
Releases: antrea-io/antrea

Release v1.10.0

24 Dec 04:18

Added

  • Add L7NetworkPolicy feature which enables users to protect their applications by specifying how they are allowed to communicate with others, taking into account application context. (#4380 #4406 #4410, @hongliangl @qiyueyao @tnqn)
    • Layer 7 NetworkPolicy can be configured through the l7Protocols field of Antrea-native policies.
    • Refer to this document for more information about this feature.
  • Add SupportBundleCollection feature which enables a CRD API for Antrea to collect support bundle files on any K8s Node or ExternalNode, and upload to a user-defined file server. (#4184 #4338 #4249, @wenyingd @mengdie-song @ceclinux)
    • Refer to this document for more information about this feature.
  • Add support for NetworkPolicy for cross-cluster traffic. (#4432 #3914, @Dyanngg @GraysonWu)
    • Setting scope of an ingress peer to clusterSet expands the scope of the podSelector or namespaceSelector to the entire ClusterSet.
    • Setting scope of toServices to clusterSet selects a Multi-cluster Service. (#4397, @Dyanngg)
    • Refer to this document for more information about this feature.
  • Add the following capabilities to the ExternalNode feature:
  • Add support for running antrea-agent as DaemonSet when using containerd as the runtime on Windows. (#4279, @XinShuYang)
  • Add documentation for Antrea Multicast. (#4339, @ceclinux)

Changed

  • Extend antctl mc get joinconfig to print member token Secret. (#4363, @jianjuns)
  • Improve support for Egress in Traceflow. (#3926, @Atish-iaf)
  • Add NodePortLocalPortRange field for AntreaAgentInfo. (#4379, @wenqiq)
  • Use format "namespace/name" as the key for ExternalNode span calculation. (#4401, @wenyingd)
  • Enclose Pod labels with single quotes when uploading CSV record to S3 in the FlowAggregator. (#4334, @dreamtalen)
  • Upgrade Antrea base image to ubuntu 22.04. (#4459 #4499, @antoninbas)
  • Update OVS to 2.17.3. (#4402, @mnaser)
  • Reduce confusion caused by transient error encountered when creating static Tiers. (#4414, @tnqn)

Fixed

  • Add a periodic job to rejoin dead Nodes, to fix Egress not working properly after long network downtime. (#4491, @tnqn)
  • Fix potential deadlocks and memory leaks of memberlist maintenance in large-scale clusters. (#4469, @wenyingd)
  • Fix connectivity issues caused by MAC address changes with systemd v242 and later. (#4428, @wenyingd)
  • Fix error handling when S3Uploader partially succeeds. (#4433, @heanlan)
  • Fix a ClusterInfo export bug when Multi-cluster Gateway changes. (#4412, @luolanzone)
  • Fix OpenFlow rules not being updated when Multi-cluster Gateway updates. (#4388, @luolanzone)
  • Delete Pod specific VF resource cache when a Pod gets deleted. (#4285, @arunvelayutham)
  • Fix OpenAPI descriptions for AntreaAgentInfo and AntreaControllerInfo. (#4390, @tnqn)

Release v1.7.2

20 Dec 14:44

Changed

  • Upgrade Antrea base image to ubuntu 22.04. (#4459, @antoninbas)
  • Add OFSwitch connection check to Agent's liveness probes. (#4126, @tnqn)
  • Improve install_cni_chaining to support updates to CNI config file. (#4012, @antoninbas)

Fixed

  • Add a periodic job to rejoin dead Nodes to fix Egress not working properly after long network downtime. (#4491, @tnqn)
  • Fix connectivity issues caused by MAC address changes with systemd v242 and later. (#4428, @wenyingd)
  • Fix potential deadlocks and memory leaks of memberlist maintenance in large-scale clusters. (#4469, @wenyingd)
  • Fix Windows AddNodePort parameter error. (#4103, @XinShuYang)
  • Set no-flood config with ports for TrafficControl after Agent restarting. (#4318, @hongliangl)
  • Fix multicast group not removed from cache when it is uninstalled. (#4176, @wenyingd)
  • Remove redundant OpenFlow messages when syncing an updated group to OVS. (#4160, @hongliangl)
  • Fix Antrea Octant plugin build. (#4107, @antoninbas)

