
Releases: antrea-io/antrea

Release v1.2.4

02 May 06:24

Changed

  • Use iptables-wrapper in Antrea container. Now antrea-agent can work with distros that lack the iptables kernel module of "legacy" mode (ip_tables). (#3276, @antoninbas)
  • Reduce permissions of Antrea ServiceAccount for updating annotations. (#3393, @tnqn)
  • [Windows] Use uplink MAC as source MAC when transmitting packets to underlay network from Windows Nodes. Therefore, MAC address spoofing configuration like "Forged transmits" in VMware vSphere doesn't need to be enabled. (#3516, @wenyingd)

Fixed

  • Fix DNS resolution error of antrea-agent on AKS by using ClusterFirst dnsPolicy. (#3701, @tnqn)
  • Fix status report of Antrea-native policies with multiple rules that have different AppliedTo. (#3074, @tnqn)
  • Upgrade Go version to 1.17 to pick up security fix for CVE-2021-44716. (#3189, @antoninbas)
  • Fix NetworkPolicy resources dump for Agent's supportbundle. (#3083, @antoninbas)
  • Fix gateway interface MTU configuration error on Windows. (#3043, @lzhecheng) [Windows]
  • Fix initialization error of antrea-agent on Windows by specifying hostname explicitly in VMSwitch commands. (#3169, @XinShuYang) [Windows]
  • Ensure that the Windows Node name obtained from the environment or from hostname is converted to lower-case. (#2672, @shettyg) [Windows]
  • Fix typos in the example YAML in antrea-network-policy doc. (#3079 #3092, @antoninbas @Jexf)
  • Fix an issue where an ipBlock referenced in a nested ClusterGroup is not processed correctly. (#3383, @Dyanngg)
  • Fix an issue where NetworkPolicy may not be enforced correctly after restarting a Node. (#3467, @tnqn)
  • Fix antrea-agent crash caused by interface detection in AKS/EKS with NetworkPolicyOnly mode. (#3219, @wenyingd)
  • Fix an issue where locally generated packets from the Node net namespace might be SNATed mistakenly when Egress is enabled. (#3430, @tnqn)

Release v1.6.0

29 Mar 16:43
  • The Egress feature is graduated from Alpha to Beta and is therefore enabled by default.
  • The support for proxying all Service traffic by Antrea Proxy (enabled by antreaProxy.proxyAll) is now Beta.

Added

  • Add the following capabilities to the [Antrea IPAM] feature:
    • Support pre-allocating continuous IPs for StatefulSet. (#3281, [@annakhm])
    • Support specifying VLAN for IPPool. Traffic from Pods whose IPPools are configured with a VLAN ID will be tagged when leaving the Node uplink. (#3247, [@gran-vmv])
  • Add the following capabilities to the [Antrea Multi-cluster] feature:
  • Add the following capabilities to the [AntreaPolicy] feature:
    • Add Node selector in Antrea-native policies to allow matching traffic originating from specific Nodes or destined to specific Nodes. (#3038, [@wenqiq])
    • Add ServiceAccount selector in Antrea-native policies to allow selecting Pods by ServiceAccount. (#3044, [@GraysonWu])
    • Support Pagination for ClusterGroupMembership API. (#3183, [@qiyueyao])
    • Add Port Number to Audit Logging. (#3277, [@qiyueyao])
  • [Flow Visibility] Add Grafana Flow Collector as the new visualization tool for flow records.
  • [Multicast] Support IGMPv3 leave action. (#3389, [@wenyingd])
  • [Windows] Add support for EndpointSlices on Windows Nodes. (#3321, [@XinShuYang])
  • Add SKIP_CNI_BINARIES environment variable to support skipping the installation of specified CNI plugins. (#3454, [@jainpulkit22])
  • Support UBI8-based container image to run Antrea. (#3273, [@ksamoray])
  • Add the following documentations:

