enable: false - # The Namespace where Antrea Multi-cluster Controller is running. - # The default is antrea-agent's Namespace. 
- namespace: "" - antrea-cni.conflist: | - { - "cniVersion":"0.3.0", - "name": "antrea", - "plugins": [ - { - "type": "antrea", - "ipam": { - "type": "host-local" - } - } - , - { - "type": "portmap", - "capabilities": {"portMappings": true} - } - , - { - "type": "bandwidth", - "capabilities": {"bandwidth": true} - } - ] - } - antrea-controller.conf: | - # FeatureGates is a map of feature names to bools that enable or disable experimental features. - featureGates: - # Enable traceflow which provides packet tracing feature to diagnose network issue. - # Traceflow: true - - # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins - # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy - # feature that supports priorities, rule actions and externalEntities in the future. - # AntreaPolicy: true - - # Enable collecting and exposing NetworkPolicy statistics. - # NetworkPolicyStats: true - - # Enable multicast traffic. This feature is supported only with noEncap mode. - # Multicast: false - - # Enable controlling SNAT IPs of Pod egress traffic. - # Egress: true - - # Run Kubernetes NodeIPAMController with Antrea. - # NodeIPAM: false - - # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the - # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for - # IPAM when configuring secondary network interfaces with Multus. - # AntreaIPAM: false - - # Enable managing external IPs of Services of LoadBalancer type. - # ServiceExternalIP: false - - # Enable certificated-based authentication for IPsec. - # IPsecCertAuth: false - - # The port for the antrea-controller APIServer to serve on. - # Note that if it's set to another value, the `containerPort` of the `api` port of the - # `antrea-controller` container must be set to the same value. - apiPort: 10349 - - # Enable metrics exposure via Prometheus. 
Initializes Prometheus metrics listener. - enablePrometheusMetrics: true - - # Indicates whether to use auto-generated self-signed TLS certificate. - # If false, a Secret named "antrea-controller-tls" must be provided with the following keys: - # ca.crt: - # tls.crt: - # tls.key: - selfSignedCert: true - - # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. - # https://golang.org/pkg/crypto/tls/#pkg-constants - # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always - # prefer TLS1.3 Cipher Suites whenever possible. - tlsCipherSuites: "" - - # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - tlsMinVersion: "" - - nodeIPAM: - # Enable the integrated Node IPAM controller within the Antrea controller. - enableNodeIPAM: false - # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. - # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. - # Value ignored when enableNodeIPAM is false. - clusterCIDRs: - # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. - # Value ignored when enableNodeIPAM is false. - serviceCIDR: "" - serviceCIDRv6: "" - # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false - # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. - nodeCIDRMaskSizeIPv4: 24 - # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false - # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. - nodeCIDRMaskSizeIPv6: 64 - - ipsecCSRSigner: - # Determines the auto-approve policy of Antrea CSR signer for IPsec certificates management. 
- # If enabled, Antrea will auto-approve the CertificateSingingRequest (CSR) if its subject and x509 extensions - # are permitted, and the requestor can be validated. If K8s `BoundServiceAccountTokenVolume` feature is enabled, - # the Pod identity will also be validated to provide maximum security. - # If set to false, Antrea will not auto-approve CertificateSingingRequests and they need to be approved - # manually by `kubectl certificate approve`. - autoApprove: true - # Indicates whether to use auto-generated self-signed CA certificate. - # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys: - # tls.crt: - # tls.key: - selfSignedCA: true ---- -# Source: antrea/templates/crds/antreaagentinfo.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: antreaagentinfos.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - additionalPrinterColumns: - - description: Health status of this Agent - jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status" - name: Healthy - type: string - - description: Last time the Healthy Condition was updated - jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime" - name: Last Heartbeat - type: date - - description: Version of this Agent - jsonPath: ".version" - name: Version - type: string - priority: 1 - - description: Node on which this Agent is running - jsonPath: ".nodeRef.name" - name: Node - type: string - priority: 1 - - description: Number of local Pods managed by this Agent - jsonPath: ".localPodNum" - name: Num Pods - type: integer - priority: 2 - - description: Subnets used by this Agent for Pod IPAM - jsonPath: ".nodeSubnets" - name: Subnets - type: string - priority: 2 - scope: Cluster - names: - plural: antreaagentinfos - singular: antreaagentinfo - kind: 
AntreaAgentInfo - shortNames: - - aai ---- -# Source: antrea/templates/crds/antreacontrollerinfo.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: antreacontrollerinfos.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - additionalPrinterColumns: - - description: Health status of the Controller - jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status" - name: Healthy - type: string - - description: Last time the Healthy Condition was updated - jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime" - name: Last Heartbeat - type: date - - description: Version of the Controller - jsonPath: ".version" - name: Version - type: string - priority: 1 - - description: Number of Agents connected to the Controller - jsonPath: ".connectedAgentNum" - name: Connected Agents - type: integer - priority: 1 - - description: Node on which the Controller is running - jsonPath: ".nodeRef.name" - name: Node - type: string - priority: 1 - - description: Number of Network Policies computed by Controller - jsonPath: ".networkPolicyControllerInfo.networkPolicyNum" - name: Num Network Policies - type: integer - priority: 2 - scope: Cluster - names: - plural: antreacontrollerinfos - singular: antreacontrollerinfo - kind: AntreaControllerInfo - shortNames: - - aci ---- -# Source: antrea/templates/crds/clustergroup.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: clustergroups.crd.antrea.io + name: clustergroups.crd.antrea.io labels: app: antrea spec: @@ -825,8 +373,9 @@ spec: kind: ClusterGroup shortNames: - cg + --- -# Source: antrea/templates/crds/clusternetworkpolicy.yaml +# Source: crds/clusternetworkpolicy.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
@@ -1434,8 +983,9 @@ spec: kind: ClusterNetworkPolicy shortNames: - acnp + --- -# Source: antrea/templates/crds/egress.yaml +# Source: crds/egress.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -1548,8 +1098,9 @@ spec: kind: Egress shortNames: - eg + --- -# Source: antrea/templates/crds/externalentity.yaml +# Source: crds/externalentity.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -1608,8 +1159,9 @@ spec: kind: ExternalEntity shortNames: - ee + --- -# Source: antrea/templates/crds/externalippool.yaml +# Source: crds/externalippool.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -1713,8 +1265,9 @@ spec: kind: ExternalIPPool shortNames: - eip + --- -# Source: antrea/templates/crds/ippool.yaml +# Source: crds/ippool.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -1827,8 +1380,9 @@ spec: kind: IPPool shortNames: - ipp + --- -# Source: antrea/templates/crds/networkpolicy.yaml +# Source: crds/networkpolicy.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -2337,8 +1891,9 @@ spec: kind: NetworkPolicy shortNames: - anp + --- -# Source: antrea/templates/crds/tier.yaml +# Source: crds/tier.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -2381,8 +1936,9 @@ spec: kind: Tier shortNames: - tr + --- -# Source: antrea/templates/crds/traceflow.yaml +# Source: crds/traceflow.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -2634,8 +2190,9 @@ spec: kind: Traceflow shortNames: - tf + --- -# Source: antrea/templates/crds/trafficcontrol.yaml +# Source: crds/trafficcontrol.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
@@ -2919,6 +2476,461 @@ spec: kind: TrafficControl shortNames: - tc + +--- +# Source: antrea/templates/agent/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antrea-agent + namespace: kube-system + labels: + app: antrea +--- +# Source: antrea/templates/antctl/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antctl + namespace: kube-system + labels: + app: antrea +--- +# Source: antrea/templates/controller/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antrea-controller + namespace: kube-system + labels: + app: antrea +--- +# Source: antrea/templates/agent/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: antrea-agent-service-account-token + namespace: kube-system + annotations: + kubernetes.io/service-account.name: antrea-agent +type: kubernetes.io/service-account-token +--- +# Source: antrea/templates/antctl/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: antctl-service-account-token + namespace: kube-system + annotations: + kubernetes.io/service-account.name: antctl +type: kubernetes.io/service-account-token +--- +# Source: antrea/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: antrea-config + namespace: kube-system + labels: + app: antrea +data: + antrea-agent.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. + # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on + # Service traffic. + # AntreaProxy: true + + # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice + # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, + # this flag will not take effect. 
+ # EndpointSlice: false + + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable NodePortLocal feature to make the Pods reachable externally through NodePort + # NodePortLocal: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each + # agent to a configured collector. + # FlowExporter: false + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: true + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: true + + # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the + # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for + # IPAM when configuring secondary network interfaces with Multus. + # AntreaIPAM: false + + # Enable multicast traffic. This feature is supported only with noEncap mode. + # Multicast: false + + # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. + # This feature is supported only with encap mode. + # Multicluster: false + + # Enable support for provisioning secondary network interfaces for Pods (using + # Pod annotations). At the moment, Antrea can only create secondary network + # interfaces using SR-IOV VFs on baremetal Nodes. + # SecondaryNetwork: false + + # Enable managing external IPs of Services of LoadBalancer type. + # ServiceExternalIP: false + + # Enable mirroring or redirecting the traffic Pods send or receive. + # TrafficControl: false + + # Enable certificated-based authentication for IPsec. 
+ # IPsecCertAuth: false + + # Name of the OpenVSwitch bridge antrea-agent will create and use. + # Make sure it doesn't conflict with your existing OpenVSwitch bridges. + ovsBridge: "br-int" + + # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: + # - system + # - netdev + # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run + # OVS in userspace mode. Userspace mode requires the tun device driver to be available. + #ovsDatapathType: system + + # Name of the interface antrea-agent will create and use for host <--> pod communication. + # Make sure it doesn't conflict with your existing interfaces. + hostGateway: "antrea-gw0" + + # Determines how traffic is encapsulated. It has the following options: + # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network + # traffic is SNAT'd. + # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is + # SNAT'd if noSNAT is not set to true. Underlying network must be capable of + # supporting Pod traffic across IP subnets. + # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. + # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod + # IPAM and connectivity to the primary CNI. + # + trafficEncapMode: "networkPolicyOnly" + + # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. + # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap + # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to + # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never + # performs SNAT and this option will be ignored; for other modes it must be set to false. + noSNAT: false + + # Tunnel protocols used for encapsulating traffic across Nodes. 
If WireGuard is enabled in trafficEncryptionMode, + # this option will not take effect. Supported values: + # - geneve (default) + # - vxlan + # - gre + # - stt + # Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters). + tunnelType: "geneve" + + # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode. + # It has the following options: + # - none (default): Inter-node Pod traffic will not be encrypted. + # - ipsec: Enable IPsec (ESP) encryption for Pod traffic across Nodes. Antrea uses + # Preshared Key (PSK) for IKE authentication. When IPsec tunnel is enabled, + # the PSK value must be passed to Antrea Agent through an environment + # variable: ANTREA_IPSEC_PSK. + # - wireGuard: Enable WireGuard for tunnel traffic encryption. + trafficEncryptionMode: "none" + + # Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected + # to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are + # allocated by AntreaIPAM from IPPools) is sent to the underlay network, and forwarded/routed by the + # underlay network. + # This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only + # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`, + # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. + enableBridgingMode: false + + # Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the + # datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. + # It affects Pods running on Linux Nodes only. + disableTXChecksumOffload: false + + # Default MTU to use for the host gateway interface and the network interface of each Pod. 
+ # If omitted, antrea-agent will discover the MTU of the Node's primary interface and + # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). + defaultMTU: 0 + + # wireGuard specifies WireGuard related configurations. + wireGuard: + # The port for WireGuard to receive traffic. + port: 51820 + + egress: + # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. + exceptCIDRs: + + # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be + # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When + # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. + serviceCIDR: "" + + # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack + # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by + # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. + # No default value for this field. + serviceCIDRv6: "" + + # The port for the antrea-agent APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-agent` container must be set to the same value. + apiPort: 10350 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + enablePrometheusMetrics: true + + # Provide the IPFIX collector address as a string with format :[][:]. + # HOST can either be the DNS name or the IP of the Flow Collector. For example, + # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect + # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. + # However, IPv6 address should be wrapped with []. + # If PORT is empty, we default to 4739, the standard IPFIX port. + # If no PROTO is given, we consider "tls" as default. 
We support "tls", "tcp" and + # "udp" protocols. "tls" is used for securing communication between flow exporter and + # flow aggregator. + flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" + + # Provide flow poll interval as a duration string. This determines how often the + # flow exporter dumps connections from the conntrack module. Flow poll interval + # should be greater than or equal to 1s (one second). + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + flowPollInterval: "5s" + + # Provide the active flow export timeout, which is the timeout after which a flow + # record is sent to the collector for active flows. Thus, for flows with a continuous + # stream of packets, a flow record will be exported to the collector once the elapsed + # time since the last export event is equal to the value of this timeout. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + activeFlowExportTimeout: "5s" + + # Provide the idle flow export timeout, which is the timeout after which a flow + # record is sent to the collector for idle flows. A flow is considered idle if no + # packet matching this flow has been observed since the last export event. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + idleFlowExportTimeout: "15s" + + nodePortLocal: + # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To + # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature + # gate is also enabled (which is the default). + enable: false + # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port + # from that range will be assigned whenever a Pod's container defines a specific port to be exposed + # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic + # directed to that port will be forwarded to the Pod. 
+ portRange: "61000-62000" + + # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. + # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. + kubeAPIServerOverride: "" + + # Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy. + # Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53, + # [fd00:10:96::a]:53). + dnsServerOverride: "" + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + tlsCipherSuites: "" + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + tlsMinVersion: "" + + # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes. + # If there are multiple IP addresses configured on the interface, the first one is used. The IP + # address used for tunneling or routing traffic to remote Nodes is decided in the following order of + # preference (from highest to lowest): + # 1. transportInterface + # 2. transportInterfaceCIDRs + # 3. The Node IP + transportInterface: "" + + multicast: + # The names of the interfaces on Nodes that are used to forward multicast traffic. + # Defaults to transport interface if not set. + multicastInterfaces: + + # The interval at which the antrea-agent sends IGMP queries to Pods. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + igmpQueryInterval: "125s" + + # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across + # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. 
The + # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of + # preference (from highest to lowest): + # 1. transportInterface + # 2. transportInterfaceCIDRs + # 3. The Node IP + transportInterfaceCIDRs: + + # Option antreaProxy contains AntreaProxy related configuration options. + antreaProxy: + # ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic, + # regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy + # feature to be enabled. + # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access + # apiserver directly. + proxyAll: false + # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks. + # (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses. + # Note that the option is only valid when proxyAll is true. + nodePortAddresses: + # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these + # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name + # with Namespace (e.g. kube-system/kube-dns) + skipServices: + # When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the + # External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional + # capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the + # external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy. 
+ # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and + # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic. + proxyLoadBalancerIPs: true + + # IPsec tunnel related configurations. + ipsec: + # The authentication mode of IPsec tunnel. It has the following options: + # - psk (default): Use pre-shared key (PSK) for IKE authentication. + # - cert: Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth` + # feature gate to be enabled. + authenticationMode: "psk" + + multicluster: + # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. + # This feature is supported only with encap mode. + enable: false + # The Namespace where Antrea Multi-cluster Controller is running. + # The default is antrea-agent's Namespace. + namespace: "" + antrea-cni.conflist: | + { + "cniVersion":"0.3.0", + "name": "antrea", + "plugins": [ + { + "type": "antrea", + "ipam": { + "type": "host-local" + } + } + , + { + "type": "portmap", + "capabilities": {"portMappings": true} + } + , + { + "type": "bandwidth", + "capabilities": {"bandwidth": true} + } + ] + } + antrea-controller.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: true + + # Enable multicast traffic. This feature is supported only with noEncap mode. 
+ # Multicast: false + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: true + + # Run Kubernetes NodeIPAMController with Antrea. + # NodeIPAM: false + + # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the + # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for + # IPAM when configuring secondary network interfaces with Multus. + # AntreaIPAM: false + + # Enable managing external IPs of Services of LoadBalancer type. + # ServiceExternalIP: false + + # Enable certificated-based authentication for IPsec. + # IPsecCertAuth: false + + # The port for the antrea-controller APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-controller` container must be set to the same value. + apiPort: 10349 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + enablePrometheusMetrics: true + + # Indicates whether to use auto-generated self-signed TLS certificate. + # If false, a Secret named "antrea-controller-tls" must be provided with the following keys: + # ca.crt: + # tls.crt: + # tls.key: + selfSignedCert: true + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + tlsCipherSuites: "" + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + tlsMinVersion: "" + + nodeIPAM: + # Enable the integrated Node IPAM controller within the Antrea controller. + enableNodeIPAM: false + # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. + # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. 
+ # Value ignored when enableNodeIPAM is false. + clusterCIDRs: + # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. + # Value ignored when enableNodeIPAM is false. + serviceCIDR: "" + serviceCIDRv6: "" + # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. + nodeCIDRMaskSizeIPv4: 24 + # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. + nodeCIDRMaskSizeIPv6: 64 + + ipsecCSRSigner: + # Determines the auto-approve policy of Antrea CSR signer for IPsec certificates management. + # If enabled, Antrea will auto-approve the CertificateSingingRequest (CSR) if its subject and x509 extensions + # are permitted, and the requestor can be validated. If K8s `BoundServiceAccountTokenVolume` feature is enabled, + # the Pod identity will also be validated to provide maximum security. + # If set to false, Antrea will not auto-approve CertificateSingingRequests and they need to be approved + # manually by `kubectl certificate approve`. + autoApprove: true + # Indicates whether to use auto-generated self-signed CA certificate. + # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys: + # tls.crt: + # tls.key: + selfSignedCA: true --- # Source: antrea/templates/agent/clusterrole.yaml kind: ClusterRole diff --git a/build/yamls/antrea-crds.yml b/build/yamls/antrea-crds.yml new file mode 100644 index 00000000000..64f7a1a2b62 --- /dev/null +++ b/build/yamls/antrea-crds.yml 
@@ -0,0 +1,2455 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: antreaagentinfos.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of this Agent + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of this Agent + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Node on which this Agent is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of local Pods managed by this Agent + jsonPath: ".localPodNum" + name: Num Pods + type: integer + priority: 2 + - description: Subnets used by this Agent for Pod IPAM + jsonPath: ".nodeSubnets" + name: Subnets + type: string + priority: 2 + scope: Cluster + names: + plural: antreaagentinfos + singular: antreaagentinfo + kind: AntreaAgentInfo + shortNames: + - aai +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: antreacontrollerinfos.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of the Controller + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime" + name: Last Heartbeat + 
type: date + - description: Version of the Controller + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Number of Agents connected to the Controller + jsonPath: ".connectedAgentNum" + name: Connected Agents + type: integer + priority: 1 + - description: Node on which the Controller is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of Network Policies computed by Controller + jsonPath: ".networkPolicyControllerInfo.networkPolicyNum" + name: Num Network Policies + type: integer + priority: 2 + scope: Cluster + names: + plural: antreacontrollerinfos + singular: antreacontrollerinfo + kind: AntreaControllerInfo + shortNames: + - aci +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clustergroups.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: false + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + childGroups: + type: array + items: + type: string + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: 
object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + ipBlocks: + type: array + items: + type: object + properties: + cidr: + type: string + format: cidr + serviceReference: + type: object + properties: + name: + type: string + namespace: + type: string + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + - name: v1alpha3 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + childGroups: + type: array + items: + type: string + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + 
type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlocks: + type: array + items: + type: object + properties: + cidr: + type: string + format: cidr + serviceReference: + type: object + properties: + name: + type: string + namespace: + type: string + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + subresources: + status: {} + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1", "v1beta1"] + clientConfig: + service: + name: "antrea" + namespace: "kube-system" + path: "/convert/clustergroup" + scope: Cluster + names: + plural: clustergroups + singular: clustergroup + kind: ClusterGroup + shortNames: + - cg +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusternetworkpolicies.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - name: Tier + type: string + description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + - name: Priority + type: number + format: float + description: The Priority of this ClusterNetworkPolicy relative to other policies. + jsonPath: .spec.priority + - name: Desired Nodes + type: number + format: int32 + description: The total number of Nodes that should realize the NetworkPolicy. + jsonPath: .status.desiredNodesRealized + - name: Current Nodes + type: number + format: int32 + description: The number of Nodes that have realized the NetworkPolicy. 
+ jsonPath: .status.currentNodesRealized + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + # Ensure that Spec.Priority field is set + required: + - priority + type: object + properties: + tier: + type: string + priority: + type: number + format: float + # Ensure that Spec.Priority field is between 1 and 10000 + minimum: 1.0 + maximum: 10000.0 + appliedTo: + type: array + items: + type: object + # Ensure that Spec.AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + ingress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: 
"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [icmp] + - required: [igmp] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP query (0x11) is valid igmpType in ingress rules. 
+ enum: [ 0x11 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + from: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaces: + type: object + properties: + match: + enum: + - Self + type: string + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + name: + type: string + enableLogging: + type: boolean + egress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object 
+ properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [icmp] + - required: [igmp] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP reports are igmpType in egress rules, + # 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3. + # It will match all IGMP report types if igmpType is not set. 
+ enum: [ 0x12, 0x16, 0x22 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + to: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaces: + type: object + properties: + match: + enum: + - Self + type: string + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + group: + type: string + fqdn: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + toServices: + type: array + items: + type: object + required: + - name + - namespace + properties: + name: + type: string + namespace: + type: string + name: + type: string + enableLogging: + type: boolean + status: + type: object + properties: + phase: + type: string + observedGeneration: + type: integer + currentNodesRealized: + 
type: integer + desiredNodesRealized: + type: integer + subresources: + status: {} + scope: Cluster + names: + plural: clusternetworkpolicies + singular: clusternetworkpolicy + kind: ClusterNetworkPolicy + shortNames: + - acnp +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: egresses.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - appliedTo + anyOf: + - required: + - egressIP + - required: + - externalIPPool + properties: + appliedTo: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + egressIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + externalIPPool: + type: string + status: + type: object + properties: + egressNode: + type: string + additionalPrinterColumns: + - description: Specifies the SNAT IP address for the selected workloads. 
+ jsonPath: .spec.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The Owner Node of egress IP + jsonPath: .status.egressNode + name: Node + type: string + subresources: + status: {} + scope: Cluster + names: + plural: egresses + singular: egress + kind: Egress + shortNames: + - eg +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: externalentities.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + endpoints: + type: array + items: + type: object + properties: + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + name: + type: string + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + name: + type: string + externalNode: + type: string + - name: v1alpha1 + served: false + storage: false + schema: + openAPIV3Schema: + type: object + scope: Namespaced + names: + plural: externalentities + singular: externalentity + kind: ExternalEntity + shortNames: + - ee +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: externalippools.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - ipRanges + - nodeSelector + properties: + ipRanges: + type: array + items: + type: object + oneOf: + - required: + - cidr + - required: + - start + - end + properties: + cidr: + type: string + format: cidr + start: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + end: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + nodeSelector: + 
type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + status: + type: object + properties: + usage: + type: object + properties: + total: + type: integer + used: + type: integer + additionalPrinterColumns: + - description: The number of total IPs + jsonPath: .status.usage.total + name: Total + type: integer + - description: The number of allocated IPs + jsonPath: .status.usage.used + name: Used + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: {} + scope: Cluster + names: + plural: externalippools + singular: externalippool + kind: ExternalIPPool + shortNames: + - eip +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ippools.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + required: + - ipVersion + - ipRanges + type: object + properties: + ipVersion: + type: integer + enum: [ 4, 6 ] + ipRanges: + items: + oneOf: + - required: + - cidr + - gateway + - prefixLength + - required: + - start + - end + - gateway + - prefixLength + properties: + cidr: + format: cidr + type: string + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + gateway: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + prefixLength: + type: integer + minimum: 1 + maximum: 128 + vlan: + type: integer + minimum: 0 + maximum: 4094 + type: object + type: array + status: + properties: + ipAddresses: + items: + properties: + ipAddress: + 
type: string + owner: + properties: + pod: + properties: + name: + type: string + namespace: + type: string + containerID: + type: string + ifName: + type: string + type: object + statefulSet: + properties: + name: + type: string + namespace: + type: string + index: + type: integer + type: object + type: object + phase: + type: string + type: object + type: array + type: object + subresources: + status: {} + scope: Cluster + names: + plural: ippools + singular: ippool + kind: IPPool + shortNames: + - ipp +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: networkpolicies.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - name: Tier + type: string + description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + - name: Priority + type: number + format: float + description: The Priority of this Antrea NetworkPolicy relative to other policies. + jsonPath: .spec.priority + - name: Desired Nodes + type: number + format: int32 + description: The total number of Nodes that should realize the NetworkPolicy. + jsonPath: .status.desiredNodesRealized + - name: Current Nodes + type: number + format: int32 + description: The number of Nodes that have realized the NetworkPolicy. 
+ jsonPath: .status.currentNodesRealized + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + # Ensure that Spec.Priority field is set + required: + - priority + type: object + properties: + tier: + type: string + priority: + type: number + format: float + # Ensure that Spec.Priority field is between 1 and 10000 + minimum: 1.0 + maximum: 10000.0 + appliedTo: + type: array + items: + type: object + # Ensure that Spec.AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ingress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [icmp] + - 
required: [igmp] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP query (0x11) is valid igmpType in ingress rules. + enum: [ 0x11 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + from: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: 
array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + name: + type: string + enableLogging: + type: boolean + egress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [icmp] + - required: [igmp] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP reports are igmpType in egress rules, + # 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3. + # It will match all IGMP report types if igmpType is not set. 
+ enum: [ 0x12, 0x16, 0x22 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + to: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + fqdn: + type: string + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + toServices: + type: array + items: + type: object + required: + - name + properties: + name: + type: string + namespace: + type: string + name: + type: string + enableLogging: + 
type: boolean + status: + type: object + properties: + phase: + type: string + observedGeneration: + type: integer + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + subresources: + status: {} + scope: Namespaced + names: + plural: networkpolicies + singular: networkpolicy + kind: NetworkPolicy + shortNames: + - anp +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: tiers.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - name: Priority + type: integer + description: The Priority of this Tier relative to other Tiers. + jsonPath: .spec.priority + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + required: + - priority + type: object + properties: + priority: + type: integer + minimum: 0 + maximum: 255 + description: + type: string + scope: Cluster + names: + plural: tiers + singular: tier + kind: Tier + shortNames: + - tr +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: traceflows.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - jsonPath: .status.phase + description: The phase of the Traceflow. + name: Phase + type: string + - jsonPath: .spec.source.pod + description: The name of the source Pod. + name: Source-Pod + type: string + priority: 10 + - jsonPath: .spec.destination.pod + description: The name of the destination Pod. + name: Destination-Pod + type: string + priority: 10 + - jsonPath: .spec.destination.ip + description: The IP address of the destination. + name: Destination-IP + type: string + priority: 10 + - jsonPath: .spec.liveTraffic + description: Trace live traffic. 
+ name: Live-Traffic + type: boolean + priority: 10 + - jsonPath: .spec.droppedOnly + description: Capture only the dropped packet. + name: Dropped-Only + type: boolean + priority: 10 + - jsonPath: .spec.timeout + description: Timeout in seconds. + name: Timeout + type: integer + priority: 10 + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + properties: + source: + type: object + properties: + pod: + type: string + namespace: + type: string + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + destination: + type: object + properties: + pod: + type: string + service: + type: string + namespace: + type: string + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + packet: + type: object + properties: + ipHeader: + type: object + properties: + srcIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + protocol: + type: integer + ttl: + type: integer + flags: + type: integer + ipv6Header: + type: object + properties: + srcIP: + type: string + format: ipv6 + nextHeader: + type: integer + hopLimit: + type: integer + transportHeader: + type: object + properties: + icmp: + type: object + properties: + id: + type: integer + sequence: + type: integer + udp: + type: object + properties: + srcPort: + type: integer + dstPort: + type: integer + tcp: + type: object + properties: + srcPort: + type: integer + dstPort: + type: integer + flags: + type: integer + liveTraffic: + type: boolean + droppedOnly: + type: boolean + timeout: + type: integer + status: + type: object + properties: + reason: + type: string + dataplaneTag: + type: integer + phase: + type: string + startTime: + type: string + results: + type: array + items: + type: object + properties: + node: + type: string + role: + type: string + timestamp: + type: integer + observations: + type: array + items: + type: object + properties: + component: + type: string + 
componentInfo: + type: string + action: + type: string + pod: + type: string + dstMAC: + type: string + networkPolicy: + type: string + ttl: + type: integer + translatedSrcIP: + type: string + translatedDstIP: + type: string + tunnelDstIP: + type: string + capturedPacket: + properties: + srcIP: + type: string + dstIP: + type: string + length: + type: integer + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + type: object + transportHeader: + properties: + tcp: + properties: + dstPort: + type: integer + srcPort: + type: integer + flags: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + type: object + type: object + subresources: + status: {} + scope: Cluster + names: + plural: traceflows + singular: traceflow + kind: Traceflow + shortNames: + - tf +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: trafficcontrols.crd.antrea.io +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - appliedTo + - direction + - action + - targetPort + properties: + appliedTo: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: 
object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + direction: + type: string + enum: + - Ingress + - Egress + - Both + action: + type: string + enum: + - Mirror + - Redirect + targetPort: + type: object + oneOf: + - required: [ovsInternal] + - required: [device] + - required: [geneve] + - required: [vxlan] + - required: [gre] + - required: [erspan] + properties: + ovsInternal: + type: object + required: + - name + properties: + name: + type: string + device: + type: object + required: + - name + properties: + name: + type: string + geneve: + type: object + required: + - remoteIP + properties: + remoteIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + vni: + type: integer + minimum: 0 + maximum: 16777215 + destinationPort: + type: integer + minimum: 1 + maximum: 65535 + vxlan: + type: object + required: + - remoteIP + properties: + remoteIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + vni: + type: integer + minimum: 0 + maximum: 16777215 + destinationPort: + type: integer + minimum: 1 + maximum: 65535 + gre: + type: object + required: + - remoteIP + properties: + remoteIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + key: + type: integer + minimum: 0 + maximum: 4294967295 + erspan: + type: object + required: + - remoteIP + - version + properties: + remoteIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + sessionID: + type: integer + minimum: 0 + maximum: 1023 + version: + type: integer + enum: + - 1 + - 2 + index: + type: integer + dir: + type: integer + enum: + - 0 + - 1 + hardwareID: + type: integer + returnPort: + type: object + oneOf: + - required: [ovsInternal] + - required: [device] + - required: [geneve] + - required: [vxlan] + - required: [gre] + properties: + 
ovsInternal: + type: object + required: + - name + properties: + name: + type: string + device: + type: object + required: + - name + properties: + name: + type: string + geneve: + type: object + required: + - remoteIP + properties: + remoteIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + vni: + type: integer + minimum: 0 + maximum: 16777215 + destinationPort: + type: integer + minimum: 1 + maximum: 65535 + vxlan: + type: object + required: + - remoteIP + properties: + remoteIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + vni: + type: integer + minimum: 0 + maximum: 16777215 + destinationPort: + type: integer + minimum: 1 + maximum: 65535 + gre: + type: object + required: + - remoteIP + properties: + remoteIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + key: + type: integer + minimum: 0 + maximum: 4294967295 + additionalPrinterColumns: + - description: Specifies the direction of traffic that should be matched. + jsonPath: .spec.direction + name: Direction + type: string + - description: Specifies the action that should be taken for the traffic. + jsonPath: .spec.action + name: Action + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: {} + scope: Cluster + names: + plural: trafficcontrols + singular: trafficcontrol + kind: TrafficControl + shortNames: + - tc diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml index 9adf78a6d50..bf90bf55705 100644 --- a/build/yamls/antrea-eks.yml +++ b/build/yamls/antrea-eks.yml 
@@ -1,571 +1,119 @@ --- -# Source: antrea/templates/agent/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: antrea-agent - namespace: kube-system - labels: - app: antrea ---- -# Source: antrea/templates/antctl/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount +# Source: crds/antreaagentinfo.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: antctl - namespace: kube-system + name: antreaagentinfos.crd.antrea.io labels: app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of this Agent + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of this Agent + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Node on which this Agent is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of local Pods managed by this Agent + jsonPath: ".localPodNum" + name: Num Pods + type: integer + priority: 2 + - description: Subnets used by this Agent for Pod IPAM + jsonPath: ".nodeSubnets" + name: Subnets + type: string + priority: 2 + scope: Cluster + names: + plural: antreaagentinfos + singular: antreaagentinfo + kind: AntreaAgentInfo + shortNames: + - aai + --- -# Source: antrea/templates/controller/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount +# Source: crds/antreacontrollerinfo.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: antrea-controller - namespace: kube-system + name: antreacontrollerinfos.crd.antrea.io labels: app: antrea +spec: + 
group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of the Controller + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of the Controller + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Number of Agents connected to the Controller + jsonPath: ".connectedAgentNum" + name: Connected Agents + type: integer + priority: 1 + - description: Node on which the Controller is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of Network Policies computed by Controller + jsonPath: ".networkPolicyControllerInfo.networkPolicyNum" + name: Num Network Policies + type: integer + priority: 2 + scope: Cluster + names: + plural: antreacontrollerinfos + singular: antreacontrollerinfo + kind: AntreaControllerInfo + shortNames: + - aci + --- -# Source: antrea/templates/agent/secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: antrea-agent-service-account-token - namespace: kube-system - annotations: - kubernetes.io/service-account.name: antrea-agent -type: kubernetes.io/service-account-token ---- -# Source: antrea/templates/antctl/secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: antctl-service-account-token - namespace: kube-system - annotations: - kubernetes.io/service-account.name: antctl -type: kubernetes.io/service-account-token ---- -# Source: antrea/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap +# Source: crds/clustergroup.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: antrea-config - 
namespace: kube-system - labels: - app: antrea -data: - antrea-agent.conf: | - # FeatureGates is a map of feature names to bools that enable or disable experimental features. - featureGates: - # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. - # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on - # Service traffic. - # AntreaProxy: true - - # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice - # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, - # this flag will not take effect. - # EndpointSlice: false - - # Enable traceflow which provides packet tracing feature to diagnose network issue. - # Traceflow: true - - # Enable NodePortLocal feature to make the Pods reachable externally through NodePort - # NodePortLocal: true - - # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins - # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy - # feature that supports priorities, rule actions and externalEntities in the future. - # AntreaPolicy: true - - # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each - # agent to a configured collector. - # FlowExporter: false - - # Enable collecting and exposing NetworkPolicy statistics. - # NetworkPolicyStats: true - - # Enable controlling SNAT IPs of Pod egress traffic. - # Egress: true - - # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the - # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for - # IPAM when configuring secondary network interfaces with Multus. - # AntreaIPAM: false - - # Enable multicast traffic. This feature is supported only with noEncap mode. - # Multicast: false - - # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. 
- # This feature is supported only with encap mode. - # Multicluster: false - - # Enable support for provisioning secondary network interfaces for Pods (using - # Pod annotations). At the moment, Antrea can only create secondary network - # interfaces using SR-IOV VFs on baremetal Nodes. - # SecondaryNetwork: false - - # Enable managing external IPs of Services of LoadBalancer type. - # ServiceExternalIP: false - - # Enable mirroring or redirecting the traffic Pods send or receive. - # TrafficControl: false - - # Enable certificated-based authentication for IPsec. - # IPsecCertAuth: false - - # Name of the OpenVSwitch bridge antrea-agent will create and use. - # Make sure it doesn't conflict with your existing OpenVSwitch bridges. - ovsBridge: "br-int" - - # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: - # - system - # - netdev - # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run - # OVS in userspace mode. Userspace mode requires the tun device driver to be available. - #ovsDatapathType: system - - # Name of the interface antrea-agent will create and use for host <--> pod communication. - # Make sure it doesn't conflict with your existing interfaces. - hostGateway: "antrea-gw0" - - # Determines how traffic is encapsulated. It has the following options: - # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network - # traffic is SNAT'd. - # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is - # SNAT'd if noSNAT is not set to true. Underlying network must be capable of - # supporting Pod traffic across IP subnets. - # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. - # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod - # IPAM and connectivity to the primary CNI. 
- # - trafficEncapMode: "networkPolicyOnly" - - # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. - # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap - # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to - # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never - # performs SNAT and this option will be ignored; for other modes it must be set to false. - noSNAT: false - - # Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode, - # this option will not take effect. Supported values: - # - geneve (default) - # - vxlan - # - gre - # - stt - # Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters). - tunnelType: "geneve" - - # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode. - # It has the following options: - # - none (default): Inter-node Pod traffic will not be encrypted. - # - ipsec: Enable IPsec (ESP) encryption for Pod traffic across Nodes. Antrea uses - # Preshared Key (PSK) for IKE authentication. When IPsec tunnel is enabled, - # the PSK value must be passed to Antrea Agent through an environment - # variable: ANTREA_IPSEC_PSK. - # - wireGuard: Enable WireGuard for tunnel traffic encryption. - trafficEncryptionMode: "none" - - # Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected - # to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are - # allocated by AntreaIPAM from IPPools) is sent to the underlay network, and forwarded/routed by the - # underlay network. - # This option requires the `AntreaIPAM` feature gate to be enabled. 
At this moment, it supports only - # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`, - # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. - enableBridgingMode: false - - # Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the - # datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. - # It affects Pods running on Linux Nodes only. - disableTXChecksumOffload: false - - # Default MTU to use for the host gateway interface and the network interface of each Pod. - # If omitted, antrea-agent will discover the MTU of the Node's primary interface and - # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). - defaultMTU: 0 - - # wireGuard specifies WireGuard related configurations. - wireGuard: - # The port for WireGuard to receive traffic. - port: 51820 - - egress: - # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. - exceptCIDRs: - - # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be - # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When - # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. - serviceCIDR: "" - - # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack - # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by - # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. - # No default value for this field. - serviceCIDRv6: "" - - # The port for the antrea-agent APIServer to serve on. - # Note that if it's set to another value, the `containerPort` of the `api` port of the - # `antrea-agent` container must be set to the same value. 
- apiPort: 10350 - - # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. - enablePrometheusMetrics: true - - # Provide the IPFIX collector address as a string with format :[][:]. - # HOST can either be the DNS name or the IP of the Flow Collector. For example, - # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect - # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. - # However, IPv6 address should be wrapped with []. - # If PORT is empty, we default to 4739, the standard IPFIX port. - # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and - # "udp" protocols. "tls" is used for securing communication between flow exporter and - # flow aggregator. - flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" - - # Provide flow poll interval as a duration string. This determines how often the - # flow exporter dumps connections from the conntrack module. Flow poll interval - # should be greater than or equal to 1s (one second). - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - flowPollInterval: "5s" - - # Provide the active flow export timeout, which is the timeout after which a flow - # record is sent to the collector for active flows. Thus, for flows with a continuous - # stream of packets, a flow record will be exported to the collector once the elapsed - # time since the last export event is equal to the value of this timeout. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - activeFlowExportTimeout: "5s" - - # Provide the idle flow export timeout, which is the timeout after which a flow - # record is sent to the collector for idle flows. A flow is considered idle if no - # packet matching this flow has been observed since the last export event. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
- idleFlowExportTimeout: "15s" - - nodePortLocal: - # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To - # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature - # gate is also enabled (which is the default). - enable: false - # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port - # from that range will be assigned whenever a Pod's container defines a specific port to be exposed - # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic - # directed to that port will be forwarded to the Pod. - portRange: "61000-62000" - - # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. - # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. - kubeAPIServerOverride: "" - - # Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy. - # Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53, - # [fd00:10:96::a]:53). - dnsServerOverride: "" - - # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. - # https://golang.org/pkg/crypto/tls/#pkg-constants - # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always - # prefer TLS1.3 Cipher Suites whenever possible. - tlsCipherSuites: "" - - # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - tlsMinVersion: "" - - # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes. - # If there are multiple IP addresses configured on the interface, the first one is used. 
The IP - # address used for tunneling or routing traffic to remote Nodes is decided in the following order of - # preference (from highest to lowest): - # 1. transportInterface - # 2. transportInterfaceCIDRs - # 3. The Node IP - transportInterface: "" - - multicast: - # The names of the interfaces on Nodes that are used to forward multicast traffic. - # Defaults to transport interface if not set. - multicastInterfaces: - - # The interval at which the antrea-agent sends IGMP queries to Pods. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - igmpQueryInterval: "125s" - - # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across - # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The - # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of - # preference (from highest to lowest): - # 1. transportInterface - # 2. transportInterfaceCIDRs - # 3. The Node IP - transportInterfaceCIDRs: - - # Option antreaProxy contains AntreaProxy related configuration options. - antreaProxy: - # ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic, - # regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy - # feature to be enabled. - # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access - # apiserver directly. - proxyAll: false - # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks. - # (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses. - # Note that the option is only valid when proxyAll is true. 
- nodePortAddresses: - # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these - # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name - # with Namespace (e.g. kube-system/kube-dns) - skipServices: - # When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the - # External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional - # capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the - # external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy. - # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and - # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic. - proxyLoadBalancerIPs: true - - # IPsec tunnel related configurations. - ipsec: - # The authentication mode of IPsec tunnel. It has the following options: - # - psk (default): Use pre-shared key (PSK) for IKE authentication. - # - cert: Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth` - # feature gate to be enabled. - authenticationMode: "psk" - - multicluster: - # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. - # This feature is supported only with encap mode. - enable: false - # The Namespace where Antrea Multi-cluster Controller is running. - # The default is antrea-agent's Namespace. 
- namespace: "" - antrea-cni.conflist: | - { - "cniVersion":"0.3.0", - "name": "antrea", - "plugins": [ - { - "type": "antrea", - "ipam": { - "type": "host-local" - } - } - , - { - "type": "portmap", - "capabilities": {"portMappings": true} - } - , - { - "type": "bandwidth", - "capabilities": {"bandwidth": true} - } - ] - } - antrea-controller.conf: | - # FeatureGates is a map of feature names to bools that enable or disable experimental features. - featureGates: - # Enable traceflow which provides packet tracing feature to diagnose network issue. - # Traceflow: true - - # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins - # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy - # feature that supports priorities, rule actions and externalEntities in the future. - # AntreaPolicy: true - - # Enable collecting and exposing NetworkPolicy statistics. - # NetworkPolicyStats: true - - # Enable multicast traffic. This feature is supported only with noEncap mode. - # Multicast: false - - # Enable controlling SNAT IPs of Pod egress traffic. - # Egress: true - - # Run Kubernetes NodeIPAMController with Antrea. - # NodeIPAM: false - - # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the - # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for - # IPAM when configuring secondary network interfaces with Multus. - # AntreaIPAM: false - - # Enable managing external IPs of Services of LoadBalancer type. - # ServiceExternalIP: false - - # Enable certificated-based authentication for IPsec. - # IPsecCertAuth: false - - # The port for the antrea-controller APIServer to serve on. - # Note that if it's set to another value, the `containerPort` of the `api` port of the - # `antrea-controller` container must be set to the same value. - apiPort: 10349 - - # Enable metrics exposure via Prometheus. 
Initializes Prometheus metrics listener. - enablePrometheusMetrics: true - - # Indicates whether to use auto-generated self-signed TLS certificate. - # If false, a Secret named "antrea-controller-tls" must be provided with the following keys: - # ca.crt: - # tls.crt: - # tls.key: - selfSignedCert: true - - # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. - # https://golang.org/pkg/crypto/tls/#pkg-constants - # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always - # prefer TLS1.3 Cipher Suites whenever possible. - tlsCipherSuites: "" - - # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - tlsMinVersion: "" - - nodeIPAM: - # Enable the integrated Node IPAM controller within the Antrea controller. - enableNodeIPAM: false - # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. - # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. - # Value ignored when enableNodeIPAM is false. - clusterCIDRs: - # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. - # Value ignored when enableNodeIPAM is false. - serviceCIDR: "" - serviceCIDRv6: "" - # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false - # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. - nodeCIDRMaskSizeIPv4: 24 - # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false - # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. - nodeCIDRMaskSizeIPv6: 64 - - ipsecCSRSigner: - # Determines the auto-approve policy of Antrea CSR signer for IPsec certificates management. 
- # If enabled, Antrea will auto-approve the CertificateSingingRequest (CSR) if its subject and x509 extensions - # are permitted, and the requestor can be validated. If K8s `BoundServiceAccountTokenVolume` feature is enabled, - # the Pod identity will also be validated to provide maximum security. - # If set to false, Antrea will not auto-approve CertificateSingingRequests and they need to be approved - # manually by `kubectl certificate approve`. - autoApprove: true - # Indicates whether to use auto-generated self-signed CA certificate. - # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys: - # tls.crt: - # tls.key: - selfSignedCA: true ---- -# Source: antrea/templates/crds/antreaagentinfo.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: antreaagentinfos.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - additionalPrinterColumns: - - description: Health status of this Agent - jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status" - name: Healthy - type: string - - description: Last time the Healthy Condition was updated - jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime" - name: Last Heartbeat - type: date - - description: Version of this Agent - jsonPath: ".version" - name: Version - type: string - priority: 1 - - description: Node on which this Agent is running - jsonPath: ".nodeRef.name" - name: Node - type: string - priority: 1 - - description: Number of local Pods managed by this Agent - jsonPath: ".localPodNum" - name: Num Pods - type: integer - priority: 2 - - description: Subnets used by this Agent for Pod IPAM - jsonPath: ".nodeSubnets" - name: Subnets - type: string - priority: 2 - scope: Cluster - names: - plural: antreaagentinfos - singular: antreaagentinfo - kind: 
AntreaAgentInfo - shortNames: - - aai ---- -# Source: antrea/templates/crds/antreacontrollerinfo.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: antreacontrollerinfos.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - additionalPrinterColumns: - - description: Health status of the Controller - jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status" - name: Healthy - type: string - - description: Last time the Healthy Condition was updated - jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime" - name: Last Heartbeat - type: date - - description: Version of the Controller - jsonPath: ".version" - name: Version - type: string - priority: 1 - - description: Number of Agents connected to the Controller - jsonPath: ".connectedAgentNum" - name: Connected Agents - type: integer - priority: 1 - - description: Node on which the Controller is running - jsonPath: ".nodeRef.name" - name: Node - type: string - priority: 1 - - description: Number of Network Policies computed by Controller - jsonPath: ".networkPolicyControllerInfo.networkPolicyNum" - name: Num Network Policies - type: integer - priority: 2 - scope: Cluster - names: - plural: antreacontrollerinfos - singular: antreacontrollerinfo - kind: AntreaControllerInfo - shortNames: - - aci ---- -# Source: antrea/templates/crds/clustergroup.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: clustergroups.crd.antrea.io + name: clustergroups.crd.antrea.io labels: app: antrea spec: @@ -825,8 +373,9 @@ spec: kind: ClusterGroup shortNames: - cg + --- -# Source: antrea/templates/crds/clusternetworkpolicy.yaml +# Source: crds/clusternetworkpolicy.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
@@ -1434,8 +983,9 @@ spec: kind: ClusterNetworkPolicy shortNames: - acnp + --- -# Source: antrea/templates/crds/egress.yaml +# Source: crds/egress.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -1548,8 +1098,9 @@ spec: kind: Egress shortNames: - eg + --- -# Source: antrea/templates/crds/externalentity.yaml +# Source: crds/externalentity.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -1608,8 +1159,9 @@ spec: kind: ExternalEntity shortNames: - ee + --- -# Source: antrea/templates/crds/externalippool.yaml +# Source: crds/externalippool.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -1713,8 +1265,9 @@ spec: kind: ExternalIPPool shortNames: - eip + --- -# Source: antrea/templates/crds/ippool.yaml +# Source: crds/ippool.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -1827,8 +1380,9 @@ spec: kind: IPPool shortNames: - ipp + --- -# Source: antrea/templates/crds/networkpolicy.yaml +# Source: crds/networkpolicy.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -2337,8 +1891,9 @@ spec: kind: NetworkPolicy shortNames: - anp + --- -# Source: antrea/templates/crds/tier.yaml +# Source: crds/tier.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -2381,8 +1936,9 @@ spec: kind: Tier shortNames: - tr + --- -# Source: antrea/templates/crds/traceflow.yaml +# Source: crds/traceflow.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -2634,8 +2190,9 @@ spec: kind: Traceflow shortNames: - tf + --- -# Source: antrea/templates/crds/trafficcontrol.yaml +# Source: crds/trafficcontrol.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
@@ -2919,6 +2476,461 @@ spec: kind: TrafficControl shortNames: - tc + +--- +# Source: antrea/templates/agent/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antrea-agent + namespace: kube-system + labels: + app: antrea +--- +# Source: antrea/templates/antctl/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antctl + namespace: kube-system + labels: + app: antrea +--- +# Source: antrea/templates/controller/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antrea-controller + namespace: kube-system + labels: + app: antrea +--- +# Source: antrea/templates/agent/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: antrea-agent-service-account-token + namespace: kube-system + annotations: + kubernetes.io/service-account.name: antrea-agent +type: kubernetes.io/service-account-token +--- +# Source: antrea/templates/antctl/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: antctl-service-account-token + namespace: kube-system + annotations: + kubernetes.io/service-account.name: antctl +type: kubernetes.io/service-account-token +--- +# Source: antrea/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: antrea-config + namespace: kube-system + labels: + app: antrea +data: + antrea-agent.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. + # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on + # Service traffic. + # AntreaProxy: true + + # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice + # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, + # this flag will not take effect. 
+ # EndpointSlice: false + + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable NodePortLocal feature to make the Pods reachable externally through NodePort + # NodePortLocal: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each + # agent to a configured collector. + # FlowExporter: false + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: true + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: true + + # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the + # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for + # IPAM when configuring secondary network interfaces with Multus. + # AntreaIPAM: false + + # Enable multicast traffic. This feature is supported only with noEncap mode. + # Multicast: false + + # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. + # This feature is supported only with encap mode. + # Multicluster: false + + # Enable support for provisioning secondary network interfaces for Pods (using + # Pod annotations). At the moment, Antrea can only create secondary network + # interfaces using SR-IOV VFs on baremetal Nodes. + # SecondaryNetwork: false + + # Enable managing external IPs of Services of LoadBalancer type. + # ServiceExternalIP: false + + # Enable mirroring or redirecting the traffic Pods send or receive. + # TrafficControl: false + + # Enable certificated-based authentication for IPsec. 
+ # IPsecCertAuth: false + + # Name of the OpenVSwitch bridge antrea-agent will create and use. + # Make sure it doesn't conflict with your existing OpenVSwitch bridges. + ovsBridge: "br-int" + + # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: + # - system + # - netdev + # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run + # OVS in userspace mode. Userspace mode requires the tun device driver to be available. + #ovsDatapathType: system + + # Name of the interface antrea-agent will create and use for host <--> pod communication. + # Make sure it doesn't conflict with your existing interfaces. + hostGateway: "antrea-gw0" + + # Determines how traffic is encapsulated. It has the following options: + # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network + # traffic is SNAT'd. + # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is + # SNAT'd if noSNAT is not set to true. Underlying network must be capable of + # supporting Pod traffic across IP subnets. + # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. + # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod + # IPAM and connectivity to the primary CNI. + # + trafficEncapMode: "networkPolicyOnly" + + # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. + # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap + # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to + # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never + # performs SNAT and this option will be ignored; for other modes it must be set to false. + noSNAT: false + + # Tunnel protocols used for encapsulating traffic across Nodes. 
If WireGuard is enabled in trafficEncryptionMode, + # this option will not take effect. Supported values: + # - geneve (default) + # - vxlan + # - gre + # - stt + # Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters). + tunnelType: "geneve" + + # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode. + # It has the following options: + # - none (default): Inter-node Pod traffic will not be encrypted. + # - ipsec: Enable IPsec (ESP) encryption for Pod traffic across Nodes. Antrea uses + # Preshared Key (PSK) for IKE authentication. When IPsec tunnel is enabled, + # the PSK value must be passed to Antrea Agent through an environment + # variable: ANTREA_IPSEC_PSK. + # - wireGuard: Enable WireGuard for tunnel traffic encryption. + trafficEncryptionMode: "none" + + # Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected + # to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are + # allocated by AntreaIPAM from IPPools) is sent to the underlay network, and forwarded/routed by the + # underlay network. + # This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only + # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`, + # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. + enableBridgingMode: false + + # Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the + # datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. + # It affects Pods running on Linux Nodes only. + disableTXChecksumOffload: false + + # Default MTU to use for the host gateway interface and the network interface of each Pod. 
+ # If omitted, antrea-agent will discover the MTU of the Node's primary interface and + # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). + defaultMTU: 0 + + # wireGuard specifies WireGuard related configurations. + wireGuard: + # The port for WireGuard to receive traffic. + port: 51820 + + egress: + # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. + exceptCIDRs: + + # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be + # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When + # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. + serviceCIDR: "" + + # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack + # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by + # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. + # No default value for this field. + serviceCIDRv6: "" + + # The port for the antrea-agent APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-agent` container must be set to the same value. + apiPort: 10350 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + enablePrometheusMetrics: true + + # Provide the IPFIX collector address as a string with format :[][:]. + # HOST can either be the DNS name or the IP of the Flow Collector. For example, + # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect + # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. + # However, IPv6 address should be wrapped with []. + # If PORT is empty, we default to 4739, the standard IPFIX port. + # If no PROTO is given, we consider "tls" as default. 
We support "tls", "tcp" and + # "udp" protocols. "tls" is used for securing communication between flow exporter and + # flow aggregator. + flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" + + # Provide flow poll interval as a duration string. This determines how often the + # flow exporter dumps connections from the conntrack module. Flow poll interval + # should be greater than or equal to 1s (one second). + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + flowPollInterval: "5s" + + # Provide the active flow export timeout, which is the timeout after which a flow + # record is sent to the collector for active flows. Thus, for flows with a continuous + # stream of packets, a flow record will be exported to the collector once the elapsed + # time since the last export event is equal to the value of this timeout. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + activeFlowExportTimeout: "5s" + + # Provide the idle flow export timeout, which is the timeout after which a flow + # record is sent to the collector for idle flows. A flow is considered idle if no + # packet matching this flow has been observed since the last export event. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + idleFlowExportTimeout: "15s" + + nodePortLocal: + # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To + # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature + # gate is also enabled (which is the default). + enable: false + # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port + # from that range will be assigned whenever a Pod's container defines a specific port to be exposed + # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic + # directed to that port will be forwarded to the Pod. 
+ portRange: "61000-62000" + + # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. + # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. + kubeAPIServerOverride: "" + + # Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy. + # Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53, + # [fd00:10:96::a]:53). + dnsServerOverride: "" + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + tlsCipherSuites: "" + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + tlsMinVersion: "" + + # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes. + # If there are multiple IP addresses configured on the interface, the first one is used. The IP + # address used for tunneling or routing traffic to remote Nodes is decided in the following order of + # preference (from highest to lowest): + # 1. transportInterface + # 2. transportInterfaceCIDRs + # 3. The Node IP + transportInterface: "" + + multicast: + # The names of the interfaces on Nodes that are used to forward multicast traffic. + # Defaults to transport interface if not set. + multicastInterfaces: + + # The interval at which the antrea-agent sends IGMP queries to Pods. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + igmpQueryInterval: "125s" + + # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across + # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. 
The + # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of + # preference (from highest to lowest): + # 1. transportInterface + # 2. transportInterfaceCIDRs + # 3. The Node IP + transportInterfaceCIDRs: + + # Option antreaProxy contains AntreaProxy related configuration options. + antreaProxy: + # ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic, + # regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy + # feature to be enabled. + # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access + # apiserver directly. + proxyAll: false + # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks. + # (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses. + # Note that the option is only valid when proxyAll is true. + nodePortAddresses: + # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these + # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name + # with Namespace (e.g. kube-system/kube-dns) + skipServices: + # When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the + # External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional + # capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the + # external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy. 
+ # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and + # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic. + proxyLoadBalancerIPs: true + + # IPsec tunnel related configurations. + ipsec: + # The authentication mode of IPsec tunnel. It has the following options: + # - psk (default): Use pre-shared key (PSK) for IKE authentication. + # - cert: Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth` + # feature gate to be enabled. + authenticationMode: "psk" + + multicluster: + # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. + # This feature is supported only with encap mode. + enable: false + # The Namespace where Antrea Multi-cluster Controller is running. + # The default is antrea-agent's Namespace. + namespace: "" + antrea-cni.conflist: | + { + "cniVersion":"0.3.0", + "name": "antrea", + "plugins": [ + { + "type": "antrea", + "ipam": { + "type": "host-local" + } + } + , + { + "type": "portmap", + "capabilities": {"portMappings": true} + } + , + { + "type": "bandwidth", + "capabilities": {"bandwidth": true} + } + ] + } + antrea-controller.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: true + + # Enable multicast traffic. This feature is supported only with noEncap mode. 
+ # Multicast: false + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: true + + # Run Kubernetes NodeIPAMController with Antrea. + # NodeIPAM: false + + # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the + # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for + # IPAM when configuring secondary network interfaces with Multus. + # AntreaIPAM: false + + # Enable managing external IPs of Services of LoadBalancer type. + # ServiceExternalIP: false + + # Enable certificated-based authentication for IPsec. + # IPsecCertAuth: false + + # The port for the antrea-controller APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-controller` container must be set to the same value. + apiPort: 10349 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + enablePrometheusMetrics: true + + # Indicates whether to use auto-generated self-signed TLS certificate. + # If false, a Secret named "antrea-controller-tls" must be provided with the following keys: + # ca.crt: + # tls.crt: + # tls.key: + selfSignedCert: true + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + tlsCipherSuites: "" + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + tlsMinVersion: "" + + nodeIPAM: + # Enable the integrated Node IPAM controller within the Antrea controller. + enableNodeIPAM: false + # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. + # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. 
+ # Value ignored when enableNodeIPAM is false. + clusterCIDRs: + # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. + # Value ignored when enableNodeIPAM is false. + serviceCIDR: "" + serviceCIDRv6: "" + # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. + nodeCIDRMaskSizeIPv4: 24 + # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. + nodeCIDRMaskSizeIPv6: 64 + + ipsecCSRSigner: + # Determines the auto-approve policy of Antrea CSR signer for IPsec certificates management. + # If enabled, Antrea will auto-approve the CertificateSingingRequest (CSR) if its subject and x509 extensions + # are permitted, and the requestor can be validated. If K8s `BoundServiceAccountTokenVolume` feature is enabled, + # the Pod identity will also be validated to provide maximum security. + # If set to false, Antrea will not auto-approve CertificateSingingRequests and they need to be approved + # manually by `kubectl certificate approve`. + autoApprove: true + # Indicates whether to use auto-generated self-signed CA certificate. + # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys: + # tls.crt: + # tls.key: + selfSignedCA: true --- # Source: antrea/templates/agent/clusterrole.yaml kind: ClusterRole diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml index a4afa9678a3..82bf6c0bfae 100644 --- a/build/yamls/antrea-gke.yml +++ b/build/yamls/antrea-gke.yml 
@@ -1,571 +1,119 @@ --- -# Source: antrea/templates/agent/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: antrea-agent - namespace: kube-system - labels: - app: antrea ---- -# Source: antrea/templates/antctl/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount +# Source: crds/antreaagentinfo.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: antctl - namespace: kube-system + name: antreaagentinfos.crd.antrea.io labels: app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of this Agent + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of this Agent + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Node on which this Agent is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of local Pods managed by this Agent + jsonPath: ".localPodNum" + name: Num Pods + type: integer + priority: 2 + - description: Subnets used by this Agent for Pod IPAM + jsonPath: ".nodeSubnets" + name: Subnets + type: string + priority: 2 + scope: Cluster + names: + plural: antreaagentinfos + singular: antreaagentinfo + kind: AntreaAgentInfo + shortNames: + - aai + --- -# Source: antrea/templates/controller/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount +# Source: crds/antreacontrollerinfo.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: antrea-controller - namespace: kube-system + name: antreacontrollerinfos.crd.antrea.io labels: app: antrea +spec: + 
group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of the Controller + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of the Controller + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Number of Agents connected to the Controller + jsonPath: ".connectedAgentNum" + name: Connected Agents + type: integer + priority: 1 + - description: Node on which the Controller is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of Network Policies computed by Controller + jsonPath: ".networkPolicyControllerInfo.networkPolicyNum" + name: Num Network Policies + type: integer + priority: 2 + scope: Cluster + names: + plural: antreacontrollerinfos + singular: antreacontrollerinfo + kind: AntreaControllerInfo + shortNames: + - aci + --- -# Source: antrea/templates/agent/secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: antrea-agent-service-account-token - namespace: kube-system - annotations: - kubernetes.io/service-account.name: antrea-agent -type: kubernetes.io/service-account-token ---- -# Source: antrea/templates/antctl/secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: antctl-service-account-token - namespace: kube-system - annotations: - kubernetes.io/service-account.name: antctl -type: kubernetes.io/service-account-token ---- -# Source: antrea/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap +# Source: crds/clustergroup.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: antrea-config - 
namespace: kube-system - labels: - app: antrea -data: - antrea-agent.conf: | - # FeatureGates is a map of feature names to bools that enable or disable experimental features. - featureGates: - # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. - # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on - # Service traffic. - # AntreaProxy: true - - # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice - # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, - # this flag will not take effect. - # EndpointSlice: false - - # Enable traceflow which provides packet tracing feature to diagnose network issue. - # Traceflow: true - - # Enable NodePortLocal feature to make the Pods reachable externally through NodePort - # NodePortLocal: true - - # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins - # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy - # feature that supports priorities, rule actions and externalEntities in the future. - # AntreaPolicy: true - - # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each - # agent to a configured collector. - # FlowExporter: false - - # Enable collecting and exposing NetworkPolicy statistics. - # NetworkPolicyStats: true - - # Enable controlling SNAT IPs of Pod egress traffic. - # Egress: true - - # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the - # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for - # IPAM when configuring secondary network interfaces with Multus. - # AntreaIPAM: false - - # Enable multicast traffic. This feature is supported only with noEncap mode. - # Multicast: false - - # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. 
- # This feature is supported only with encap mode. - # Multicluster: false - - # Enable support for provisioning secondary network interfaces for Pods (using - # Pod annotations). At the moment, Antrea can only create secondary network - # interfaces using SR-IOV VFs on baremetal Nodes. - # SecondaryNetwork: false - - # Enable managing external IPs of Services of LoadBalancer type. - # ServiceExternalIP: false - - # Enable mirroring or redirecting the traffic Pods send or receive. - # TrafficControl: false - - # Enable certificated-based authentication for IPsec. - # IPsecCertAuth: false - - # Name of the OpenVSwitch bridge antrea-agent will create and use. - # Make sure it doesn't conflict with your existing OpenVSwitch bridges. - ovsBridge: "br-int" - - # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: - # - system - # - netdev - # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run - # OVS in userspace mode. Userspace mode requires the tun device driver to be available. - #ovsDatapathType: system - - # Name of the interface antrea-agent will create and use for host <--> pod communication. - # Make sure it doesn't conflict with your existing interfaces. - hostGateway: "antrea-gw0" - - # Determines how traffic is encapsulated. It has the following options: - # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network - # traffic is SNAT'd. - # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is - # SNAT'd if noSNAT is not set to true. Underlying network must be capable of - # supporting Pod traffic across IP subnets. - # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. - # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod - # IPAM and connectivity to the primary CNI. 
- # - trafficEncapMode: "noEncap" - - # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. - # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap - # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to - # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never - # performs SNAT and this option will be ignored; for other modes it must be set to false. - noSNAT: false - - # Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode, - # this option will not take effect. Supported values: - # - geneve (default) - # - vxlan - # - gre - # - stt - # Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters). - tunnelType: "geneve" - - # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode. - # It has the following options: - # - none (default): Inter-node Pod traffic will not be encrypted. - # - ipsec: Enable IPsec (ESP) encryption for Pod traffic across Nodes. Antrea uses - # Preshared Key (PSK) for IKE authentication. When IPsec tunnel is enabled, - # the PSK value must be passed to Antrea Agent through an environment - # variable: ANTREA_IPSEC_PSK. - # - wireGuard: Enable WireGuard for tunnel traffic encryption. - trafficEncryptionMode: "none" - - # Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected - # to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are - # allocated by AntreaIPAM from IPPools) is sent to the underlay network, and forwarded/routed by the - # underlay network. - # This option requires the `AntreaIPAM` feature gate to be enabled. 
At this moment, it supports only - # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`, - # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. - enableBridgingMode: false - - # Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the - # datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. - # It affects Pods running on Linux Nodes only. - disableTXChecksumOffload: false - - # Default MTU to use for the host gateway interface and the network interface of each Pod. - # If omitted, antrea-agent will discover the MTU of the Node's primary interface and - # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). - defaultMTU: 0 - - # wireGuard specifies WireGuard related configurations. - wireGuard: - # The port for WireGuard to receive traffic. - port: 51820 - - egress: - # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. - exceptCIDRs: - - # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be - # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When - # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. - serviceCIDR: "" - - # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack - # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by - # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. - # No default value for this field. - serviceCIDRv6: "" - - # The port for the antrea-agent APIServer to serve on. - # Note that if it's set to another value, the `containerPort` of the `api` port of the - # `antrea-agent` container must be set to the same value. 
- apiPort: 10350 - - # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. - enablePrometheusMetrics: true - - # Provide the IPFIX collector address as a string with format :[][:]. - # HOST can either be the DNS name or the IP of the Flow Collector. For example, - # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect - # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. - # However, IPv6 address should be wrapped with []. - # If PORT is empty, we default to 4739, the standard IPFIX port. - # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and - # "udp" protocols. "tls" is used for securing communication between flow exporter and - # flow aggregator. - flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" - - # Provide flow poll interval as a duration string. This determines how often the - # flow exporter dumps connections from the conntrack module. Flow poll interval - # should be greater than or equal to 1s (one second). - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - flowPollInterval: "5s" - - # Provide the active flow export timeout, which is the timeout after which a flow - # record is sent to the collector for active flows. Thus, for flows with a continuous - # stream of packets, a flow record will be exported to the collector once the elapsed - # time since the last export event is equal to the value of this timeout. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - activeFlowExportTimeout: "5s" - - # Provide the idle flow export timeout, which is the timeout after which a flow - # record is sent to the collector for idle flows. A flow is considered idle if no - # packet matching this flow has been observed since the last export event. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
- idleFlowExportTimeout: "15s" - - nodePortLocal: - # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To - # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature - # gate is also enabled (which is the default). - enable: false - # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port - # from that range will be assigned whenever a Pod's container defines a specific port to be exposed - # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic - # directed to that port will be forwarded to the Pod. - portRange: "61000-62000" - - # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. - # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. - kubeAPIServerOverride: "" - - # Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy. - # Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53, - # [fd00:10:96::a]:53). - dnsServerOverride: "" - - # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. - # https://golang.org/pkg/crypto/tls/#pkg-constants - # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always - # prefer TLS1.3 Cipher Suites whenever possible. - tlsCipherSuites: "" - - # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - tlsMinVersion: "" - - # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes. - # If there are multiple IP addresses configured on the interface, the first one is used. 
The IP - # address used for tunneling or routing traffic to remote Nodes is decided in the following order of - # preference (from highest to lowest): - # 1. transportInterface - # 2. transportInterfaceCIDRs - # 3. The Node IP - transportInterface: "" - - multicast: - # The names of the interfaces on Nodes that are used to forward multicast traffic. - # Defaults to transport interface if not set. - multicastInterfaces: - - # The interval at which the antrea-agent sends IGMP queries to Pods. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - igmpQueryInterval: "125s" - - # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across - # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The - # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of - # preference (from highest to lowest): - # 1. transportInterface - # 2. transportInterfaceCIDRs - # 3. The Node IP - transportInterfaceCIDRs: - - # Option antreaProxy contains AntreaProxy related configuration options. - antreaProxy: - # ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic, - # regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy - # feature to be enabled. - # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access - # apiserver directly. - proxyAll: false - # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks. - # (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses. - # Note that the option is only valid when proxyAll is true. 
- nodePortAddresses: - # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these - # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name - # with Namespace (e.g. kube-system/kube-dns) - skipServices: - # When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the - # External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional - # capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the - # external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy. - # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and - # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic. - proxyLoadBalancerIPs: true - - # IPsec tunnel related configurations. - ipsec: - # The authentication mode of IPsec tunnel. It has the following options: - # - psk (default): Use pre-shared key (PSK) for IKE authentication. - # - cert: Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth` - # feature gate to be enabled. - authenticationMode: "psk" - - multicluster: - # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. - # This feature is supported only with encap mode. - enable: false - # The Namespace where Antrea Multi-cluster Controller is running. - # The default is antrea-agent's Namespace. 
- namespace: "" - antrea-cni.conflist: | - { - "cniVersion":"0.3.0", - "name": "antrea", - "plugins": [ - { - "type": "antrea", - "ipam": { - "type": "host-local" - } - } - , - { - "type": "portmap", - "capabilities": {"portMappings": true} - } - , - { - "type": "bandwidth", - "capabilities": {"bandwidth": true} - } - ] - } - antrea-controller.conf: | - # FeatureGates is a map of feature names to bools that enable or disable experimental features. - featureGates: - # Enable traceflow which provides packet tracing feature to diagnose network issue. - # Traceflow: true - - # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins - # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy - # feature that supports priorities, rule actions and externalEntities in the future. - # AntreaPolicy: true - - # Enable collecting and exposing NetworkPolicy statistics. - # NetworkPolicyStats: true - - # Enable multicast traffic. This feature is supported only with noEncap mode. - # Multicast: false - - # Enable controlling SNAT IPs of Pod egress traffic. - # Egress: true - - # Run Kubernetes NodeIPAMController with Antrea. - # NodeIPAM: false - - # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the - # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for - # IPAM when configuring secondary network interfaces with Multus. - # AntreaIPAM: false - - # Enable managing external IPs of Services of LoadBalancer type. - # ServiceExternalIP: false - - # Enable certificated-based authentication for IPsec. - # IPsecCertAuth: false - - # The port for the antrea-controller APIServer to serve on. - # Note that if it's set to another value, the `containerPort` of the `api` port of the - # `antrea-controller` container must be set to the same value. - apiPort: 10349 - - # Enable metrics exposure via Prometheus. 
Initializes Prometheus metrics listener. - enablePrometheusMetrics: true - - # Indicates whether to use auto-generated self-signed TLS certificate. - # If false, a Secret named "antrea-controller-tls" must be provided with the following keys: - # ca.crt: - # tls.crt: - # tls.key: - selfSignedCert: true - - # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. - # https://golang.org/pkg/crypto/tls/#pkg-constants - # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always - # prefer TLS1.3 Cipher Suites whenever possible. - tlsCipherSuites: "" - - # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - tlsMinVersion: "" - - nodeIPAM: - # Enable the integrated Node IPAM controller within the Antrea controller. - enableNodeIPAM: false - # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. - # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. - # Value ignored when enableNodeIPAM is false. - clusterCIDRs: - # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. - # Value ignored when enableNodeIPAM is false. - serviceCIDR: "" - serviceCIDRv6: "" - # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false - # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. - nodeCIDRMaskSizeIPv4: 24 - # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false - # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. - nodeCIDRMaskSizeIPv6: 64 - - ipsecCSRSigner: - # Determines the auto-approve policy of Antrea CSR signer for IPsec certificates management. 
- # If enabled, Antrea will auto-approve the CertificateSingingRequest (CSR) if its subject and x509 extensions - # are permitted, and the requestor can be validated. If K8s `BoundServiceAccountTokenVolume` feature is enabled, - # the Pod identity will also be validated to provide maximum security. - # If set to false, Antrea will not auto-approve CertificateSingingRequests and they need to be approved - # manually by `kubectl certificate approve`. - autoApprove: true - # Indicates whether to use auto-generated self-signed CA certificate. - # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys: - # tls.crt: - # tls.key: - selfSignedCA: true ---- -# Source: antrea/templates/crds/antreaagentinfo.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: antreaagentinfos.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - additionalPrinterColumns: - - description: Health status of this Agent - jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status" - name: Healthy - type: string - - description: Last time the Healthy Condition was updated - jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime" - name: Last Heartbeat - type: date - - description: Version of this Agent - jsonPath: ".version" - name: Version - type: string - priority: 1 - - description: Node on which this Agent is running - jsonPath: ".nodeRef.name" - name: Node - type: string - priority: 1 - - description: Number of local Pods managed by this Agent - jsonPath: ".localPodNum" - name: Num Pods - type: integer - priority: 2 - - description: Subnets used by this Agent for Pod IPAM - jsonPath: ".nodeSubnets" - name: Subnets - type: string - priority: 2 - scope: Cluster - names: - plural: antreaagentinfos - singular: antreaagentinfo - kind: 
AntreaAgentInfo
- shortNames:
- - aai
----
-# Source: antrea/templates/crds/antreacontrollerinfo.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: antreacontrollerinfos.crd.antrea.io
- labels:
- app: antrea
-spec:
- group: crd.antrea.io
- versions:
- - name: v1beta1
- served: true
- storage: true
- schema:
- openAPIV3Schema:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- additionalPrinterColumns:
- - description: Health status of the Controller
- jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status"
- name: Healthy
- type: string
- - description: Last time the Healthy Condition was updated
- jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime"
- name: Last Heartbeat
- type: date
- - description: Version of the Controller
- jsonPath: ".version"
- name: Version
- type: string
- priority: 1
- - description: Number of Agents connected to the Controller
- jsonPath: ".connectedAgentNum"
- name: Connected Agents
- type: integer
- priority: 1
- - description: Node on which the Controller is running
- jsonPath: ".nodeRef.name"
- name: Node
- type: string
- priority: 1
- - description: Number of Network Policies computed by Controller
- jsonPath: ".networkPolicyControllerInfo.networkPolicyNum"
- name: Num Network Policies
- type: integer
- priority: 2
- scope: Cluster
- names:
- plural: antreacontrollerinfos
- singular: antreacontrollerinfo
- kind: AntreaControllerInfo
- shortNames:
- - aci
----
-# Source: antrea/templates/crds/clustergroup.yaml
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- name: clustergroups.crd.antrea.io
+ name: clustergroups.crd.antrea.io
 labels:
 app: antrea
 spec:
@@ -825,8 +373,9 @@ spec:
 kind: ClusterGroup
 shortNames:
 - cg
+
 ---
-# Source: antrea/templates/crds/clusternetworkpolicy.yaml
+# Source: crds/clusternetworkpolicy.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -1434,8 +983,9 @@ spec:
 kind: ClusterNetworkPolicy
 shortNames:
 - acnp
+
 ---
-# Source: antrea/templates/crds/egress.yaml
+# Source: crds/egress.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -1548,8 +1098,9 @@ spec:
 kind: Egress
 shortNames:
 - eg
+
 ---
-# Source: antrea/templates/crds/externalentity.yaml
+# Source: crds/externalentity.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -1608,8 +1159,9 @@ spec:
 kind: ExternalEntity
 shortNames:
 - ee
+
 ---
-# Source: antrea/templates/crds/externalippool.yaml
+# Source: crds/externalippool.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -1713,8 +1265,9 @@ spec:
 kind: ExternalIPPool
 shortNames:
 - eip
+
 ---
-# Source: antrea/templates/crds/ippool.yaml
+# Source: crds/ippool.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -1827,8 +1380,9 @@ spec:
 kind: IPPool
 shortNames:
 - ipp
+
 ---
-# Source: antrea/templates/crds/networkpolicy.yaml
+# Source: crds/networkpolicy.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -2337,8 +1891,9 @@ spec:
 kind: NetworkPolicy
 shortNames:
 - anp
+
 ---
-# Source: antrea/templates/crds/tier.yaml
+# Source: crds/tier.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -2381,8 +1936,9 @@ spec:
 kind: Tier
 shortNames:
 - tr
+
 ---
-# Source: antrea/templates/crds/traceflow.yaml
+# Source: crds/traceflow.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -2634,8 +2190,9 @@ spec:
 kind: Traceflow
 shortNames:
 - tf
+
 ---
-# Source: antrea/templates/crds/trafficcontrol.yaml
+# Source: crds/trafficcontrol.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -2919,6 +2476,461 @@ spec: kind: TrafficControl shortNames: - tc + +--- +# Source: antrea/templates/agent/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antrea-agent + namespace: kube-system + labels: + app: antrea +--- +# Source: antrea/templates/antctl/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antctl + namespace: kube-system + labels: + app: antrea +--- +# Source: antrea/templates/controller/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antrea-controller + namespace: kube-system + labels: + app: antrea +--- +# Source: antrea/templates/agent/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: antrea-agent-service-account-token + namespace: kube-system + annotations: + kubernetes.io/service-account.name: antrea-agent +type: kubernetes.io/service-account-token +--- +# Source: antrea/templates/antctl/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: antctl-service-account-token + namespace: kube-system + annotations: + kubernetes.io/service-account.name: antctl +type: kubernetes.io/service-account-token +--- +# Source: antrea/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: antrea-config + namespace: kube-system + labels: + app: antrea +data: + antrea-agent.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. + # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on + # Service traffic. + # AntreaProxy: true + + # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice + # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, + # this flag will not take effect. 
+ # EndpointSlice: false + + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable NodePortLocal feature to make the Pods reachable externally through NodePort + # NodePortLocal: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each + # agent to a configured collector. + # FlowExporter: false + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: true + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: true + + # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the + # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for + # IPAM when configuring secondary network interfaces with Multus. + # AntreaIPAM: false + + # Enable multicast traffic. This feature is supported only with noEncap mode. + # Multicast: false + + # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. + # This feature is supported only with encap mode. + # Multicluster: false + + # Enable support for provisioning secondary network interfaces for Pods (using + # Pod annotations). At the moment, Antrea can only create secondary network + # interfaces using SR-IOV VFs on baremetal Nodes. + # SecondaryNetwork: false + + # Enable managing external IPs of Services of LoadBalancer type. + # ServiceExternalIP: false + + # Enable mirroring or redirecting the traffic Pods send or receive. + # TrafficControl: false + + # Enable certificated-based authentication for IPsec. 
+ # IPsecCertAuth: false + + # Name of the OpenVSwitch bridge antrea-agent will create and use. + # Make sure it doesn't conflict with your existing OpenVSwitch bridges. + ovsBridge: "br-int" + + # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: + # - system + # - netdev + # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run + # OVS in userspace mode. Userspace mode requires the tun device driver to be available. + #ovsDatapathType: system + + # Name of the interface antrea-agent will create and use for host <--> pod communication. + # Make sure it doesn't conflict with your existing interfaces. + hostGateway: "antrea-gw0" + + # Determines how traffic is encapsulated. It has the following options: + # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network + # traffic is SNAT'd. + # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is + # SNAT'd if noSNAT is not set to true. Underlying network must be capable of + # supporting Pod traffic across IP subnets. + # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. + # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod + # IPAM and connectivity to the primary CNI. + # + trafficEncapMode: "noEncap" + + # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. + # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap + # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to + # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never + # performs SNAT and this option will be ignored; for other modes it must be set to false. + noSNAT: false + + # Tunnel protocols used for encapsulating traffic across Nodes. 
If WireGuard is enabled in trafficEncryptionMode, + # this option will not take effect. Supported values: + # - geneve (default) + # - vxlan + # - gre + # - stt + # Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters). + tunnelType: "geneve" + + # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode. + # It has the following options: + # - none (default): Inter-node Pod traffic will not be encrypted. + # - ipsec: Enable IPsec (ESP) encryption for Pod traffic across Nodes. Antrea uses + # Preshared Key (PSK) for IKE authentication. When IPsec tunnel is enabled, + # the PSK value must be passed to Antrea Agent through an environment + # variable: ANTREA_IPSEC_PSK. + # - wireGuard: Enable WireGuard for tunnel traffic encryption. + trafficEncryptionMode: "none" + + # Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected + # to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are + # allocated by AntreaIPAM from IPPools) is sent to the underlay network, and forwarded/routed by the + # underlay network. + # This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only + # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`, + # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. + enableBridgingMode: false + + # Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the + # datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. + # It affects Pods running on Linux Nodes only. + disableTXChecksumOffload: false + + # Default MTU to use for the host gateway interface and the network interface of each Pod. 
+ # If omitted, antrea-agent will discover the MTU of the Node's primary interface and + # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). + defaultMTU: 0 + + # wireGuard specifies WireGuard related configurations. + wireGuard: + # The port for WireGuard to receive traffic. + port: 51820 + + egress: + # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. + exceptCIDRs: + + # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be + # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When + # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. + serviceCIDR: "" + + # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack + # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by + # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. + # No default value for this field. + serviceCIDRv6: "" + + # The port for the antrea-agent APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-agent` container must be set to the same value. + apiPort: 10350 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + enablePrometheusMetrics: true + + # Provide the IPFIX collector address as a string with format :[][:]. + # HOST can either be the DNS name or the IP of the Flow Collector. For example, + # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect + # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. + # However, IPv6 address should be wrapped with []. + # If PORT is empty, we default to 4739, the standard IPFIX port. + # If no PROTO is given, we consider "tls" as default. 
We support "tls", "tcp" and + # "udp" protocols. "tls" is used for securing communication between flow exporter and + # flow aggregator. + flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" + + # Provide flow poll interval as a duration string. This determines how often the + # flow exporter dumps connections from the conntrack module. Flow poll interval + # should be greater than or equal to 1s (one second). + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + flowPollInterval: "5s" + + # Provide the active flow export timeout, which is the timeout after which a flow + # record is sent to the collector for active flows. Thus, for flows with a continuous + # stream of packets, a flow record will be exported to the collector once the elapsed + # time since the last export event is equal to the value of this timeout. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + activeFlowExportTimeout: "5s" + + # Provide the idle flow export timeout, which is the timeout after which a flow + # record is sent to the collector for idle flows. A flow is considered idle if no + # packet matching this flow has been observed since the last export event. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + idleFlowExportTimeout: "15s" + + nodePortLocal: + # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To + # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature + # gate is also enabled (which is the default). + enable: false + # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port + # from that range will be assigned whenever a Pod's container defines a specific port to be exposed + # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic + # directed to that port will be forwarded to the Pod. 
+ portRange: "61000-62000" + + # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. + # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. + kubeAPIServerOverride: "" + + # Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy. + # Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53, + # [fd00:10:96::a]:53). + dnsServerOverride: "" + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + tlsCipherSuites: "" + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + tlsMinVersion: "" + + # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes. + # If there are multiple IP addresses configured on the interface, the first one is used. The IP + # address used for tunneling or routing traffic to remote Nodes is decided in the following order of + # preference (from highest to lowest): + # 1. transportInterface + # 2. transportInterfaceCIDRs + # 3. The Node IP + transportInterface: "" + + multicast: + # The names of the interfaces on Nodes that are used to forward multicast traffic. + # Defaults to transport interface if not set. + multicastInterfaces: + + # The interval at which the antrea-agent sends IGMP queries to Pods. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + igmpQueryInterval: "125s" + + # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across + # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. 
The + # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of + # preference (from highest to lowest): + # 1. transportInterface + # 2. transportInterfaceCIDRs + # 3. The Node IP + transportInterfaceCIDRs: + + # Option antreaProxy contains AntreaProxy related configuration options. + antreaProxy: + # ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic, + # regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy + # feature to be enabled. + # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access + # apiserver directly. + proxyAll: false + # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks. + # (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses. + # Note that the option is only valid when proxyAll is true. + nodePortAddresses: + # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these + # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name + # with Namespace (e.g. kube-system/kube-dns) + skipServices: + # When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the + # External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional + # capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the + # external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy. 
+ # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and + # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic. + proxyLoadBalancerIPs: true + + # IPsec tunnel related configurations. + ipsec: + # The authentication mode of IPsec tunnel. It has the following options: + # - psk (default): Use pre-shared key (PSK) for IKE authentication. + # - cert: Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth` + # feature gate to be enabled. + authenticationMode: "psk" + + multicluster: + # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. + # This feature is supported only with encap mode. + enable: false + # The Namespace where Antrea Multi-cluster Controller is running. + # The default is antrea-agent's Namespace. + namespace: "" + antrea-cni.conflist: | + { + "cniVersion":"0.3.0", + "name": "antrea", + "plugins": [ + { + "type": "antrea", + "ipam": { + "type": "host-local" + } + } + , + { + "type": "portmap", + "capabilities": {"portMappings": true} + } + , + { + "type": "bandwidth", + "capabilities": {"bandwidth": true} + } + ] + } + antrea-controller.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: true + + # Enable multicast traffic. This feature is supported only with noEncap mode. 
+ # Multicast: false + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: true + + # Run Kubernetes NodeIPAMController with Antrea. + # NodeIPAM: false + + # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the + # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for + # IPAM when configuring secondary network interfaces with Multus. + # AntreaIPAM: false + + # Enable managing external IPs of Services of LoadBalancer type. + # ServiceExternalIP: false + + # Enable certificated-based authentication for IPsec. + # IPsecCertAuth: false + + # The port for the antrea-controller APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-controller` container must be set to the same value. + apiPort: 10349 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + enablePrometheusMetrics: true + + # Indicates whether to use auto-generated self-signed TLS certificate. + # If false, a Secret named "antrea-controller-tls" must be provided with the following keys: + # ca.crt: + # tls.crt: + # tls.key: + selfSignedCert: true + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + tlsCipherSuites: "" + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + tlsMinVersion: "" + + nodeIPAM: + # Enable the integrated Node IPAM controller within the Antrea controller. + enableNodeIPAM: false + # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. + # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. 
+ # Value ignored when enableNodeIPAM is false. + clusterCIDRs: + # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. + # Value ignored when enableNodeIPAM is false. + serviceCIDR: "" + serviceCIDRv6: "" + # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. + nodeCIDRMaskSizeIPv4: 24 + # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. + nodeCIDRMaskSizeIPv6: 64 + + ipsecCSRSigner: + # Determines the auto-approve policy of Antrea CSR signer for IPsec certificates management. + # If enabled, Antrea will auto-approve the CertificateSingingRequest (CSR) if its subject and x509 extensions + # are permitted, and the requestor can be validated. If K8s `BoundServiceAccountTokenVolume` feature is enabled, + # the Pod identity will also be validated to provide maximum security. + # If set to false, Antrea will not auto-approve CertificateSingingRequests and they need to be approved + # manually by `kubectl certificate approve`. + autoApprove: true + # Indicates whether to use auto-generated self-signed CA certificate. + # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys: + # tls.crt: + # tls.key: + selfSignedCA: true --- # Source: antrea/templates/agent/clusterrole.yaml kind: ClusterRole diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml index f3bda059167..a62bb3cc043 100644 --- a/build/yamls/antrea-ipsec.yml +++ b/build/yamls/antrea-ipsec.yml 
@@ -1,584 +1,119 @@ --- -# Source: antrea/templates/agent/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: antrea-agent - namespace: kube-system - labels: - app: antrea ---- -# Source: antrea/templates/antctl/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: antctl - namespace: kube-system - labels: - app: antrea ---- -# Source: antrea/templates/controller/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount +# Source: crds/antreaagentinfo.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: antrea-controller - namespace: kube-system + name: antreaagentinfos.crd.antrea.io labels: app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of this Agent + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of this Agent + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Node on which this Agent is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of local Pods managed by this Agent + jsonPath: ".localPodNum" + name: Num Pods + type: integer + priority: 2 + - description: Subnets used by this Agent for Pod IPAM + jsonPath: ".nodeSubnets" + name: Subnets + type: string + priority: 2 + scope: Cluster + names: + plural: antreaagentinfos + singular: antreaagentinfo + kind: AntreaAgentInfo + shortNames: + - aai + --- -# Source: antrea/templates/agent/ipsec-secret.yaml -apiVersion: v1 -kind: Secret +# Source: crds/antreacontrollerinfo.yaml +apiVersion: 
apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: antrea-ipsec - namespace: kube-system + name: antreacontrollerinfos.crd.antrea.io labels: app: antrea -type: Opaque -stringData: - # Preshared Key used by IKE for authentication with peers. - psk: "changeme" ---- -# Source: antrea/templates/agent/secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: antrea-agent-service-account-token - namespace: kube-system - annotations: - kubernetes.io/service-account.name: antrea-agent -type: kubernetes.io/service-account-token ---- -# Source: antrea/templates/antctl/secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: antctl-service-account-token - namespace: kube-system - annotations: - kubernetes.io/service-account.name: antctl -type: kubernetes.io/service-account-token +spec: + group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of the Controller + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of the Controller + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Number of Agents connected to the Controller + jsonPath: ".connectedAgentNum" + name: Connected Agents + type: integer + priority: 1 + - description: Node on which the Controller is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of Network Policies computed by Controller + jsonPath: ".networkPolicyControllerInfo.networkPolicyNum" + name: Num Network Policies + type: integer + priority: 2 + scope: Cluster + names: + plural: antreacontrollerinfos + singular: 
antreacontrollerinfo + kind: AntreaControllerInfo + shortNames: + - aci + --- -# Source: antrea/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap +# Source: crds/clustergroup.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: antrea-config - namespace: kube-system - labels: - app: antrea -data: - antrea-agent.conf: | - # FeatureGates is a map of feature names to bools that enable or disable experimental features. - featureGates: - # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. - # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on - # Service traffic. - # AntreaProxy: true - - # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice - # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, - # this flag will not take effect. - # EndpointSlice: false - - # Enable traceflow which provides packet tracing feature to diagnose network issue. - # Traceflow: true - - # Enable NodePortLocal feature to make the Pods reachable externally through NodePort - # NodePortLocal: true - - # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins - # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy - # feature that supports priorities, rule actions and externalEntities in the future. - # AntreaPolicy: true - - # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each - # agent to a configured collector. - # FlowExporter: false - - # Enable collecting and exposing NetworkPolicy statistics. - # NetworkPolicyStats: true - - # Enable controlling SNAT IPs of Pod egress traffic. - # Egress: true - - # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the - # bridging mode and allocates IPs to Pods in bridging mode. 
It is also required to use Antrea for - # IPAM when configuring secondary network interfaces with Multus. - # AntreaIPAM: false - - # Enable multicast traffic. This feature is supported only with noEncap mode. - # Multicast: false - - # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. - # This feature is supported only with encap mode. - # Multicluster: false - - # Enable support for provisioning secondary network interfaces for Pods (using - # Pod annotations). At the moment, Antrea can only create secondary network - # interfaces using SR-IOV VFs on baremetal Nodes. - # SecondaryNetwork: false - - # Enable managing external IPs of Services of LoadBalancer type. - # ServiceExternalIP: false - - # Enable mirroring or redirecting the traffic Pods send or receive. - # TrafficControl: false - - # Enable certificated-based authentication for IPsec. - # IPsecCertAuth: false - - # Name of the OpenVSwitch bridge antrea-agent will create and use. - # Make sure it doesn't conflict with your existing OpenVSwitch bridges. - ovsBridge: "br-int" - - # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: - # - system - # - netdev - # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run - # OVS in userspace mode. Userspace mode requires the tun device driver to be available. - #ovsDatapathType: system - - # Name of the interface antrea-agent will create and use for host <--> pod communication. - # Make sure it doesn't conflict with your existing interfaces. - hostGateway: "antrea-gw0" - - # Determines how traffic is encapsulated. It has the following options: - # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network - # traffic is SNAT'd. - # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is - # SNAT'd if noSNAT is not set to true. Underlying network must be capable of - # supporting Pod traffic across IP subnets. 
- # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. - # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod - # IPAM and connectivity to the primary CNI. - # - trafficEncapMode: "encap" - - # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. - # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap - # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to - # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never - # performs SNAT and this option will be ignored; for other modes it must be set to false. - noSNAT: false - - # Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode, - # this option will not take effect. Supported values: - # - geneve (default) - # - vxlan - # - gre - # - stt - # Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters). - tunnelType: "gre" - - # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode. - # It has the following options: - # - none (default): Inter-node Pod traffic will not be encrypted. - # - ipsec: Enable IPsec (ESP) encryption for Pod traffic across Nodes. Antrea uses - # Preshared Key (PSK) for IKE authentication. When IPsec tunnel is enabled, - # the PSK value must be passed to Antrea Agent through an environment - # variable: ANTREA_IPSEC_PSK. - # - wireGuard: Enable WireGuard for tunnel traffic encryption. 
- trafficEncryptionMode: "ipsec" - - # Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected - # to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are - # allocated by AntreaIPAM from IPPools) is sent to the underlay network, and forwarded/routed by the - # underlay network. - # This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only - # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`, - # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. - enableBridgingMode: false - - # Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the - # datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. - # It affects Pods running on Linux Nodes only. - disableTXChecksumOffload: false - - # Default MTU to use for the host gateway interface and the network interface of each Pod. - # If omitted, antrea-agent will discover the MTU of the Node's primary interface and - # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). - defaultMTU: 0 - - # wireGuard specifies WireGuard related configurations. - wireGuard: - # The port for WireGuard to receive traffic. - port: 51820 - - egress: - # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. - exceptCIDRs: - - # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be - # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When - # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. - serviceCIDR: "" - - # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack - # cluster or an IPv6 only cluster. 
The value should be the same as the configuration for kube-apiserver specified by - # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. - # No default value for this field. - serviceCIDRv6: "" - - # The port for the antrea-agent APIServer to serve on. - # Note that if it's set to another value, the `containerPort` of the `api` port of the - # `antrea-agent` container must be set to the same value. - apiPort: 10350 - - # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. - enablePrometheusMetrics: true - - # Provide the IPFIX collector address as a string with format :[][:]. - # HOST can either be the DNS name or the IP of the Flow Collector. For example, - # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect - # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. - # However, IPv6 address should be wrapped with []. - # If PORT is empty, we default to 4739, the standard IPFIX port. - # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and - # "udp" protocols. "tls" is used for securing communication between flow exporter and - # flow aggregator. - flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" - - # Provide flow poll interval as a duration string. This determines how often the - # flow exporter dumps connections from the conntrack module. Flow poll interval - # should be greater than or equal to 1s (one second). - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - flowPollInterval: "5s" - - # Provide the active flow export timeout, which is the timeout after which a flow - # record is sent to the collector for active flows. Thus, for flows with a continuous - # stream of packets, a flow record will be exported to the collector once the elapsed - # time since the last export event is equal to the value of this timeout. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
- activeFlowExportTimeout: "5s" - - # Provide the idle flow export timeout, which is the timeout after which a flow - # record is sent to the collector for idle flows. A flow is considered idle if no - # packet matching this flow has been observed since the last export event. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - idleFlowExportTimeout: "15s" - - nodePortLocal: - # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To - # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature - # gate is also enabled (which is the default). - enable: false - # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port - # from that range will be assigned whenever a Pod's container defines a specific port to be exposed - # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic - # directed to that port will be forwarded to the Pod. - portRange: "61000-62000" - - # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. - # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. - kubeAPIServerOverride: "" - - # Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy. - # Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53, - # [fd00:10:96::a]:53). - dnsServerOverride: "" - - # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. - # https://golang.org/pkg/crypto/tls/#pkg-constants - # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always - # prefer TLS1.3 Cipher Suites whenever possible. - tlsCipherSuites: "" - - # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. 
- tlsMinVersion: "" - - # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes. - # If there are multiple IP addresses configured on the interface, the first one is used. The IP - # address used for tunneling or routing traffic to remote Nodes is decided in the following order of - # preference (from highest to lowest): - # 1. transportInterface - # 2. transportInterfaceCIDRs - # 3. The Node IP - transportInterface: "" - - multicast: - # The names of the interfaces on Nodes that are used to forward multicast traffic. - # Defaults to transport interface if not set. - multicastInterfaces: - - # The interval at which the antrea-agent sends IGMP queries to Pods. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - igmpQueryInterval: "125s" - - # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across - # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The - # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of - # preference (from highest to lowest): - # 1. transportInterface - # 2. transportInterfaceCIDRs - # 3. The Node IP - transportInterfaceCIDRs: - - # Option antreaProxy contains AntreaProxy related configuration options. - antreaProxy: - # ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic, - # regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy - # feature to be enabled. - # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access - # apiserver directly. - proxyAll: false - # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks. - # (e.g. 1.2.3.0/24, 1.2.3.4/32). 
An empty string slice is meant to select all host IPv4/IPv6 addresses. - # Note that the option is only valid when proxyAll is true. - nodePortAddresses: - # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these - # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name - # with Namespace (e.g. kube-system/kube-dns) - skipServices: - # When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the - # External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional - # capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the - # external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy. - # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and - # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic. - proxyLoadBalancerIPs: true - - # IPsec tunnel related configurations. - ipsec: - # The authentication mode of IPsec tunnel. It has the following options: - # - psk (default): Use pre-shared key (PSK) for IKE authentication. - # - cert: Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth` - # feature gate to be enabled. - authenticationMode: "psk" - - multicluster: - # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. - # This feature is supported only with encap mode. - enable: false - # The Namespace where Antrea Multi-cluster Controller is running. - # The default is antrea-agent's Namespace. 
- namespace: "" - antrea-cni.conflist: | - { - "cniVersion":"0.3.0", - "name": "antrea", - "plugins": [ - { - "type": "antrea", - "ipam": { - "type": "host-local" - } - } - , - { - "type": "portmap", - "capabilities": {"portMappings": true} - } - , - { - "type": "bandwidth", - "capabilities": {"bandwidth": true} - } - ] - } - antrea-controller.conf: | - # FeatureGates is a map of feature names to bools that enable or disable experimental features. - featureGates: - # Enable traceflow which provides packet tracing feature to diagnose network issue. - # Traceflow: true - - # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins - # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy - # feature that supports priorities, rule actions and externalEntities in the future. - # AntreaPolicy: true - - # Enable collecting and exposing NetworkPolicy statistics. - # NetworkPolicyStats: true - - # Enable multicast traffic. This feature is supported only with noEncap mode. - # Multicast: false - - # Enable controlling SNAT IPs of Pod egress traffic. - # Egress: true - - # Run Kubernetes NodeIPAMController with Antrea. - # NodeIPAM: false - - # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the - # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for - # IPAM when configuring secondary network interfaces with Multus. - # AntreaIPAM: false - - # Enable managing external IPs of Services of LoadBalancer type. - # ServiceExternalIP: false - - # Enable certificated-based authentication for IPsec. - # IPsecCertAuth: false - - # The port for the antrea-controller APIServer to serve on. - # Note that if it's set to another value, the `containerPort` of the `api` port of the - # `antrea-controller` container must be set to the same value. - apiPort: 10349 - - # Enable metrics exposure via Prometheus. 
Initializes Prometheus metrics listener. - enablePrometheusMetrics: true - - # Indicates whether to use auto-generated self-signed TLS certificate. - # If false, a Secret named "antrea-controller-tls" must be provided with the following keys: - # ca.crt: - # tls.crt: - # tls.key: - selfSignedCert: true - - # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. - # https://golang.org/pkg/crypto/tls/#pkg-constants - # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always - # prefer TLS1.3 Cipher Suites whenever possible. - tlsCipherSuites: "" - - # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - tlsMinVersion: "" - - nodeIPAM: - # Enable the integrated Node IPAM controller within the Antrea controller. - enableNodeIPAM: false - # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. - # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. - # Value ignored when enableNodeIPAM is false. - clusterCIDRs: - # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. - # Value ignored when enableNodeIPAM is false. - serviceCIDR: "" - serviceCIDRv6: "" - # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false - # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. - nodeCIDRMaskSizeIPv4: 24 - # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false - # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. - nodeCIDRMaskSizeIPv6: 64 - - ipsecCSRSigner: - # Determines the auto-approve policy of Antrea CSR signer for IPsec certificates management. 
- # If enabled, Antrea will auto-approve the CertificateSingingRequest (CSR) if its subject and x509 extensions - # are permitted, and the requestor can be validated. If K8s `BoundServiceAccountTokenVolume` feature is enabled, - # the Pod identity will also be validated to provide maximum security. - # If set to false, Antrea will not auto-approve CertificateSingingRequests and they need to be approved - # manually by `kubectl certificate approve`. - autoApprove: true - # Indicates whether to use auto-generated self-signed CA certificate. - # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys: - # tls.crt: - # tls.key: - selfSignedCA: true ---- -# Source: antrea/templates/crds/antreaagentinfo.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: antreaagentinfos.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - additionalPrinterColumns: - - description: Health status of this Agent - jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status" - name: Healthy - type: string - - description: Last time the Healthy Condition was updated - jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime" - name: Last Heartbeat - type: date - - description: Version of this Agent - jsonPath: ".version" - name: Version - type: string - priority: 1 - - description: Node on which this Agent is running - jsonPath: ".nodeRef.name" - name: Node - type: string - priority: 1 - - description: Number of local Pods managed by this Agent - jsonPath: ".localPodNum" - name: Num Pods - type: integer - priority: 2 - - description: Subnets used by this Agent for Pod IPAM - jsonPath: ".nodeSubnets" - name: Subnets - type: string - priority: 2 - scope: Cluster - names: - plural: antreaagentinfos - singular: antreaagentinfo - kind: 
AntreaAgentInfo - shortNames: - - aai ---- -# Source: antrea/templates/crds/antreacontrollerinfo.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: antreacontrollerinfos.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - additionalPrinterColumns: - - description: Health status of the Controller - jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status" - name: Healthy - type: string - - description: Last time the Healthy Condition was updated - jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime" - name: Last Heartbeat - type: date - - description: Version of the Controller - jsonPath: ".version" - name: Version - type: string - priority: 1 - - description: Number of Agents connected to the Controller - jsonPath: ".connectedAgentNum" - name: Connected Agents - type: integer - priority: 1 - - description: Node on which the Controller is running - jsonPath: ".nodeRef.name" - name: Node - type: string - priority: 1 - - description: Number of Network Policies computed by Controller - jsonPath: ".networkPolicyControllerInfo.networkPolicyNum" - name: Num Network Policies - type: integer - priority: 2 - scope: Cluster - names: - plural: antreacontrollerinfos - singular: antreacontrollerinfo - kind: AntreaControllerInfo - shortNames: - - aci ---- -# Source: antrea/templates/crds/clustergroup.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: clustergroups.crd.antrea.io + name: clustergroups.crd.antrea.io labels: app: antrea spec: @@ -838,8 +373,9 @@ spec: kind: ClusterGroup shortNames: - cg + --- -# Source: antrea/templates/crds/clusternetworkpolicy.yaml +# Source: crds/clusternetworkpolicy.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
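Review bot: The CRDs on the new side are now rendered from the chart's `crds/` directory (the `# Source: antrea/templates/crds/...` headers become `# Source: crds/...`), and Helm applies that directory only at install time: `helm upgrade` does not update CRDs from `crds/`, so future schema changes, including any validation tightening on the policy CRDs in the following hunks that carry the same path change, will not reach chart-managed clusters unless the CRD manifests are applied separately. Users applying this generated manifest with kubectl are unaffected, since the CRD documents are still present, now ahead of the ServiceAccounts, Secrets and ConfigMap. Nothing in the manifest or, as far as this diff shows, the chart records that constraint, and the generated file carries no header explaining the new ordering. I would add to the chart documentation a sentence along the lines of `CRDs live in crds/ and are only installed, never upgraded, by Helm; apply the CRD manifests separately when upgrading`, and, if the generator supports a leading comment, `# CRDs are rendered from crds/ and are install-only under Helm` at the top of this file.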
@@ -1447,8 +983,9 @@ spec: kind: ClusterNetworkPolicy shortNames: - acnp + --- -# Source: antrea/templates/crds/egress.yaml +# Source: crds/egress.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -1561,8 +1098,9 @@ spec: kind: Egress shortNames: - eg + --- -# Source: antrea/templates/crds/externalentity.yaml +# Source: crds/externalentity.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -1621,8 +1159,9 @@ spec: kind: ExternalEntity shortNames: - ee + --- -# Source: antrea/templates/crds/externalippool.yaml +# Source: crds/externalippool.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -1726,8 +1265,9 @@ spec: kind: ExternalIPPool shortNames: - eip + --- -# Source: antrea/templates/crds/ippool.yaml +# Source: crds/ippool.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -1840,8 +1380,9 @@ spec: kind: IPPool shortNames: - ipp + --- -# Source: antrea/templates/crds/networkpolicy.yaml +# Source: crds/networkpolicy.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -2350,8 +1891,9 @@ spec: kind: NetworkPolicy shortNames: - anp + --- -# Source: antrea/templates/crds/tier.yaml +# Source: crds/tier.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -2394,8 +1936,9 @@ spec: kind: Tier shortNames: - tr + --- -# Source: antrea/templates/crds/traceflow.yaml +# Source: crds/traceflow.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -2647,8 +2190,9 @@ spec: kind: Traceflow shortNames: - tf + --- -# Source: antrea/templates/crds/trafficcontrol.yaml +# Source: crds/trafficcontrol.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
@@ -2932,6 +2476,474 @@ spec: kind: TrafficControl shortNames: - tc + +--- +# Source: antrea/templates/agent/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antrea-agent + namespace: kube-system + labels: + app: antrea +--- +# Source: antrea/templates/antctl/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antctl + namespace: kube-system + labels: + app: antrea +--- +# Source: antrea/templates/controller/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antrea-controller + namespace: kube-system + labels: + app: antrea +--- +# Source: antrea/templates/agent/ipsec-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: antrea-ipsec + namespace: kube-system + labels: + app: antrea +type: Opaque +stringData: + # Preshared Key used by IKE for authentication with peers. + psk: "changeme" +--- +# Source: antrea/templates/agent/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: antrea-agent-service-account-token + namespace: kube-system + annotations: + kubernetes.io/service-account.name: antrea-agent +type: kubernetes.io/service-account-token +--- +# Source: antrea/templates/antctl/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: antctl-service-account-token + namespace: kube-system + annotations: + kubernetes.io/service-account.name: antctl +type: kubernetes.io/service-account-token +--- +# Source: antrea/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: antrea-config + namespace: kube-system + labels: + app: antrea +data: + antrea-agent.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. + # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on + # Service traffic. + # AntreaProxy: true + + # Enable EndpointSlice support in AntreaProxy. 
Don't enable this feature unless that EndpointSlice + # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, + # this flag will not take effect. + # EndpointSlice: false + + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable NodePortLocal feature to make the Pods reachable externally through NodePort + # NodePortLocal: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each + # agent to a configured collector. + # FlowExporter: false + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: true + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: true + + # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the + # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for + # IPAM when configuring secondary network interfaces with Multus. + # AntreaIPAM: false + + # Enable multicast traffic. This feature is supported only with noEncap mode. + # Multicast: false + + # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. + # This feature is supported only with encap mode. + # Multicluster: false + + # Enable support for provisioning secondary network interfaces for Pods (using + # Pod annotations). At the moment, Antrea can only create secondary network + # interfaces using SR-IOV VFs on baremetal Nodes. + # SecondaryNetwork: false + + # Enable managing external IPs of Services of LoadBalancer type. 
+ # ServiceExternalIP: false + + # Enable mirroring or redirecting the traffic Pods send or receive. + # TrafficControl: false + + # Enable certificated-based authentication for IPsec. + # IPsecCertAuth: false + + # Name of the OpenVSwitch bridge antrea-agent will create and use. + # Make sure it doesn't conflict with your existing OpenVSwitch bridges. + ovsBridge: "br-int" + + # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: + # - system + # - netdev + # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run + # OVS in userspace mode. Userspace mode requires the tun device driver to be available. + #ovsDatapathType: system + + # Name of the interface antrea-agent will create and use for host <--> pod communication. + # Make sure it doesn't conflict with your existing interfaces. + hostGateway: "antrea-gw0" + + # Determines how traffic is encapsulated. It has the following options: + # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network + # traffic is SNAT'd. + # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is + # SNAT'd if noSNAT is not set to true. Underlying network must be capable of + # supporting Pod traffic across IP subnets. + # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. + # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod + # IPAM and connectivity to the primary CNI. + # + trafficEncapMode: "encap" + + # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. + # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap + # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to + # the external network needs not be SNAT'd. 
In the networkPolicyOnly mode, antrea-agent never + # performs SNAT and this option will be ignored; for other modes it must be set to false. + noSNAT: false + + # Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode, + # this option will not take effect. Supported values: + # - geneve (default) + # - vxlan + # - gre + # - stt + # Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters). + tunnelType: "gre" + + # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode. + # It has the following options: + # - none (default): Inter-node Pod traffic will not be encrypted. + # - ipsec: Enable IPsec (ESP) encryption for Pod traffic across Nodes. Antrea uses + # Preshared Key (PSK) for IKE authentication. When IPsec tunnel is enabled, + # the PSK value must be passed to Antrea Agent through an environment + # variable: ANTREA_IPSEC_PSK. + # - wireGuard: Enable WireGuard for tunnel traffic encryption. + trafficEncryptionMode: "ipsec" + + # Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected + # to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are + # allocated by AntreaIPAM from IPPools) is sent to the underlay network, and forwarded/routed by the + # underlay network. + # This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only + # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`, + # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. + enableBridgingMode: false + + # Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the + # datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. + # It affects Pods running on Linux Nodes only. 
+ disableTXChecksumOffload: false + + # Default MTU to use for the host gateway interface and the network interface of each Pod. + # If omitted, antrea-agent will discover the MTU of the Node's primary interface and + # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). + defaultMTU: 0 + + # wireGuard specifies WireGuard related configurations. + wireGuard: + # The port for WireGuard to receive traffic. + port: 51820 + + egress: + # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. + exceptCIDRs: + + # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be + # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When + # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. + serviceCIDR: "" + + # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack + # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by + # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. + # No default value for this field. + serviceCIDRv6: "" + + # The port for the antrea-agent APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-agent` container must be set to the same value. + apiPort: 10350 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + enablePrometheusMetrics: true + + # Provide the IPFIX collector address as a string with format :[][:]. + # HOST can either be the DNS name or the IP of the Flow Collector. For example, + # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect + # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. + # However, IPv6 address should be wrapped with []. 
+ # If PORT is empty, we default to 4739, the standard IPFIX port. + # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and + # "udp" protocols. "tls" is used for securing communication between flow exporter and + # flow aggregator. + flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" + + # Provide flow poll interval as a duration string. This determines how often the + # flow exporter dumps connections from the conntrack module. Flow poll interval + # should be greater than or equal to 1s (one second). + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + flowPollInterval: "5s" + + # Provide the active flow export timeout, which is the timeout after which a flow + # record is sent to the collector for active flows. Thus, for flows with a continuous + # stream of packets, a flow record will be exported to the collector once the elapsed + # time since the last export event is equal to the value of this timeout. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + activeFlowExportTimeout: "5s" + + # Provide the idle flow export timeout, which is the timeout after which a flow + # record is sent to the collector for idle flows. A flow is considered idle if no + # packet matching this flow has been observed since the last export event. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + idleFlowExportTimeout: "15s" + + nodePortLocal: + # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To + # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature + # gate is also enabled (which is the default). + enable: false + # Provide the port range used by NodePortLocal. 
When the NodePortLocal feature is enabled, a port + # from that range will be assigned whenever a Pod's container defines a specific port to be exposed + # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic + # directed to that port will be forwarded to the Pod. + portRange: "61000-62000" + + # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. + # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. + kubeAPIServerOverride: "" + + # Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy. + # Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53, + # [fd00:10:96::a]:53). + dnsServerOverride: "" + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + tlsCipherSuites: "" + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + tlsMinVersion: "" + + # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes. + # If there are multiple IP addresses configured on the interface, the first one is used. The IP + # address used for tunneling or routing traffic to remote Nodes is decided in the following order of + # preference (from highest to lowest): + # 1. transportInterface + # 2. transportInterfaceCIDRs + # 3. The Node IP + transportInterface: "" + + multicast: + # The names of the interfaces on Nodes that are used to forward multicast traffic. + # Defaults to transport interface if not set. + multicastInterfaces: + + # The interval at which the antrea-agent sends IGMP queries to Pods. 
+ # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + igmpQueryInterval: "125s" + + # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across + # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The + # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of + # preference (from highest to lowest): + # 1. transportInterface + # 2. transportInterfaceCIDRs + # 3. The Node IP + transportInterfaceCIDRs: + + # Option antreaProxy contains AntreaProxy related configuration options. + antreaProxy: + # ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic, + # regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy + # feature to be enabled. + # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access + # apiserver directly. + proxyAll: false + # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks. + # (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses. + # Note that the option is only valid when proxyAll is true. + nodePortAddresses: + # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these + # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name + # with Namespace (e.g. kube-system/kube-dns) + skipServices: + # When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the + # External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional + # capabilities (e.g. 
TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the + # external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy. + # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and + # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic. + proxyLoadBalancerIPs: true + + # IPsec tunnel related configurations. + ipsec: + # The authentication mode of IPsec tunnel. It has the following options: + # - psk (default): Use pre-shared key (PSK) for IKE authentication. + # - cert: Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth` + # feature gate to be enabled. + authenticationMode: "psk" + + multicluster: + # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. + # This feature is supported only with encap mode. + enable: false + # The Namespace where Antrea Multi-cluster Controller is running. + # The default is antrea-agent's Namespace. + namespace: "" + antrea-cni.conflist: | + { + "cniVersion":"0.3.0", + "name": "antrea", + "plugins": [ + { + "type": "antrea", + "ipam": { + "type": "host-local" + } + } + , + { + "type": "portmap", + "capabilities": {"portMappings": true} + } + , + { + "type": "bandwidth", + "capabilities": {"bandwidth": true} + } + ] + } + antrea-controller.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable collecting and exposing NetworkPolicy statistics. 
+ # NetworkPolicyStats: true + + # Enable multicast traffic. This feature is supported only with noEncap mode. + # Multicast: false + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: true + + # Run Kubernetes NodeIPAMController with Antrea. + # NodeIPAM: false + + # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the + # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for + # IPAM when configuring secondary network interfaces with Multus. + # AntreaIPAM: false + + # Enable managing external IPs of Services of LoadBalancer type. + # ServiceExternalIP: false + + # Enable certificated-based authentication for IPsec. + # IPsecCertAuth: false + + # The port for the antrea-controller APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-controller` container must be set to the same value. + apiPort: 10349 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + enablePrometheusMetrics: true + + # Indicates whether to use auto-generated self-signed TLS certificate. + # If false, a Secret named "antrea-controller-tls" must be provided with the following keys: + # ca.crt: + # tls.crt: + # tls.key: + selfSignedCert: true + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + tlsCipherSuites: "" + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + tlsMinVersion: "" + + nodeIPAM: + # Enable the integrated Node IPAM controller within the Antrea controller. + enableNodeIPAM: false + # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. 
+ # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. + # Value ignored when enableNodeIPAM is false. + clusterCIDRs: + # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. + # Value ignored when enableNodeIPAM is false. + serviceCIDR: "" + serviceCIDRv6: "" + # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. + nodeCIDRMaskSizeIPv4: 24 + # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. + nodeCIDRMaskSizeIPv6: 64 + + ipsecCSRSigner: + # Determines the auto-approve policy of Antrea CSR signer for IPsec certificates management. + # If enabled, Antrea will auto-approve the CertificateSingingRequest (CSR) if its subject and x509 extensions + # are permitted, and the requestor can be validated. If K8s `BoundServiceAccountTokenVolume` feature is enabled, + # the Pod identity will also be validated to provide maximum security. + # If set to false, Antrea will not auto-approve CertificateSingingRequests and they need to be approved + # manually by `kubectl certificate approve`. + autoApprove: true + # Indicates whether to use auto-generated self-signed CA certificate. + # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys: + # tls.crt: + # tls.key: + selfSignedCA: true --- # Source: antrea/templates/agent/clusterrole.yaml kind: ClusterRole diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml index 78717183955..1bb9be1c0f5 100644 --- a/build/yamls/antrea.yml +++ b/build/yamls/antrea.yml 
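Review bot: The `antrea-ipsec` Secret added in this hunk carries `psk: "changeme"` as a literal IKE pre-shared key in a manifest intended to be applied as-is, and the only comment next to it, `# Preshared Key used by IKE for authentication with peers.`, does not say the value is a placeholder. Since this file is rendered from the chart (the hunk's `# Source: antrea/templates/agent/ipsec-secret.yaml` line), the fix belongs in that template rather than in the rendered output: extend the comment to `# Preshared Key used by IKE for authentication with peers. "changeme" is a placeholder; replace it with a strong, unique secret before applying this manifest.` The ConfigMap's `trafficEncryptionMode` comment further down the hunk says the PSK reaches the agent through the `ANTREA_IPSEC_PSK` environment variable; presumably that variable is populated from this Secret, so naming that link in the same comment would help operators find the value they must change. The Secret looks moved rather than introduced by this commit (the hunk only adds it here), so this is a pre-existing gap the reorder does not address.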
@@ -1,571 +1,119 @@ --- -# Source: antrea/templates/agent/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: antrea-agent - namespace: kube-system - labels: - app: antrea ---- -# Source: antrea/templates/antctl/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount +# Source: crds/antreaagentinfo.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: antctl - namespace: kube-system + name: antreaagentinfos.crd.antrea.io labels: app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of this Agent + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of this Agent + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Node on which this Agent is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of local Pods managed by this Agent + jsonPath: ".localPodNum" + name: Num Pods + type: integer + priority: 2 + - description: Subnets used by this Agent for Pod IPAM + jsonPath: ".nodeSubnets" + name: Subnets + type: string + priority: 2 + scope: Cluster + names: + plural: antreaagentinfos + singular: antreaagentinfo + kind: AntreaAgentInfo + shortNames: + - aai + --- -# Source: antrea/templates/controller/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount +# Source: crds/antreacontrollerinfo.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: antrea-controller - namespace: kube-system + name: antreacontrollerinfos.crd.antrea.io labels: app: antrea +spec: + 
group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of the Controller + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of the Controller + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Number of Agents connected to the Controller + jsonPath: ".connectedAgentNum" + name: Connected Agents + type: integer + priority: 1 + - description: Node on which the Controller is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of Network Policies computed by Controller + jsonPath: ".networkPolicyControllerInfo.networkPolicyNum" + name: Num Network Policies + type: integer + priority: 2 + scope: Cluster + names: + plural: antreacontrollerinfos + singular: antreacontrollerinfo + kind: AntreaControllerInfo + shortNames: + - aci + --- -# Source: antrea/templates/agent/secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: antrea-agent-service-account-token - namespace: kube-system - annotations: - kubernetes.io/service-account.name: antrea-agent -type: kubernetes.io/service-account-token ---- -# Source: antrea/templates/antctl/secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: antctl-service-account-token - namespace: kube-system - annotations: - kubernetes.io/service-account.name: antctl -type: kubernetes.io/service-account-token ---- -# Source: antrea/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap +# Source: crds/clustergroup.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: antrea-config - 
namespace: kube-system - labels: - app: antrea -data: - antrea-agent.conf: | - # FeatureGates is a map of feature names to bools that enable or disable experimental features. - featureGates: - # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. - # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on - # Service traffic. - # AntreaProxy: true - - # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice - # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, - # this flag will not take effect. - # EndpointSlice: false - - # Enable traceflow which provides packet tracing feature to diagnose network issue. - # Traceflow: true - - # Enable NodePortLocal feature to make the Pods reachable externally through NodePort - # NodePortLocal: true - - # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins - # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy - # feature that supports priorities, rule actions and externalEntities in the future. - # AntreaPolicy: true - - # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each - # agent to a configured collector. - # FlowExporter: false - - # Enable collecting and exposing NetworkPolicy statistics. - # NetworkPolicyStats: true - - # Enable controlling SNAT IPs of Pod egress traffic. - # Egress: true - - # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the - # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for - # IPAM when configuring secondary network interfaces with Multus. - # AntreaIPAM: false - - # Enable multicast traffic. This feature is supported only with noEncap mode. - # Multicast: false - - # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. 
- # This feature is supported only with encap mode. - # Multicluster: false - - # Enable support for provisioning secondary network interfaces for Pods (using - # Pod annotations). At the moment, Antrea can only create secondary network - # interfaces using SR-IOV VFs on baremetal Nodes. - # SecondaryNetwork: false - - # Enable managing external IPs of Services of LoadBalancer type. - # ServiceExternalIP: false - - # Enable mirroring or redirecting the traffic Pods send or receive. - # TrafficControl: false - - # Enable certificated-based authentication for IPsec. - # IPsecCertAuth: false - - # Name of the OpenVSwitch bridge antrea-agent will create and use. - # Make sure it doesn't conflict with your existing OpenVSwitch bridges. - ovsBridge: "br-int" - - # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: - # - system - # - netdev - # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run - # OVS in userspace mode. Userspace mode requires the tun device driver to be available. - #ovsDatapathType: system - - # Name of the interface antrea-agent will create and use for host <--> pod communication. - # Make sure it doesn't conflict with your existing interfaces. - hostGateway: "antrea-gw0" - - # Determines how traffic is encapsulated. It has the following options: - # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network - # traffic is SNAT'd. - # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is - # SNAT'd if noSNAT is not set to true. Underlying network must be capable of - # supporting Pod traffic across IP subnets. - # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. - # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod - # IPAM and connectivity to the primary CNI. 
- # - trafficEncapMode: "encap" - - # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. - # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap - # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to - # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never - # performs SNAT and this option will be ignored; for other modes it must be set to false. - noSNAT: false - - # Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode, - # this option will not take effect. Supported values: - # - geneve (default) - # - vxlan - # - gre - # - stt - # Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters). - tunnelType: "geneve" - - # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode. - # It has the following options: - # - none (default): Inter-node Pod traffic will not be encrypted. - # - ipsec: Enable IPsec (ESP) encryption for Pod traffic across Nodes. Antrea uses - # Preshared Key (PSK) for IKE authentication. When IPsec tunnel is enabled, - # the PSK value must be passed to Antrea Agent through an environment - # variable: ANTREA_IPSEC_PSK. - # - wireGuard: Enable WireGuard for tunnel traffic encryption. - trafficEncryptionMode: "none" - - # Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected - # to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are - # allocated by AntreaIPAM from IPPools) is sent to the underlay network, and forwarded/routed by the - # underlay network. - # This option requires the `AntreaIPAM` feature gate to be enabled. 
At this moment, it supports only - # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`, - # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. - enableBridgingMode: false - - # Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the - # datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. - # It affects Pods running on Linux Nodes only. - disableTXChecksumOffload: false - - # Default MTU to use for the host gateway interface and the network interface of each Pod. - # If omitted, antrea-agent will discover the MTU of the Node's primary interface and - # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). - defaultMTU: 0 - - # wireGuard specifies WireGuard related configurations. - wireGuard: - # The port for WireGuard to receive traffic. - port: 51820 - - egress: - # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. - exceptCIDRs: - - # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be - # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When - # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. - serviceCIDR: "" - - # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack - # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by - # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. - # No default value for this field. - serviceCIDRv6: "" - - # The port for the antrea-agent APIServer to serve on. - # Note that if it's set to another value, the `containerPort` of the `api` port of the - # `antrea-agent` container must be set to the same value. 
- apiPort: 10350 - - # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. - enablePrometheusMetrics: true - - # Provide the IPFIX collector address as a string with format :[][:]. - # HOST can either be the DNS name or the IP of the Flow Collector. For example, - # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect - # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. - # However, IPv6 address should be wrapped with []. - # If PORT is empty, we default to 4739, the standard IPFIX port. - # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and - # "udp" protocols. "tls" is used for securing communication between flow exporter and - # flow aggregator. - flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" - - # Provide flow poll interval as a duration string. This determines how often the - # flow exporter dumps connections from the conntrack module. Flow poll interval - # should be greater than or equal to 1s (one second). - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - flowPollInterval: "5s" - - # Provide the active flow export timeout, which is the timeout after which a flow - # record is sent to the collector for active flows. Thus, for flows with a continuous - # stream of packets, a flow record will be exported to the collector once the elapsed - # time since the last export event is equal to the value of this timeout. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - activeFlowExportTimeout: "5s" - - # Provide the idle flow export timeout, which is the timeout after which a flow - # record is sent to the collector for idle flows. A flow is considered idle if no - # packet matching this flow has been observed since the last export event. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
- idleFlowExportTimeout: "15s" - - nodePortLocal: - # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To - # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature - # gate is also enabled (which is the default). - enable: false - # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port - # from that range will be assigned whenever a Pod's container defines a specific port to be exposed - # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic - # directed to that port will be forwarded to the Pod. - portRange: "61000-62000" - - # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. - # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. - kubeAPIServerOverride: "" - - # Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy. - # Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53, - # [fd00:10:96::a]:53). - dnsServerOverride: "" - - # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. - # https://golang.org/pkg/crypto/tls/#pkg-constants - # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always - # prefer TLS1.3 Cipher Suites whenever possible. - tlsCipherSuites: "" - - # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - tlsMinVersion: "" - - # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes. - # If there are multiple IP addresses configured on the interface, the first one is used. 
The IP - # address used for tunneling or routing traffic to remote Nodes is decided in the following order of - # preference (from highest to lowest): - # 1. transportInterface - # 2. transportInterfaceCIDRs - # 3. The Node IP - transportInterface: "" - - multicast: - # The names of the interfaces on Nodes that are used to forward multicast traffic. - # Defaults to transport interface if not set. - multicastInterfaces: - - # The interval at which the antrea-agent sends IGMP queries to Pods. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - igmpQueryInterval: "125s" - - # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across - # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The - # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of - # preference (from highest to lowest): - # 1. transportInterface - # 2. transportInterfaceCIDRs - # 3. The Node IP - transportInterfaceCIDRs: - - # Option antreaProxy contains AntreaProxy related configuration options. - antreaProxy: - # ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic, - # regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy - # feature to be enabled. - # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access - # apiserver directly. - proxyAll: false - # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks. - # (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses. - # Note that the option is only valid when proxyAll is true. 
- nodePortAddresses: - # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these - # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name - # with Namespace (e.g. kube-system/kube-dns) - skipServices: - # When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the - # External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional - # capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the - # external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy. - # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and - # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic. - proxyLoadBalancerIPs: true - - # IPsec tunnel related configurations. - ipsec: - # The authentication mode of IPsec tunnel. It has the following options: - # - psk (default): Use pre-shared key (PSK) for IKE authentication. - # - cert: Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth` - # feature gate to be enabled. - authenticationMode: "psk" - - multicluster: - # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. - # This feature is supported only with encap mode. - enable: false - # The Namespace where Antrea Multi-cluster Controller is running. - # The default is antrea-agent's Namespace. 
- namespace: "" - antrea-cni.conflist: | - { - "cniVersion":"0.3.0", - "name": "antrea", - "plugins": [ - { - "type": "antrea", - "ipam": { - "type": "host-local" - } - } - , - { - "type": "portmap", - "capabilities": {"portMappings": true} - } - , - { - "type": "bandwidth", - "capabilities": {"bandwidth": true} - } - ] - } - antrea-controller.conf: | - # FeatureGates is a map of feature names to bools that enable or disable experimental features. - featureGates: - # Enable traceflow which provides packet tracing feature to diagnose network issue. - # Traceflow: true - - # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins - # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy - # feature that supports priorities, rule actions and externalEntities in the future. - # AntreaPolicy: true - - # Enable collecting and exposing NetworkPolicy statistics. - # NetworkPolicyStats: true - - # Enable multicast traffic. This feature is supported only with noEncap mode. - # Multicast: false - - # Enable controlling SNAT IPs of Pod egress traffic. - # Egress: true - - # Run Kubernetes NodeIPAMController with Antrea. - # NodeIPAM: false - - # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the - # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for - # IPAM when configuring secondary network interfaces with Multus. - # AntreaIPAM: false - - # Enable managing external IPs of Services of LoadBalancer type. - # ServiceExternalIP: false - - # Enable certificated-based authentication for IPsec. - # IPsecCertAuth: false - - # The port for the antrea-controller APIServer to serve on. - # Note that if it's set to another value, the `containerPort` of the `api` port of the - # `antrea-controller` container must be set to the same value. - apiPort: 10349 - - # Enable metrics exposure via Prometheus. 
Initializes Prometheus metrics listener. - enablePrometheusMetrics: true - - # Indicates whether to use auto-generated self-signed TLS certificate. - # If false, a Secret named "antrea-controller-tls" must be provided with the following keys: - # ca.crt: - # tls.crt: - # tls.key: - selfSignedCert: true - - # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. - # https://golang.org/pkg/crypto/tls/#pkg-constants - # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always - # prefer TLS1.3 Cipher Suites whenever possible. - tlsCipherSuites: "" - - # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - tlsMinVersion: "" - - nodeIPAM: - # Enable the integrated Node IPAM controller within the Antrea controller. - enableNodeIPAM: false - # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. - # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. - # Value ignored when enableNodeIPAM is false. - clusterCIDRs: - # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. - # Value ignored when enableNodeIPAM is false. - serviceCIDR: "" - serviceCIDRv6: "" - # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false - # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. - nodeCIDRMaskSizeIPv4: 24 - # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false - # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. - nodeCIDRMaskSizeIPv6: 64 - - ipsecCSRSigner: - # Determines the auto-approve policy of Antrea CSR signer for IPsec certificates management. 
- # If enabled, Antrea will auto-approve the CertificateSingingRequest (CSR) if its subject and x509 extensions - # are permitted, and the requestor can be validated. If K8s `BoundServiceAccountTokenVolume` feature is enabled, - # the Pod identity will also be validated to provide maximum security. - # If set to false, Antrea will not auto-approve CertificateSingingRequests and they need to be approved - # manually by `kubectl certificate approve`. - autoApprove: true - # Indicates whether to use auto-generated self-signed CA certificate. - # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys: - # tls.crt: - # tls.key: - selfSignedCA: true ---- -# Source: antrea/templates/crds/antreaagentinfo.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: antreaagentinfos.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - additionalPrinterColumns: - - description: Health status of this Agent - jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status" - name: Healthy - type: string - - description: Last time the Healthy Condition was updated - jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime" - name: Last Heartbeat - type: date - - description: Version of this Agent - jsonPath: ".version" - name: Version - type: string - priority: 1 - - description: Node on which this Agent is running - jsonPath: ".nodeRef.name" - name: Node - type: string - priority: 1 - - description: Number of local Pods managed by this Agent - jsonPath: ".localPodNum" - name: Num Pods - type: integer - priority: 2 - - description: Subnets used by this Agent for Pod IPAM - jsonPath: ".nodeSubnets" - name: Subnets - type: string - priority: 2 - scope: Cluster - names: - plural: antreaagentinfos - singular: antreaagentinfo - kind: 
AntreaAgentInfo - shortNames: - - aai ---- -# Source: antrea/templates/crds/antreacontrollerinfo.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: antreacontrollerinfos.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - additionalPrinterColumns: - - description: Health status of the Controller - jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status" - name: Healthy - type: string - - description: Last time the Healthy Condition was updated - jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime" - name: Last Heartbeat - type: date - - description: Version of the Controller - jsonPath: ".version" - name: Version - type: string - priority: 1 - - description: Number of Agents connected to the Controller - jsonPath: ".connectedAgentNum" - name: Connected Agents - type: integer - priority: 1 - - description: Node on which the Controller is running - jsonPath: ".nodeRef.name" - name: Node - type: string - priority: 1 - - description: Number of Network Policies computed by Controller - jsonPath: ".networkPolicyControllerInfo.networkPolicyNum" - name: Num Network Policies - type: integer - priority: 2 - scope: Cluster - names: - plural: antreacontrollerinfos - singular: antreacontrollerinfo - kind: AntreaControllerInfo - shortNames: - - aci ---- -# Source: antrea/templates/crds/clustergroup.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: clustergroups.crd.antrea.io + name: clustergroups.crd.antrea.io labels: app: antrea spec: @@ -825,8 +373,9 @@ spec: kind: ClusterGroup shortNames: - cg + --- -# Source: antrea/templates/crds/clusternetworkpolicy.yaml +# Source: crds/clusternetworkpolicy.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
@@ -1434,8 +983,9 @@ spec:
 kind: ClusterNetworkPolicy
 shortNames:
 - acnp
+
 ---
-# Source: antrea/templates/crds/egress.yaml
+# Source: crds/egress.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -1548,8 +1098,9 @@ spec:
 kind: Egress
 shortNames:
 - eg
+
 ---
-# Source: antrea/templates/crds/externalentity.yaml
+# Source: crds/externalentity.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -1608,8 +1159,9 @@ spec:
 kind: ExternalEntity
 shortNames:
 - ee
+
 ---
-# Source: antrea/templates/crds/externalippool.yaml
+# Source: crds/externalippool.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -1713,8 +1265,9 @@ spec:
 kind: ExternalIPPool
 shortNames:
 - eip
+
 ---
-# Source: antrea/templates/crds/ippool.yaml
+# Source: crds/ippool.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -1827,8 +1380,9 @@ spec:
 kind: IPPool
 shortNames:
 - ipp
+
 ---
-# Source: antrea/templates/crds/networkpolicy.yaml
+# Source: crds/networkpolicy.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -2337,8 +1891,9 @@ spec:
 kind: NetworkPolicy
 shortNames:
 - anp
+
 ---
-# Source: antrea/templates/crds/tier.yaml
+# Source: crds/tier.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -2381,8 +1936,9 @@ spec:
 kind: Tier
 shortNames:
 - tr
+
 ---
-# Source: antrea/templates/crds/traceflow.yaml
+# Source: crds/traceflow.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -2634,8 +2190,9 @@ spec:
 kind: Traceflow
 shortNames:
 - tf
+
 ---
-# Source: antrea/templates/crds/trafficcontrol.yaml
+# Source: crds/trafficcontrol.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -2919,6 +2476,461 @@ spec: kind: TrafficControl shortNames: - tc + +--- +# Source: antrea/templates/agent/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antrea-agent + namespace: kube-system + labels: + app: antrea +--- +# Source: antrea/templates/antctl/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antctl + namespace: kube-system + labels: + app: antrea +--- +# Source: antrea/templates/controller/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antrea-controller + namespace: kube-system + labels: + app: antrea +--- +# Source: antrea/templates/agent/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: antrea-agent-service-account-token + namespace: kube-system + annotations: + kubernetes.io/service-account.name: antrea-agent +type: kubernetes.io/service-account-token +--- +# Source: antrea/templates/antctl/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: antctl-service-account-token + namespace: kube-system + annotations: + kubernetes.io/service-account.name: antctl +type: kubernetes.io/service-account-token +--- +# Source: antrea/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: antrea-config + namespace: kube-system + labels: + app: antrea +data: + antrea-agent.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. + # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on + # Service traffic. + # AntreaProxy: true + + # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice + # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, + # this flag will not take effect. 
+ # EndpointSlice: false + + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable NodePortLocal feature to make the Pods reachable externally through NodePort + # NodePortLocal: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each + # agent to a configured collector. + # FlowExporter: false + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: true + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: true + + # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the + # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for + # IPAM when configuring secondary network interfaces with Multus. + # AntreaIPAM: false + + # Enable multicast traffic. This feature is supported only with noEncap mode. + # Multicast: false + + # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. + # This feature is supported only with encap mode. + # Multicluster: false + + # Enable support for provisioning secondary network interfaces for Pods (using + # Pod annotations). At the moment, Antrea can only create secondary network + # interfaces using SR-IOV VFs on baremetal Nodes. + # SecondaryNetwork: false + + # Enable managing external IPs of Services of LoadBalancer type. + # ServiceExternalIP: false + + # Enable mirroring or redirecting the traffic Pods send or receive. + # TrafficControl: false + + # Enable certificated-based authentication for IPsec. 
+ # IPsecCertAuth: false + + # Name of the OpenVSwitch bridge antrea-agent will create and use. + # Make sure it doesn't conflict with your existing OpenVSwitch bridges. + ovsBridge: "br-int" + + # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: + # - system + # - netdev + # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run + # OVS in userspace mode. Userspace mode requires the tun device driver to be available. + #ovsDatapathType: system + + # Name of the interface antrea-agent will create and use for host <--> pod communication. + # Make sure it doesn't conflict with your existing interfaces. + hostGateway: "antrea-gw0" + + # Determines how traffic is encapsulated. It has the following options: + # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network + # traffic is SNAT'd. + # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is + # SNAT'd if noSNAT is not set to true. Underlying network must be capable of + # supporting Pod traffic across IP subnets. + # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. + # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod + # IPAM and connectivity to the primary CNI. + # + trafficEncapMode: "encap" + + # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. + # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap + # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to + # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never + # performs SNAT and this option will be ignored; for other modes it must be set to false. + noSNAT: false + + # Tunnel protocols used for encapsulating traffic across Nodes. 
If WireGuard is enabled in trafficEncryptionMode, + # this option will not take effect. Supported values: + # - geneve (default) + # - vxlan + # - gre + # - stt + # Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters). + tunnelType: "geneve" + + # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode. + # It has the following options: + # - none (default): Inter-node Pod traffic will not be encrypted. + # - ipsec: Enable IPsec (ESP) encryption for Pod traffic across Nodes. Antrea uses + # Preshared Key (PSK) for IKE authentication. When IPsec tunnel is enabled, + # the PSK value must be passed to Antrea Agent through an environment + # variable: ANTREA_IPSEC_PSK. + # - wireGuard: Enable WireGuard for tunnel traffic encryption. + trafficEncryptionMode: "none" + + # Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected + # to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are + # allocated by AntreaIPAM from IPPools) is sent to the underlay network, and forwarded/routed by the + # underlay network. + # This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only + # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`, + # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. + enableBridgingMode: false + + # Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the + # datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. + # It affects Pods running on Linux Nodes only. + disableTXChecksumOffload: false + + # Default MTU to use for the host gateway interface and the network interface of each Pod. 
+ # If omitted, antrea-agent will discover the MTU of the Node's primary interface and + # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). + defaultMTU: 0 + + # wireGuard specifies WireGuard related configurations. + wireGuard: + # The port for WireGuard to receive traffic. + port: 51820 + + egress: + # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. + exceptCIDRs: + + # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be + # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When + # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. + serviceCIDR: "" + + # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack + # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by + # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. + # No default value for this field. + serviceCIDRv6: "" + + # The port for the antrea-agent APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-agent` container must be set to the same value. + apiPort: 10350 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + enablePrometheusMetrics: true + + # Provide the IPFIX collector address as a string with format :[][:]. + # HOST can either be the DNS name or the IP of the Flow Collector. For example, + # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect + # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. + # However, IPv6 address should be wrapped with []. + # If PORT is empty, we default to 4739, the standard IPFIX port. + # If no PROTO is given, we consider "tls" as default. 
We support "tls", "tcp" and
+ # "udp" protocols. "tls" is used for securing communication between flow exporter and
+ # flow aggregator.
+ flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls"
+
+ # Provide flow poll interval as a duration string. This determines how often the
+ # flow exporter dumps connections from the conntrack module. Flow poll interval
+ # should be greater than or equal to 1s (one second).
+ # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+ flowPollInterval: "5s"
+
+ # Provide the active flow export timeout, which is the timeout after which a flow
+ # record is sent to the collector for active flows. Thus, for flows with a continuous
+ # stream of packets, a flow record will be exported to the collector once the elapsed
+ # time since the last export event is equal to the value of this timeout.
+ # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+ activeFlowExportTimeout: "5s"
+
+ # Provide the idle flow export timeout, which is the timeout after which a flow
+ # record is sent to the collector for idle flows. A flow is considered idle if no
+ # packet matching this flow has been observed since the last export event.
+ # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+ idleFlowExportTimeout: "15s"
+
+ nodePortLocal:
+ # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To
+ # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature
+ # gate is also enabled (which is the default).
+ enable: false
+ # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port
+ # from that range will be assigned whenever a Pod's container defines a specific port to be exposed
+ # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic
+ # directed to that port will be forwarded to the Pod.
+ portRange: "61000-62000"
+
+ # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
+ # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
+ kubeAPIServerOverride: ""
+
+ # Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy.
+ # Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53,
+ # [fd00:10:96::a]:53).
+ dnsServerOverride: ""
+
+ # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
+ # https://golang.org/pkg/crypto/tls/#pkg-constants
+ # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
+ # prefer TLS1.3 Cipher Suites whenever possible.
+ tlsCipherSuites: ""
+
+ # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+ tlsMinVersion: ""
+
+ # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes.
+ # If there are multiple IP addresses configured on the interface, the first one is used. The IP
+ # address used for tunneling or routing traffic to remote Nodes is decided in the following order of
+ # preference (from highest to lowest):
+ # 1. transportInterface
+ # 2. transportInterfaceCIDRs
+ # 3. The Node IP
+ transportInterface: ""
+
+ multicast:
+ # The names of the interfaces on Nodes that are used to forward multicast traffic.
+ # Defaults to transport interface if not set.
+ multicastInterfaces:
+
+ # The interval at which the antrea-agent sends IGMP queries to Pods.
+ # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+ igmpQueryInterval: "125s"
+
+ # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across
+ # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The
+ # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of
+ # preference (from highest to lowest):
+ # 1. transportInterface
+ # 2. transportInterfaceCIDRs
+ # 3. The Node IP
+ transportInterfaceCIDRs:
+
+ # Option antreaProxy contains AntreaProxy related configuration options.
+ antreaProxy:
+ # ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic,
+ # regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy
+ # feature to be enabled.
+ # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access
+ # apiserver directly.
+ proxyAll: false
+ # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks.
+ # (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses.
+ # Note that the option is only valid when proxyAll is true.
+ nodePortAddresses:
+ # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these
+ # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name
+ # with Namespace (e.g. kube-system/kube-dns)
+ skipServices:
+ # When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the
+ # External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional
+ # capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the
+ # external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy.
+ # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and
+ # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic.
+ proxyLoadBalancerIPs: true
+
+ # IPsec tunnel related configurations.
+ ipsec:
+ # The authentication mode of IPsec tunnel. It has the following options:
+ # - psk (default): Use pre-shared key (PSK) for IKE authentication.
+ # - cert: Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth`
+ # feature gate to be enabled.
+ authenticationMode: "psk"
+
+ multicluster:
+ # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic.
+ # This feature is supported only with encap mode.
+ enable: false
+ # The Namespace where Antrea Multi-cluster Controller is running.
+ # The default is antrea-agent's Namespace.
+ namespace: ""
+ antrea-cni.conflist: |
+ {
+ "cniVersion":"0.3.0",
+ "name": "antrea",
+ "plugins": [
+ {
+ "type": "antrea",
+ "ipam": {
+ "type": "host-local"
+ }
+ }
+ ,
+ {
+ "type": "portmap",
+ "capabilities": {"portMappings": true}
+ }
+ ,
+ {
+ "type": "bandwidth",
+ "capabilities": {"bandwidth": true}
+ }
+ ]
+ }
+ antrea-controller.conf: |
+ # FeatureGates is a map of feature names to bools that enable or disable experimental features.
+ featureGates:
+ # Enable traceflow which provides packet tracing feature to diagnose network issue.
+ # Traceflow: true
+
+ # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
+ # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
+ # feature that supports priorities, rule actions and externalEntities in the future.
+ # AntreaPolicy: true
+
+ # Enable collecting and exposing NetworkPolicy statistics.
+ # NetworkPolicyStats: true
+
+ # Enable multicast traffic. This feature is supported only with noEncap mode.
+ # Multicast: false
+
+ # Enable controlling SNAT IPs of Pod egress traffic.
+ # Egress: true
+
+ # Run Kubernetes NodeIPAMController with Antrea.
+ # NodeIPAM: false
+
+ # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the
+ # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for
+ # IPAM when configuring secondary network interfaces with Multus.
+ # AntreaIPAM: false
+
+ # Enable managing external IPs of Services of LoadBalancer type.
+ # ServiceExternalIP: false
+
+ # Enable certificated-based authentication for IPsec.
+ # IPsecCertAuth: false
+
+ # The port for the antrea-controller APIServer to serve on.
+ # Note that if it's set to another value, the `containerPort` of the `api` port of the
+ # `antrea-controller` container must be set to the same value.
+ apiPort: 10349
+
+ # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
+ enablePrometheusMetrics: true
+
+ # Indicates whether to use auto-generated self-signed TLS certificate.
+ # If false, a Secret named "antrea-controller-tls" must be provided with the following keys:
+ # ca.crt:
+ # tls.crt:
+ # tls.key:
+ selfSignedCert: true
+
+ # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
+ # https://golang.org/pkg/crypto/tls/#pkg-constants
+ # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
+ # prefer TLS1.3 Cipher Suites whenever possible.
+ tlsCipherSuites: ""
+
+ # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+ tlsMinVersion: ""
+
+ nodeIPAM:
+ # Enable the integrated Node IPAM controller within the Antrea controller.
+ enableNodeIPAM: false
+ # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges.
+ # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family.
+ # Value ignored when enableNodeIPAM is false.
+ clusterCIDRs:
+ # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs.
+ # Value ignored when enableNodeIPAM is false.
+ serviceCIDR: ""
+ serviceCIDRv6: ""
+ # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false
+ # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30.
+ nodeCIDRMaskSizeIPv4: 24
+ # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false
+ # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126.
+ nodeCIDRMaskSizeIPv6: 64
+
+ ipsecCSRSigner:
+ # Determines the auto-approve policy of Antrea CSR signer for IPsec certificates management.
+ # If enabled, Antrea will auto-approve the CertificateSingingRequest (CSR) if its subject and x509 extensions
+ # are permitted, and the requestor can be validated. If K8s `BoundServiceAccountTokenVolume` feature is enabled,
+ # the Pod identity will also be validated to provide maximum security.
+ # If set to false, Antrea will not auto-approve CertificateSingingRequests and they need to be approved
+ # manually by `kubectl certificate approve`.
+ autoApprove: true
+ # Indicates whether to use auto-generated self-signed CA certificate.
+ # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys:
+ # tls.crt:
+ # tls.key:
+ selfSignedCA: true
---
# Source: antrea/templates/agent/clusterrole.yaml
kind: ClusterRole
diff --git a/hack/generate-helm-release.sh b/hack/generate-helm-release.sh
new file mode 100755
index 00000000000..6947dbafdba
--- /dev/null
+++ b/hack/generate-helm-release.sh
@@ -0,0 +1,93 @@
+#!/usr/bin/env bash
+
+# Copyright 2022 Antrea Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -eo pipefail
+
+function echoerr {
+ >&2 echo "$@"
+}
+
+_usage="Usage: $0 [--mode (dev|release)] --out
+Package the Antrea chart into a chart archive.
+Environment variable VERSION must be set.
+ --out Output directory for chart archive
+ --help, -h Print this message and exit
+
+You can set the HELM environment variable to the path of the helm binary you wan t us to
+use. Otherwise we will download the appropriate version of the helm binary and use it."
+
+function print_usage {
+ echoerr "$_usage"
+}
+
+function print_help {
+ echoerr "Try '$0 --help' for more information."
+}
+
+MODE="dev"
+OUT=""
+
+while [[ $# -gt 0 ]]
+do
+key="$1"
+
+case $key in
+ --mode)
+ MODE="$2"
+ shift 2
+ ;;
+ --out)
+ OUT="$2"
+ shift 2
+ ;;
+ -h|--help)
+ print_usage
+ exit 0
+ ;;
+ *) # unknown option
+ echoerr "Unknown option $1"
+ exit 1
+ ;;
+esac
+done
+
+if [ -z "$VERSION" ]; then
+ echoerr "Environment variable VERSION must be set"
+ print_help
+ exit 1
+fi
+
+if [ "$OUT" == "" ]; then
+ echoerr "--out is required to provide output path"
+ print_help
+ exit 1
+fi
+
+THIS_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+
+source $THIS_DIR/verify-helm.sh
+
+if [ -z "$HELM" ]; then
+ HELM="$(verify_helm)"
+elif ! $HELM version > /dev/null 2>&1; then
+ echoerr "$HELM does not appear to be a valid helm binary"
+ print_help
+ exit 1
+fi
+
+ANTREA_CHART="$THIS_DIR/../build/charts/antrea"
+$HELM package --app-version $VERSION --version $VERSION $ANTREA_CHART
+mv "antrea-$VERSION.tgz" $OUT
diff --git a/hack/generate-manifest.sh b/hack/generate-manifest.sh
index e42924f3056..96362b0a0b3 100755
--- a/hack/generate-manifest.sh
+++ b/hack/generate-manifest.sh
@@ -430,7 +430,7 @@ done
ANTREA_CHART="$THIS_DIR/../build/charts/antrea"
# Suppress potential Helm warnings about invalid permissions for Kubeconfig file
# by throwing away related warnings.
-$HELM template \
+$HELM template --include-crds \
--namespace kube-system \
$HELM_VALUES_OPTION \
$HELM_VALUES_FILES_OPTION \
diff --git a/hack/generate-standard-manifests.sh b/hack/generate-standard-manifests.sh
index b9270c33a26..6b423e33ba8 100755
--- a/hack/generate-standard-manifests.sh
+++ b/hack/generate-standard-manifests.sh
@@ -23,7 +23,7 @@ function echoerr {
_usage="Usage: $0 [--mode (dev|release)] --out
Generate standard YAML manifests for Antrea using Helm and writes them to output directory.
--mode (dev|release) Choose the configuration variant that you need (default is 'dev')
- --out Output directory for generated manifetss
+ --out Output directory for generated manifests
--help, -h Print this message and exit
In 'release' mode, environment variables IMG_NAME and IMG_TAG must be set.
@@ -121,7 +121,7 @@ VALUES_FILES=$(cd $VALUES_DIR && find * -type f -name "*.yml" )
# Suppress potential Helm warnings about invalid permissions for Kubeconfig file
# by throwing away related warnings.
for values in $VALUES_FILES; do
- $HELM template \
+ $HELM template --include-crds \
--namespace kube-system \
-f "$VALUES_DIR/$values" \
$EXTRA_VALUES \
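Review bot: `--mode` is accepted by the option parser and defaulted to `dev`, but `MODE` is never read afterwards, and the usage text advertises `[--mode (dev|release)]` without describing it; either drop the option or document what the two modes change. The `--out` help line calls it an "Output directory for chart archive", while the final `mv "antrea-$VERSION.tgz" $OUT` and the caller in prepare-assets.sh (which passes `"$OUTPUT_DIR/antrea-chart.tgz"`) treat it as a file path, so the description should read `--out Output path for the chart archive`. `$THIS_DIR`, `$VERSION`, `$ANTREA_CHART` and `$OUT` are expanded unquoted in the `source`, `helm package` and `mv` lines; quoting them (`$HELM package --app-version "$VERSION" --version "$VERSION" "$ANTREA_CHART"`) keeps paths with spaces from being word-split. `helm package` writes the archive into the current working directory before the `mv`, so the script depends on the caller's cwd being writable; passing `--destination` with a temporary directory would remove that dependency. The usage string also has a typo, `wan t us`.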
@@ -129,3 +129,13 @@ for values in $VALUES_FILES; do
> "$OUTPUT_DIR/$values" \
2> >(grep -v 'This is insecure' >&2)
done
+
+# We also generate a manifest which only includes CRD resources (all of them).
+# This is useful for Antrea upgrades when using Helm.
+CRD_FILES=$(cd $ANTREA_CHART/crds && find * -type f -name "*.yaml" )
+CRD_OUTPUT_FILE="$OUTPUT_DIR/antrea-crds.yml"
+touch "$CRD_OUTPUT_FILE"
+for crd in $CRD_FILES; do
+ echo "---" >> "$CRD_OUTPUT_FILE"
+ cat "$ANTREA_CHART/crds/$crd" >> "$CRD_OUTPUT_FILE"
+done
diff --git a/hack/release/prepare-assets.sh b/hack/release/prepare-assets.sh
index eec9ab6249b..b5c93fd8ca1 100755
--- a/hack/release/prepare-assets.sh
+++ b/hack/release/prepare-assets.sh
@@ -91,4 +91,9 @@ cd multicluster
./hack/generate-manifest.sh -r -l antrea-multicluster > "$OUTPUT_DIR"/antrea-multicluster-leader-namespaced.yml
./hack/generate-manifest.sh -r -m > "$OUTPUT_DIR"/antrea-multicluster-member.yml
+# Package the Antrea chart
+# We need to strip the leading "v" from the version string to ensure that we use
+# a valid SemVer 2 version.
+VERSION=${VERSION:1} ./hack/generate-helm-release.sh --out "$OUTPUT_DIR/antrea-chart.tgz"
+
ls "$OUTPUT_DIR" | cat
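Review bot: `touch "$CRD_OUTPUT_FILE"` creates the file but does not truncate it, and every write in the loop uses `>>`, so if antrea-crds.yml already exists in `$OUTPUT_DIR` (a re-run, or a directory that was not freshly created, which this hunk does not show) the CRDs are appended a second time; `: > "$CRD_OUTPUT_FILE"` would both create and empty it. The list from `find *` comes back in directory order, which is not stable across filesystems, so the generated manifest can differ between machines; `find * -type f -name "*.yaml" | sort` gives a reproducible document order. The `---` separator is echoed before each file and relies on every CRD file ending with a newline, otherwise the next `---` is glued onto the last line of the previous document; whether the files in crds/ all end with a newline is not visible here. `$ANTREA_CHART` is also unquoted in the `cd`, unlike the quoted uses on the following lines.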
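Review bot: `VERSION=${VERSION:1}` unconditionally drops the first character, so a `VERSION` that does not start with `v` (or is empty) is silently mangled into an invalid chart version; `VERSION=${VERSION#v}` strips the prefix only when it is present and is a no-op otherwise, which matches the intent stated in the comment. The hunk header shows `cd multicluster` as the enclosing context and the two preceding commands invoke multicluster's own generate-manifest.sh, so if that directory change is still in effect here the relative path `./hack/generate-helm-release.sh` would resolve under multicluster/ rather than the repository root; worth confirming against the lines above the hunk, which are outside this view.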