Release v1.9.0

21 Oct 12:19

Added

  • Add the following capabilities to the Multi-cluster feature:
    • Add support for Pod-to-Pod connectivity across clusters. (#4219, @hjiajing)
    • Add active-passive mode high availability support for Gateway Nodes. (#4069, @luolanzone)
    • Allow Pod IPs as Endpoints of Multi-cluster Service; option endpointIPType is added to the Multi-cluster Controller ConfigMap to specify the Service Endpoints type. (#4198, @luolanzone)
    • Add antctl mc get joinconfig command to print ClusterSet join parameters. (#4299, @jianjuns)
    • Add antctl mc get|delete membertoken commands to get/delete member token. (#4254, @bangqipropel)
  • Add rule name to Audit Logging for Antrea-native policies. (#4178, @qiyueyao)
  • Add Service health check similar to kube-proxy in antrea-agent; it provides HTTP endpoints <nodeIP>:<healthCheckNodePort>/healthz for querying number of local Endpoints of a Service. (#4120, @shettyg)
  • Add S3Uploader as a new exporter of Flow Aggregator, which periodically exports expired flow records to AWS S3 storage bucket. (#4143, @heanlan)
  • Add scripts and binaries needed for running Antrea on non-Kubernetes Nodes (ExternalNode) in release assets. (#4266 #4113, @antoninbas @Anandkumar26)

Changed

  • AntreaProxy now supports more than 800 Endpoints for a Service. (#4167, @hongliangl)
  • Add OVS connection check to Agent's liveness probes for self-healing on OVS disconnection. (#4126, @tnqn)
  • antrea-agent startup scripts now perform cleanup automatically on non-Kubernetes Nodes (ExternalNode) upon Node restart. (#4277, @Anandkumar26)
  • Make tunnel csum option configurable and default to false which avoids double encapsulation checksum issues on some platforms. (#4250, @tnqn)
  • Use standard value type for k8s.v1.cni.cncf.io/networks annotation for the SecondaryNetwork feature. (#4146, @antoninbas)
  • Update Go to v1.19. (#4106, @antoninbas)
  • Add API support for reporting Antrea NetworkPolicy realization failure. (#4248, @wenyingd)
  • Update ResourceExport's json tag to lowerCamelCase. (#4211, @luolanzone)
  • Add clusterUUID column to S3 uploader and ClickHouseExporter to support multiple clusters in the same data warehouse. (#4214, @heanlan)

Fixed

  • Fix nil pointer error when collecting support bundle from Agent fails. (#4306, @tnqn)
  • Set no-flood config for TrafficControl ports after restarting Agent to prevent ARP packet loops. (#4318, @hongliangl)
  • Fix packet resubmission issue when AntreaProxy is enabled and AntreaPolicy is disabled. (#4261, @GraysonWu)
  • Fix ownerReferences in APIExternalEntities generated from ExternalNodes. (#4259, @wenyingd)
  • Fix the issue that "MulticastGroup" API returned wrong Pods that have joined multicast groups. (#4240, @ceclinux)
  • Fix inappropriate route for IPv6 ClusterIPs in the host network when proxyAll is enabled. (#4297, @tnqn)
  • Fix log spam when there is any DNS based LoadBalancer Service. (#4234, @tnqn)
  • Remove multicast group from cache when group is uninstalled. (#4176, @wenyingd)
  • Remove redundant OpenFlow messages when syncing an updated group to OVS. (#4160, @hongliangl)
  • Fix nil pointer error when there is no ClusterSet found during MemberClusterAnnounce validation. (#4154, @luolanzone)
  • Fix data race when Multi-cluster controller reconciles ServiceExports concurrently. (#4305, @Dyanngg)
  • Fix memory leak in Multi-cluster resource import controllers. (#4251, @Dyanngg)
  • Fix Antrea-native policies for multicast traffic matching IGMP traffic unexpectedly. (#4206, @liu4480)
  • Fix IPsec not working in UBI-based image. (#4244, @xliuxu)
  • Fix antctl mc get clusterset command output when a ClusterSet's status is empty. (#4174, @luolanzone)