Changed

  • Remove all legacy (*.antrea.tanzu.vmware.com) APIs. (#3299, [@antoninbas])
  • Remove Kind-specific manifest and scripts. Antrea now uses OVS kernel datapath for Kind clusters. (#3413, [@antoninbas])
  • [Windows] Use uplink MAC as source MAC when transmitting packets to underlay network from Windows Nodes. Therefore, MAC address spoofing configuration like "Forged transmits" in VMware vSphere doesn't need to be enabled. (#3516, [@wenyingd])
  • Add an agent config parameter "enableBridgingMode" for enabling flexible IPAM (bridging mode). (#3297 #3365, [@jianjuns])
  • Use iptables-wrapper in Antrea container to support distros that run iptables in "nft" mode. (#3276, [@antoninbas])
  • Install CNI configuration files after installing CNI binaries to support container runtime cri-o. (#3154, [@tnqn])
  • Upgrade packaged Whereabouts version to v0.5.1. (#3511, [@antoninbas])
  • Upgrade to go-ipfix v0.5.12. (#3352, [@yanjunz97])
  • Upgrade Kustomize from v3.8.8 to v4.4.1 to fix Cronjob patching bugs. (#3402, [@yanjunz97])
  • Fail in Agent initialization if GRE tunnel type is used with IPv6. (#3156, [@antoninbas])
  • Refactor the OpenFlow pipeline for future extensibility. (#3058, [@hongliangl])
  • Validate IP ranges of IPPool for Antrea IPAM. (#2995, [@ksamoray])
  • Validate protocol in the CRD schema of Antrea-native policies. (#3342, [@KMAnju-2021])
  • Validate labels in the CRD schema of Antrea-native policies and ClusterGroup. (#3331, [@GraysonWu])
  • Reduce permissions of Antrea ServiceAccounts. (#3393, [@tnqn])
  • Remove --k8s-1.15 flag from hack/generate-manifest.sh. (#3350, [@antoninbas])
  • Remove unnecessary CRDs and RBAC rules from Multi-cluster manifest. (#3491, [@luolanzone])
  • Update label and image repo of antrea-mc-controller to be consistent with antrea-controller and antrea-agent. (#3266 #3466, [@luolanzone])
  • Add clusterID annotation to ServiceExport/Import resources. (#3359, [@luolanzone])
  • Do not log error when Service for Endpoints is not found to avoid log spam. (#3256, [@tnqn])
  • Ignore Services of type ExternalName for NodePortLocal feature. (#3114, [@antoninbas])
  • Add powershell command replacement in the Antrea Windows documentation. (#3264, [@GraysonWu])

Fixed

  • Add userspace ARP/NDP responders to fix Egress and ServiceExternalIP support for IPv6 clusters. (#3318, [@hty690])
  • Fix incorrect results by antctl get networkpolicy when both Pod and Namespace are specified. (#3499, [@Dyanngg])
  • Fix IP leak issue when AntreaIPAM is enabled. (#3314, [@gran-vmv])
  • Fix error when dumping OVS flows for a NetworkPolicy via antctl get ovsflows. (#3335, [@jainpulkit22])
  • Fix IPsec encryption for IPv6 overlays. (#3155, [@antoninbas])
  • Add ignored interface names when getting interface by IP to fix NetworkPolicyOnly mode in AKE. (#3219, [@wenyingd])
  • Fix duplicate IP case for NetworkPolicy. (#3467, [@tnqn])
  • Don't delete the routes which are added for the peer IPv6 gateways on Agent startup. (#3336 #3490, [@Jexf] [@xliuxu])
  • Fix pkt mark conflict between HostLocalSourceMark and SNATIPMark. (#3430, [@tnqn])
  • Unconditionally sync CA cert for Controller webhooks to fix Egress support when AntreaPolicy is disabled. (#3421, [@antoninbas])
  • Fix inability to access NodePort in particular cases. (#3371, [@hongliangl])
  • Fix an issue where ipBlocks referenced in a nested ClusterGroup are not processed correctly. (#3383, [@Dyanngg])
  • Realize Egress for a Pod as soon as its network is created. (#3360, [@tnqn])
  • Fix NodePort/LoadBalancer issue when proxyAll is enabled. (#3295, [@hongliangl])
  • Do not panic when processing a PacketIn message for a denied connection. (#3447, [@antoninbas])
  • ...

Release v1.5.2

21 Mar 16:03

Fixed

  • Fix an issue where NetworkPolicy may not be enforced correctly after restarting a Node. (#3467, @tnqn)
  • Fix antrea-agent crash caused by interface detection in AKS/EKS with NetworkPolicyOnly mode. (#3219, @wenyingd)
  • Fix an issue where locally generated packets from the Node net namespace might be SNATed mistakenly when Egress is enabled. (#3430, @tnqn)

Release v1.5.1

08 Mar 10:15

Changed

  • Use iptables-wrapper in Antrea container. Now antrea-agent can work with distros that lack the iptables kernel module of "legacy" mode (ip_tables). (#3308, @antoninbas)
  • Reduce permissions of Antrea ServiceAccount for updating annotations. (#3408, @tnqn)

Fixed

  • Fix an issue where a NodePort/LoadBalancer Service cannot be accessed when externalTrafficPolicy is changed from Cluster to Local with proxyAll enabled. (#3330, @hongliangl)
  • Fix an issue where initial egress connections from Pods may go out with the Node IP rather than the Egress IP. (#3378, @tnqn)
  • Fix NodePort Service access when an Egress selects the same Pod as the NodePort Service. (#3397, @hongliangl)
  • Fix an issue where an ipBlock referenced in a nested ClusterGroup is not processed correctly. (#3405, @Dyanngg)

Release v1.5.0

21 Jan 11:41

Added

  • Add Antrea Multi-cluster feature which allows users to export and import Services and Endpoints across multiple clusters within a ClusterSet, and enables inter-cluster Service communication in the ClusterSet. (#3199, @luolanzone @aravindakidambi @bangqipropel @hjiajing @Dyanngg [@suwang48404] @abhiraut) [Alpha]
  • Add support for multicast that allows forwarding multicast traffic within the cluster network (i.e., between Pods) and between the external network and the cluster network. (#2652 #3142 #2835 #3171 #2986, [@wenyingd] @ceclinux [@XinShuYang]) [Alpha - Feature Gate: Multicast]
    • In this release the feature is only supported on Linux Nodes for IPv4 traffic in noEncap mode
  • Add support for IPPool and IP annotations on Pod and PodTemplate of Deployment and StatefulSet in AntreaIPAM mode. (#3093 #3042 #3141 #3164 #3146, @gran-vmv @annakhm)
    • IPPool annotation on Pod has a higher priority than the IPPool annotation on Namespace
    • A StatefulSet Pod's IP will be kept after Pod restarts when the IP is allocated from IPPool
    • Refer to Antrea IPAM Capabilities for more information
  • Add support for SR-IOV secondary network. Antrea can now create secondary network interfaces for Pods using SR-IOV VFs on bare metal Nodes. (#2651, @arunvelayutham) [Alpha - Feature Gate: SecondaryNetwork]
  • Add support for allocating external IPs for Services of type LoadBalancer from an ExternalIPPool. (#3147, [@Shengkai2000]) [Alpha - Feature Gate: ServiceExternalIP]
  • Add support for antctl in the flow aggregator Pod. (#2878, [@yanjunz97])
    • Support antctl log-level for changing log verbosity level
    • Support antctl get flowrecords [-o json] for dumping flow records
    • Support antctl get recordmetrics for dumping flow records metrics
  • Add support for the "Pass" action in Antrea-native policies to skip evaluation of further Antrea-native policy rules and delegate evaluation to Kubernetes NetworkPolicy. (#2964, @Dyanngg)
  • Add user documentation for using Project Antrea with Fluentd in order to collect audit logs from each Node. (#2853, [@qiyueyao])
  • Add user documentation for deploying Antrea on AKS Engine. (#2963, @jianjuns)
  • Improve NodePortLocal documentation to list supported Service types and add information about existing integrations with external Load Balancers. (#3113, @antoninbas)
  • Document how to run Antrea e2e tests on an existing K8s cluster. (#3045, [@xiaoxiaobaba])