Release v1.8.0

18 Aug 06:55

Added

  • Add ExternalNode feature which enables Antrea to manage security policies for non-Kubernetes Nodes (like virtual machines or bare-metal servers). (#4110, @wenyingd @mengdie-song @Anandkumar26)
    • It introduces the ExternalNode CRD; each resource of this kind represents a virtual machine or bare-metal server and supports specifying which network interfaces on the external Node are expected to be protected with Antrea-native policies.
    • An ExternalEntity resource will be created for each network interface specified in the ExternalNode resource. Antrea-native policies are applied to an external Node by using the ExternalEntity selector.
    • Refer to this document for more information about this feature.
  • Add the following capabilities to Antrea-native policies:
    • Add Audit Logging support for K8s NetworkPolicy. (#4047, @qiyueyao)
    • Support applying Antrea ClusterNetworkPolicy to NodePort Services for securing ingress traffic. (#3997, @GraysonWu)
    • Introduce the Group CRD to logically group different network endpoints and reference them together in Antrea NetworkPolicy. (#2438, @qiyueyao @abhiraut)
  • Release new Antrea Helm chart version for each Antrea release. (#3935 #3952, @antoninbas @yanjunz97)
  • Support TopologyAwareHints in AntreaProxy. (#3515, @hongliangl)
  • Add encap mode support for the Multicast feature. (#3947, @wenyingd)
  • Support configurable Geneve, VXLAN, or STT port number for encap mode. (#4065, @Jexf)
  • Add Status field to the IPPool CRD: it is used to report usage information for the pool (total number of IPs in the pool and number of IPs that are currently assigned). (#3072 #4088, @ksamoray @tnqn)
  • Support updating configuration at runtime for flow-aggregator via antctl or by updating the ConfigMap. (#3642, @yuntanghsu)
  • Add antctl commands to set up and delete Multi-cluster ClusterSet. (#3992, @hjiajing)
  • Add documentation to set up Multi-cluster ClusterSet with antctl. (#4096, @jianjuns)

Changed

  • Antrea now uses OpenFlow 1.5 to program OVS. (#3770, @wenyingd @ashish-varma)
  • Rename Windows script Start.ps1 to Start-AntreaAgent.ps1, and rename Stop.ps1 to Stop-AntreaAgent.ps1. (#3904, @wenyingd)
  • Unify NodePortLocal behavior across Linux and Windows. Linux agents now support allocating different Node ports for different protocols even when the Pod port number is the same. (#3936, @XinShuYang)
  • Antrea IPAM now uses the name of the uplink interface to name the host internal port, and the uplink interface will be renamed with a ~ suffix, e.g. eth0~. (#3938, @gran-vmv)
  • Send Neighbor Advertisement messages after creating Pods in an IPv6 cluster. (#3998, @gran-vmv)
  • Add an output formatter "raw" to better display multi-line string responses for antctl. (#3589, @Atish-iaf)
  • Add new ports to network requirement doc. (#4063, @luolanzone)
  • Windows OVS installation script now installs required SSL library if missing. (#4029, @XinShuYang)
  • Upgrade whereabouts CNI to v0.5.4 and provide required pluginArgs when invoking the CNI binary. (#3987, @arunvelayutham)
  • Remove Grafana flow collector files in the Antrea repo (as they were moved to the Theia repo). (#4048, @dreamtalen)
  • Make the following changes to the Multi-cluster feature:

Fixed

  • Fix reconnection issue between Agent and OVS. (#4091, @wenyingd)
  • Fix the wrong DNAT IP used by AntreaProxy for serving NodePort traffic on Windows Nodes. (#4103, @XinShuYang)
  • Fix Antrea Octant plugin build. (#4107, @antoninbas)
  • Fix Pod-to-external traffic on EKS in policyOnly mode. (#3975, @antoninbas)
  • Fix problems caused by Node restart on EKS in policyOnly mode. (#4012 #4042, @antoninbas)
  • Fix race conditions in NetworkPolicyController. (#4028, @tnqn)
  • Fix FlowExporter memory bloat when export process is dead. (#3994, @wsquan171)
  • Fix socket leak in an IPv6 cluster. (#4104, @wenyingd)
  • Fix ClickHouse client race during batch commit. (#4071, @wsquan171)
  • Retry when retrieval of PodCIDRs fails to avoid Agent crash due to the delay in allocating PodCIDRs for the Node. (#3950, @ksamoray)
  • Fix nil pointer issue when ClusterSet is deleted in leader cluster. (#3915, @luolanzone)
  • Clean up ResourceExport if the exported Service has no available Endpoints. (#4056, @luolanzone)

Release v1.7.1

14 Jul 18:11

Fixed

  • Fix FlowExporter memory bloat when export process is dead. (#3994, @wsquan171)
  • Fix Pod-to-external traffic on EKS in policyOnly mode. (#3975, @antoninbas)
  • Use uplink interface name for host interface internal port to support DHCP client. (#3938, @gran-vmv)

Release v1.8.0-alpha.2

08 Jul 18:48
225af98
Pre-release

The main purpose of this pre-release is to validate Antrea Helm chart releases.