Changed

  • Make LoadBalancer IP proxying configurable for AntreaProxy to support scenarios in which it is desirable to send Pod-to-ExternalIP traffic to the external LoadBalancer. (#3130, @antoninbas)
  • Add startTime to the Traceflow Status to avoid issues caused by clock skew. (#2952, @antoninbas)
  • Add reason field in antctl traceflow command output. (#3175, @Jexf)
  • Validate serviceCIDR configuration only if AntreaProxy is disabled. (#2936, [@wenyingd])
  • Improve configuration parameter validation for NodeIPAM. (#3009, [@tnqn])
  • More comprehensive validation for Antrea-native policies. (#3104 #3109, @GraysonWu [@tnqn])
  • Update Antrea Octant plugin to support Octant 0.24 and to use the Dashboard client to perform CRUD operations on Antrea CRDs. (#2951, @antoninbas)
  • Omit hostNetwork Pods when computing members of ClusterGroup and AddressGroup. (#3080, @Dyanngg)
  • Support for using an env parameter ALLOW_NO_ENCAP_WITHOUT_ANTREA_PROXY to allow running Antrea in noEncap mode without AntreaProxy. (#3116, @Jexf [@WenzelZ])
  • Move throughput calculation for network flow visibility from logstash to flow-aggregator. (#2692, @heanlan)
  • Add Go version information to full version string for Antrea binaries. (#3182, @antoninbas)
  • Improve kind-setup.sh script and Kind documentation. (#2937, @antoninbas)
  • Enable Go benchmark tests in CI. (#3004, [@wenqiq])
  • Upgrade Windows OVS version to 2.15.2 to pick up some recent patches. (#2996, [@lzhecheng]) [Windows]
  • Remove HNSEndpoint only if infra container fails to create. (#2976, [@lzhecheng]) [Windows]
  • Use OVS Port externalIDs instead of HNSEndpoint to cache the externalIDS when using containerd as the runtime on Windows. (#2931, [@wenyingd]) [Windows]
  • Reduce network downtime when starting antrea-agent on Windows Node by using Windows management virtual network adapter as OVS internal port. (#3067, [@wenyingd]) [Windows]

Fixed

  • Fix error handling of the "Reject" action of Antrea-native policies when determining if the packet belongs to Service traffic. (#3010, @GraysonWu)
  • Make the "Reject" action of Antrea-native policies work in AntreaIPAM mode. (#3003, @GraysonWu)
  • Set ClusterGroup with child groups to groupMembersComputed after all its child groups are created and processed. (#3030, @Dyanngg)
  • Fix status report of Antrea-native policies with multiple rules that have different AppliedTo. (#3074, [@tnqn])
  • Fix typos and improve the example YAML in antrea-network-policy doc. (#3079, #3092, #3108 @antoninbas @Jexf [@tnqn])
  • Fix duplicated attempts to delete unreferenced AddressGroups when deleting Antrea-native policies. (#3136, @Jexf)
  • Add retry to update NetworkPolicy status to avoid error logs. (#3134, @Jexf)
  • Fix NetworkPolicy resources dump for Agent's supportbundle. (#3083, @antoninbas)
  • Use go 1.17 to build release assets. (#3007, @antoninbas)
  • Restore the gateway route automatically configured by kernel when configuring IP address if it is missing. (#2835, @antoninbas)
  • Fix incorrect parameter used to check if a container is the infra container, which caused errors when reattaching HNS Endpoint. (#3089, [@XinShuYang]) [Windows]
  • Fix gateway interface MTU configuration error on Windows. (#3043, [@lzhecheng]) [Windows]
  • Fix initialization error of antrea-agent on Windows by specifying hostname explicitly in VMSwitch commands. (#3169, [@XinShuYang]) [Windows]

Release v1.4.0

05 Nov 19:05

The NodePortLocal feature is graduated from Alpha to Beta.