Release v1.8.0-alpha.1

05 Jul 22:52
6bbdb2a
Pre-release

The main purpose of this pre-release is to validate Antrea Helm chart releases.

Release v1.7.0

15 Jun 16:57

Added

  • Add TrafficControl feature to control the transmission of Pod traffic; it allows users to mirror or redirect traffic originating from specific Pods or destined for specific Pods to a local network device or a remote destination via a tunnel of various types. (#3644 #3580 #3487, @tnqn @hongliangl @wenqiq)
    • Refer to this document for more information about this feature.
    • Refer to this cookbook for more information about using this feature to provide network-based intrusion detection service to your Pods.
  • Add support for the IPsec Certificate-based Authentication. (#3778, @xliuxu)
    • Add an Antrea Agent configuration option ipsec.authenticationMode to specify authentication mode. Supported options are "psk" (default) and "cert".
    • Add an Antrea Controller configuration option ipsecCSRSigner.autoApprove to specify the auto-approve policy of Antrea CSR signer for IPsec certificates management. By default, Antrea will auto-approve the CertificateSigningRequest (CSR) if it is verified.
    • Add an Antrea Controller configuration option ipsecCSRSigner.selfSignedCA to specify whether to use auto-generated self-signed CA certificate. By default, Antrea will auto-generate a self-signed CA certificate.
  • Add the following capabilities to Antrea-native policies:
    • Add support for matching ICMP traffic. (#3472, @GraysonWu)
    • Add support for matching multicast and IGMP traffic. (#3660, @liu4480)
    • Add support for rule-level statistics for multicast and IGMP traffic. (#3449, @ceclinux)
  • Add the following capabilities to the Multicast feature:
    • Add antctl get podmulticaststats command to query Pod-level multicast traffic statistics in Agent mode. (#3449, @ceclinux)
    • Add "MulticastGroup" API to query Pods that have joined multicast groups; kubectl get multicastgroups can generate requests and output responses of the API. (#3354 #3449, @ceclinux)
    • Add an Antrea Agent configuration option multicast.igmpQueryInterval to specify the interval at which the antrea-agent sends IGMP queries to Pods. (#3819, @liu4480)
  • Add the following capabilities to the Multi-cluster feature:
    • Add the Multi-cluster Gateway functionality which supports routing Multi-cluster Service traffic across clusters through tunnels between the Gateway Nodes. It enables Multi-cluster Service access across clusters, without requiring direct reachability of Pod IPs between clusters. (#3689 #3463 #3603, @luolanzone)
    • Add a number of antctl mc subcommands for bootstrapping Multi-cluster; refer to the Multi-cluster antctl document for more information. (#3474, @hjiajing)
  • Add the following capabilities to secondary network IPAM:
  • Add support for NodePortLocal on Windows. (#3453, @XinShuYang)
  • Add support for Traceflow on Windows. (#3022, @gran-vmv)
  • Add support for containerd to antrea-eks-node-init.yml. (#3840, @antoninbas)
  • Add an Antrea Agent configuration option disableTXChecksumOffload to support cases in which the datapath's TX checksum offloading does not work properly. (#3832, @tnqn)
  • Add support for InternalTrafficPolicy in AntreaProxy. (#2792, @hongliangl)
  • Add the following documentation:

Changed

  • Optimize generic traffic performance by reducing OVS packet recirculation. (#3858, @tnqn)
  • Optimize NodePort traffic performance by reducing OVS packet recirculation. (#3862, @hongliangl)
  • Improve validation for IPPool CRD. (#3570, @jianjuns)
  • Improve validation for egress.to.namespaces.match of AntreaClusterNetworkPolicy rules. (#3727, @qiyueyao)
  • Deprecate the Antrea Agent configuration option multicastInterfaces in favor of multicast.multicastInterfaces. (#3898, @tnqn)
  • Reduce permissions of Antrea Agent ServiceAccount. (#3691, @xliuxu)
  • Create a Secret in the Antrea manifest for the antctl and antrea-agent ServiceAccount as K8s v1.24 no longer creates a token for each ServiceAccount automatically. (#3730, @antoninbas)
  • Implement garbage collector for IP Pools to clean up allocations and reservations for which owner no longer exists. (#3672, @annakhm)
  • Preserve client IP if the selected Endpoint is local regardless of ExternalTrafficPolicy. (#3604, @hongliangl)
  • Add a Helm chart for Antrea and use the Helm templates to generate the standard Antrea YAML manifests. (#3578, @antoninbas)
  • Make "Agent mode" antctl work out-of-the-box on Windows. (#3645, @antoninbas)
  • Truncate SessionAffinity timeout values of Services instead of wrapping around. (#3609, @antoninbas)
  • Move Antrea Windows log dir from C:\k\antrea\logs\ to C:\var\log\antrea\. (#3416, @GraysonWu)
  • Limit max number of data values displayed on Grafana panels. (#3812, @heanlan)
  • Support deploying ClickHouse with Persistent Volume. (#3608, @yanjunz97)
  • Remove support for ELK Flow Collector. (#3738, @heanlan)
  • Improve documentation for Antrea-native policies. (#3512, @Dyanngg)
  • Update OVS version to 2.17.0. (#3591, @antoninbas)

Fixed

  • Fix Egress not working with kube-proxy IPVS strictARP mode. (#3837, @xliuxu)
  • Fix intra-Node Pod traffic bypassing Ingress NetworkPolicies in some scenarios. (#3809, @hongliangl)
  • Fix FQDN policy support for IPv6. (#3869, @tnqn)
  • Fix multicast not working if the AntreaPolicy feature is disabled. (#3807, @liu4480)
  • Fix tolerations for Pods running on control-plane for Kubernetes >= 1.24. (#3731, @xliuxu)
  • Fix DNS resolution error of antrea-agent on AKS by using ClusterFirst dnsPolicy. (#3701, @tnqn)
  • Clean up stale routes installed by AntreaProxy when ProxyAll is disabled. (#3465, @hongliangl)
  • Ensure that Service traffic does not bypass NetworkPolicies when ProxyAll is enabled on Windows. (#3510, @hongliangl)
  • Use IP and MAC to find virtual management adapter to fix Agent crash in some scenarios on Windows. (#3641, @wenyingd)
  • Fix handling of the "reject" packets generated by the Antrea Agent to avoid infinite looping. (#3569, @GraysonWu)
  • Fix export/import of Serv...

Release v1.5.3

13 May 15:02
d331eb2

Fixed

  • Fix export/import of Services with named ports when using the Antrea Multi-cluster feature. (#3561, @luolanzone)
  • Fix handling of the "reject" packets generated by the Antrea Agent to avoid infinite looping. (#3569, @GraysonWu)
  • Fix DNS resolution error of Antrea Agent on AKS by using ClusterFirst dnsPolicy. (#3701, @tnqn)
  • Fix tolerations for Pods running on control-plane for Kubernetes >= 1.24. (#3731, @xliuxu)
  • Reduce permissions of Antrea Agent ServiceAccount. (#3691, @xliuxu)

Release v1.6.1

12 May 09:07

Added

Fixed

  • Clean up stale routes installed by AntreaProxy when ProxyAll is disabled. (#3465, @hongliangl)
  • Fix export/import of Services with named ports when using the Antrea Multi-cluster feature. (#3561, @luolanzone)
  • Fix handling of the "reject" packets generated by the Antrea Agent to avoid infinite looping. (#3569, @GraysonWu)
  • Fix DNS resolution error of Antrea Agent on AKS by using ClusterFirst dnsPolicy. (#3701, @tnqn)
  • Fix tolerations for Pods running on control-plane for Kubernetes >= 1.24. (#3731, @xliuxu)
  • Reduce permissions of Antrea Agent ServiceAccount. (#3691, @xliuxu)
  • [Windows] Ensure that Service traffic does not bypass NetworkPolicies when ProxyAll is enabled. (#3510, @hongliangl)
  • Fix Antrea wildcard FQDN NetworkPolicies not working when NodeLocal DNSCache is enabled. (#3510, @hongliangl)