Added

  • Support for proxying all Service traffic by Antrea Proxy, including NodePort, LoadBalancer, and ClusterIP traffic. Therefore, running kube-proxy is no longer required. (#2599 #2235 #2897 #2863, @hongliangl @lzhecheng)
    • The feature works for both Linux and Windows
    • The feature is experimental and therefore disabled by default. Use the antreaProxy.proxyAll configuration parameter for the Antrea Agent to enable it
    • If kube-proxy is removed, the kubeAPIServerOverride configuration parameter for the Antrea Agent must be set to access kube-apiserver directly
  • Add AntreaIPAM feature that allows flexible control over Pod IP Addressing by assigning pools of IP addresses to specific Namespaces. (#2956, @gran-vmv @annakhm)
    • Add new IPPool API to define ranges of IP addresses which can be used as Pod IPs; the IPs in the IPPools must be in the same "underlay" subnet as the Node IP
    • A Pod's IP will be allocated from the IPPool specified by the ipam.antrea.io/ippools annotation of the Pod's Namespace if there is one
    • When the feature is enabled, the Node's network interface will be connected to the OVS bridge, in order to forward cross-Node traffic of AntreaIPAM Pods through the underlay network
    • Refer to the feature documentation for more information
  • Add NodeIPAM feature to handle the per-Node PodCIDR allocation for clusters where kube-controller-manager does not run NodeIPAMController. (#1561, @ksamoray)
  • Support for configurable transport interface CIDRs for Pod traffic. (#2704, @Jexf)
    • Use the transportInterfaceCIDRs configuration parameter for the Antrea Agent to choose an interface by network CIDRs
  • Add UDP support for NodePortLocal. (#2448, @chauhanshubham)
  • Add the nodePortLocal.enable configuration parameter for the Antrea Agent to enable NodePortLocal. (#2924, @antoninbas)
  • Add more visibility metrics to report the connection status of the Antrea Agent to the Flow Aggregator. (#2668, @zyiou)
  • Add the antreaProxy.skipServices configuration parameter for the Antrea Agent to specify Services which should be ignored by AntreaProxy. (#2882, @luolanzone)
    • A typical use case is setting antreaProxy.skipServices to ["kube-system/kube-dns"] to make NodeLocal DNSCache work when AntreaProxy is enabled
  • Add support for ToServices in the rules of Antrea-native policies to allow matching traffic intended for Services. (#2755, @GraysonWu)
  • Add the egress.exceptCIDRs configuration parameter for the Antrea Agent, to specify IP destinations for which SNAT should not be performed on outgoing traffic. (#2749, @leonstack)
  • Add user documentation for WireGuard encryption. (#2902, @jianjuns)
  • Add user documentation for encap mode installation for EKS. (#2929, @jianjuns)

Changed

  • Remove chmod for OVSDB file from start_ovs, as the permissions are set correctly by OVS 2.15.1. (#2803, @antoninbas)
  • Reduce memory usage of antctl when collecting supportbundle. (#2813, @tnqn)
  • Do not perform SNAT for egress traffic to Kubernetes Node IPs. (#2762, @leonstack)
  • Send gratuitous ARP for EgressIP via the transport interface, as opposed to the interface with Node IP (if they are different). (#2845, @Jexf)
  • Ignore hostNetwork Pods selected by Egress, as they are not supported. (#2851, @Jexf)
  • Avoid duplicate processing of Egress. (#2884, @Jexf)
  • Ignore the IPs of kube-ipvs0 for Egress as they cannot be used for SNAT. (#2930, @Jexf)
  • Change flow exporter export expiry mechanism to priority queue based, to reduce CPU usage and memory footprint. (#2360, @heanlan)
  • Make Pod labels optional in the flow records. By default, they will not be included in the flow records. Use the recordContents.podLabels configuration parameter for the Flow Aggregator to include them. (#2739, @yanjunz97)
  • Wait for AntreaProxy to be ready before accessing any K8s Service if antreaProxy.proxyAll is enabled, to avoid connection issues on Agent startup. (#2858, @tnqn)
  • Update OVS pipeline documentation to include information about AntreaProxy. (#2725, @hongliangl)
  • Remove offensive words from scripts and documentation. (#2799, @xiaoxiaobaba)
  • Use readable names for OpenFlow tables. (#2585, @wenyingd)
  • Improve the OpenAPI schema for CRDs to validate the matchExpressions field. (#2887, @wenqiq)
  • Fail fast if the source Pod for non-live-traffic Traceflow is invalid. (#2736, @gran-vmv)
  • Use the RenewIPConfig parameter to indicate whether to renew ipconfig on the host for Clean-AntreaNetwork.ps1. It defaults to false. (#2955, @wenyingd) [Windows]
  • Add Windows task delay up to 30s to improve job resiliency of Prepare-AntreaAgent.ps1, to avoid a failure in initialization after Windows startup. (#2864, @perithompson) [Windows]

Fixed

  • Fix nil pointer error when antrea-agent updates OpenFlow priorities of Antrea-native policies without Service ports. (#2730, @wenyingd)
  • Fix panic in the Antrea Controller when it processes ClusterGroups that are used by multiple ClusterNetworkPolicies. (#2768, @tnqn)
  • Fix an issue with NodePortLocal when a given Pod port needs to be exposed for both TCP and UDP. (#2903, @antoninbas)
  • Fix handling of the "Reject" action of Antrea-native policies when the traffic is intended for Services. (#2772, @GraysonWu)
  • Fix Agent crash when removing the existing NetNat on Windows Nodes. (#2751, @wenyingd) [Windows]
  • Fix container network interface MTU configuration error when using containerd as the runtime on Windows. (#2778, @wenyingd) [Windows]
  • Fix path to Prepare-AntreaAgent.ps1 in Windows docs. (#2840, @perithompson) [Windows]
  • Fix NetNeighbor Powershell error handling. (#2905, @lzhecheng) [Windows]

Release v1.2.3

24 Sep 10:15

Changed

  • Support returning partial supportbundle results when some Nodes fail to respond. (#2788, @hangyan)
  • Remove restriction that only GRE tunnels can be used when enabling IPsec: VXLAN can also be used, and so can Geneve (if the Linux kernel version for the Nodes is recent enough). (#2764, @luolanzone)
  • Reduce memory usage of antctl when collecting supportbundle. (#2821, @tnqn)

Fixed

  • Fix nil pointer error when collecting a supportbundle on a Node for which the antrea-agent container image does not include "iproute2"; this does not affect the standard antrea/antrea-ubuntu container image. (#2789, @liu4480)
  • When creating an IPsec OVS tunnel port to a remote Node, gracefully handle the case where the port already exists but with a stale config: delete the existing port first, then recreate it. (#2765, @luolanzone)
  • Fix panic in the Antrea Controller when it processes ClusterGroups that are used by multiple ClusterNetworkPolicies. (#2768, @tnqn)
  • Fix nil pointer error when antrea-agent updates OpenFlow priorities of Antrea-native policies without Service ports. (#2758, @wenyingd)
  • Fix Pod-to-Service access on Windows when the Endpoints are not non-hostNetwork Pods (e.g. the kubernetes Service). (#2702, @wenyingd) [Windows]
  • Fix container network interface MTU configuration error when using containerd as the runtime on Windows. (#2773, @wenyingd) [Windows]

Release v1.3.0

04 Sep 00:07

Added

  • Add ability to use Fully Qualified Domain Names (FQDNs) in egress policy rules when defining Antrea-native policies: both exact matches and wildcards are supported. (#2613 #2634 #2667 #2623 #2691, [@Dyanngg] [@antoninbas] [@GraysonWu] [@madhukark] [@lzhecheng])
  • Add support for WireGuard to encrypt inter-Node Pod traffic (as an alternative to IPsec); traffic mode must be set to encap and the "tunnelType" option will be ignored. (#2297 #2697, [@xliuxu] [@tnqn])
  • Support for configurable transport interface for Pod traffic. (#2370, [@wenyingd])
    • Use the "transportInterface" configuration parameter for the Antrea Agent to choose an interface by name; the default behavior is unchanged (interface to which the K8s Node IP is assigned is used)
    • On Windows, SNAT is now performed by the host and no longer by OVS, to accommodate this change [Windows]
  • Support for dual-stack transport interfaces (the IPv4 and IPv6 addresses have to be assigned to the same interface); this in turn enables support for the noEncap traffic mode in dual-stack clusters. (#2436, [@lzhecheng])
  • Add Status field to the ExternalIPPool CRD: it is used to report usage information for the pool (total number of IPs in the pool and number of IPs that are currently assigned). (#2490, [@wenqiq])
  • Add Egress support for IPv6 and dual-stack clusters. (#2196 #2655, [@wenqiq])
  • Add ability to filter logs by timestamp with the "antctl supportbundle" command. (#2389, [@hangyan] [@weiqiangt])
  • Support for IPv6 / dual-stack Kind clusters. (#2415, [@adobley] [@christianang] [@gwang550])
  • Add support for sending JSON records from the Flow Aggregator instead of IPFIX records (which is still the default), as it can achieve better performance with Logstash. (#2559, [@zyiou])
  • Support "--sort-by" flag for "antctl get networkpolicy" in Agent mode. (#2604, [@antoninbas])

Changed

  • Remove the restriction that a ClusterGroup must exist before it can be used as a child group to define other ClusterGroups. (#2443, [@Dyanngg])
  • Remove the restriction that a ClusterGroup must exist before it can be used in an Antrea ClusterNetworkPolicy. (#2478, [@Dyanngg] [@abhiraut])
  • Remove "controlplane.antrea.tanzu.vmware.com/v1beta1" API as per our API deprecation policy. (#2528 #2631, [@luolanzone])
  • Controller responses to ClusterGroup membership queries ("/clustergroupmembers" API) now include the list of IPBlocks when appropriate. (#2577, [@Dyanngg] [@abhiraut])
  • Install all Endpoint flows belonging to a Service via a single OpenFlow bundle, to reduce flow installation time when the Agent starts. (#2476, [@tnqn])
  • Improve the batch installation of NetworkPolicy rules when the Agent starts: only generate flow operations based on final desired state instead of incrementally. (#2479, [@tnqn] [@Dyanngg])
  • Use GroupMemberSet.Merge instead of GroupMemberSet.Union to reduce CPU usage and memory footprint in the Agent's policy controller. (#2467, [@tnqn])
  • When checking for the existence of an iptables chain, stop listing all the chains and searching through them; this change reduces the Agent's memory footprint. (#2458, [@tnqn])
  • Tolerate more failures for the Agent's readiness probe, as the Agent may stay disconnected from the Controller for a long time in some scenarios. (#2535, [@tnqn])
  • Remove restriction that only GRE tunnels can be used when enabling IPsec: VXLAN can also be used, and so can Geneve (if the Linux kernel version for the Nodes is recent enough). (#2489, [@luolanzone])
  • Automatically perform deduplication on NetworkPolicy audit logs for denied connections: all duplicate connections received within a 1 second buffer window will be merged and the corresponding log entry will include the connection count. (#2294 #2578, [@qiyueyao])
  • Support returning partial supportbundle results when some Nodes fail to respond. (#2399, [@hangyan])
  • When listing NetworkPolicyStats through the Controller API, return an empty list if the NetworkPolicyStats Feature Gate is disabled, instead of returning an error. (#2386, [@PeterEltgroth])
  • Update OVS version from 2.14.2 to 2.15.1: the new version fixes Geneve tunnel support in the userspace datapath (used for Kind clusters). (#2515, [@antoninbas])
  • Update [go-ipfix] to version v0.5.7 to improve overall performance of the FlowExporter feature, and in particular of the Flow Aggregator component. (#2574, [@srikartati] [@zyiou])
  • Support pretty-printing for AntreaAgentInfo and AntreaControllerInfo CRDs. (#2572, [@antoninbas])
  • Improve the process of updating the Status of an Egress resource to report the name of the Node to which the Egress IP is assigned. (#2444, [@wenqiq])
  • Change the singular name of the ClusterGroup CRD from "group" to "clustergroup". (#2484, [@abhiraut])
  • Officially-supported Go version is no longer 1.15 but 1.17. (#2609 #2640, [@antoninbas])
    • There was a notable change in the implementation of the "ParseIP" and "ParseCIDR" functions, but Antrea users should not be affected; refer to this issue
  • Standardize the process of reserving OVS register ranges and defining constant values for them; OVS registers are used to store per-packet information when required to implement specific features. (#2455, [@wenyingd])
  • Update ELK stack reference configuration to support TCP transport. (#2387, [@zyiou])
  • Update Windows installation instructions. (#2456, [@lzheheng])
  • Update Antrea-native policies documentation to reflect the addition of the "kubernetes.io/metadata.name" in upstream K8s. (#2596, [@abhiraut])
  • Default to containerd as the container runtime in the Vagrant-based test K8s cluster. (#2583, [@stanleywbwong])
  • Update AllowToCoreDNS example in Antrea-native policies documentation. (#2605, [@btrieger])
  • Update actions/setup-go to v2 in all Github workflows. (#2517, [@MysteryBlokHed])

Fixed

  • Fix panic in Agent when calculating the stats for a rule newly added to an existing NetworkPolicy. (#2495, [@tnqn])
  • Fix bug in iptables rule installation for dual-stack clusters: if a rule was already present for one protocol but not the other, its installation may have been skipped. (#2469, [@lzhecheng])
  • Fix deadlock in the Agent's FlowExporter, between the export goroutine and the conntrack polling goroutine. (#2429, [@srikartati])
  • Upgrade OVS version to 2.14.2-antrea.1 for Windows Nodes; this version of OVS is built on top of the upstream 2.14.2 release and also includes a patch to fix TCP checksum computation when the DNAT action is used. (#2549, [@lzhecheng]) [Windows]
  • Handle transient iptables-restore failures (caused by xtables lock contention) in the NodePortLocal initialization logic. (#2555, [@antoninbas])
  • Query and check the list of features supported by the OVS datapath during Agent initialization: if any required feature is not supported, the Agent will log an error and crash, instead of continuing to run, which makes it hard to troubleshoot such issues. (#2571, [@tnqn])
  • On Linux, wait for the ovs-vswitchd PID file to be ready before running ovs-apptcl commands. (#2695, [@tnqn])
  • Periodically delete stale connections in the Flow Exporter if they cannot be exported (e.g. because the collector is not available), to avoid running out of memory. (#2516, [@srikartati])
  • F...

Release v1.2.2

17 Aug 02:22

Changed

  • Update go-ipfix to version v0.5.7 to improve overall performance of the FlowExporter feature, and in particular of the Flow Aggregator component. (#2574, @srikartati @zyiou)

Fixed

  • Handle transient iptables-restore failures (caused by xtables lock contention) in the NodePortLocal initialization logic. (#2555, @antoninbas)
  • Fix handling of the "reject" packets generated by the Antrea Agent in the OVS pipeline, to avoid infinite looping when traffic between two endpoints is rejected by network policies in both directions. (#2579, @GraysonWu)
  • Fix interface naming for IPsec tunnels: based on Node names, the first char could sometimes be a dash, which is not valid. (#2486, @luolanzone)

Release v1.1.2

12 Aug 05:39

Changed

  • Improve the batch installation of NetworkPolicy rules when the Agent starts: only generate flow operations based on final desired state instead of incrementally. (#2479, @tnqn)

Fixed

  • Fix deadlock when initializing the GroupEntityIndex (in the Antrea Controller) with many groups; this was preventing correct distribution and enforcement of NetworkPolicies. (#2376, @tnqn)
  • Use "os/exec" package instead of third-party modules to run PowerShell commands and configure host networking on Windows; this change prevents Agent goroutines from getting stuck when configuring routes. (#2363, @lzhecheng) [Windows]
  • Fix panic in Agent when calculating the stats for a rule newly added to an existing NetworkPolicy. (#2495, @tnqn)
  • Fix bug in iptables rule installation for dual-stack clusters: if a rule was already present for one protocol but not the other, its installation may have been skipped. (#2469, @lzhecheng)
  • Upgrade OVS version to 2.14.2 to pick up security fixes for CVE-2015-8011, CVE-2020-27827 and CVE-2020-35498. (#2451, @antoninbas)