diff --git a/.github/workflows/upload_release_assets.yml b/.github/workflows/upload_release_assets.yml
index 8b81d0fa459..42cb674baba 100644
--- a/.github/workflows/upload_release_assets.yml
+++ b/.github/workflows/upload_release_assets.yml
@@ -119,6 +119,15 @@ jobs:
 asset_path: ./assets/antrea.yml
 asset_name: antrea.yml
 asset_content_type: application/octet-stream
+ - name: Upload antrea-crds.yml
+ uses: actions/upload-release-asset@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ github.event.release.upload_url }}
+ asset_path: ./assets/antrea-crds.yml
+ asset_name: antrea-crds.yml
+ asset_content_type: application/octet-stream
 - name: Upload antrea-ipsec.yml
 uses: actions/upload-release-asset@v1
 env:
@@ -245,3 +254,12 @@ jobs:
 asset_path: ./assets/Start-AntreaAgent.ps1
 asset_name: Start-AntreaAgent.ps1
 asset_content_type: application/octet-stream
+ - name: Upload Antrea Helm chart archive
+ uses: actions/upload-release-asset@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ github.event.release.upload_url }}
+ asset_path: ./assets/antrea-chart.tgz
+ asset_name: antrea-chart.tgz
+ asset_content_type: application/octet-stream
diff --git a/build/charts/Makefile b/build/charts/Makefile
index 608a7eafa98..b19bcfb6561 100644
--- a/build/charts/Makefile
+++ b/build/charts/Makefile
@@ -1,6 +1,10 @@
 USERID := $(shell id -u)
 GRPID := $(shell id -g)
+VERSION := $(shell head -n 1 ../../VERSION | cut -c 2-)
+
 .PHONY: helm-docs
 helm-docs:
 docker run --rm --volume "$(CURDIR):/helm-docs" --user=$(USERID):$(GRPID) jnorwood/helm-docs:v1.7.0
+ sed -i.bak "s/0.0.0/$(VERSION)/g" antrea/README.md # replace version placeholder
+ sed -i.bak "s/-dev-informational/--dev-informational/g" antrea/README.md # fix img.shields.io badge URLs
diff --git a/build/charts/antrea/Chart.yaml b/build/charts/antrea/Chart.yaml
index d835cf2b082..09336f0f94b 100644
--- a/build/charts/antrea/Chart.yaml
+++ b/build/charts/antrea/Chart.yaml
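Review bot: Both new upload steps (this hunk and the `@@ -245,3 +254,12 @@` hunk below it) reference `actions/upload-release-asset@v1` by a mutable tag, so a release job that holds `GITHUB_TOKEN` runs whatever that tag resolves to at run time; the existing steps share this, but the newly added steps are the natural place to start pinning, e.g. `uses: actions/upload-release-asset@<full commit SHA>  # v1`. The upstream repository for that action is archived, so a follow-up moving the whole job to a maintained uploader is worth tracking. For `antrea-chart.tgz` in particular, publishing a checksum file next to the archive would give consumers a way to verify the download, since the chart is consumed by tooling rather than read by humans.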
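Review bot: The two added `sed -i.bak` lines in the `helm-docs` recipe leave `antrea/README.md.bak` behind in the chart directory after every run, and nothing in the hunk removes it; it will show up as an untracked file and, unless `.helmignore` excludes it, be packaged into the chart. Either drop the backup at the end of the recipe (`rm -f antrea/README.md.bak`) or, if `-i.bak` is there only for GNU/BSD `sed -i` portability, say so in the trailing comment. The first pattern `s/0.0.0/$(VERSION)/g` also uses unescaped `.`, which matches any character; `s/0\.0\.0/$(VERSION)/g` is the intended literal match.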
@@ -3,8 +3,8 @@ name: antrea
 type: application
 displayName: Antrea
 home: https://antrea.io/
-version: 1.17.0-dev
-appVersion: 1.17.0-dev
+version: 0.0.0
+appVersion: 0.0.0
 kubeVersion: ">= 1.16.0-0"
 icon: https://raw.githubusercontent.com/antrea-io/antrea/main/docs/assets/logo/antrea_logo.svg
 description: Kubernetes networking based on Open vSwitch
@@ -14,5 +14,7 @@ keywords:
 - Networking
 - CNI
 - Security
+ - Open vSwitch
+ - OVS
 sources:
 - https://github.com/antrea-io/antrea
diff --git a/build/charts/antrea/README.md b/build/charts/antrea/README.md
index 3d524c0bff2..f77f8afb7af 100644
--- a/build/charts/antrea/README.md
+++ b/build/charts/antrea/README.md
@@ -1,6 +1,6 @@
 # antrea
-![Version: 1.17.0-dev](https://img.shields.io/badge/Version-1.17.0--dev-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.17.0-dev](https://img.shields.io/badge/AppVersion-1.17.0--dev-informational?style=flat-square)
+![Version: 1.7.0-dev](https://img.shields.io/badge/Version-1.7.0--dev-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.0-dev](https://img.shields.io/badge/AppVersion-1.7.0--dev-informational?style=flat-square)
 Kubernetes networking based on Open vSwitch
diff --git a/build/charts/antrea/templates/crds/antreaagentinfo.yaml b/build/charts/antrea/crds/antreaagentinfo.yaml
similarity index 100%
rename from build/charts/antrea/templates/crds/antreaagentinfo.yaml
rename to build/charts/antrea/crds/antreaagentinfo.yaml
diff --git a/build/charts/antrea/templates/crds/antreacontrollerinfo.yaml b/build/charts/antrea/crds/antreacontrollerinfo.yaml
similarity index 100%
rename from build/charts/antrea/templates/crds/antreacontrollerinfo.yaml
rename to build/charts/antrea/crds/antreacontrollerinfo.yaml
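Review bot: The `0.0.0` written to `version` and `appVersion` is a placeholder, but nothing in `Chart.yaml` says so or where the real value comes from; the Makefile hunk in this commit substitutes the placeholder in `README.md` from `VERSION`, and presumably the chart packaging step does the same for `Chart.yaml`, though that step is not visible here. A comment above `version` such as `# Placeholder: replaced with the release version when the chart is packaged` would keep the next reader from "correcting" it, and it is worth stating in the chart README that an install from the source tree reports `0.0.0` (the new `NOTES.txt` prints `.Chart.Version`, so users will see it). Separately, the CRD files moved from `templates/crds/` to `crds/` in this commit are handled by Helm's `crds/` convention, which installs them on first install only and skips them on `helm upgrade`; that upgrade caveat belongs in the chart documentation as well.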
diff --git a/build/charts/antrea/templates/crds/clustergroup.yaml b/build/charts/antrea/crds/clustergroup.yaml
similarity index 100%
rename from build/charts/antrea/templates/crds/clustergroup.yaml
rename to build/charts/antrea/crds/clustergroup.yaml
diff --git a/build/charts/antrea/templates/crds/clusternetworkpolicy.yaml b/build/charts/antrea/crds/clusternetworkpolicy.yaml
similarity index 100%
rename from build/charts/antrea/templates/crds/clusternetworkpolicy.yaml
rename to build/charts/antrea/crds/clusternetworkpolicy.yaml
diff --git a/build/charts/antrea/templates/crds/egress.yaml b/build/charts/antrea/crds/egress.yaml
similarity index 100%
rename from build/charts/antrea/templates/crds/egress.yaml
rename to build/charts/antrea/crds/egress.yaml
diff --git a/build/charts/antrea/templates/crds/externalentity.yaml b/build/charts/antrea/crds/externalentity.yaml
similarity index 100%
rename from build/charts/antrea/templates/crds/externalentity.yaml
rename to build/charts/antrea/crds/externalentity.yaml
diff --git a/build/charts/antrea/templates/crds/externalippool.yaml b/build/charts/antrea/crds/externalippool.yaml
similarity index 100%
rename from build/charts/antrea/templates/crds/externalippool.yaml
rename to build/charts/antrea/crds/externalippool.yaml
diff --git a/build/charts/antrea/templates/crds/ippool.yaml b/build/charts/antrea/crds/ippool.yaml
similarity index 100%
rename from build/charts/antrea/templates/crds/ippool.yaml
rename to build/charts/antrea/crds/ippool.yaml
diff --git a/build/charts/antrea/templates/crds/networkpolicy.yaml b/build/charts/antrea/crds/networkpolicy.yaml
similarity index 100%
rename from build/charts/antrea/templates/crds/networkpolicy.yaml
rename to build/charts/antrea/crds/networkpolicy.yaml
diff --git a/build/charts/antrea/templates/crds/tier.yaml b/build/charts/antrea/crds/tier.yaml
similarity index 100%
rename from build/charts/antrea/templates/crds/tier.yaml
rename to build/charts/antrea/crds/tier.yaml
diff --git a/build/charts/antrea/templates/crds/traceflow.yaml b/build/charts/antrea/crds/traceflow.yaml
similarity index 100%
rename from build/charts/antrea/templates/crds/traceflow.yaml
rename to build/charts/antrea/crds/traceflow.yaml
diff --git a/build/charts/antrea/templates/crds/trafficcontrol.yaml b/build/charts/antrea/crds/trafficcontrol.yaml
similarity index 100%
rename from build/charts/antrea/templates/crds/trafficcontrol.yaml
rename to build/charts/antrea/crds/trafficcontrol.yaml
diff --git a/build/charts/antrea/templates/NOTES.txt b/build/charts/antrea/templates/NOTES.txt
index 40e0d249333..a00eeec791c 100644
--- a/build/charts/antrea/templates/NOTES.txt
+++ b/build/charts/antrea/templates/NOTES.txt
@@ -1 +1,5 @@
-The Antrea CNI has been successfully installed.
+The Antrea CNI has been successfully installed
+
+You are using version {{ .Chart.Version }}
+
+For the Antrea documentation, please visit https://antrea.io
diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml
index 0dac8be1865..613d257595f 100644
--- a/build/yamls/antrea-aks.yml
+++ b/build/yamls/antrea-aks.yml
@@ -1,571 +1,119 @@ --- -# Source: antrea/templates/agent/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: antrea-agent - namespace: kube-system - labels: - app: antrea ---- -# Source: antrea/templates/antctl/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount +# Source: crds/antreaagentinfo.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: antctl - namespace: kube-system + name: antreaagentinfos.crd.antrea.io labels: app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of this Agent + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of this Agent + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Node on which this Agent is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of local Pods managed by this Agent + jsonPath: ".localPodNum" + name: Num Pods + type: integer + priority: 2 + - description: Subnets used by this Agent for Pod IPAM + jsonPath: ".nodeSubnets" + name: Subnets + type: string + priority: 2 + scope: Cluster + names: + plural: antreaagentinfos + singular: antreaagentinfo + kind: AntreaAgentInfo + shortNames: + - aai + --- -# Source: antrea/templates/controller/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount +# Source: crds/antreacontrollerinfo.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: antrea-controller - namespace: kube-system + name: antreacontrollerinfos.crd.antrea.io labels: app: antrea +spec: + 
group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of the Controller + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of the Controller + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Number of Agents connected to the Controller + jsonPath: ".connectedAgentNum" + name: Connected Agents + type: integer + priority: 1 + - description: Node on which the Controller is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of Network Policies computed by Controller + jsonPath: ".networkPolicyControllerInfo.networkPolicyNum" + name: Num Network Policies + type: integer + priority: 2 + scope: Cluster + names: + plural: antreacontrollerinfos + singular: antreacontrollerinfo + kind: AntreaControllerInfo + shortNames: + - aci + --- -# Source: antrea/templates/agent/secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: antrea-agent-service-account-token - namespace: kube-system - annotations: - kubernetes.io/service-account.name: antrea-agent -type: kubernetes.io/service-account-token ---- -# Source: antrea/templates/antctl/secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: antctl-service-account-token - namespace: kube-system - annotations: - kubernetes.io/service-account.name: antctl -type: kubernetes.io/service-account-token ---- -# Source: antrea/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap +# Source: crds/clustergroup.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: antrea-config - 
namespace: kube-system - labels: - app: antrea -data: - antrea-agent.conf: | - # FeatureGates is a map of feature names to bools that enable or disable experimental features. - featureGates: - # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. - # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on - # Service traffic. - # AntreaProxy: true - - # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice - # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, - # this flag will not take effect. - # EndpointSlice: false - - # Enable traceflow which provides packet tracing feature to diagnose network issue. - # Traceflow: true - - # Enable NodePortLocal feature to make the Pods reachable externally through NodePort - # NodePortLocal: true - - # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins - # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy - # feature that supports priorities, rule actions and externalEntities in the future. - # AntreaPolicy: true - - # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each - # agent to a configured collector. - # FlowExporter: false - - # Enable collecting and exposing NetworkPolicy statistics. - # NetworkPolicyStats: true - - # Enable controlling SNAT IPs of Pod egress traffic. - # Egress: true - - # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the - # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for - # IPAM when configuring secondary network interfaces with Multus. - # AntreaIPAM: false - - # Enable multicast traffic. This feature is supported only with noEncap mode. - # Multicast: false - - # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. 
- # This feature is supported only with encap mode. - # Multicluster: false - - # Enable support for provisioning secondary network interfaces for Pods (using - # Pod annotations). At the moment, Antrea can only create secondary network - # interfaces using SR-IOV VFs on baremetal Nodes. - # SecondaryNetwork: false - - # Enable managing external IPs of Services of LoadBalancer type. - # ServiceExternalIP: false - - # Enable mirroring or redirecting the traffic Pods send or receive. - # TrafficControl: false - - # Enable certificated-based authentication for IPsec. - # IPsecCertAuth: false - - # Name of the OpenVSwitch bridge antrea-agent will create and use. - # Make sure it doesn't conflict with your existing OpenVSwitch bridges. - ovsBridge: "br-int" - - # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: - # - system - # - netdev - # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run - # OVS in userspace mode. Userspace mode requires the tun device driver to be available. - #ovsDatapathType: system - - # Name of the interface antrea-agent will create and use for host <--> pod communication. - # Make sure it doesn't conflict with your existing interfaces. - hostGateway: "antrea-gw0" - - # Determines how traffic is encapsulated. It has the following options: - # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network - # traffic is SNAT'd. - # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is - # SNAT'd if noSNAT is not set to true. Underlying network must be capable of - # supporting Pod traffic across IP subnets. - # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. - # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod - # IPAM and connectivity to the primary CNI. 
- # - trafficEncapMode: "networkPolicyOnly" - - # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. - # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap - # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to - # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never - # performs SNAT and this option will be ignored; for other modes it must be set to false. - noSNAT: false - - # Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode, - # this option will not take effect. Supported values: - # - geneve (default) - # - vxlan - # - gre - # - stt - # Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters). - tunnelType: "geneve" - - # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode. - # It has the following options: - # - none (default): Inter-node Pod traffic will not be encrypted. - # - ipsec: Enable IPsec (ESP) encryption for Pod traffic across Nodes. Antrea uses - # Preshared Key (PSK) for IKE authentication. When IPsec tunnel is enabled, - # the PSK value must be passed to Antrea Agent through an environment - # variable: ANTREA_IPSEC_PSK. - # - wireGuard: Enable WireGuard for tunnel traffic encryption. - trafficEncryptionMode: "none" - - # Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected - # to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are - # allocated by AntreaIPAM from IPPools) is sent to the underlay network, and forwarded/routed by the - # underlay network. - # This option requires the `AntreaIPAM` feature gate to be enabled. 
At this moment, it supports only - # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`, - # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. - enableBridgingMode: false - - # Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the - # datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. - # It affects Pods running on Linux Nodes only. - disableTXChecksumOffload: false - - # Default MTU to use for the host gateway interface and the network interface of each Pod. - # If omitted, antrea-agent will discover the MTU of the Node's primary interface and - # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). - defaultMTU: 0 - - # wireGuard specifies WireGuard related configurations. - wireGuard: - # The port for WireGuard to receive traffic. - port: 51820 - - egress: - # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. - exceptCIDRs: - - # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be - # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When - # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. - serviceCIDR: "" - - # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack - # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by - # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. - # No default value for this field. - serviceCIDRv6: "" - - # The port for the antrea-agent APIServer to serve on. - # Note that if it's set to another value, the `containerPort` of the `api` port of the - # `antrea-agent` container must be set to the same value. 
- apiPort: 10350 - - # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. - enablePrometheusMetrics: true - - # Provide the IPFIX collector address as a string with format :[][:]. - # HOST can either be the DNS name or the IP of the Flow Collector. For example, - # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect - # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. - # However, IPv6 address should be wrapped with []. - # If PORT is empty, we default to 4739, the standard IPFIX port. - # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and - # "udp" protocols. "tls" is used for securing communication between flow exporter and - # flow aggregator. - flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" - - # Provide flow poll interval as a duration string. This determines how often the - # flow exporter dumps connections from the conntrack module. Flow poll interval - # should be greater than or equal to 1s (one second). - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - flowPollInterval: "5s" - - # Provide the active flow export timeout, which is the timeout after which a flow - # record is sent to the collector for active flows. Thus, for flows with a continuous - # stream of packets, a flow record will be exported to the collector once the elapsed - # time since the last export event is equal to the value of this timeout. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - activeFlowExportTimeout: "5s" - - # Provide the idle flow export timeout, which is the timeout after which a flow - # record is sent to the collector for idle flows. A flow is considered idle if no - # packet matching this flow has been observed since the last export event. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
- idleFlowExportTimeout: "15s" - - nodePortLocal: - # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To - # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature - # gate is also enabled (which is the default). - enable: false - # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port - # from that range will be assigned whenever a Pod's container defines a specific port to be exposed - # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic - # directed to that port will be forwarded to the Pod. - portRange: "61000-62000" - - # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. - # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. - kubeAPIServerOverride: "" - - # Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy. - # Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53, - # [fd00:10:96::a]:53). - dnsServerOverride: "" - - # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. - # https://golang.org/pkg/crypto/tls/#pkg-constants - # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always - # prefer TLS1.3 Cipher Suites whenever possible. - tlsCipherSuites: "" - - # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - tlsMinVersion: "" - - # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes. - # If there are multiple IP addresses configured on the interface, the first one is used. 
The IP - # address used for tunneling or routing traffic to remote Nodes is decided in the following order of - # preference (from highest to lowest): - # 1. transportInterface - # 2. transportInterfaceCIDRs - # 3. The Node IP - transportInterface: "" - - multicast: - # The names of the interfaces on Nodes that are used to forward multicast traffic. - # Defaults to transport interface if not set. - multicastInterfaces: - - # The interval at which the antrea-agent sends IGMP queries to Pods. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - igmpQueryInterval: "125s" - - # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across - # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The - # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of - # preference (from highest to lowest): - # 1. transportInterface - # 2. transportInterfaceCIDRs - # 3. The Node IP - transportInterfaceCIDRs: - - # Option antreaProxy contains AntreaProxy related configuration options. - antreaProxy: - # ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic, - # regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy - # feature to be enabled. - # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access - # apiserver directly. - proxyAll: false - # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks. - # (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses. - # Note that the option is only valid when proxyAll is true. 
- nodePortAddresses: - # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these - # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name - # with Namespace (e.g. kube-system/kube-dns) - skipServices: - # When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the - # External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional - # capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the - # external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy. - # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and - # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic. - proxyLoadBalancerIPs: true - - # IPsec tunnel related configurations. - ipsec: - # The authentication mode of IPsec tunnel. It has the following options: - # - psk (default): Use pre-shared key (PSK) for IKE authentication. - # - cert: Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth` - # feature gate to be enabled. - authenticationMode: "psk" - - multicluster: - # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. - # This feature is supported only with encap mode. - enable: false - # The Namespace where Antrea Multi-cluster Controller is running. - # The default is antrea-agent's Namespace. 
- namespace: "" - antrea-cni.conflist: | - { - "cniVersion":"0.3.0", - "name": "antrea", - "plugins": [ - { - "type": "antrea", - "ipam": { - "type": "host-local" - } - } - , - { - "type": "portmap", - "capabilities": {"portMappings": true} - } - , - { - "type": "bandwidth", - "capabilities": {"bandwidth": true} - } - ] - } - antrea-controller.conf: | - # FeatureGates is a map of feature names to bools that enable or disable experimental features. - featureGates: - # Enable traceflow which provides packet tracing feature to diagnose network issue. - # Traceflow: true - - # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins - # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy - # feature that supports priorities, rule actions and externalEntities in the future. - # AntreaPolicy: true - - # Enable collecting and exposing NetworkPolicy statistics. - # NetworkPolicyStats: true - - # Enable multicast traffic. This feature is supported only with noEncap mode. - # Multicast: false - - # Enable controlling SNAT IPs of Pod egress traffic. - # Egress: true - - # Run Kubernetes NodeIPAMController with Antrea. - # NodeIPAM: false - - # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the - # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for - # IPAM when configuring secondary network interfaces with Multus. - # AntreaIPAM: false - - # Enable managing external IPs of Services of LoadBalancer type. - # ServiceExternalIP: false - - # Enable certificated-based authentication for IPsec. - # IPsecCertAuth: false - - # The port for the antrea-controller APIServer to serve on. - # Note that if it's set to another value, the `containerPort` of the `api` port of the - # `antrea-controller` container must be set to the same value. - apiPort: 10349 - - # Enable metrics exposure via Prometheus. 
Initializes Prometheus metrics listener. - enablePrometheusMetrics: true - - # Indicates whether to use auto-generated self-signed TLS certificate. - # If false, a Secret named "antrea-controller-tls" must be provided with the following keys: - # ca.crt: - # tls.crt: - # tls.key: - selfSignedCert: true - - # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. - # https://golang.org/pkg/crypto/tls/#pkg-constants - # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always - # prefer TLS1.3 Cipher Suites whenever possible. - tlsCipherSuites: "" - - # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - tlsMinVersion: "" - - nodeIPAM: - # Enable the integrated Node IPAM controller within the Antrea controller. - enableNodeIPAM: false - # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. - # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. - # Value ignored when enableNodeIPAM is false. - clusterCIDRs: - # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. - # Value ignored when enableNodeIPAM is false. - serviceCIDR: "" - serviceCIDRv6: "" - # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false - # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. - nodeCIDRMaskSizeIPv4: 24 - # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false - # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. - nodeCIDRMaskSizeIPv6: 64 - - ipsecCSRSigner: - # Determines the auto-approve policy of Antrea CSR signer for IPsec certificates management. 
- # If enabled, Antrea will auto-approve the CertificateSingingRequest (CSR) if its subject and x509 extensions - # are permitted, and the requestor can be validated. If K8s `BoundServiceAccountTokenVolume` feature is enabled, - # the Pod identity will also be validated to provide maximum security. - # If set to false, Antrea will not auto-approve CertificateSingingRequests and they need to be approved - # manually by `kubectl certificate approve`. - autoApprove: true - # Indicates whether to use auto-generated self-signed CA certificate. - # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys: - # tls.crt: - # tls.key: - selfSignedCA: true ---- -# Source: antrea/templates/crds/antreaagentinfo.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: antreaagentinfos.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - additionalPrinterColumns: - - description: Health status of this Agent - jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status" - name: Healthy - type: string - - description: Last time the Healthy Condition was updated - jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime" - name: Last Heartbeat - type: date - - description: Version of this Agent - jsonPath: ".version" - name: Version - type: string - priority: 1 - - description: Node on which this Agent is running - jsonPath: ".nodeRef.name" - name: Node - type: string - priority: 1 - - description: Number of local Pods managed by this Agent - jsonPath: ".localPodNum" - name: Num Pods - type: integer - priority: 2 - - description: Subnets used by this Agent for Pod IPAM - jsonPath: ".nodeSubnets" - name: Subnets - type: string - priority: 2 - scope: Cluster - names: - plural: antreaagentinfos - singular: antreaagentinfo - kind: 
AntreaAgentInfo - shortNames: - - aai ---- -# Source: antrea/templates/crds/antreacontrollerinfo.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: antreacontrollerinfos.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - additionalPrinterColumns: - - description: Health status of the Controller - jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status" - name: Healthy - type: string - - description: Last time the Healthy Condition was updated - jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime" - name: Last Heartbeat - type: date - - description: Version of the Controller - jsonPath: ".version" - name: Version - type: string - priority: 1 - - description: Number of Agents connected to the Controller - jsonPath: ".connectedAgentNum" - name: Connected Agents - type: integer - priority: 1 - - description: Node on which the Controller is running - jsonPath: ".nodeRef.name" - name: Node - type: string - priority: 1 - - description: Number of Network Policies computed by Controller - jsonPath: ".networkPolicyControllerInfo.networkPolicyNum" - name: Num Network Policies - type: integer - priority: 2 - scope: Cluster - names: - plural: antreacontrollerinfos - singular: antreacontrollerinfo - kind: AntreaControllerInfo - shortNames: - - aci ---- -# Source: antrea/templates/crds/clustergroup.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: clustergroups.crd.antrea.io + name: clustergroups.crd.antrea.io labels: app: antrea spec: @@ -825,8 +373,9 @@ spec: kind: ClusterGroup shortNames: - cg + --- -# Source: antrea/templates/crds/clusternetworkpolicy.yaml +# Source: crds/clusternetworkpolicy.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
@@ -1434,8 +983,9 @@ spec: kind: ClusterNetworkPolicy shortNames: - acnp + --- -# Source: antrea/templates/crds/egress.yaml +# Source: crds/egress.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -1548,8 +1098,9 @@ spec: kind: Egress shortNames: - eg + --- -# Source: antrea/templates/crds/externalentity.yaml +# Source: crds/externalentity.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -1608,8 +1159,9 @@ spec: kind: ExternalEntity shortNames: - ee + --- -# Source: antrea/templates/crds/externalippool.yaml +# Source: crds/externalippool.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -1713,8 +1265,9 @@ spec: kind: ExternalIPPool shortNames: - eip + --- -# Source: antrea/templates/crds/ippool.yaml +# Source: crds/ippool.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -1827,8 +1380,9 @@ spec: kind: IPPool shortNames: - ipp + --- -# Source: antrea/templates/crds/networkpolicy.yaml +# Source: crds/networkpolicy.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -2337,8 +1891,9 @@ spec: kind: NetworkPolicy shortNames: - anp + --- -# Source: antrea/templates/crds/tier.yaml +# Source: crds/tier.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -2381,8 +1936,9 @@ spec: kind: Tier shortNames: - tr + --- -# Source: antrea/templates/crds/traceflow.yaml +# Source: crds/traceflow.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -2634,8 +2190,9 @@ spec: kind: Traceflow shortNames: - tf + --- -# Source: antrea/templates/crds/trafficcontrol.yaml +# Source: crds/trafficcontrol.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
@@ -2919,6 +2476,461 @@ spec: kind: TrafficControl shortNames: - tc + +--- +# Source: antrea/templates/agent/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antrea-agent + namespace: kube-system + labels: + app: antrea +--- +# Source: antrea/templates/antctl/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antctl + namespace: kube-system + labels: + app: antrea +--- +# Source: antrea/templates/controller/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antrea-controller + namespace: kube-system + labels: + app: antrea +--- +# Source: antrea/templates/agent/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: antrea-agent-service-account-token + namespace: kube-system + annotations: + kubernetes.io/service-account.name: antrea-agent +type: kubernetes.io/service-account-token +--- +# Source: antrea/templates/antctl/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: antctl-service-account-token + namespace: kube-system + annotations: + kubernetes.io/service-account.name: antctl +type: kubernetes.io/service-account-token +--- +# Source: antrea/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: antrea-config + namespace: kube-system + labels: + app: antrea +data: + antrea-agent.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. + # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on + # Service traffic. + # AntreaProxy: true + + # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice + # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, + # this flag will not take effect. 
+ # EndpointSlice: false + + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable NodePortLocal feature to make the Pods reachable externally through NodePort + # NodePortLocal: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each + # agent to a configured collector. + # FlowExporter: false + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: true + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: true + + # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the + # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for + # IPAM when configuring secondary network interfaces with Multus. + # AntreaIPAM: false + + # Enable multicast traffic. This feature is supported only with noEncap mode. + # Multicast: false + + # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. + # This feature is supported only with encap mode. + # Multicluster: false + + # Enable support for provisioning secondary network interfaces for Pods (using + # Pod annotations). At the moment, Antrea can only create secondary network + # interfaces using SR-IOV VFs on baremetal Nodes. + # SecondaryNetwork: false + + # Enable managing external IPs of Services of LoadBalancer type. + # ServiceExternalIP: false + + # Enable mirroring or redirecting the traffic Pods send or receive. + # TrafficControl: false + + # Enable certificated-based authentication for IPsec. 
+ # IPsecCertAuth: false + + # Name of the OpenVSwitch bridge antrea-agent will create and use. + # Make sure it doesn't conflict with your existing OpenVSwitch bridges. + ovsBridge: "br-int" + + # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: + # - system + # - netdev + # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run + # OVS in userspace mode. Userspace mode requires the tun device driver to be available. + #ovsDatapathType: system + + # Name of the interface antrea-agent will create and use for host <--> pod communication. + # Make sure it doesn't conflict with your existing interfaces. + hostGateway: "antrea-gw0" + + # Determines how traffic is encapsulated. It has the following options: + # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network + # traffic is SNAT'd. + # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is + # SNAT'd if noSNAT is not set to true. Underlying network must be capable of + # supporting Pod traffic across IP subnets. + # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. + # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod + # IPAM and connectivity to the primary CNI. + # + trafficEncapMode: "networkPolicyOnly" + + # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. + # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap + # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to + # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never + # performs SNAT and this option will be ignored; for other modes it must be set to false. + noSNAT: false + + # Tunnel protocols used for encapsulating traffic across Nodes. 
If WireGuard is enabled in trafficEncryptionMode, + # this option will not take effect. Supported values: + # - geneve (default) + # - vxlan + # - gre + # - stt + # Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters). + tunnelType: "geneve" + + # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode. + # It has the following options: + # - none (default): Inter-node Pod traffic will not be encrypted. + # - ipsec: Enable IPsec (ESP) encryption for Pod traffic across Nodes. Antrea uses + # Preshared Key (PSK) for IKE authentication. When IPsec tunnel is enabled, + # the PSK value must be passed to Antrea Agent through an environment + # variable: ANTREA_IPSEC_PSK. + # - wireGuard: Enable WireGuard for tunnel traffic encryption. + trafficEncryptionMode: "none" + + # Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected + # to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are + # allocated by AntreaIPAM from IPPools) is sent to the underlay network, and forwarded/routed by the + # underlay network. + # This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only + # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`, + # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. + enableBridgingMode: false + + # Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the + # datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. + # It affects Pods running on Linux Nodes only. + disableTXChecksumOffload: false + + # Default MTU to use for the host gateway interface and the network interface of each Pod. 
+ # If omitted, antrea-agent will discover the MTU of the Node's primary interface and + # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). + defaultMTU: 0 + + # wireGuard specifies WireGuard related configurations. + wireGuard: + # The port for WireGuard to receive traffic. + port: 51820 + + egress: + # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. + exceptCIDRs: + + # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be + # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When + # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. + serviceCIDR: "" + + # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack + # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by + # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. + # No default value for this field. + serviceCIDRv6: "" + + # The port for the antrea-agent APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-agent` container must be set to the same value. + apiPort: 10350 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + enablePrometheusMetrics: true + + # Provide the IPFIX collector address as a string with format :[][:]. + # HOST can either be the DNS name or the IP of the Flow Collector. For example, + # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect + # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. + # However, IPv6 address should be wrapped with []. + # If PORT is empty, we default to 4739, the standard IPFIX port. + # If no PROTO is given, we consider "tls" as default. 
We support "tls", "tcp" and + # "udp" protocols. "tls" is used for securing communication between flow exporter and + # flow aggregator. + flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" + + # Provide flow poll interval as a duration string. This determines how often the + # flow exporter dumps connections from the conntrack module. Flow poll interval + # should be greater than or equal to 1s (one second). + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + flowPollInterval: "5s" + + # Provide the active flow export timeout, which is the timeout after which a flow + # record is sent to the collector for active flows. Thus, for flows with a continuous + # stream of packets, a flow record will be exported to the collector once the elapsed + # time since the last export event is equal to the value of this timeout. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + activeFlowExportTimeout: "5s" + + # Provide the idle flow export timeout, which is the timeout after which a flow + # record is sent to the collector for idle flows. A flow is considered idle if no + # packet matching this flow has been observed since the last export event. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + idleFlowExportTimeout: "15s" + + nodePortLocal: + # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To + # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature + # gate is also enabled (which is the default). + enable: false + # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port + # from that range will be assigned whenever a Pod's container defines a specific port to be exposed + # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic + # directed to that port will be forwarded to the Pod. 
+ portRange: "61000-62000" + + # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. + # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. + kubeAPIServerOverride: "" + + # Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy. + # Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53, + # [fd00:10:96::a]:53). + dnsServerOverride: "" + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + tlsCipherSuites: "" + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + tlsMinVersion: "" + + # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes. + # If there are multiple IP addresses configured on the interface, the first one is used. The IP + # address used for tunneling or routing traffic to remote Nodes is decided in the following order of + # preference (from highest to lowest): + # 1. transportInterface + # 2. transportInterfaceCIDRs + # 3. The Node IP + transportInterface: "" + + multicast: + # The names of the interfaces on Nodes that are used to forward multicast traffic. + # Defaults to transport interface if not set. + multicastInterfaces: + + # The interval at which the antrea-agent sends IGMP queries to Pods. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + igmpQueryInterval: "125s" + + # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across + # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. 
The + # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of + # preference (from highest to lowest): + # 1. transportInterface + # 2. transportInterfaceCIDRs + # 3. The Node IP + transportInterfaceCIDRs: + + # Option antreaProxy contains AntreaProxy related configuration options. + antreaProxy: + # ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic, + # regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy + # feature to be enabled. + # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access + # apiserver directly. + proxyAll: false + # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks. + # (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses. + # Note that the option is only valid when proxyAll is true. + nodePortAddresses: + # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these + # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name + # with Namespace (e.g. kube-system/kube-dns) + skipServices: + # When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the + # External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional + # capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the + # external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy. 
+ # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and + # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic. + proxyLoadBalancerIPs: true + + # IPsec tunnel related configurations. + ipsec: + # The authentication mode of IPsec tunnel. It has the following options: + # - psk (default): Use pre-shared key (PSK) for IKE authentication. + # - cert: Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth` + # feature gate to be enabled. + authenticationMode: "psk" + + multicluster: + # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. + # This feature is supported only with encap mode. + enable: false + # The Namespace where Antrea Multi-cluster Controller is running. + # The default is antrea-agent's Namespace. + namespace: "" + antrea-cni.conflist: | + { + "cniVersion":"0.3.0", + "name": "antrea", + "plugins": [ + { + "type": "antrea", + "ipam": { + "type": "host-local" + } + } + , + { + "type": "portmap", + "capabilities": {"portMappings": true} + } + , + { + "type": "bandwidth", + "capabilities": {"bandwidth": true} + } + ] + } + antrea-controller.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: true + + # Enable multicast traffic. This feature is supported only with noEncap mode. 
+ # Multicast: false + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: true + + # Run Kubernetes NodeIPAMController with Antrea. + # NodeIPAM: false + + # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the + # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for + # IPAM when configuring secondary network interfaces with Multus. + # AntreaIPAM: false + + # Enable managing external IPs of Services of LoadBalancer type. + # ServiceExternalIP: false + + # Enable certificated-based authentication for IPsec. + # IPsecCertAuth: false + + # The port for the antrea-controller APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-controller` container must be set to the same value. + apiPort: 10349 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + enablePrometheusMetrics: true + + # Indicates whether to use auto-generated self-signed TLS certificate. + # If false, a Secret named "antrea-controller-tls" must be provided with the following keys: + # ca.crt: + # tls.crt: + # tls.key: + selfSignedCert: true + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + tlsCipherSuites: "" + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + tlsMinVersion: "" + + nodeIPAM: + # Enable the integrated Node IPAM controller within the Antrea controller. + enableNodeIPAM: false + # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. + # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. 
+ # Value ignored when enableNodeIPAM is false. + clusterCIDRs: + # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. + # Value ignored when enableNodeIPAM is false. + serviceCIDR: "" + serviceCIDRv6: "" + # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. + nodeCIDRMaskSizeIPv4: 24 + # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. + nodeCIDRMaskSizeIPv6: 64 + + ipsecCSRSigner: + # Determines the auto-approve policy of Antrea CSR signer for IPsec certificates management. + # If enabled, Antrea will auto-approve the CertificateSingingRequest (CSR) if its subject and x509 extensions + # are permitted, and the requestor can be validated. If K8s `BoundServiceAccountTokenVolume` feature is enabled, + # the Pod identity will also be validated to provide maximum security. + # If set to false, Antrea will not auto-approve CertificateSingingRequests and they need to be approved + # manually by `kubectl certificate approve`. + autoApprove: true + # Indicates whether to use auto-generated self-signed CA certificate. + # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys: + # tls.crt: + # tls.key: + selfSignedCA: true --- # Source: antrea/templates/agent/clusterrole.yaml kind: ClusterRole diff --git a/build/yamls/antrea-crds.yml b/build/yamls/antrea-crds.yml new file mode 100644 index 00000000000..64f7a1a2b62 --- /dev/null +++ b/build/yamls/antrea-crds.yml 
@@ -0,0 +1,2455 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: antreaagentinfos.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of this Agent + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of this Agent + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Node on which this Agent is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of local Pods managed by this Agent + jsonPath: ".localPodNum" + name: Num Pods + type: integer + priority: 2 + - description: Subnets used by this Agent for Pod IPAM + jsonPath: ".nodeSubnets" + name: Subnets + type: string + priority: 2 + scope: Cluster + names: + plural: antreaagentinfos + singular: antreaagentinfo + kind: AntreaAgentInfo + shortNames: + - aai +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: antreacontrollerinfos.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of the Controller + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime" + name: Last Heartbeat + 
type: date + - description: Version of the Controller + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Number of Agents connected to the Controller + jsonPath: ".connectedAgentNum" + name: Connected Agents + type: integer + priority: 1 + - description: Node on which the Controller is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of Network Policies computed by Controller + jsonPath: ".networkPolicyControllerInfo.networkPolicyNum" + name: Num Network Policies + type: integer + priority: 2 + scope: Cluster + names: + plural: antreacontrollerinfos + singular: antreacontrollerinfo + kind: AntreaControllerInfo + shortNames: + - aci +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clustergroups.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: false + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + childGroups: + type: array + items: + type: string + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: 
object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + ipBlocks: + type: array + items: + type: object + properties: + cidr: + type: string + format: cidr + serviceReference: + type: object + properties: + name: + type: string + namespace: + type: string + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + - name: v1alpha3 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + childGroups: + type: array + items: + type: string + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + 
type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlocks: + type: array + items: + type: object + properties: + cidr: + type: string + format: cidr + serviceReference: + type: object + properties: + name: + type: string + namespace: + type: string + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + subresources: + status: {} + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1", "v1beta1"] + clientConfig: + service: + name: "antrea" + namespace: "kube-system" + path: "/convert/clustergroup" + scope: Cluster + names: + plural: clustergroups + singular: clustergroup + kind: ClusterGroup + shortNames: + - cg +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusternetworkpolicies.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - name: Tier + type: string + description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + - name: Priority + type: number + format: float + description: The Priority of this ClusterNetworkPolicy relative to other policies. + jsonPath: .spec.priority + - name: Desired Nodes + type: number + format: int32 + description: The total number of Nodes that should realize the NetworkPolicy. + jsonPath: .status.desiredNodesRealized + - name: Current Nodes + type: number + format: int32 + description: The number of Nodes that have realized the NetworkPolicy. 
+ jsonPath: .status.currentNodesRealized + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + # Ensure that Spec.Priority field is set + required: + - priority + type: object + properties: + tier: + type: string + priority: + type: number + format: float + # Ensure that Spec.Priority field is between 1 and 10000 + minimum: 1.0 + maximum: 10000.0 + appliedTo: + type: array + items: + type: object + # Ensure that Spec.AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + ingress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: 
"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [icmp] + - required: [igmp] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP query (0x11) is valid igmpType in ingress rules. 
+ enum: [ 0x11 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + from: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaces: + type: object + properties: + match: + enum: + - Self + type: string + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + name: + type: string + enableLogging: + type: boolean + egress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object 
+ properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [icmp] + - required: [igmp] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP reports are igmpType in egress rules, + # 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3. + # It will match all IGMP report types if igmpType is not set. 
+ enum: [ 0x12, 0x16, 0x22 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + to: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaces: + type: object + properties: + match: + enum: + - Self + type: string + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + group: + type: string + fqdn: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + toServices: + type: array + items: + type: object + required: + - name + - namespace + properties: + name: + type: string + namespace: + type: string + name: + type: string + enableLogging: + type: boolean + status: + type: object + properties: + phase: + type: string + observedGeneration: + type: integer + currentNodesRealized: + 
type: integer + desiredNodesRealized: + type: integer + subresources: + status: {} + scope: Cluster + names: + plural: clusternetworkpolicies + singular: clusternetworkpolicy + kind: ClusterNetworkPolicy + shortNames: + - acnp +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: egresses.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - appliedTo + anyOf: + - required: + - egressIP + - required: + - externalIPPool + properties: + appliedTo: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + egressIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + externalIPPool: + type: string + status: + type: object + properties: + egressNode: + type: string + additionalPrinterColumns: + - description: Specifies the SNAT IP address for the selected workloads. 
+ jsonPath: .spec.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The Owner Node of egress IP + jsonPath: .status.egressNode + name: Node + type: string + subresources: + status: {} + scope: Cluster + names: + plural: egresses + singular: egress + kind: Egress + shortNames: + - eg +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: externalentities.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + endpoints: + type: array + items: + type: object + properties: + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + name: + type: string + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + name: + type: string + externalNode: + type: string + - name: v1alpha1 + served: false + storage: false + schema: + openAPIV3Schema: + type: object + scope: Namespaced + names: + plural: externalentities + singular: externalentity + kind: ExternalEntity + shortNames: + - ee +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: externalippools.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - ipRanges + - nodeSelector + properties: + ipRanges: + type: array + items: + type: object + oneOf: + - required: + - cidr + - required: + - start + - end + properties: + cidr: + type: string + format: cidr + start: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + end: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + nodeSelector: + 
type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + status: + type: object + properties: + usage: + type: object + properties: + total: + type: integer + used: + type: integer + additionalPrinterColumns: + - description: The number of total IPs + jsonPath: .status.usage.total + name: Total + type: integer + - description: The number of allocated IPs + jsonPath: .status.usage.used + name: Used + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: {} + scope: Cluster + names: + plural: externalippools + singular: externalippool + kind: ExternalIPPool + shortNames: + - eip +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ippools.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + required: + - ipVersion + - ipRanges + type: object + properties: + ipVersion: + type: integer + enum: [ 4, 6 ] + ipRanges: + items: + oneOf: + - required: + - cidr + - gateway + - prefixLength + - required: + - start + - end + - gateway + - prefixLength + properties: + cidr: + format: cidr + type: string + start: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + gateway: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + prefixLength: + type: integer + minimum: 1 + maximum: 128 + vlan: + type: integer + minimum: 0 + maximum: 4094 + type: object + type: array + status: + properties: + ipAddresses: + items: + properties: + ipAddress: + 
type: string + owner: + properties: + pod: + properties: + name: + type: string + namespace: + type: string + containerID: + type: string + ifName: + type: string + type: object + statefulSet: + properties: + name: + type: string + namespace: + type: string + index: + type: integer + type: object + type: object + phase: + type: string + type: object + type: array + type: object + subresources: + status: {} + scope: Cluster + names: + plural: ippools + singular: ippool + kind: IPPool + shortNames: + - ipp +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: networkpolicies.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - name: Tier + type: string + description: The Tier to which this Antrea NetworkPolicy belongs to. + jsonPath: .spec.tier + - name: Priority + type: number + format: float + description: The Priority of this Antrea NetworkPolicy relative to other policies. + jsonPath: .spec.priority + - name: Desired Nodes + type: number + format: int32 + description: The total number of Nodes that should realize the NetworkPolicy. + jsonPath: .status.desiredNodesRealized + - name: Current Nodes + type: number + format: int32 + description: The number of Nodes that have realized the NetworkPolicy. 
+ jsonPath: .status.currentNodesRealized + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + # Ensure that Spec.Priority field is set + required: + - priority + type: object + properties: + tier: + type: string + priority: + type: number + format: float + # Ensure that Spec.Priority field is between 1 and 10000 + minimum: 1.0 + maximum: 10000.0 + appliedTo: + type: array + items: + type: object + # Ensure that Spec.AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ingress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [icmp] + - 
required: [igmp] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP query (0x11) is valid igmpType in ingress rules. + enum: [ 0x11 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + from: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: 
array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + name: + type: string + enableLogging: + type: boolean + egress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [icmp] + - required: [igmp] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP reports are igmpType in egress rules, + # 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3. + # It will match all IGMP report types if igmpType is not set. 
+ enum: [ 0x12, 0x16, 0x22 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + to: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + fqdn: + type: string + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + toServices: + type: array + items: + type: object + required: + - name + properties: + name: + type: string + namespace: + type: string + name: + type: string + enableLogging: + 
type: boolean + status: + type: object + properties: + phase: + type: string + observedGeneration: + type: integer + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + subresources: + status: {} + scope: Namespaced + names: + plural: networkpolicies + singular: networkpolicy + kind: NetworkPolicy + shortNames: + - anp +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: tiers.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - name: Priority + type: integer + description: The Priority of this Tier relative to other Tiers. + jsonPath: .spec.priority + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + required: + - priority + type: object + properties: + priority: + type: integer + minimum: 0 + maximum: 255 + description: + type: string + scope: Cluster + names: + plural: tiers + singular: tier + kind: Tier + shortNames: + - tr +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: traceflows.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - jsonPath: .status.phase + description: The phase of the Traceflow. + name: Phase + type: string + - jsonPath: .spec.source.pod + description: The name of the source Pod. + name: Source-Pod + type: string + priority: 10 + - jsonPath: .spec.destination.pod + description: The name of the destination Pod. + name: Destination-Pod + type: string + priority: 10 + - jsonPath: .spec.destination.ip + description: The IP address of the destination. + name: Destination-IP + type: string + priority: 10 + - jsonPath: .spec.liveTraffic + description: Trace live traffic. 
+ name: Live-Traffic + type: boolean + priority: 10 + - jsonPath: .spec.droppedOnly + description: Capture only the dropped packet. + name: Dropped-Only + type: boolean + priority: 10 + - jsonPath: .spec.timeout + description: Timeout in seconds. + name: Timeout + type: integer + priority: 10 + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + properties: + source: + type: object + properties: + pod: + type: string + namespace: + type: string + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + destination: + type: object + properties: + pod: + type: string + service: + type: string + namespace: + type: string + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + packet: + type: object + properties: + ipHeader: + type: object + properties: + srcIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + protocol: + type: integer + ttl: + type: integer + flags: + type: integer + ipv6Header: + type: object + properties: + srcIP: + type: string + format: ipv6 + nextHeader: + type: integer + hopLimit: + type: integer + transportHeader: + type: object + properties: + icmp: + type: object + properties: + id: + type: integer + sequence: + type: integer + udp: + type: object + properties: + srcPort: + type: integer + dstPort: + type: integer + tcp: + type: object + properties: + srcPort: + type: integer + dstPort: + type: integer + flags: + type: integer + liveTraffic: + type: boolean + droppedOnly: + type: boolean + timeout: + type: integer + status: + type: object + properties: + reason: + type: string + dataplaneTag: + type: integer + phase: + type: string + startTime: + type: string + results: + type: array + items: + type: object + properties: + node: + type: string + role: + type: string + timestamp: + type: integer + observations: + type: array + items: + type: object + properties: + component: + type: string + 
componentInfo: + type: string + action: + type: string + pod: + type: string + dstMAC: + type: string + networkPolicy: + type: string + ttl: + type: integer + translatedSrcIP: + type: string + translatedDstIP: + type: string + tunnelDstIP: + type: string + capturedPacket: + properties: + srcIP: + type: string + dstIP: + type: string + length: + type: integer + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + type: object + transportHeader: + properties: + tcp: + properties: + dstPort: + type: integer + srcPort: + type: integer + flags: + type: integer + type: object + udp: + properties: + dstPort: + type: integer + srcPort: + type: integer + type: object + icmp: + properties: + id: + type: integer + sequence: + type: integer + type: object + type: object + type: object + subresources: + status: {} + scope: Cluster + names: + plural: traceflows + singular: traceflow + kind: Traceflow + shortNames: + - tf +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: trafficcontrols.crd.antrea.io +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - appliedTo + - direction + - action + - targetPort + properties: + appliedTo: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: 
object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + direction: + type: string + enum: + - Ingress + - Egress + - Both + action: + type: string + enum: + - Mirror + - Redirect + targetPort: + type: object + oneOf: + - required: [ovsInternal] + - required: [device] + - required: [geneve] + - required: [vxlan] + - required: [gre] + - required: [erspan] + properties: + ovsInternal: + type: object + required: + - name + properties: + name: + type: string + device: + type: object + required: + - name + properties: + name: + type: string + geneve: + type: object + required: + - remoteIP + properties: + remoteIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + vni: + type: integer + minimum: 0 + maximum: 16777215 + destinationPort: + type: integer + minimum: 1 + maximum: 65535 + vxlan: + type: object + required: + - remoteIP + properties: + remoteIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + vni: + type: integer + minimum: 0 + maximum: 16777215 + destinationPort: + type: integer + minimum: 1 + maximum: 65535 + gre: + type: object + required: + - remoteIP + properties: + remoteIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + key: + type: integer + minimum: 0 + maximum: 4294967295 + erspan: + type: object + required: + - remoteIP + - version + properties: + remoteIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + sessionID: + type: integer + minimum: 0 + maximum: 1023 + version: + type: integer + enum: + - 1 + - 2 + index: + type: integer + dir: + type: integer + enum: + - 0 + - 1 + hardwareID: + type: integer + returnPort: + type: object + oneOf: + - required: [ovsInternal] + - required: [device] + - required: [geneve] + - required: [vxlan] + - required: [gre] + properties: + 
ovsInternal: + type: object + required: + - name + properties: + name: + type: string + device: + type: object + required: + - name + properties: + name: + type: string + geneve: + type: object + required: + - remoteIP + properties: + remoteIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + vni: + type: integer + minimum: 0 + maximum: 16777215 + destinationPort: + type: integer + minimum: 1 + maximum: 65535 + vxlan: + type: object + required: + - remoteIP + properties: + remoteIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + vni: + type: integer + minimum: 0 + maximum: 16777215 + destinationPort: + type: integer + minimum: 1 + maximum: 65535 + gre: + type: object + required: + - remoteIP + properties: + remoteIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + key: + type: integer + minimum: 0 + maximum: 4294967295 + additionalPrinterColumns: + - description: Specifies the direction of traffic that should be matched. + jsonPath: .spec.direction + name: Direction + type: string + - description: Specifies the action that should be taken for the traffic. + jsonPath: .spec.action + name: Action + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: {} + scope: Cluster + names: + plural: trafficcontrols + singular: trafficcontrol + kind: TrafficControl + shortNames: + - tc diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml index 9adf78a6d50..bf90bf55705 100644 --- a/build/yamls/antrea-eks.yml +++ b/build/yamls/antrea-eks.yml 
@@ -1,571 +1,119 @@ --- -# Source: antrea/templates/agent/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: antrea-agent - namespace: kube-system - labels: - app: antrea ---- -# Source: antrea/templates/antctl/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount +# Source: crds/antreaagentinfo.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: antctl - namespace: kube-system + name: antreaagentinfos.crd.antrea.io labels: app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of this Agent + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of this Agent + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Node on which this Agent is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of local Pods managed by this Agent + jsonPath: ".localPodNum" + name: Num Pods + type: integer + priority: 2 + - description: Subnets used by this Agent for Pod IPAM + jsonPath: ".nodeSubnets" + name: Subnets + type: string + priority: 2 + scope: Cluster + names: + plural: antreaagentinfos + singular: antreaagentinfo + kind: AntreaAgentInfo + shortNames: + - aai + --- -# Source: antrea/templates/controller/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount +# Source: crds/antreacontrollerinfo.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: antrea-controller - namespace: kube-system + name: antreacontrollerinfos.crd.antrea.io labels: app: antrea +spec: + 
group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of the Controller + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of the Controller + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Number of Agents connected to the Controller + jsonPath: ".connectedAgentNum" + name: Connected Agents + type: integer + priority: 1 + - description: Node on which the Controller is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of Network Policies computed by Controller + jsonPath: ".networkPolicyControllerInfo.networkPolicyNum" + name: Num Network Policies + type: integer + priority: 2 + scope: Cluster + names: + plural: antreacontrollerinfos + singular: antreacontrollerinfo + kind: AntreaControllerInfo + shortNames: + - aci + --- -# Source: antrea/templates/agent/secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: antrea-agent-service-account-token - namespace: kube-system - annotations: - kubernetes.io/service-account.name: antrea-agent -type: kubernetes.io/service-account-token ---- -# Source: antrea/templates/antctl/secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: antctl-service-account-token - namespace: kube-system - annotations: - kubernetes.io/service-account.name: antctl -type: kubernetes.io/service-account-token ---- -# Source: antrea/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap +# Source: crds/clustergroup.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: antrea-config - 
namespace: kube-system - labels: - app: antrea -data: - antrea-agent.conf: | - # FeatureGates is a map of feature names to bools that enable or disable experimental features. - featureGates: - # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. - # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on - # Service traffic. - # AntreaProxy: true - - # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice - # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, - # this flag will not take effect. - # EndpointSlice: false - - # Enable traceflow which provides packet tracing feature to diagnose network issue. - # Traceflow: true - - # Enable NodePortLocal feature to make the Pods reachable externally through NodePort - # NodePortLocal: true - - # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins - # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy - # feature that supports priorities, rule actions and externalEntities in the future. - # AntreaPolicy: true - - # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each - # agent to a configured collector. - # FlowExporter: false - - # Enable collecting and exposing NetworkPolicy statistics. - # NetworkPolicyStats: true - - # Enable controlling SNAT IPs of Pod egress traffic. - # Egress: true - - # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the - # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for - # IPAM when configuring secondary network interfaces with Multus. - # AntreaIPAM: false - - # Enable multicast traffic. This feature is supported only with noEncap mode. - # Multicast: false - - # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. 
- # This feature is supported only with encap mode. - # Multicluster: false - - # Enable support for provisioning secondary network interfaces for Pods (using - # Pod annotations). At the moment, Antrea can only create secondary network - # interfaces using SR-IOV VFs on baremetal Nodes. - # SecondaryNetwork: false - - # Enable managing external IPs of Services of LoadBalancer type. - # ServiceExternalIP: false - - # Enable mirroring or redirecting the traffic Pods send or receive. - # TrafficControl: false - - # Enable certificated-based authentication for IPsec. - # IPsecCertAuth: false - - # Name of the OpenVSwitch bridge antrea-agent will create and use. - # Make sure it doesn't conflict with your existing OpenVSwitch bridges. - ovsBridge: "br-int" - - # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: - # - system - # - netdev - # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run - # OVS in userspace mode. Userspace mode requires the tun device driver to be available. - #ovsDatapathType: system - - # Name of the interface antrea-agent will create and use for host <--> pod communication. - # Make sure it doesn't conflict with your existing interfaces. - hostGateway: "antrea-gw0" - - # Determines how traffic is encapsulated. It has the following options: - # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network - # traffic is SNAT'd. - # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is - # SNAT'd if noSNAT is not set to true. Underlying network must be capable of - # supporting Pod traffic across IP subnets. - # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. - # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod - # IPAM and connectivity to the primary CNI. 
- # - trafficEncapMode: "networkPolicyOnly" - - # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. - # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap - # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to - # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never - # performs SNAT and this option will be ignored; for other modes it must be set to false. - noSNAT: false - - # Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode, - # this option will not take effect. Supported values: - # - geneve (default) - # - vxlan - # - gre - # - stt - # Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters). - tunnelType: "geneve" - - # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode. - # It has the following options: - # - none (default): Inter-node Pod traffic will not be encrypted. - # - ipsec: Enable IPsec (ESP) encryption for Pod traffic across Nodes. Antrea uses - # Preshared Key (PSK) for IKE authentication. When IPsec tunnel is enabled, - # the PSK value must be passed to Antrea Agent through an environment - # variable: ANTREA_IPSEC_PSK. - # - wireGuard: Enable WireGuard for tunnel traffic encryption. - trafficEncryptionMode: "none" - - # Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected - # to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are - # allocated by AntreaIPAM from IPPools) is sent to the underlay network, and forwarded/routed by the - # underlay network. - # This option requires the `AntreaIPAM` feature gate to be enabled. 
At this moment, it supports only - # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`, - # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. - enableBridgingMode: false - - # Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the - # datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. - # It affects Pods running on Linux Nodes only. - disableTXChecksumOffload: false - - # Default MTU to use for the host gateway interface and the network interface of each Pod. - # If omitted, antrea-agent will discover the MTU of the Node's primary interface and - # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). - defaultMTU: 0 - - # wireGuard specifies WireGuard related configurations. - wireGuard: - # The port for WireGuard to receive traffic. - port: 51820 - - egress: - # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. - exceptCIDRs: - - # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be - # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When - # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. - serviceCIDR: "" - - # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack - # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by - # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. - # No default value for this field. - serviceCIDRv6: "" - - # The port for the antrea-agent APIServer to serve on. - # Note that if it's set to another value, the `containerPort` of the `api` port of the - # `antrea-agent` container must be set to the same value. 
- apiPort: 10350 - - # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. - enablePrometheusMetrics: true - - # Provide the IPFIX collector address as a string with format :[][:]. - # HOST can either be the DNS name or the IP of the Flow Collector. For example, - # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect - # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. - # However, IPv6 address should be wrapped with []. - # If PORT is empty, we default to 4739, the standard IPFIX port. - # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and - # "udp" protocols. "tls" is used for securing communication between flow exporter and - # flow aggregator. - flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" - - # Provide flow poll interval as a duration string. This determines how often the - # flow exporter dumps connections from the conntrack module. Flow poll interval - # should be greater than or equal to 1s (one second). - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - flowPollInterval: "5s" - - # Provide the active flow export timeout, which is the timeout after which a flow - # record is sent to the collector for active flows. Thus, for flows with a continuous - # stream of packets, a flow record will be exported to the collector once the elapsed - # time since the last export event is equal to the value of this timeout. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - activeFlowExportTimeout: "5s" - - # Provide the idle flow export timeout, which is the timeout after which a flow - # record is sent to the collector for idle flows. A flow is considered idle if no - # packet matching this flow has been observed since the last export event. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
- idleFlowExportTimeout: "15s" - - nodePortLocal: - # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To - # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature - # gate is also enabled (which is the default). - enable: false - # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port - # from that range will be assigned whenever a Pod's container defines a specific port to be exposed - # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic - # directed to that port will be forwarded to the Pod. - portRange: "61000-62000" - - # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. - # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. - kubeAPIServerOverride: "" - - # Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy. - # Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53, - # [fd00:10:96::a]:53). - dnsServerOverride: "" - - # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. - # https://golang.org/pkg/crypto/tls/#pkg-constants - # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always - # prefer TLS1.3 Cipher Suites whenever possible. - tlsCipherSuites: "" - - # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - tlsMinVersion: "" - - # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes. - # If there are multiple IP addresses configured on the interface, the first one is used. 
The IP - # address used for tunneling or routing traffic to remote Nodes is decided in the following order of - # preference (from highest to lowest): - # 1. transportInterface - # 2. transportInterfaceCIDRs - # 3. The Node IP - transportInterface: "" - - multicast: - # The names of the interfaces on Nodes that are used to forward multicast traffic. - # Defaults to transport interface if not set. - multicastInterfaces: - - # The interval at which the antrea-agent sends IGMP queries to Pods. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - igmpQueryInterval: "125s" - - # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across - # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The - # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of - # preference (from highest to lowest): - # 1. transportInterface - # 2. transportInterfaceCIDRs - # 3. The Node IP - transportInterfaceCIDRs: - - # Option antreaProxy contains AntreaProxy related configuration options. - antreaProxy: - # ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic, - # regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy - # feature to be enabled. - # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access - # apiserver directly. - proxyAll: false - # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks. - # (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses. - # Note that the option is only valid when proxyAll is true. 
- nodePortAddresses: - # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these - # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name - # with Namespace (e.g. kube-system/kube-dns) - skipServices: - # When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the - # External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional - # capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the - # external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy. - # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and - # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic. - proxyLoadBalancerIPs: true - - # IPsec tunnel related configurations. - ipsec: - # The authentication mode of IPsec tunnel. It has the following options: - # - psk (default): Use pre-shared key (PSK) for IKE authentication. - # - cert: Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth` - # feature gate to be enabled. - authenticationMode: "psk" - - multicluster: - # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. - # This feature is supported only with encap mode. - enable: false - # The Namespace where Antrea Multi-cluster Controller is running. - # The default is antrea-agent's Namespace. 
- namespace: "" - antrea-cni.conflist: | - { - "cniVersion":"0.3.0", - "name": "antrea", - "plugins": [ - { - "type": "antrea", - "ipam": { - "type": "host-local" - } - } - , - { - "type": "portmap", - "capabilities": {"portMappings": true} - } - , - { - "type": "bandwidth", - "capabilities": {"bandwidth": true} - } - ] - } - antrea-controller.conf: | - # FeatureGates is a map of feature names to bools that enable or disable experimental features. - featureGates: - # Enable traceflow which provides packet tracing feature to diagnose network issue. - # Traceflow: true - - # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins - # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy - # feature that supports priorities, rule actions and externalEntities in the future. - # AntreaPolicy: true - - # Enable collecting and exposing NetworkPolicy statistics. - # NetworkPolicyStats: true - - # Enable multicast traffic. This feature is supported only with noEncap mode. - # Multicast: false - - # Enable controlling SNAT IPs of Pod egress traffic. - # Egress: true - - # Run Kubernetes NodeIPAMController with Antrea. - # NodeIPAM: false - - # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the - # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for - # IPAM when configuring secondary network interfaces with Multus. - # AntreaIPAM: false - - # Enable managing external IPs of Services of LoadBalancer type. - # ServiceExternalIP: false - - # Enable certificated-based authentication for IPsec. - # IPsecCertAuth: false - - # The port for the antrea-controller APIServer to serve on. - # Note that if it's set to another value, the `containerPort` of the `api` port of the - # `antrea-controller` container must be set to the same value. - apiPort: 10349 - - # Enable metrics exposure via Prometheus. 
Initializes Prometheus metrics listener. - enablePrometheusMetrics: true - - # Indicates whether to use auto-generated self-signed TLS certificate. - # If false, a Secret named "antrea-controller-tls" must be provided with the following keys: - # ca.crt: - # tls.crt: - # tls.key: - selfSignedCert: true - - # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. - # https://golang.org/pkg/crypto/tls/#pkg-constants - # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always - # prefer TLS1.3 Cipher Suites whenever possible. - tlsCipherSuites: "" - - # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - tlsMinVersion: "" - - nodeIPAM: - # Enable the integrated Node IPAM controller within the Antrea controller. - enableNodeIPAM: false - # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. - # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. - # Value ignored when enableNodeIPAM is false. - clusterCIDRs: - # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. - # Value ignored when enableNodeIPAM is false. - serviceCIDR: "" - serviceCIDRv6: "" - # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false - # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. - nodeCIDRMaskSizeIPv4: 24 - # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false - # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. - nodeCIDRMaskSizeIPv6: 64 - - ipsecCSRSigner: - # Determines the auto-approve policy of Antrea CSR signer for IPsec certificates management. 
- # If enabled, Antrea will auto-approve the CertificateSingingRequest (CSR) if its subject and x509 extensions - # are permitted, and the requestor can be validated. If K8s `BoundServiceAccountTokenVolume` feature is enabled, - # the Pod identity will also be validated to provide maximum security. - # If set to false, Antrea will not auto-approve CertificateSingingRequests and they need to be approved - # manually by `kubectl certificate approve`. - autoApprove: true - # Indicates whether to use auto-generated self-signed CA certificate. - # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys: - # tls.crt: - # tls.key: - selfSignedCA: true ---- -# Source: antrea/templates/crds/antreaagentinfo.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: antreaagentinfos.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - additionalPrinterColumns: - - description: Health status of this Agent - jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status" - name: Healthy - type: string - - description: Last time the Healthy Condition was updated - jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime" - name: Last Heartbeat - type: date - - description: Version of this Agent - jsonPath: ".version" - name: Version - type: string - priority: 1 - - description: Node on which this Agent is running - jsonPath: ".nodeRef.name" - name: Node - type: string - priority: 1 - - description: Number of local Pods managed by this Agent - jsonPath: ".localPodNum" - name: Num Pods - type: integer - priority: 2 - - description: Subnets used by this Agent for Pod IPAM - jsonPath: ".nodeSubnets" - name: Subnets - type: string - priority: 2 - scope: Cluster - names: - plural: antreaagentinfos - singular: antreaagentinfo - kind: 
AntreaAgentInfo - shortNames: - - aai ---- -# Source: antrea/templates/crds/antreacontrollerinfo.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: antreacontrollerinfos.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - additionalPrinterColumns: - - description: Health status of the Controller - jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status" - name: Healthy - type: string - - description: Last time the Healthy Condition was updated - jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime" - name: Last Heartbeat - type: date - - description: Version of the Controller - jsonPath: ".version" - name: Version - type: string - priority: 1 - - description: Number of Agents connected to the Controller - jsonPath: ".connectedAgentNum" - name: Connected Agents - type: integer - priority: 1 - - description: Node on which the Controller is running - jsonPath: ".nodeRef.name" - name: Node - type: string - priority: 1 - - description: Number of Network Policies computed by Controller - jsonPath: ".networkPolicyControllerInfo.networkPolicyNum" - name: Num Network Policies - type: integer - priority: 2 - scope: Cluster - names: - plural: antreacontrollerinfos - singular: antreacontrollerinfo - kind: AntreaControllerInfo - shortNames: - - aci ---- -# Source: antrea/templates/crds/clustergroup.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: clustergroups.crd.antrea.io + name: clustergroups.crd.antrea.io labels: app: antrea spec: @@ -825,8 +373,9 @@ spec: kind: ClusterGroup shortNames: - cg + --- -# Source: antrea/templates/crds/clusternetworkpolicy.yaml +# Source: crds/clusternetworkpolicy.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
@@ -1434,8 +983,9 @@ spec:
 kind: ClusterNetworkPolicy
 shortNames:
 - acnp
+
 ---
-# Source: antrea/templates/crds/clusternetworkpolicy.yaml
+# Source: crds/clusternetworkpolicy.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -1548,8 +1098,9 @@ spec:
 kind: Egress
 shortNames:
 - eg
+
 ---
-# Source: antrea/templates/crds/egress.yaml
+# Source: crds/egress.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -1608,8 +1159,9 @@ spec:
 kind: ExternalEntity
 shortNames:
 - ee
+
 ---
-# Source: antrea/templates/crds/externalentity.yaml
+# Source: crds/externalentity.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -1713,8 +1265,9 @@ spec:
 kind: ExternalIPPool
 shortNames:
 - eip
+
 ---
-# Source: antrea/templates/crds/externalippool.yaml
+# Source: crds/externalippool.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -1827,8 +1380,9 @@ spec:
 kind: IPPool
 shortNames:
 - ipp
+
 ---
-# Source: antrea/templates/crds/ippool.yaml
+# Source: crds/ippool.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -2337,8 +1891,9 @@ spec:
 kind: NetworkPolicy
 shortNames:
 - anp
+
 ---
-# Source: antrea/templates/crds/networkpolicy.yaml
+# Source: crds/networkpolicy.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -2381,8 +1936,9 @@ spec:
 kind: Tier
 shortNames:
 - tr
+
 ---
-# Source: antrea/templates/crds/tier.yaml
+# Source: crds/tier.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -2634,8 +2190,9 @@ spec:
 kind: Traceflow
 shortNames:
 - tf
+
 ---
-# Source: antrea/templates/crds/traceflow.yaml
+# Source: crds/traceflow.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -2919,6 +2476,461 @@ spec: kind: TrafficControl shortNames: - tc + +--- +# Source: antrea/templates/agent/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antrea-agent + namespace: kube-system + labels: + app: antrea +--- +# Source: antrea/templates/antctl/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antctl + namespace: kube-system + labels: + app: antrea +--- +# Source: antrea/templates/controller/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antrea-controller + namespace: kube-system + labels: + app: antrea +--- +# Source: antrea/templates/agent/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: antrea-agent-service-account-token + namespace: kube-system + annotations: + kubernetes.io/service-account.name: antrea-agent +type: kubernetes.io/service-account-token +--- +# Source: antrea/templates/antctl/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: antctl-service-account-token + namespace: kube-system + annotations: + kubernetes.io/service-account.name: antctl +type: kubernetes.io/service-account-token +--- +# Source: antrea/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: antrea-config + namespace: kube-system + labels: + app: antrea +data: + antrea-agent.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. + # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on + # Service traffic. + # AntreaProxy: true + + # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice + # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, + # this flag will not take effect. 
+ # EndpointSlice: false + + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable NodePortLocal feature to make the Pods reachable externally through NodePort + # NodePortLocal: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each + # agent to a configured collector. + # FlowExporter: false + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: true + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: true + + # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the + # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for + # IPAM when configuring secondary network interfaces with Multus. + # AntreaIPAM: false + + # Enable multicast traffic. This feature is supported only with noEncap mode. + # Multicast: false + + # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. + # This feature is supported only with encap mode. + # Multicluster: false + + # Enable support for provisioning secondary network interfaces for Pods (using + # Pod annotations). At the moment, Antrea can only create secondary network + # interfaces using SR-IOV VFs on baremetal Nodes. + # SecondaryNetwork: false + + # Enable managing external IPs of Services of LoadBalancer type. + # ServiceExternalIP: false + + # Enable mirroring or redirecting the traffic Pods send or receive. + # TrafficControl: false + + # Enable certificated-based authentication for IPsec. 
+ # IPsecCertAuth: false + + # Name of the OpenVSwitch bridge antrea-agent will create and use. + # Make sure it doesn't conflict with your existing OpenVSwitch bridges. + ovsBridge: "br-int" + + # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: + # - system + # - netdev + # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run + # OVS in userspace mode. Userspace mode requires the tun device driver to be available. + #ovsDatapathType: system + + # Name of the interface antrea-agent will create and use for host <--> pod communication. + # Make sure it doesn't conflict with your existing interfaces. + hostGateway: "antrea-gw0" + + # Determines how traffic is encapsulated. It has the following options: + # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network + # traffic is SNAT'd. + # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is + # SNAT'd if noSNAT is not set to true. Underlying network must be capable of + # supporting Pod traffic across IP subnets. + # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. + # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod + # IPAM and connectivity to the primary CNI. + # + trafficEncapMode: "networkPolicyOnly" + + # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. + # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap + # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to + # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never + # performs SNAT and this option will be ignored; for other modes it must be set to false. + noSNAT: false + + # Tunnel protocols used for encapsulating traffic across Nodes. 
If WireGuard is enabled in trafficEncryptionMode, + # this option will not take effect. Supported values: + # - geneve (default) + # - vxlan + # - gre + # - stt + # Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters). + tunnelType: "geneve" + + # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode. + # It has the following options: + # - none (default): Inter-node Pod traffic will not be encrypted. + # - ipsec: Enable IPsec (ESP) encryption for Pod traffic across Nodes. Antrea uses + # Preshared Key (PSK) for IKE authentication. When IPsec tunnel is enabled, + # the PSK value must be passed to Antrea Agent through an environment + # variable: ANTREA_IPSEC_PSK. + # - wireGuard: Enable WireGuard for tunnel traffic encryption. + trafficEncryptionMode: "none" + + # Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected + # to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are + # allocated by AntreaIPAM from IPPools) is sent to the underlay network, and forwarded/routed by the + # underlay network. + # This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only + # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`, + # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. + enableBridgingMode: false + + # Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the + # datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. + # It affects Pods running on Linux Nodes only. + disableTXChecksumOffload: false + + # Default MTU to use for the host gateway interface and the network interface of each Pod. 
+ # If omitted, antrea-agent will discover the MTU of the Node's primary interface and + # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). + defaultMTU: 0 + + # wireGuard specifies WireGuard related configurations. + wireGuard: + # The port for WireGuard to receive traffic. + port: 51820 + + egress: + # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. + exceptCIDRs: + + # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be + # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When + # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. + serviceCIDR: "" + + # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack + # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by + # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. + # No default value for this field. + serviceCIDRv6: "" + + # The port for the antrea-agent APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-agent` container must be set to the same value. + apiPort: 10350 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + enablePrometheusMetrics: true + + # Provide the IPFIX collector address as a string with format :[][:]. + # HOST can either be the DNS name or the IP of the Flow Collector. For example, + # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect + # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. + # However, IPv6 address should be wrapped with []. + # If PORT is empty, we default to 4739, the standard IPFIX port. + # If no PROTO is given, we consider "tls" as default. 
We support "tls", "tcp" and + # "udp" protocols. "tls" is used for securing communication between flow exporter and + # flow aggregator. + flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" + + # Provide flow poll interval as a duration string. This determines how often the + # flow exporter dumps connections from the conntrack module. Flow poll interval + # should be greater than or equal to 1s (one second). + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + flowPollInterval: "5s" + + # Provide the active flow export timeout, which is the timeout after which a flow + # record is sent to the collector for active flows. Thus, for flows with a continuous + # stream of packets, a flow record will be exported to the collector once the elapsed + # time since the last export event is equal to the value of this timeout. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + activeFlowExportTimeout: "5s" + + # Provide the idle flow export timeout, which is the timeout after which a flow + # record is sent to the collector for idle flows. A flow is considered idle if no + # packet matching this flow has been observed since the last export event. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + idleFlowExportTimeout: "15s" + + nodePortLocal: + # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To + # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature + # gate is also enabled (which is the default). + enable: false + # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port + # from that range will be assigned whenever a Pod's container defines a specific port to be exposed + # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic + # directed to that port will be forwarded to the Pod. 
+ portRange: "61000-62000" + + # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. + # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. + kubeAPIServerOverride: "" + + # Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy. + # Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53, + # [fd00:10:96::a]:53). + dnsServerOverride: "" + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + tlsCipherSuites: "" + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + tlsMinVersion: "" + + # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes. + # If there are multiple IP addresses configured on the interface, the first one is used. The IP + # address used for tunneling or routing traffic to remote Nodes is decided in the following order of + # preference (from highest to lowest): + # 1. transportInterface + # 2. transportInterfaceCIDRs + # 3. The Node IP + transportInterface: "" + + multicast: + # The names of the interfaces on Nodes that are used to forward multicast traffic. + # Defaults to transport interface if not set. + multicastInterfaces: + + # The interval at which the antrea-agent sends IGMP queries to Pods. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + igmpQueryInterval: "125s" + + # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across + # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. 
The + # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of + # preference (from highest to lowest): + # 1. transportInterface + # 2. transportInterfaceCIDRs + # 3. The Node IP + transportInterfaceCIDRs: + + # Option antreaProxy contains AntreaProxy related configuration options. + antreaProxy: + # ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic, + # regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy + # feature to be enabled. + # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access + # apiserver directly. + proxyAll: false + # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks. + # (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses. + # Note that the option is only valid when proxyAll is true. + nodePortAddresses: + # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these + # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name + # with Namespace (e.g. kube-system/kube-dns) + skipServices: + # When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the + # External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional + # capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the + # external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy. 
+ # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and + # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic. + proxyLoadBalancerIPs: true + + # IPsec tunnel related configurations. + ipsec: + # The authentication mode of IPsec tunnel. It has the following options: + # - psk (default): Use pre-shared key (PSK) for IKE authentication. + # - cert: Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth` + # feature gate to be enabled. + authenticationMode: "psk" + + multicluster: + # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. + # This feature is supported only with encap mode. + enable: false + # The Namespace where Antrea Multi-cluster Controller is running. + # The default is antrea-agent's Namespace. + namespace: "" + antrea-cni.conflist: | + { + "cniVersion":"0.3.0", + "name": "antrea", + "plugins": [ + { + "type": "antrea", + "ipam": { + "type": "host-local" + } + } + , + { + "type": "portmap", + "capabilities": {"portMappings": true} + } + , + { + "type": "bandwidth", + "capabilities": {"bandwidth": true} + } + ] + } + antrea-controller.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: true + + # Enable multicast traffic. This feature is supported only with noEncap mode. 
+ # Multicast: false + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: true + + # Run Kubernetes NodeIPAMController with Antrea. + # NodeIPAM: false + + # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the + # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for + # IPAM when configuring secondary network interfaces with Multus. + # AntreaIPAM: false + + # Enable managing external IPs of Services of LoadBalancer type. + # ServiceExternalIP: false + + # Enable certificated-based authentication for IPsec. + # IPsecCertAuth: false + + # The port for the antrea-controller APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-controller` container must be set to the same value. + apiPort: 10349 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + enablePrometheusMetrics: true + + # Indicates whether to use auto-generated self-signed TLS certificate. + # If false, a Secret named "antrea-controller-tls" must be provided with the following keys: + # ca.crt: + # tls.crt: + # tls.key: + selfSignedCert: true + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + tlsCipherSuites: "" + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + tlsMinVersion: "" + + nodeIPAM: + # Enable the integrated Node IPAM controller within the Antrea controller. + enableNodeIPAM: false + # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. + # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. 
+ # Value ignored when enableNodeIPAM is false. + clusterCIDRs: + # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. + # Value ignored when enableNodeIPAM is false. + serviceCIDR: "" + serviceCIDRv6: "" + # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. + nodeCIDRMaskSizeIPv4: 24 + # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. + nodeCIDRMaskSizeIPv6: 64 + + ipsecCSRSigner: + # Determines the auto-approve policy of Antrea CSR signer for IPsec certificates management. + # If enabled, Antrea will auto-approve the CertificateSingingRequest (CSR) if its subject and x509 extensions + # are permitted, and the requestor can be validated. If K8s `BoundServiceAccountTokenVolume` feature is enabled, + # the Pod identity will also be validated to provide maximum security. + # If set to false, Antrea will not auto-approve CertificateSingingRequests and they need to be approved + # manually by `kubectl certificate approve`. + autoApprove: true + # Indicates whether to use auto-generated self-signed CA certificate. + # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys: + # tls.crt: + # tls.key: + selfSignedCA: true --- # Source: antrea/templates/agent/clusterrole.yaml kind: ClusterRole diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml index a4afa9678a3..82bf6c0bfae 100644 --- a/build/yamls/antrea-gke.yml +++ b/build/yamls/antrea-gke.yml 
@@ -1,571 +1,119 @@ --- -# Source: antrea/templates/agent/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: antrea-agent - namespace: kube-system - labels: - app: antrea ---- -# Source: antrea/templates/antctl/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount +# Source: crds/antreaagentinfo.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: antctl - namespace: kube-system + name: antreaagentinfos.crd.antrea.io labels: app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of this Agent + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of this Agent + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Node on which this Agent is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of local Pods managed by this Agent + jsonPath: ".localPodNum" + name: Num Pods + type: integer + priority: 2 + - description: Subnets used by this Agent for Pod IPAM + jsonPath: ".nodeSubnets" + name: Subnets + type: string + priority: 2 + scope: Cluster + names: + plural: antreaagentinfos + singular: antreaagentinfo + kind: AntreaAgentInfo + shortNames: + - aai + --- -# Source: antrea/templates/controller/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount +# Source: crds/antreacontrollerinfo.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: antrea-controller - namespace: kube-system + name: antreacontrollerinfos.crd.antrea.io labels: app: antrea +spec: + 
group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of the Controller + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of the Controller + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Number of Agents connected to the Controller + jsonPath: ".connectedAgentNum" + name: Connected Agents + type: integer + priority: 1 + - description: Node on which the Controller is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of Network Policies computed by Controller + jsonPath: ".networkPolicyControllerInfo.networkPolicyNum" + name: Num Network Policies + type: integer + priority: 2 + scope: Cluster + names: + plural: antreacontrollerinfos + singular: antreacontrollerinfo + kind: AntreaControllerInfo + shortNames: + - aci + --- -# Source: antrea/templates/agent/secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: antrea-agent-service-account-token - namespace: kube-system - annotations: - kubernetes.io/service-account.name: antrea-agent -type: kubernetes.io/service-account-token ---- -# Source: antrea/templates/antctl/secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: antctl-service-account-token - namespace: kube-system - annotations: - kubernetes.io/service-account.name: antctl -type: kubernetes.io/service-account-token ---- -# Source: antrea/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap +# Source: crds/clustergroup.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: antrea-config - 
namespace: kube-system - labels: - app: antrea -data: - antrea-agent.conf: | - # FeatureGates is a map of feature names to bools that enable or disable experimental features. - featureGates: - # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. - # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on - # Service traffic. - # AntreaProxy: true - - # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice - # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, - # this flag will not take effect. - # EndpointSlice: false - - # Enable traceflow which provides packet tracing feature to diagnose network issue. - # Traceflow: true - - # Enable NodePortLocal feature to make the Pods reachable externally through NodePort - # NodePortLocal: true - - # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins - # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy - # feature that supports priorities, rule actions and externalEntities in the future. - # AntreaPolicy: true - - # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each - # agent to a configured collector. - # FlowExporter: false - - # Enable collecting and exposing NetworkPolicy statistics. - # NetworkPolicyStats: true - - # Enable controlling SNAT IPs of Pod egress traffic. - # Egress: true - - # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the - # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for - # IPAM when configuring secondary network interfaces with Multus. - # AntreaIPAM: false - - # Enable multicast traffic. This feature is supported only with noEncap mode. - # Multicast: false - - # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. 
- # This feature is supported only with encap mode. - # Multicluster: false - - # Enable support for provisioning secondary network interfaces for Pods (using - # Pod annotations). At the moment, Antrea can only create secondary network - # interfaces using SR-IOV VFs on baremetal Nodes. - # SecondaryNetwork: false - - # Enable managing external IPs of Services of LoadBalancer type. - # ServiceExternalIP: false - - # Enable mirroring or redirecting the traffic Pods send or receive. - # TrafficControl: false - - # Enable certificated-based authentication for IPsec. - # IPsecCertAuth: false - - # Name of the OpenVSwitch bridge antrea-agent will create and use. - # Make sure it doesn't conflict with your existing OpenVSwitch bridges. - ovsBridge: "br-int" - - # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: - # - system - # - netdev - # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run - # OVS in userspace mode. Userspace mode requires the tun device driver to be available. - #ovsDatapathType: system - - # Name of the interface antrea-agent will create and use for host <--> pod communication. - # Make sure it doesn't conflict with your existing interfaces. - hostGateway: "antrea-gw0" - - # Determines how traffic is encapsulated. It has the following options: - # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network - # traffic is SNAT'd. - # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is - # SNAT'd if noSNAT is not set to true. Underlying network must be capable of - # supporting Pod traffic across IP subnets. - # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. - # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod - # IPAM and connectivity to the primary CNI. 
- # - trafficEncapMode: "noEncap" - - # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. - # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap - # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to - # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never - # performs SNAT and this option will be ignored; for other modes it must be set to false. - noSNAT: false - - # Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode, - # this option will not take effect. Supported values: - # - geneve (default) - # - vxlan - # - gre - # - stt - # Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters). - tunnelType: "geneve" - - # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode. - # It has the following options: - # - none (default): Inter-node Pod traffic will not be encrypted. - # - ipsec: Enable IPsec (ESP) encryption for Pod traffic across Nodes. Antrea uses - # Preshared Key (PSK) for IKE authentication. When IPsec tunnel is enabled, - # the PSK value must be passed to Antrea Agent through an environment - # variable: ANTREA_IPSEC_PSK. - # - wireGuard: Enable WireGuard for tunnel traffic encryption. - trafficEncryptionMode: "none" - - # Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected - # to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are - # allocated by AntreaIPAM from IPPools) is sent to the underlay network, and forwarded/routed by the - # underlay network. - # This option requires the `AntreaIPAM` feature gate to be enabled. 
At this moment, it supports only - # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`, - # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. - enableBridgingMode: false - - # Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the - # datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. - # It affects Pods running on Linux Nodes only. - disableTXChecksumOffload: false - - # Default MTU to use for the host gateway interface and the network interface of each Pod. - # If omitted, antrea-agent will discover the MTU of the Node's primary interface and - # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). - defaultMTU: 0 - - # wireGuard specifies WireGuard related configurations. - wireGuard: - # The port for WireGuard to receive traffic. - port: 51820 - - egress: - # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. - exceptCIDRs: - - # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be - # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When - # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. - serviceCIDR: "" - - # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack - # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by - # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. - # No default value for this field. - serviceCIDRv6: "" - - # The port for the antrea-agent APIServer to serve on. - # Note that if it's set to another value, the `containerPort` of the `api` port of the - # `antrea-agent` container must be set to the same value. 
- apiPort: 10350 - - # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. - enablePrometheusMetrics: true - - # Provide the IPFIX collector address as a string with format :[][:]. - # HOST can either be the DNS name or the IP of the Flow Collector. For example, - # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect - # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. - # However, IPv6 address should be wrapped with []. - # If PORT is empty, we default to 4739, the standard IPFIX port. - # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and - # "udp" protocols. "tls" is used for securing communication between flow exporter and - # flow aggregator. - flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" - - # Provide flow poll interval as a duration string. This determines how often the - # flow exporter dumps connections from the conntrack module. Flow poll interval - # should be greater than or equal to 1s (one second). - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - flowPollInterval: "5s" - - # Provide the active flow export timeout, which is the timeout after which a flow - # record is sent to the collector for active flows. Thus, for flows with a continuous - # stream of packets, a flow record will be exported to the collector once the elapsed - # time since the last export event is equal to the value of this timeout. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - activeFlowExportTimeout: "5s" - - # Provide the idle flow export timeout, which is the timeout after which a flow - # record is sent to the collector for idle flows. A flow is considered idle if no - # packet matching this flow has been observed since the last export event. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
- idleFlowExportTimeout: "15s" - - nodePortLocal: - # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To - # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature - # gate is also enabled (which is the default). - enable: false - # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port - # from that range will be assigned whenever a Pod's container defines a specific port to be exposed - # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic - # directed to that port will be forwarded to the Pod. - portRange: "61000-62000" - - # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. - # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. - kubeAPIServerOverride: "" - - # Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy. - # Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53, - # [fd00:10:96::a]:53). - dnsServerOverride: "" - - # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. - # https://golang.org/pkg/crypto/tls/#pkg-constants - # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always - # prefer TLS1.3 Cipher Suites whenever possible. - tlsCipherSuites: "" - - # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - tlsMinVersion: "" - - # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes. - # If there are multiple IP addresses configured on the interface, the first one is used. 
The IP - # address used for tunneling or routing traffic to remote Nodes is decided in the following order of - # preference (from highest to lowest): - # 1. transportInterface - # 2. transportInterfaceCIDRs - # 3. The Node IP - transportInterface: "" - - multicast: - # The names of the interfaces on Nodes that are used to forward multicast traffic. - # Defaults to transport interface if not set. - multicastInterfaces: - - # The interval at which the antrea-agent sends IGMP queries to Pods. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - igmpQueryInterval: "125s" - - # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across - # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The - # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of - # preference (from highest to lowest): - # 1. transportInterface - # 2. transportInterfaceCIDRs - # 3. The Node IP - transportInterfaceCIDRs: - - # Option antreaProxy contains AntreaProxy related configuration options. - antreaProxy: - # ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic, - # regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy - # feature to be enabled. - # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access - # apiserver directly. - proxyAll: false - # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks. - # (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses. - # Note that the option is only valid when proxyAll is true. 
- nodePortAddresses: - # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these - # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name - # with Namespace (e.g. kube-system/kube-dns) - skipServices: - # When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the - # External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional - # capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the - # external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy. - # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and - # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic. - proxyLoadBalancerIPs: true - - # IPsec tunnel related configurations. - ipsec: - # The authentication mode of IPsec tunnel. It has the following options: - # - psk (default): Use pre-shared key (PSK) for IKE authentication. - # - cert: Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth` - # feature gate to be enabled. - authenticationMode: "psk" - - multicluster: - # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. - # This feature is supported only with encap mode. - enable: false - # The Namespace where Antrea Multi-cluster Controller is running. - # The default is antrea-agent's Namespace. 
- namespace: "" - antrea-cni.conflist: | - { - "cniVersion":"0.3.0", - "name": "antrea", - "plugins": [ - { - "type": "antrea", - "ipam": { - "type": "host-local" - } - } - , - { - "type": "portmap", - "capabilities": {"portMappings": true} - } - , - { - "type": "bandwidth", - "capabilities": {"bandwidth": true} - } - ] - } - antrea-controller.conf: | - # FeatureGates is a map of feature names to bools that enable or disable experimental features. - featureGates: - # Enable traceflow which provides packet tracing feature to diagnose network issue. - # Traceflow: true - - # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins - # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy - # feature that supports priorities, rule actions and externalEntities in the future. - # AntreaPolicy: true - - # Enable collecting and exposing NetworkPolicy statistics. - # NetworkPolicyStats: true - - # Enable multicast traffic. This feature is supported only with noEncap mode. - # Multicast: false - - # Enable controlling SNAT IPs of Pod egress traffic. - # Egress: true - - # Run Kubernetes NodeIPAMController with Antrea. - # NodeIPAM: false - - # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the - # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for - # IPAM when configuring secondary network interfaces with Multus. - # AntreaIPAM: false - - # Enable managing external IPs of Services of LoadBalancer type. - # ServiceExternalIP: false - - # Enable certificated-based authentication for IPsec. - # IPsecCertAuth: false - - # The port for the antrea-controller APIServer to serve on. - # Note that if it's set to another value, the `containerPort` of the `api` port of the - # `antrea-controller` container must be set to the same value. - apiPort: 10349 - - # Enable metrics exposure via Prometheus. 
Initializes Prometheus metrics listener. - enablePrometheusMetrics: true - - # Indicates whether to use auto-generated self-signed TLS certificate. - # If false, a Secret named "antrea-controller-tls" must be provided with the following keys: - # ca.crt: - # tls.crt: - # tls.key: - selfSignedCert: true - - # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. - # https://golang.org/pkg/crypto/tls/#pkg-constants - # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always - # prefer TLS1.3 Cipher Suites whenever possible. - tlsCipherSuites: "" - - # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - tlsMinVersion: "" - - nodeIPAM: - # Enable the integrated Node IPAM controller within the Antrea controller. - enableNodeIPAM: false - # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. - # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. - # Value ignored when enableNodeIPAM is false. - clusterCIDRs: - # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. - # Value ignored when enableNodeIPAM is false. - serviceCIDR: "" - serviceCIDRv6: "" - # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false - # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. - nodeCIDRMaskSizeIPv4: 24 - # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false - # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. - nodeCIDRMaskSizeIPv6: 64 - - ipsecCSRSigner: - # Determines the auto-approve policy of Antrea CSR signer for IPsec certificates management. 
- # If enabled, Antrea will auto-approve the CertificateSingingRequest (CSR) if its subject and x509 extensions - # are permitted, and the requestor can be validated. If K8s `BoundServiceAccountTokenVolume` feature is enabled, - # the Pod identity will also be validated to provide maximum security. - # If set to false, Antrea will not auto-approve CertificateSingingRequests and they need to be approved - # manually by `kubectl certificate approve`. - autoApprove: true - # Indicates whether to use auto-generated self-signed CA certificate. - # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys: - # tls.crt: - # tls.key: - selfSignedCA: true ---- -# Source: antrea/templates/crds/antreaagentinfo.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: antreaagentinfos.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - additionalPrinterColumns: - - description: Health status of this Agent - jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status" - name: Healthy - type: string - - description: Last time the Healthy Condition was updated - jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime" - name: Last Heartbeat - type: date - - description: Version of this Agent - jsonPath: ".version" - name: Version - type: string - priority: 1 - - description: Node on which this Agent is running - jsonPath: ".nodeRef.name" - name: Node - type: string - priority: 1 - - description: Number of local Pods managed by this Agent - jsonPath: ".localPodNum" - name: Num Pods - type: integer - priority: 2 - - description: Subnets used by this Agent for Pod IPAM - jsonPath: ".nodeSubnets" - name: Subnets - type: string - priority: 2 - scope: Cluster - names: - plural: antreaagentinfos - singular: antreaagentinfo - kind: 
AntreaAgentInfo - shortNames: - - aai ---- -# Source: antrea/templates/crds/antreacontrollerinfo.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: antreacontrollerinfos.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - additionalPrinterColumns: - - description: Health status of the Controller - jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status" - name: Healthy - type: string - - description: Last time the Healthy Condition was updated - jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime" - name: Last Heartbeat - type: date - - description: Version of the Controller - jsonPath: ".version" - name: Version - type: string - priority: 1 - - description: Number of Agents connected to the Controller - jsonPath: ".connectedAgentNum" - name: Connected Agents - type: integer - priority: 1 - - description: Node on which the Controller is running - jsonPath: ".nodeRef.name" - name: Node - type: string - priority: 1 - - description: Number of Network Policies computed by Controller - jsonPath: ".networkPolicyControllerInfo.networkPolicyNum" - name: Num Network Policies - type: integer - priority: 2 - scope: Cluster - names: - plural: antreacontrollerinfos - singular: antreacontrollerinfo - kind: AntreaControllerInfo - shortNames: - - aci ---- -# Source: antrea/templates/crds/clustergroup.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: clustergroups.crd.antrea.io + name: clustergroups.crd.antrea.io labels: app: antrea spec: @@ -825,8 +373,9 @@ spec: kind: ClusterGroup shortNames: - cg + --- -# Source: antrea/templates/crds/clusternetworkpolicy.yaml +# Source: crds/clusternetworkpolicy.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
@@ -1434,8 +983,9 @@ spec: kind: ClusterNetworkPolicy shortNames: - acnp + --- -# Source: antrea/templates/crds/egress.yaml +# Source: crds/egress.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -1548,8 +1098,9 @@ spec: kind: Egress shortNames: - eg + --- -# Source: antrea/templates/crds/externalentity.yaml +# Source: crds/externalentity.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -1608,8 +1159,9 @@ spec: kind: ExternalEntity shortNames: - ee + --- -# Source: antrea/templates/crds/externalippool.yaml +# Source: crds/externalippool.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -1713,8 +1265,9 @@ spec: kind: ExternalIPPool shortNames: - eip + --- -# Source: antrea/templates/crds/ippool.yaml +# Source: crds/ippool.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -1827,8 +1380,9 @@ spec: kind: IPPool shortNames: - ipp + --- -# Source: antrea/templates/crds/networkpolicy.yaml +# Source: crds/networkpolicy.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -2337,8 +1891,9 @@ spec: kind: NetworkPolicy shortNames: - anp + --- -# Source: antrea/templates/crds/tier.yaml +# Source: crds/tier.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -2381,8 +1936,9 @@ spec: kind: Tier shortNames: - tr + --- -# Source: antrea/templates/crds/traceflow.yaml +# Source: crds/traceflow.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -2634,8 +2190,9 @@ spec: kind: Traceflow shortNames: - tf + --- -# Source: antrea/templates/crds/trafficcontrol.yaml +# Source: crds/trafficcontrol.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
@@ -2919,6 +2476,461 @@ spec: kind: TrafficControl shortNames: - tc + +--- +# Source: antrea/templates/agent/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antrea-agent + namespace: kube-system + labels: + app: antrea +--- +# Source: antrea/templates/antctl/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antctl + namespace: kube-system + labels: + app: antrea +--- +# Source: antrea/templates/controller/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antrea-controller + namespace: kube-system + labels: + app: antrea +--- +# Source: antrea/templates/agent/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: antrea-agent-service-account-token + namespace: kube-system + annotations: + kubernetes.io/service-account.name: antrea-agent +type: kubernetes.io/service-account-token +--- +# Source: antrea/templates/antctl/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: antctl-service-account-token + namespace: kube-system + annotations: + kubernetes.io/service-account.name: antctl +type: kubernetes.io/service-account-token +--- +# Source: antrea/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: antrea-config + namespace: kube-system + labels: + app: antrea +data: + antrea-agent.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. + # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on + # Service traffic. + # AntreaProxy: true + + # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice + # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, + # this flag will not take effect. 
+ # EndpointSlice: false + + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable NodePortLocal feature to make the Pods reachable externally through NodePort + # NodePortLocal: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each + # agent to a configured collector. + # FlowExporter: false + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: true + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: true + + # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the + # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for + # IPAM when configuring secondary network interfaces with Multus. + # AntreaIPAM: false + + # Enable multicast traffic. This feature is supported only with noEncap mode. + # Multicast: false + + # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. + # This feature is supported only with encap mode. + # Multicluster: false + + # Enable support for provisioning secondary network interfaces for Pods (using + # Pod annotations). At the moment, Antrea can only create secondary network + # interfaces using SR-IOV VFs on baremetal Nodes. + # SecondaryNetwork: false + + # Enable managing external IPs of Services of LoadBalancer type. + # ServiceExternalIP: false + + # Enable mirroring or redirecting the traffic Pods send or receive. + # TrafficControl: false + + # Enable certificated-based authentication for IPsec. 
+ # IPsecCertAuth: false + + # Name of the OpenVSwitch bridge antrea-agent will create and use. + # Make sure it doesn't conflict with your existing OpenVSwitch bridges. + ovsBridge: "br-int" + + # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: + # - system + # - netdev + # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run + # OVS in userspace mode. Userspace mode requires the tun device driver to be available. + #ovsDatapathType: system + + # Name of the interface antrea-agent will create and use for host <--> pod communication. + # Make sure it doesn't conflict with your existing interfaces. + hostGateway: "antrea-gw0" + + # Determines how traffic is encapsulated. It has the following options: + # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network + # traffic is SNAT'd. + # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is + # SNAT'd if noSNAT is not set to true. Underlying network must be capable of + # supporting Pod traffic across IP subnets. + # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. + # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod + # IPAM and connectivity to the primary CNI. + # + trafficEncapMode: "noEncap" + + # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. + # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap + # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to + # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never + # performs SNAT and this option will be ignored; for other modes it must be set to false. + noSNAT: false + + # Tunnel protocols used for encapsulating traffic across Nodes. 
If WireGuard is enabled in trafficEncryptionMode, + # this option will not take effect. Supported values: + # - geneve (default) + # - vxlan + # - gre + # - stt + # Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters). + tunnelType: "geneve" + + # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode. + # It has the following options: + # - none (default): Inter-node Pod traffic will not be encrypted. + # - ipsec: Enable IPsec (ESP) encryption for Pod traffic across Nodes. Antrea uses + # Preshared Key (PSK) for IKE authentication. When IPsec tunnel is enabled, + # the PSK value must be passed to Antrea Agent through an environment + # variable: ANTREA_IPSEC_PSK. + # - wireGuard: Enable WireGuard for tunnel traffic encryption. + trafficEncryptionMode: "none" + + # Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected + # to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are + # allocated by AntreaIPAM from IPPools) is sent to the underlay network, and forwarded/routed by the + # underlay network. + # This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only + # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`, + # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. + enableBridgingMode: false + + # Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the + # datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. + # It affects Pods running on Linux Nodes only. + disableTXChecksumOffload: false + + # Default MTU to use for the host gateway interface and the network interface of each Pod. 
+ # If omitted, antrea-agent will discover the MTU of the Node's primary interface and + # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). + defaultMTU: 0 + + # wireGuard specifies WireGuard related configurations. + wireGuard: + # The port for WireGuard to receive traffic. + port: 51820 + + egress: + # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. + exceptCIDRs: + + # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be + # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When + # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. + serviceCIDR: "" + + # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack + # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by + # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. + # No default value for this field. + serviceCIDRv6: "" + + # The port for the antrea-agent APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-agent` container must be set to the same value. + apiPort: 10350 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + enablePrometheusMetrics: true + + # Provide the IPFIX collector address as a string with format :[][:]. + # HOST can either be the DNS name or the IP of the Flow Collector. For example, + # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect + # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. + # However, IPv6 address should be wrapped with []. + # If PORT is empty, we default to 4739, the standard IPFIX port. + # If no PROTO is given, we consider "tls" as default. 
We support "tls", "tcp" and + # "udp" protocols. "tls" is used for securing communication between flow exporter and + # flow aggregator. + flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" + + # Provide flow poll interval as a duration string. This determines how often the + # flow exporter dumps connections from the conntrack module. Flow poll interval + # should be greater than or equal to 1s (one second). + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + flowPollInterval: "5s" + + # Provide the active flow export timeout, which is the timeout after which a flow + # record is sent to the collector for active flows. Thus, for flows with a continuous + # stream of packets, a flow record will be exported to the collector once the elapsed + # time since the last export event is equal to the value of this timeout. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + activeFlowExportTimeout: "5s" + + # Provide the idle flow export timeout, which is the timeout after which a flow + # record is sent to the collector for idle flows. A flow is considered idle if no + # packet matching this flow has been observed since the last export event. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + idleFlowExportTimeout: "15s" + + nodePortLocal: + # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To + # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature + # gate is also enabled (which is the default). + enable: false + # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port + # from that range will be assigned whenever a Pod's container defines a specific port to be exposed + # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic + # directed to that port will be forwarded to the Pod. 
+ portRange: "61000-62000" + + # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. + # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. + kubeAPIServerOverride: "" + + # Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy. + # Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53, + # [fd00:10:96::a]:53). + dnsServerOverride: "" + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + tlsCipherSuites: "" + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + tlsMinVersion: "" + + # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes. + # If there are multiple IP addresses configured on the interface, the first one is used. The IP + # address used for tunneling or routing traffic to remote Nodes is decided in the following order of + # preference (from highest to lowest): + # 1. transportInterface + # 2. transportInterfaceCIDRs + # 3. The Node IP + transportInterface: "" + + multicast: + # The names of the interfaces on Nodes that are used to forward multicast traffic. + # Defaults to transport interface if not set. + multicastInterfaces: + + # The interval at which the antrea-agent sends IGMP queries to Pods. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + igmpQueryInterval: "125s" + + # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across + # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. 
The + # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of + # preference (from highest to lowest): + # 1. transportInterface + # 2. transportInterfaceCIDRs + # 3. The Node IP + transportInterfaceCIDRs: + + # Option antreaProxy contains AntreaProxy related configuration options. + antreaProxy: + # ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic, + # regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy + # feature to be enabled. + # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access + # apiserver directly. + proxyAll: false + # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks. + # (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses. + # Note that the option is only valid when proxyAll is true. + nodePortAddresses: + # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these + # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name + # with Namespace (e.g. kube-system/kube-dns) + skipServices: + # When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the + # External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional + # capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the + # external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy. 
+ # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and + # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic. + proxyLoadBalancerIPs: true + + # IPsec tunnel related configurations. + ipsec: + # The authentication mode of IPsec tunnel. It has the following options: + # - psk (default): Use pre-shared key (PSK) for IKE authentication. + # - cert: Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth` + # feature gate to be enabled. + authenticationMode: "psk" + + multicluster: + # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. + # This feature is supported only with encap mode. + enable: false + # The Namespace where Antrea Multi-cluster Controller is running. + # The default is antrea-agent's Namespace. + namespace: "" + antrea-cni.conflist: | + { + "cniVersion":"0.3.0", + "name": "antrea", + "plugins": [ + { + "type": "antrea", + "ipam": { + "type": "host-local" + } + } + , + { + "type": "portmap", + "capabilities": {"portMappings": true} + } + , + { + "type": "bandwidth", + "capabilities": {"bandwidth": true} + } + ] + } + antrea-controller.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: true + + # Enable multicast traffic. This feature is supported only with noEncap mode. 
+ # Multicast: false + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: true + + # Run Kubernetes NodeIPAMController with Antrea. + # NodeIPAM: false + + # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the + # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for + # IPAM when configuring secondary network interfaces with Multus. + # AntreaIPAM: false + + # Enable managing external IPs of Services of LoadBalancer type. + # ServiceExternalIP: false + + # Enable certificated-based authentication for IPsec. + # IPsecCertAuth: false + + # The port for the antrea-controller APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-controller` container must be set to the same value. + apiPort: 10349 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + enablePrometheusMetrics: true + + # Indicates whether to use auto-generated self-signed TLS certificate. + # If false, a Secret named "antrea-controller-tls" must be provided with the following keys: + # ca.crt: + # tls.crt: + # tls.key: + selfSignedCert: true + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + tlsCipherSuites: "" + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + tlsMinVersion: "" + + nodeIPAM: + # Enable the integrated Node IPAM controller within the Antrea controller. + enableNodeIPAM: false + # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. + # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. 
+ # Value ignored when enableNodeIPAM is false. + clusterCIDRs: + # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. + # Value ignored when enableNodeIPAM is false. + serviceCIDR: "" + serviceCIDRv6: "" + # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. + nodeCIDRMaskSizeIPv4: 24 + # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. + nodeCIDRMaskSizeIPv6: 64 + + ipsecCSRSigner: + # Determines the auto-approve policy of Antrea CSR signer for IPsec certificates management. + # If enabled, Antrea will auto-approve the CertificateSingingRequest (CSR) if its subject and x509 extensions + # are permitted, and the requestor can be validated. If K8s `BoundServiceAccountTokenVolume` feature is enabled, + # the Pod identity will also be validated to provide maximum security. + # If set to false, Antrea will not auto-approve CertificateSingingRequests and they need to be approved + # manually by `kubectl certificate approve`. + autoApprove: true + # Indicates whether to use auto-generated self-signed CA certificate. + # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys: + # tls.crt: + # tls.key: + selfSignedCA: true --- # Source: antrea/templates/agent/clusterrole.yaml kind: ClusterRole diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml index f3bda059167..a62bb3cc043 100644 --- a/build/yamls/antrea-ipsec.yml +++ b/build/yamls/antrea-ipsec.yml 
@@ -1,584 +1,119 @@ --- -# Source: antrea/templates/agent/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: antrea-agent - namespace: kube-system - labels: - app: antrea ---- -# Source: antrea/templates/antctl/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: antctl - namespace: kube-system - labels: - app: antrea ---- -# Source: antrea/templates/controller/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount +# Source: crds/antreaagentinfo.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: antrea-controller - namespace: kube-system + name: antreaagentinfos.crd.antrea.io labels: app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of this Agent + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of this Agent + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Node on which this Agent is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of local Pods managed by this Agent + jsonPath: ".localPodNum" + name: Num Pods + type: integer + priority: 2 + - description: Subnets used by this Agent for Pod IPAM + jsonPath: ".nodeSubnets" + name: Subnets + type: string + priority: 2 + scope: Cluster + names: + plural: antreaagentinfos + singular: antreaagentinfo + kind: AntreaAgentInfo + shortNames: + - aai + --- -# Source: antrea/templates/agent/ipsec-secret.yaml -apiVersion: v1 -kind: Secret +# Source: crds/antreacontrollerinfo.yaml +apiVersion: 
apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: antrea-ipsec - namespace: kube-system + name: antreacontrollerinfos.crd.antrea.io labels: app: antrea -type: Opaque -stringData: - # Preshared Key used by IKE for authentication with peers. - psk: "changeme" ---- -# Source: antrea/templates/agent/secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: antrea-agent-service-account-token - namespace: kube-system - annotations: - kubernetes.io/service-account.name: antrea-agent -type: kubernetes.io/service-account-token ---- -# Source: antrea/templates/antctl/secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: antctl-service-account-token - namespace: kube-system - annotations: - kubernetes.io/service-account.name: antctl -type: kubernetes.io/service-account-token +spec: + group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of the Controller + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of the Controller + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Number of Agents connected to the Controller + jsonPath: ".connectedAgentNum" + name: Connected Agents + type: integer + priority: 1 + - description: Node on which the Controller is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of Network Policies computed by Controller + jsonPath: ".networkPolicyControllerInfo.networkPolicyNum" + name: Num Network Policies + type: integer + priority: 2 + scope: Cluster + names: + plural: antreacontrollerinfos + singular: 
antreacontrollerinfo + kind: AntreaControllerInfo + shortNames: + - aci + --- -# Source: antrea/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap +# Source: crds/clustergroup.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: antrea-config - namespace: kube-system - labels: - app: antrea -data: - antrea-agent.conf: | - # FeatureGates is a map of feature names to bools that enable or disable experimental features. - featureGates: - # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. - # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on - # Service traffic. - # AntreaProxy: true - - # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice - # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, - # this flag will not take effect. - # EndpointSlice: false - - # Enable traceflow which provides packet tracing feature to diagnose network issue. - # Traceflow: true - - # Enable NodePortLocal feature to make the Pods reachable externally through NodePort - # NodePortLocal: true - - # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins - # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy - # feature that supports priorities, rule actions and externalEntities in the future. - # AntreaPolicy: true - - # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each - # agent to a configured collector. - # FlowExporter: false - - # Enable collecting and exposing NetworkPolicy statistics. - # NetworkPolicyStats: true - - # Enable controlling SNAT IPs of Pod egress traffic. - # Egress: true - - # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the - # bridging mode and allocates IPs to Pods in bridging mode. 
It is also required to use Antrea for - # IPAM when configuring secondary network interfaces with Multus. - # AntreaIPAM: false - - # Enable multicast traffic. This feature is supported only with noEncap mode. - # Multicast: false - - # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. - # This feature is supported only with encap mode. - # Multicluster: false - - # Enable support for provisioning secondary network interfaces for Pods (using - # Pod annotations). At the moment, Antrea can only create secondary network - # interfaces using SR-IOV VFs on baremetal Nodes. - # SecondaryNetwork: false - - # Enable managing external IPs of Services of LoadBalancer type. - # ServiceExternalIP: false - - # Enable mirroring or redirecting the traffic Pods send or receive. - # TrafficControl: false - - # Enable certificated-based authentication for IPsec. - # IPsecCertAuth: false - - # Name of the OpenVSwitch bridge antrea-agent will create and use. - # Make sure it doesn't conflict with your existing OpenVSwitch bridges. - ovsBridge: "br-int" - - # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: - # - system - # - netdev - # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run - # OVS in userspace mode. Userspace mode requires the tun device driver to be available. - #ovsDatapathType: system - - # Name of the interface antrea-agent will create and use for host <--> pod communication. - # Make sure it doesn't conflict with your existing interfaces. - hostGateway: "antrea-gw0" - - # Determines how traffic is encapsulated. It has the following options: - # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network - # traffic is SNAT'd. - # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is - # SNAT'd if noSNAT is not set to true. Underlying network must be capable of - # supporting Pod traffic across IP subnets. 
- # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. - # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod - # IPAM and connectivity to the primary CNI. - # - trafficEncapMode: "encap" - - # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. - # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap - # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to - # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never - # performs SNAT and this option will be ignored; for other modes it must be set to false. - noSNAT: false - - # Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode, - # this option will not take effect. Supported values: - # - geneve (default) - # - vxlan - # - gre - # - stt - # Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters). - tunnelType: "gre" - - # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode. - # It has the following options: - # - none (default): Inter-node Pod traffic will not be encrypted. - # - ipsec: Enable IPsec (ESP) encryption for Pod traffic across Nodes. Antrea uses - # Preshared Key (PSK) for IKE authentication. When IPsec tunnel is enabled, - # the PSK value must be passed to Antrea Agent through an environment - # variable: ANTREA_IPSEC_PSK. - # - wireGuard: Enable WireGuard for tunnel traffic encryption. 
- trafficEncryptionMode: "ipsec" - - # Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected - # to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are - # allocated by AntreaIPAM from IPPools) is sent to the underlay network, and forwarded/routed by the - # underlay network. - # This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only - # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`, - # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. - enableBridgingMode: false - - # Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the - # datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. - # It affects Pods running on Linux Nodes only. - disableTXChecksumOffload: false - - # Default MTU to use for the host gateway interface and the network interface of each Pod. - # If omitted, antrea-agent will discover the MTU of the Node's primary interface and - # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). - defaultMTU: 0 - - # wireGuard specifies WireGuard related configurations. - wireGuard: - # The port for WireGuard to receive traffic. - port: 51820 - - egress: - # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. - exceptCIDRs: - - # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be - # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When - # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. - serviceCIDR: "" - - # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack - # cluster or an IPv6 only cluster. 
The value should be the same as the configuration for kube-apiserver specified by - # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. - # No default value for this field. - serviceCIDRv6: "" - - # The port for the antrea-agent APIServer to serve on. - # Note that if it's set to another value, the `containerPort` of the `api` port of the - # `antrea-agent` container must be set to the same value. - apiPort: 10350 - - # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. - enablePrometheusMetrics: true - - # Provide the IPFIX collector address as a string with format :[][:]. - # HOST can either be the DNS name or the IP of the Flow Collector. For example, - # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect - # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. - # However, IPv6 address should be wrapped with []. - # If PORT is empty, we default to 4739, the standard IPFIX port. - # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and - # "udp" protocols. "tls" is used for securing communication between flow exporter and - # flow aggregator. - flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" - - # Provide flow poll interval as a duration string. This determines how often the - # flow exporter dumps connections from the conntrack module. Flow poll interval - # should be greater than or equal to 1s (one second). - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - flowPollInterval: "5s" - - # Provide the active flow export timeout, which is the timeout after which a flow - # record is sent to the collector for active flows. Thus, for flows with a continuous - # stream of packets, a flow record will be exported to the collector once the elapsed - # time since the last export event is equal to the value of this timeout. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
- activeFlowExportTimeout: "5s" - - # Provide the idle flow export timeout, which is the timeout after which a flow - # record is sent to the collector for idle flows. A flow is considered idle if no - # packet matching this flow has been observed since the last export event. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - idleFlowExportTimeout: "15s" - - nodePortLocal: - # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To - # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature - # gate is also enabled (which is the default). - enable: false - # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port - # from that range will be assigned whenever a Pod's container defines a specific port to be exposed - # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic - # directed to that port will be forwarded to the Pod. - portRange: "61000-62000" - - # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. - # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. - kubeAPIServerOverride: "" - - # Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy. - # Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53, - # [fd00:10:96::a]:53). - dnsServerOverride: "" - - # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. - # https://golang.org/pkg/crypto/tls/#pkg-constants - # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always - # prefer TLS1.3 Cipher Suites whenever possible. - tlsCipherSuites: "" - - # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. 
- tlsMinVersion: "" - - # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes. - # If there are multiple IP addresses configured on the interface, the first one is used. The IP - # address used for tunneling or routing traffic to remote Nodes is decided in the following order of - # preference (from highest to lowest): - # 1. transportInterface - # 2. transportInterfaceCIDRs - # 3. The Node IP - transportInterface: "" - - multicast: - # The names of the interfaces on Nodes that are used to forward multicast traffic. - # Defaults to transport interface if not set. - multicastInterfaces: - - # The interval at which the antrea-agent sends IGMP queries to Pods. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - igmpQueryInterval: "125s" - - # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across - # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The - # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of - # preference (from highest to lowest): - # 1. transportInterface - # 2. transportInterfaceCIDRs - # 3. The Node IP - transportInterfaceCIDRs: - - # Option antreaProxy contains AntreaProxy related configuration options. - antreaProxy: - # ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic, - # regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy - # feature to be enabled. - # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access - # apiserver directly. - proxyAll: false - # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks. - # (e.g. 1.2.3.0/24, 1.2.3.4/32). 
An empty string slice is meant to select all host IPv4/IPv6 addresses. - # Note that the option is only valid when proxyAll is true. - nodePortAddresses: - # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these - # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name - # with Namespace (e.g. kube-system/kube-dns) - skipServices: - # When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the - # External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional - # capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the - # external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy. - # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and - # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic. - proxyLoadBalancerIPs: true - - # IPsec tunnel related configurations. - ipsec: - # The authentication mode of IPsec tunnel. It has the following options: - # - psk (default): Use pre-shared key (PSK) for IKE authentication. - # - cert: Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth` - # feature gate to be enabled. - authenticationMode: "psk" - - multicluster: - # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. - # This feature is supported only with encap mode. - enable: false - # The Namespace where Antrea Multi-cluster Controller is running. - # The default is antrea-agent's Namespace. 
- namespace: "" - antrea-cni.conflist: | - { - "cniVersion":"0.3.0", - "name": "antrea", - "plugins": [ - { - "type": "antrea", - "ipam": { - "type": "host-local" - } - } - , - { - "type": "portmap", - "capabilities": {"portMappings": true} - } - , - { - "type": "bandwidth", - "capabilities": {"bandwidth": true} - } - ] - } - antrea-controller.conf: | - # FeatureGates is a map of feature names to bools that enable or disable experimental features. - featureGates: - # Enable traceflow which provides packet tracing feature to diagnose network issue. - # Traceflow: true - - # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins - # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy - # feature that supports priorities, rule actions and externalEntities in the future. - # AntreaPolicy: true - - # Enable collecting and exposing NetworkPolicy statistics. - # NetworkPolicyStats: true - - # Enable multicast traffic. This feature is supported only with noEncap mode. - # Multicast: false - - # Enable controlling SNAT IPs of Pod egress traffic. - # Egress: true - - # Run Kubernetes NodeIPAMController with Antrea. - # NodeIPAM: false - - # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the - # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for - # IPAM when configuring secondary network interfaces with Multus. - # AntreaIPAM: false - - # Enable managing external IPs of Services of LoadBalancer type. - # ServiceExternalIP: false - - # Enable certificated-based authentication for IPsec. - # IPsecCertAuth: false - - # The port for the antrea-controller APIServer to serve on. - # Note that if it's set to another value, the `containerPort` of the `api` port of the - # `antrea-controller` container must be set to the same value. - apiPort: 10349 - - # Enable metrics exposure via Prometheus. 
Initializes Prometheus metrics listener. - enablePrometheusMetrics: true - - # Indicates whether to use auto-generated self-signed TLS certificate. - # If false, a Secret named "antrea-controller-tls" must be provided with the following keys: - # ca.crt: - # tls.crt: - # tls.key: - selfSignedCert: true - - # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. - # https://golang.org/pkg/crypto/tls/#pkg-constants - # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always - # prefer TLS1.3 Cipher Suites whenever possible. - tlsCipherSuites: "" - - # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - tlsMinVersion: "" - - nodeIPAM: - # Enable the integrated Node IPAM controller within the Antrea controller. - enableNodeIPAM: false - # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. - # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. - # Value ignored when enableNodeIPAM is false. - clusterCIDRs: - # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. - # Value ignored when enableNodeIPAM is false. - serviceCIDR: "" - serviceCIDRv6: "" - # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false - # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. - nodeCIDRMaskSizeIPv4: 24 - # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false - # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. - nodeCIDRMaskSizeIPv6: 64 - - ipsecCSRSigner: - # Determines the auto-approve policy of Antrea CSR signer for IPsec certificates management. 
- # If enabled, Antrea will auto-approve the CertificateSingingRequest (CSR) if its subject and x509 extensions - # are permitted, and the requestor can be validated. If K8s `BoundServiceAccountTokenVolume` feature is enabled, - # the Pod identity will also be validated to provide maximum security. - # If set to false, Antrea will not auto-approve CertificateSingingRequests and they need to be approved - # manually by `kubectl certificate approve`. - autoApprove: true - # Indicates whether to use auto-generated self-signed CA certificate. - # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys: - # tls.crt: - # tls.key: - selfSignedCA: true ---- -# Source: antrea/templates/crds/antreaagentinfo.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: antreaagentinfos.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - additionalPrinterColumns: - - description: Health status of this Agent - jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status" - name: Healthy - type: string - - description: Last time the Healthy Condition was updated - jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime" - name: Last Heartbeat - type: date - - description: Version of this Agent - jsonPath: ".version" - name: Version - type: string - priority: 1 - - description: Node on which this Agent is running - jsonPath: ".nodeRef.name" - name: Node - type: string - priority: 1 - - description: Number of local Pods managed by this Agent - jsonPath: ".localPodNum" - name: Num Pods - type: integer - priority: 2 - - description: Subnets used by this Agent for Pod IPAM - jsonPath: ".nodeSubnets" - name: Subnets - type: string - priority: 2 - scope: Cluster - names: - plural: antreaagentinfos - singular: antreaagentinfo - kind: 
AntreaAgentInfo - shortNames: - - aai ---- -# Source: antrea/templates/crds/antreacontrollerinfo.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: antreacontrollerinfos.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - additionalPrinterColumns: - - description: Health status of the Controller - jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status" - name: Healthy - type: string - - description: Last time the Healthy Condition was updated - jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime" - name: Last Heartbeat - type: date - - description: Version of the Controller - jsonPath: ".version" - name: Version - type: string - priority: 1 - - description: Number of Agents connected to the Controller - jsonPath: ".connectedAgentNum" - name: Connected Agents - type: integer - priority: 1 - - description: Node on which the Controller is running - jsonPath: ".nodeRef.name" - name: Node - type: string - priority: 1 - - description: Number of Network Policies computed by Controller - jsonPath: ".networkPolicyControllerInfo.networkPolicyNum" - name: Num Network Policies - type: integer - priority: 2 - scope: Cluster - names: - plural: antreacontrollerinfos - singular: antreacontrollerinfo - kind: AntreaControllerInfo - shortNames: - - aci ---- -# Source: antrea/templates/crds/clustergroup.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: clustergroups.crd.antrea.io + name: clustergroups.crd.antrea.io labels: app: antrea spec: @@ -838,8 +373,9 @@ spec: kind: ClusterGroup shortNames: - cg + --- -# Source: antrea/templates/crds/clusternetworkpolicy.yaml +# Source: crds/clusternetworkpolicy.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
@@ -1447,8 +983,9 @@ spec: kind: ClusterNetworkPolicy shortNames: - acnp + --- -# Source: antrea/templates/crds/egress.yaml +# Source: crds/egress.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -1561,8 +1098,9 @@ spec: kind: Egress shortNames: - eg + --- -# Source: antrea/templates/crds/externalentity.yaml +# Source: crds/externalentity.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -1621,8 +1159,9 @@ spec: kind: ExternalEntity shortNames: - ee + --- -# Source: antrea/templates/crds/externalippool.yaml +# Source: crds/externalippool.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -1726,8 +1265,9 @@ spec: kind: ExternalIPPool shortNames: - eip + --- -# Source: antrea/templates/crds/ippool.yaml +# Source: crds/ippool.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -1840,8 +1380,9 @@ spec: kind: IPPool shortNames: - ipp + --- -# Source: antrea/templates/crds/networkpolicy.yaml +# Source: crds/networkpolicy.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -2350,8 +1891,9 @@ spec: kind: NetworkPolicy shortNames: - anp + --- -# Source: antrea/templates/crds/tier.yaml +# Source: crds/tier.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -2394,8 +1936,9 @@ spec: kind: Tier shortNames: - tr + --- -# Source: antrea/templates/crds/traceflow.yaml +# Source: crds/traceflow.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -2647,8 +2190,9 @@ spec: kind: Traceflow shortNames: - tf + --- -# Source: antrea/templates/crds/trafficcontrol.yaml +# Source: crds/trafficcontrol.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
@@ -2932,6 +2476,474 @@ spec: kind: TrafficControl shortNames: - tc + +--- +# Source: antrea/templates/agent/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antrea-agent + namespace: kube-system + labels: + app: antrea +--- +# Source: antrea/templates/antctl/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antctl + namespace: kube-system + labels: + app: antrea +--- +# Source: antrea/templates/controller/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antrea-controller + namespace: kube-system + labels: + app: antrea +--- +# Source: antrea/templates/agent/ipsec-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: antrea-ipsec + namespace: kube-system + labels: + app: antrea +type: Opaque +stringData: + # Preshared Key used by IKE for authentication with peers. + psk: "changeme" +--- +# Source: antrea/templates/agent/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: antrea-agent-service-account-token + namespace: kube-system + annotations: + kubernetes.io/service-account.name: antrea-agent +type: kubernetes.io/service-account-token +--- +# Source: antrea/templates/antctl/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: antctl-service-account-token + namespace: kube-system + annotations: + kubernetes.io/service-account.name: antctl +type: kubernetes.io/service-account-token +--- +# Source: antrea/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: antrea-config + namespace: kube-system + labels: + app: antrea +data: + antrea-agent.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. + # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on + # Service traffic. + # AntreaProxy: true + + # Enable EndpointSlice support in AntreaProxy. 
Don't enable this feature unless that EndpointSlice + # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, + # this flag will not take effect. + # EndpointSlice: false + + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable NodePortLocal feature to make the Pods reachable externally through NodePort + # NodePortLocal: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each + # agent to a configured collector. + # FlowExporter: false + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: true + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: true + + # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the + # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for + # IPAM when configuring secondary network interfaces with Multus. + # AntreaIPAM: false + + # Enable multicast traffic. This feature is supported only with noEncap mode. + # Multicast: false + + # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. + # This feature is supported only with encap mode. + # Multicluster: false + + # Enable support for provisioning secondary network interfaces for Pods (using + # Pod annotations). At the moment, Antrea can only create secondary network + # interfaces using SR-IOV VFs on baremetal Nodes. + # SecondaryNetwork: false + + # Enable managing external IPs of Services of LoadBalancer type. 
+ # ServiceExternalIP: false + + # Enable mirroring or redirecting the traffic Pods send or receive. + # TrafficControl: false + + # Enable certificated-based authentication for IPsec. + # IPsecCertAuth: false + + # Name of the OpenVSwitch bridge antrea-agent will create and use. + # Make sure it doesn't conflict with your existing OpenVSwitch bridges. + ovsBridge: "br-int" + + # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: + # - system + # - netdev + # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run + # OVS in userspace mode. Userspace mode requires the tun device driver to be available. + #ovsDatapathType: system + + # Name of the interface antrea-agent will create and use for host <--> pod communication. + # Make sure it doesn't conflict with your existing interfaces. + hostGateway: "antrea-gw0" + + # Determines how traffic is encapsulated. It has the following options: + # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network + # traffic is SNAT'd. + # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is + # SNAT'd if noSNAT is not set to true. Underlying network must be capable of + # supporting Pod traffic across IP subnets. + # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. + # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod + # IPAM and connectivity to the primary CNI. + # + trafficEncapMode: "encap" + + # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. + # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap + # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to + # the external network needs not be SNAT'd. 
In the networkPolicyOnly mode, antrea-agent never + # performs SNAT and this option will be ignored; for other modes it must be set to false. + noSNAT: false + + # Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode, + # this option will not take effect. Supported values: + # - geneve (default) + # - vxlan + # - gre + # - stt + # Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters). + tunnelType: "gre" + + # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode. + # It has the following options: + # - none (default): Inter-node Pod traffic will not be encrypted. + # - ipsec: Enable IPsec (ESP) encryption for Pod traffic across Nodes. Antrea uses + # Preshared Key (PSK) for IKE authentication. When IPsec tunnel is enabled, + # the PSK value must be passed to Antrea Agent through an environment + # variable: ANTREA_IPSEC_PSK. + # - wireGuard: Enable WireGuard for tunnel traffic encryption. + trafficEncryptionMode: "ipsec" + + # Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected + # to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are + # allocated by AntreaIPAM from IPPools) is sent to the underlay network, and forwarded/routed by the + # underlay network. + # This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only + # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`, + # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. + enableBridgingMode: false + + # Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the + # datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. + # It affects Pods running on Linux Nodes only. 
+ disableTXChecksumOffload: false + + # Default MTU to use for the host gateway interface and the network interface of each Pod. + # If omitted, antrea-agent will discover the MTU of the Node's primary interface and + # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). + defaultMTU: 0 + + # wireGuard specifies WireGuard related configurations. + wireGuard: + # The port for WireGuard to receive traffic. + port: 51820 + + egress: + # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. + exceptCIDRs: + + # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be + # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When + # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. + serviceCIDR: "" + + # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack + # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by + # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. + # No default value for this field. + serviceCIDRv6: "" + + # The port for the antrea-agent APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-agent` container must be set to the same value. + apiPort: 10350 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + enablePrometheusMetrics: true + + # Provide the IPFIX collector address as a string with format :[][:]. + # HOST can either be the DNS name or the IP of the Flow Collector. For example, + # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect + # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. + # However, IPv6 address should be wrapped with []. 
+ # If PORT is empty, we default to 4739, the standard IPFIX port. + # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and + # "udp" protocols. "tls" is used for securing communication between flow exporter and + # flow aggregator. + flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" + + # Provide flow poll interval as a duration string. This determines how often the + # flow exporter dumps connections from the conntrack module. Flow poll interval + # should be greater than or equal to 1s (one second). + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + flowPollInterval: "5s" + + # Provide the active flow export timeout, which is the timeout after which a flow + # record is sent to the collector for active flows. Thus, for flows with a continuous + # stream of packets, a flow record will be exported to the collector once the elapsed + # time since the last export event is equal to the value of this timeout. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + activeFlowExportTimeout: "5s" + + # Provide the idle flow export timeout, which is the timeout after which a flow + # record is sent to the collector for idle flows. A flow is considered idle if no + # packet matching this flow has been observed since the last export event. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + idleFlowExportTimeout: "15s" + + nodePortLocal: + # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To + # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature + # gate is also enabled (which is the default). + enable: false + # Provide the port range used by NodePortLocal. 
When the NodePortLocal feature is enabled, a port + # from that range will be assigned whenever a Pod's container defines a specific port to be exposed + # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic + # directed to that port will be forwarded to the Pod. + portRange: "61000-62000" + + # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. + # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. + kubeAPIServerOverride: "" + + # Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy. + # Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53, + # [fd00:10:96::a]:53). + dnsServerOverride: "" + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + tlsCipherSuites: "" + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + tlsMinVersion: "" + + # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes. + # If there are multiple IP addresses configured on the interface, the first one is used. The IP + # address used for tunneling or routing traffic to remote Nodes is decided in the following order of + # preference (from highest to lowest): + # 1. transportInterface + # 2. transportInterfaceCIDRs + # 3. The Node IP + transportInterface: "" + + multicast: + # The names of the interfaces on Nodes that are used to forward multicast traffic. + # Defaults to transport interface if not set. + multicastInterfaces: + + # The interval at which the antrea-agent sends IGMP queries to Pods. 
+ # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + igmpQueryInterval: "125s" + + # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across + # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The + # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of + # preference (from highest to lowest): + # 1. transportInterface + # 2. transportInterfaceCIDRs + # 3. The Node IP + transportInterfaceCIDRs: + + # Option antreaProxy contains AntreaProxy related configuration options. + antreaProxy: + # ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic, + # regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy + # feature to be enabled. + # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access + # apiserver directly. + proxyAll: false + # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks. + # (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses. + # Note that the option is only valid when proxyAll is true. + nodePortAddresses: + # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these + # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name + # with Namespace (e.g. kube-system/kube-dns) + skipServices: + # When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the + # External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional + # capabilities (e.g. 
TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the + # external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy. + # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and + # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic. + proxyLoadBalancerIPs: true + + # IPsec tunnel related configurations. + ipsec: + # The authentication mode of IPsec tunnel. It has the following options: + # - psk (default): Use pre-shared key (PSK) for IKE authentication. + # - cert: Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth` + # feature gate to be enabled. + authenticationMode: "psk" + + multicluster: + # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. + # This feature is supported only with encap mode. + enable: false + # The Namespace where Antrea Multi-cluster Controller is running. + # The default is antrea-agent's Namespace. + namespace: "" + antrea-cni.conflist: | + { + "cniVersion":"0.3.0", + "name": "antrea", + "plugins": [ + { + "type": "antrea", + "ipam": { + "type": "host-local" + } + } + , + { + "type": "portmap", + "capabilities": {"portMappings": true} + } + , + { + "type": "bandwidth", + "capabilities": {"bandwidth": true} + } + ] + } + antrea-controller.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable collecting and exposing NetworkPolicy statistics. 
+ # NetworkPolicyStats: true + + # Enable multicast traffic. This feature is supported only with noEncap mode. + # Multicast: false + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: true + + # Run Kubernetes NodeIPAMController with Antrea. + # NodeIPAM: false + + # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the + # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for + # IPAM when configuring secondary network interfaces with Multus. + # AntreaIPAM: false + + # Enable managing external IPs of Services of LoadBalancer type. + # ServiceExternalIP: false + + # Enable certificated-based authentication for IPsec. + # IPsecCertAuth: false + + # The port for the antrea-controller APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-controller` container must be set to the same value. + apiPort: 10349 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + enablePrometheusMetrics: true + + # Indicates whether to use auto-generated self-signed TLS certificate. + # If false, a Secret named "antrea-controller-tls" must be provided with the following keys: + # ca.crt: + # tls.crt: + # tls.key: + selfSignedCert: true + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + tlsCipherSuites: "" + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + tlsMinVersion: "" + + nodeIPAM: + # Enable the integrated Node IPAM controller within the Antrea controller. + enableNodeIPAM: false + # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. 
+ # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. + # Value ignored when enableNodeIPAM is false. + clusterCIDRs: + # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. + # Value ignored when enableNodeIPAM is false. + serviceCIDR: "" + serviceCIDRv6: "" + # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. + nodeCIDRMaskSizeIPv4: 24 + # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. + nodeCIDRMaskSizeIPv6: 64 + + ipsecCSRSigner: + # Determines the auto-approve policy of Antrea CSR signer for IPsec certificates management. + # If enabled, Antrea will auto-approve the CertificateSingingRequest (CSR) if its subject and x509 extensions + # are permitted, and the requestor can be validated. If K8s `BoundServiceAccountTokenVolume` feature is enabled, + # the Pod identity will also be validated to provide maximum security. + # If set to false, Antrea will not auto-approve CertificateSingingRequests and they need to be approved + # manually by `kubectl certificate approve`. + autoApprove: true + # Indicates whether to use auto-generated self-signed CA certificate. + # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys: + # tls.crt: + # tls.key: + selfSignedCA: true --- # Source: antrea/templates/agent/clusterrole.yaml kind: ClusterRole diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml index 78717183955..1bb9be1c0f5 100644 --- a/build/yamls/antrea.yml +++ b/build/yamls/antrea.yml 
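Review bot: The `antrea-ipsec` Secret in this hunk ships a hardcoded pre-shared key, `psk: "changeme"`, in plaintext `stringData`, while the same manifest's agent config sets `trafficEncryptionMode: "ipsec"` and `ipsec.authenticationMode: "psk"`, so a cluster that applies this file unmodified authenticates IKE peers with a publicly known key, and presumably any host that can reach the Nodes' IKE/ESP ports could negotiate a tunnel and read or inject inter-Node Pod traffic. The only warning next to the value is `# Preshared Key used by IKE for authentication with peers.`; I would extend it to `# Placeholder only: replace with a strong random PSK (e.g. openssl rand -base64 32) before applying; antrea-agent reads it via ANTREA_IPSEC_PSK.` so the requirement sits beside the value rather than only in the trafficEncryptionMode note further down. Because the `# Source: antrea/templates/agent/ipsec-secret.yaml` marker shows this file is rendered from the chart, the wording belongs in that template (ideally with the chart requiring the value instead of defaulting it) and this file regenerated. The file header for this hunk is outside the visible diff, so the file identity is inferred from its content.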
@@ -1,571 +1,119 @@ --- -# Source: antrea/templates/agent/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: antrea-agent - namespace: kube-system - labels: - app: antrea ---- -# Source: antrea/templates/antctl/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount +# Source: crds/antreaagentinfo.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: antctl - namespace: kube-system + name: antreaagentinfos.crd.antrea.io labels: app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of this Agent + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of this Agent + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Node on which this Agent is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of local Pods managed by this Agent + jsonPath: ".localPodNum" + name: Num Pods + type: integer + priority: 2 + - description: Subnets used by this Agent for Pod IPAM + jsonPath: ".nodeSubnets" + name: Subnets + type: string + priority: 2 + scope: Cluster + names: + plural: antreaagentinfos + singular: antreaagentinfo + kind: AntreaAgentInfo + shortNames: + - aai + --- -# Source: antrea/templates/controller/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount +# Source: crds/antreacontrollerinfo.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: antrea-controller - namespace: kube-system + name: antreacontrollerinfos.crd.antrea.io labels: app: antrea +spec: + 
group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of the Controller + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of the Controller + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Number of Agents connected to the Controller + jsonPath: ".connectedAgentNum" + name: Connected Agents + type: integer + priority: 1 + - description: Node on which the Controller is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of Network Policies computed by Controller + jsonPath: ".networkPolicyControllerInfo.networkPolicyNum" + name: Num Network Policies + type: integer + priority: 2 + scope: Cluster + names: + plural: antreacontrollerinfos + singular: antreacontrollerinfo + kind: AntreaControllerInfo + shortNames: + - aci + --- -# Source: antrea/templates/agent/secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: antrea-agent-service-account-token - namespace: kube-system - annotations: - kubernetes.io/service-account.name: antrea-agent -type: kubernetes.io/service-account-token ---- -# Source: antrea/templates/antctl/secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: antctl-service-account-token - namespace: kube-system - annotations: - kubernetes.io/service-account.name: antctl -type: kubernetes.io/service-account-token ---- -# Source: antrea/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap +# Source: crds/clustergroup.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: antrea-config - 
namespace: kube-system - labels: - app: antrea -data: - antrea-agent.conf: | - # FeatureGates is a map of feature names to bools that enable or disable experimental features. - featureGates: - # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. - # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on - # Service traffic. - # AntreaProxy: true - - # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice - # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, - # this flag will not take effect. - # EndpointSlice: false - - # Enable traceflow which provides packet tracing feature to diagnose network issue. - # Traceflow: true - - # Enable NodePortLocal feature to make the Pods reachable externally through NodePort - # NodePortLocal: true - - # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins - # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy - # feature that supports priorities, rule actions and externalEntities in the future. - # AntreaPolicy: true - - # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each - # agent to a configured collector. - # FlowExporter: false - - # Enable collecting and exposing NetworkPolicy statistics. - # NetworkPolicyStats: true - - # Enable controlling SNAT IPs of Pod egress traffic. - # Egress: true - - # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the - # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for - # IPAM when configuring secondary network interfaces with Multus. - # AntreaIPAM: false - - # Enable multicast traffic. This feature is supported only with noEncap mode. - # Multicast: false - - # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. 
- # This feature is supported only with encap mode. - # Multicluster: false - - # Enable support for provisioning secondary network interfaces for Pods (using - # Pod annotations). At the moment, Antrea can only create secondary network - # interfaces using SR-IOV VFs on baremetal Nodes. - # SecondaryNetwork: false - - # Enable managing external IPs of Services of LoadBalancer type. - # ServiceExternalIP: false - - # Enable mirroring or redirecting the traffic Pods send or receive. - # TrafficControl: false - - # Enable certificated-based authentication for IPsec. - # IPsecCertAuth: false - - # Name of the OpenVSwitch bridge antrea-agent will create and use. - # Make sure it doesn't conflict with your existing OpenVSwitch bridges. - ovsBridge: "br-int" - - # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: - # - system - # - netdev - # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run - # OVS in userspace mode. Userspace mode requires the tun device driver to be available. - #ovsDatapathType: system - - # Name of the interface antrea-agent will create and use for host <--> pod communication. - # Make sure it doesn't conflict with your existing interfaces. - hostGateway: "antrea-gw0" - - # Determines how traffic is encapsulated. It has the following options: - # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network - # traffic is SNAT'd. - # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is - # SNAT'd if noSNAT is not set to true. Underlying network must be capable of - # supporting Pod traffic across IP subnets. - # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. - # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod - # IPAM and connectivity to the primary CNI. 
- # - trafficEncapMode: "encap" - - # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. - # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap - # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to - # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never - # performs SNAT and this option will be ignored; for other modes it must be set to false. - noSNAT: false - - # Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode, - # this option will not take effect. Supported values: - # - geneve (default) - # - vxlan - # - gre - # - stt - # Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters). - tunnelType: "geneve" - - # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode. - # It has the following options: - # - none (default): Inter-node Pod traffic will not be encrypted. - # - ipsec: Enable IPsec (ESP) encryption for Pod traffic across Nodes. Antrea uses - # Preshared Key (PSK) for IKE authentication. When IPsec tunnel is enabled, - # the PSK value must be passed to Antrea Agent through an environment - # variable: ANTREA_IPSEC_PSK. - # - wireGuard: Enable WireGuard for tunnel traffic encryption. - trafficEncryptionMode: "none" - - # Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected - # to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are - # allocated by AntreaIPAM from IPPools) is sent to the underlay network, and forwarded/routed by the - # underlay network. - # This option requires the `AntreaIPAM` feature gate to be enabled. 
At this moment, it supports only - # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`, - # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. - enableBridgingMode: false - - # Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the - # datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. - # It affects Pods running on Linux Nodes only. - disableTXChecksumOffload: false - - # Default MTU to use for the host gateway interface and the network interface of each Pod. - # If omitted, antrea-agent will discover the MTU of the Node's primary interface and - # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). - defaultMTU: 0 - - # wireGuard specifies WireGuard related configurations. - wireGuard: - # The port for WireGuard to receive traffic. - port: 51820 - - egress: - # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. - exceptCIDRs: - - # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be - # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When - # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. - serviceCIDR: "" - - # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack - # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by - # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. - # No default value for this field. - serviceCIDRv6: "" - - # The port for the antrea-agent APIServer to serve on. - # Note that if it's set to another value, the `containerPort` of the `api` port of the - # `antrea-agent` container must be set to the same value. 
- apiPort: 10350 - - # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. - enablePrometheusMetrics: true - - # Provide the IPFIX collector address as a string with format :[][:]. - # HOST can either be the DNS name or the IP of the Flow Collector. For example, - # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect - # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. - # However, IPv6 address should be wrapped with []. - # If PORT is empty, we default to 4739, the standard IPFIX port. - # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and - # "udp" protocols. "tls" is used for securing communication between flow exporter and - # flow aggregator. - flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" - - # Provide flow poll interval as a duration string. This determines how often the - # flow exporter dumps connections from the conntrack module. Flow poll interval - # should be greater than or equal to 1s (one second). - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - flowPollInterval: "5s" - - # Provide the active flow export timeout, which is the timeout after which a flow - # record is sent to the collector for active flows. Thus, for flows with a continuous - # stream of packets, a flow record will be exported to the collector once the elapsed - # time since the last export event is equal to the value of this timeout. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - activeFlowExportTimeout: "5s" - - # Provide the idle flow export timeout, which is the timeout after which a flow - # record is sent to the collector for idle flows. A flow is considered idle if no - # packet matching this flow has been observed since the last export event. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
- idleFlowExportTimeout: "15s" - - nodePortLocal: - # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To - # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature - # gate is also enabled (which is the default). - enable: false - # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port - # from that range will be assigned whenever a Pod's container defines a specific port to be exposed - # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic - # directed to that port will be forwarded to the Pod. - portRange: "61000-62000" - - # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. - # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. - kubeAPIServerOverride: "" - - # Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy. - # Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53, - # [fd00:10:96::a]:53). - dnsServerOverride: "" - - # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. - # https://golang.org/pkg/crypto/tls/#pkg-constants - # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always - # prefer TLS1.3 Cipher Suites whenever possible. - tlsCipherSuites: "" - - # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - tlsMinVersion: "" - - # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes. - # If there are multiple IP addresses configured on the interface, the first one is used. 
The IP - # address used for tunneling or routing traffic to remote Nodes is decided in the following order of - # preference (from highest to lowest): - # 1. transportInterface - # 2. transportInterfaceCIDRs - # 3. The Node IP - transportInterface: "" - - multicast: - # The names of the interfaces on Nodes that are used to forward multicast traffic. - # Defaults to transport interface if not set. - multicastInterfaces: - - # The interval at which the antrea-agent sends IGMP queries to Pods. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - igmpQueryInterval: "125s" - - # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across - # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The - # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of - # preference (from highest to lowest): - # 1. transportInterface - # 2. transportInterfaceCIDRs - # 3. The Node IP - transportInterfaceCIDRs: - - # Option antreaProxy contains AntreaProxy related configuration options. - antreaProxy: - # ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic, - # regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy - # feature to be enabled. - # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access - # apiserver directly. - proxyAll: false - # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks. - # (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses. - # Note that the option is only valid when proxyAll is true. 
- nodePortAddresses: - # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these - # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name - # with Namespace (e.g. kube-system/kube-dns) - skipServices: - # When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the - # External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional - # capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the - # external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy. - # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and - # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic. - proxyLoadBalancerIPs: true - - # IPsec tunnel related configurations. - ipsec: - # The authentication mode of IPsec tunnel. It has the following options: - # - psk (default): Use pre-shared key (PSK) for IKE authentication. - # - cert: Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth` - # feature gate to be enabled. - authenticationMode: "psk" - - multicluster: - # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. - # This feature is supported only with encap mode. - enable: false - # The Namespace where Antrea Multi-cluster Controller is running. - # The default is antrea-agent's Namespace. 
- namespace: "" - antrea-cni.conflist: | - { - "cniVersion":"0.3.0", - "name": "antrea", - "plugins": [ - { - "type": "antrea", - "ipam": { - "type": "host-local" - } - } - , - { - "type": "portmap", - "capabilities": {"portMappings": true} - } - , - { - "type": "bandwidth", - "capabilities": {"bandwidth": true} - } - ] - } - antrea-controller.conf: | - # FeatureGates is a map of feature names to bools that enable or disable experimental features. - featureGates: - # Enable traceflow which provides packet tracing feature to diagnose network issue. - # Traceflow: true - - # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins - # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy - # feature that supports priorities, rule actions and externalEntities in the future. - # AntreaPolicy: true - - # Enable collecting and exposing NetworkPolicy statistics. - # NetworkPolicyStats: true - - # Enable multicast traffic. This feature is supported only with noEncap mode. - # Multicast: false - - # Enable controlling SNAT IPs of Pod egress traffic. - # Egress: true - - # Run Kubernetes NodeIPAMController with Antrea. - # NodeIPAM: false - - # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the - # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for - # IPAM when configuring secondary network interfaces with Multus. - # AntreaIPAM: false - - # Enable managing external IPs of Services of LoadBalancer type. - # ServiceExternalIP: false - - # Enable certificated-based authentication for IPsec. - # IPsecCertAuth: false - - # The port for the antrea-controller APIServer to serve on. - # Note that if it's set to another value, the `containerPort` of the `api` port of the - # `antrea-controller` container must be set to the same value. - apiPort: 10349 - - # Enable metrics exposure via Prometheus. 
Initializes Prometheus metrics listener. - enablePrometheusMetrics: true - - # Indicates whether to use auto-generated self-signed TLS certificate. - # If false, a Secret named "antrea-controller-tls" must be provided with the following keys: - # ca.crt: - # tls.crt: - # tls.key: - selfSignedCert: true - - # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. - # https://golang.org/pkg/crypto/tls/#pkg-constants - # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always - # prefer TLS1.3 Cipher Suites whenever possible. - tlsCipherSuites: "" - - # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - tlsMinVersion: "" - - nodeIPAM: - # Enable the integrated Node IPAM controller within the Antrea controller. - enableNodeIPAM: false - # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. - # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. - # Value ignored when enableNodeIPAM is false. - clusterCIDRs: - # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. - # Value ignored when enableNodeIPAM is false. - serviceCIDR: "" - serviceCIDRv6: "" - # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false - # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. - nodeCIDRMaskSizeIPv4: 24 - # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false - # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. - nodeCIDRMaskSizeIPv6: 64 - - ipsecCSRSigner: - # Determines the auto-approve policy of Antrea CSR signer for IPsec certificates management. 
- # If enabled, Antrea will auto-approve the CertificateSingingRequest (CSR) if its subject and x509 extensions - # are permitted, and the requestor can be validated. If K8s `BoundServiceAccountTokenVolume` feature is enabled, - # the Pod identity will also be validated to provide maximum security. - # If set to false, Antrea will not auto-approve CertificateSingingRequests and they need to be approved - # manually by `kubectl certificate approve`. - autoApprove: true - # Indicates whether to use auto-generated self-signed CA certificate. - # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys: - # tls.crt: - # tls.key: - selfSignedCA: true ---- -# Source: antrea/templates/crds/antreaagentinfo.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: antreaagentinfos.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - additionalPrinterColumns: - - description: Health status of this Agent - jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status" - name: Healthy - type: string - - description: Last time the Healthy Condition was updated - jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime" - name: Last Heartbeat - type: date - - description: Version of this Agent - jsonPath: ".version" - name: Version - type: string - priority: 1 - - description: Node on which this Agent is running - jsonPath: ".nodeRef.name" - name: Node - type: string - priority: 1 - - description: Number of local Pods managed by this Agent - jsonPath: ".localPodNum" - name: Num Pods - type: integer - priority: 2 - - description: Subnets used by this Agent for Pod IPAM - jsonPath: ".nodeSubnets" - name: Subnets - type: string - priority: 2 - scope: Cluster - names: - plural: antreaagentinfos - singular: antreaagentinfo - kind: 
AntreaAgentInfo - shortNames: - - aai ---- -# Source: antrea/templates/crds/antreacontrollerinfo.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: antreacontrollerinfos.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - additionalPrinterColumns: - - description: Health status of the Controller - jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status" - name: Healthy - type: string - - description: Last time the Healthy Condition was updated - jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime" - name: Last Heartbeat - type: date - - description: Version of the Controller - jsonPath: ".version" - name: Version - type: string - priority: 1 - - description: Number of Agents connected to the Controller - jsonPath: ".connectedAgentNum" - name: Connected Agents - type: integer - priority: 1 - - description: Node on which the Controller is running - jsonPath: ".nodeRef.name" - name: Node - type: string - priority: 1 - - description: Number of Network Policies computed by Controller - jsonPath: ".networkPolicyControllerInfo.networkPolicyNum" - name: Num Network Policies - type: integer - priority: 2 - scope: Cluster - names: - plural: antreacontrollerinfos - singular: antreacontrollerinfo - kind: AntreaControllerInfo - shortNames: - - aci ---- -# Source: antrea/templates/crds/clustergroup.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: clustergroups.crd.antrea.io + name: clustergroups.crd.antrea.io labels: app: antrea spec: @@ -825,8 +373,9 @@ spec: kind: ClusterGroup shortNames: - cg + --- -# Source: antrea/templates/crds/clusternetworkpolicy.yaml +# Source: crds/clusternetworkpolicy.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
@@ -1434,8 +983,9 @@ spec: kind: ClusterNetworkPolicy shortNames: - acnp + --- -# Source: antrea/templates/crds/egress.yaml +# Source: crds/egress.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -1548,8 +1098,9 @@ spec: kind: Egress shortNames: - eg + --- -# Source: antrea/templates/crds/externalentity.yaml +# Source: crds/externalentity.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -1608,8 +1159,9 @@ spec: kind: ExternalEntity shortNames: - ee + --- -# Source: antrea/templates/crds/externalippool.yaml +# Source: crds/externalippool.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -1713,8 +1265,9 @@ spec: kind: ExternalIPPool shortNames: - eip + --- -# Source: antrea/templates/crds/ippool.yaml +# Source: crds/ippool.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -1827,8 +1380,9 @@ spec: kind: IPPool shortNames: - ipp + --- -# Source: antrea/templates/crds/networkpolicy.yaml +# Source: crds/networkpolicy.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -2337,8 +1891,9 @@ spec: kind: NetworkPolicy shortNames: - anp + --- -# Source: antrea/templates/crds/tier.yaml +# Source: crds/tier.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -2381,8 +1936,9 @@ spec: kind: Tier shortNames: - tr + --- -# Source: antrea/templates/crds/traceflow.yaml +# Source: crds/traceflow.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -2634,8 +2190,9 @@ spec: kind: Traceflow shortNames: - tf + --- -# Source: antrea/templates/crds/trafficcontrol.yaml +# Source: crds/trafficcontrol.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
@@ -2919,6 +2476,461 @@ spec: kind: TrafficControl shortNames: - tc + +--- +# Source: antrea/templates/agent/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antrea-agent + namespace: kube-system + labels: + app: antrea +--- +# Source: antrea/templates/antctl/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antctl + namespace: kube-system + labels: + app: antrea +--- +# Source: antrea/templates/controller/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antrea-controller + namespace: kube-system + labels: + app: antrea +--- +# Source: antrea/templates/agent/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: antrea-agent-service-account-token + namespace: kube-system + annotations: + kubernetes.io/service-account.name: antrea-agent +type: kubernetes.io/service-account-token +--- +# Source: antrea/templates/antctl/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: antctl-service-account-token + namespace: kube-system + annotations: + kubernetes.io/service-account.name: antctl +type: kubernetes.io/service-account-token +--- +# Source: antrea/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: antrea-config + namespace: kube-system + labels: + app: antrea +data: + antrea-agent.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. + # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on + # Service traffic. + # AntreaProxy: true + + # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice + # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, + # this flag will not take effect. 
+ # EndpointSlice: false + + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable NodePortLocal feature to make the Pods reachable externally through NodePort + # NodePortLocal: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each + # agent to a configured collector. + # FlowExporter: false + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: true + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: true + + # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the + # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for + # IPAM when configuring secondary network interfaces with Multus. + # AntreaIPAM: false + + # Enable multicast traffic. This feature is supported only with noEncap mode. + # Multicast: false + + # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. + # This feature is supported only with encap mode. + # Multicluster: false + + # Enable support for provisioning secondary network interfaces for Pods (using + # Pod annotations). At the moment, Antrea can only create secondary network + # interfaces using SR-IOV VFs on baremetal Nodes. + # SecondaryNetwork: false + + # Enable managing external IPs of Services of LoadBalancer type. + # ServiceExternalIP: false + + # Enable mirroring or redirecting the traffic Pods send or receive. + # TrafficControl: false + + # Enable certificated-based authentication for IPsec. 
+ # IPsecCertAuth: false + + # Name of the OpenVSwitch bridge antrea-agent will create and use. + # Make sure it doesn't conflict with your existing OpenVSwitch bridges. + ovsBridge: "br-int" + + # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: + # - system + # - netdev + # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run + # OVS in userspace mode. Userspace mode requires the tun device driver to be available. + #ovsDatapathType: system + + # Name of the interface antrea-agent will create and use for host <--> pod communication. + # Make sure it doesn't conflict with your existing interfaces. + hostGateway: "antrea-gw0" + + # Determines how traffic is encapsulated. It has the following options: + # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network + # traffic is SNAT'd. + # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is + # SNAT'd if noSNAT is not set to true. Underlying network must be capable of + # supporting Pod traffic across IP subnets. + # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. + # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod + # IPAM and connectivity to the primary CNI. + # + trafficEncapMode: "encap" + + # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. + # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap + # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to + # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never + # performs SNAT and this option will be ignored; for other modes it must be set to false. + noSNAT: false + + # Tunnel protocols used for encapsulating traffic across Nodes. 
If WireGuard is enabled in trafficEncryptionMode, + # this option will not take effect. Supported values: + # - geneve (default) + # - vxlan + # - gre + # - stt + # Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters). + tunnelType: "geneve" + + # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode. + # It has the following options: + # - none (default): Inter-node Pod traffic will not be encrypted. + # - ipsec: Enable IPsec (ESP) encryption for Pod traffic across Nodes. Antrea uses + # Preshared Key (PSK) for IKE authentication. When IPsec tunnel is enabled, + # the PSK value must be passed to Antrea Agent through an environment + # variable: ANTREA_IPSEC_PSK. + # - wireGuard: Enable WireGuard for tunnel traffic encryption. + trafficEncryptionMode: "none" + + # Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected + # to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are + # allocated by AntreaIPAM from IPPools) is sent to the underlay network, and forwarded/routed by the + # underlay network. + # This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only + # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`, + # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. + enableBridgingMode: false + + # Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the + # datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. + # It affects Pods running on Linux Nodes only. + disableTXChecksumOffload: false + + # Default MTU to use for the host gateway interface and the network interface of each Pod. 
+ # If omitted, antrea-agent will discover the MTU of the Node's primary interface and + # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). + defaultMTU: 0 + + # wireGuard specifies WireGuard related configurations. + wireGuard: + # The port for WireGuard to receive traffic. + port: 51820 + + egress: + # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. + exceptCIDRs: + + # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be + # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When + # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. + serviceCIDR: "" + + # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack + # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by + # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. + # No default value for this field. + serviceCIDRv6: "" + + # The port for the antrea-agent APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-agent` container must be set to the same value. + apiPort: 10350 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + enablePrometheusMetrics: true + + # Provide the IPFIX collector address as a string with format :[][:]. + # HOST can either be the DNS name or the IP of the Flow Collector. For example, + # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect + # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. + # However, IPv6 address should be wrapped with []. + # If PORT is empty, we default to 4739, the standard IPFIX port. + # If no PROTO is given, we consider "tls" as default. 
We support "tls", "tcp" and + # "udp" protocols. "tls" is used for securing communication between flow exporter and + # flow aggregator. + flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" + + # Provide flow poll interval as a duration string. This determines how often the + # flow exporter dumps connections from the conntrack module. Flow poll interval + # should be greater than or equal to 1s (one second). + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + flowPollInterval: "5s" + + # Provide the active flow export timeout, which is the timeout after which a flow + # record is sent to the collector for active flows. Thus, for flows with a continuous + # stream of packets, a flow record will be exported to the collector once the elapsed + # time since the last export event is equal to the value of this timeout. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + activeFlowExportTimeout: "5s" + + # Provide the idle flow export timeout, which is the timeout after which a flow + # record is sent to the collector for idle flows. A flow is considered idle if no + # packet matching this flow has been observed since the last export event. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + idleFlowExportTimeout: "15s" + + nodePortLocal: + # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To + # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature + # gate is also enabled (which is the default). + enable: false + # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port + # from that range will be assigned whenever a Pod's container defines a specific port to be exposed + # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic + # directed to that port will be forwarded to the Pod. 
+ portRange: "61000-62000" + + # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. + # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. + kubeAPIServerOverride: "" + + # Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy. + # Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53, + # [fd00:10:96::a]:53). + dnsServerOverride: "" + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + tlsCipherSuites: "" + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + tlsMinVersion: "" + + # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes. + # If there are multiple IP addresses configured on the interface, the first one is used. The IP + # address used for tunneling or routing traffic to remote Nodes is decided in the following order of + # preference (from highest to lowest): + # 1. transportInterface + # 2. transportInterfaceCIDRs + # 3. The Node IP + transportInterface: "" + + multicast: + # The names of the interfaces on Nodes that are used to forward multicast traffic. + # Defaults to transport interface if not set. + multicastInterfaces: + + # The interval at which the antrea-agent sends IGMP queries to Pods. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + igmpQueryInterval: "125s" + + # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across + # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. 
The
+ # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of
+ # preference (from highest to lowest):
+ # 1. transportInterface
+ # 2. transportInterfaceCIDRs
+ # 3. The Node IP
+ transportInterfaceCIDRs:
+
+ # Option antreaProxy contains AntreaProxy related configuration options.
+ antreaProxy:
+ # ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic,
+ # regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy
+ # feature to be enabled.
+ # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access
+ # apiserver directly.
+ proxyAll: false
+ # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks.
+ # (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses.
+ # Note that the option is only valid when proxyAll is true.
+ nodePortAddresses:
+ # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these
+ # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name
+ # with Namespace (e.g. kube-system/kube-dns)
+ skipServices:
+ # When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the
+ # External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional
+ # capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the
+ # external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy.
+ # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and
+ # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic.
+ proxyLoadBalancerIPs: true
+
+ # IPsec tunnel related configurations.
+ ipsec:
+ # The authentication mode of IPsec tunnel. It has the following options:
+ # - psk (default): Use pre-shared key (PSK) for IKE authentication.
+ # - cert: Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth`
+ # feature gate to be enabled.
+ authenticationMode: "psk"
+
+ multicluster:
+ # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic.
+ # This feature is supported only with encap mode.
+ enable: false
+ # The Namespace where Antrea Multi-cluster Controller is running.
+ # The default is antrea-agent's Namespace.
+ namespace: ""
+ antrea-cni.conflist: |
+ {
+ "cniVersion":"0.3.0",
+ "name": "antrea",
+ "plugins": [
+ {
+ "type": "antrea",
+ "ipam": {
+ "type": "host-local"
+ }
+ }
+ ,
+ {
+ "type": "portmap",
+ "capabilities": {"portMappings": true}
+ }
+ ,
+ {
+ "type": "bandwidth",
+ "capabilities": {"bandwidth": true}
+ }
+ ]
+ }
+ antrea-controller.conf: |
+ # FeatureGates is a map of feature names to bools that enable or disable experimental features.
+ featureGates:
+ # Enable traceflow which provides packet tracing feature to diagnose network issue.
+ # Traceflow: true
+
+ # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins
+ # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy
+ # feature that supports priorities, rule actions and externalEntities in the future.
+ # AntreaPolicy: true
+
+ # Enable collecting and exposing NetworkPolicy statistics.
+ # NetworkPolicyStats: true
+
+ # Enable multicast traffic. This feature is supported only with noEncap mode.
+ # Multicast: false
+
+ # Enable controlling SNAT IPs of Pod egress traffic.
+ # Egress: true
+
+ # Run Kubernetes NodeIPAMController with Antrea.
+ # NodeIPAM: false
+
+ # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the
+ # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for
+ # IPAM when configuring secondary network interfaces with Multus.
+ # AntreaIPAM: false
+
+ # Enable managing external IPs of Services of LoadBalancer type.
+ # ServiceExternalIP: false
+
+ # Enable certificated-based authentication for IPsec.
+ # IPsecCertAuth: false
+
+ # The port for the antrea-controller APIServer to serve on.
+ # Note that if it's set to another value, the `containerPort` of the `api` port of the
+ # `antrea-controller` container must be set to the same value.
+ apiPort: 10349
+
+ # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
+ enablePrometheusMetrics: true
+
+ # Indicates whether to use auto-generated self-signed TLS certificate.
+ # If false, a Secret named "antrea-controller-tls" must be provided with the following keys:
+ # ca.crt:
+ # tls.crt:
+ # tls.key:
+ selfSignedCert: true
+
+ # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used.
+ # https://golang.org/pkg/crypto/tls/#pkg-constants
+ # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always
+ # prefer TLS1.3 Cipher Suites whenever possible.
+ tlsCipherSuites: ""
+
+ # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+ tlsMinVersion: ""
+
+ nodeIPAM:
+ # Enable the integrated Node IPAM controller within the Antrea controller.
+ enableNodeIPAM: false
+ # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges.
+ # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family.
+ # Value ignored when enableNodeIPAM is false.
+ clusterCIDRs:
+ # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs.
+ # Value ignored when enableNodeIPAM is false.
+ serviceCIDR: ""
+ serviceCIDRv6: ""
+ # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false
+ # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30.
+ nodeCIDRMaskSizeIPv4: 24
+ # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false
+ # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126.
+ nodeCIDRMaskSizeIPv6: 64
+
+ ipsecCSRSigner:
+ # Determines the auto-approve policy of Antrea CSR signer for IPsec certificates management.
+ # If enabled, Antrea will auto-approve the CertificateSingingRequest (CSR) if its subject and x509 extensions
+ # are permitted, and the requestor can be validated. If K8s `BoundServiceAccountTokenVolume` feature is enabled,
+ # the Pod identity will also be validated to provide maximum security.
+ # If set to false, Antrea will not auto-approve CertificateSingingRequests and they need to be approved
+ # manually by `kubectl certificate approve`.
+ autoApprove: true
+ # Indicates whether to use auto-generated self-signed CA certificate.
+ # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys:
+ # tls.crt:
+ # tls.key:
+ selfSignedCA: true
 ---
 # Source: antrea/templates/agent/clusterrole.yaml
 kind: ClusterRole
diff --git a/hack/generate-helm-release.sh b/hack/generate-helm-release.sh
new file mode 100755
index 00000000000..e3187cbf18e
--- /dev/null
+++ b/hack/generate-helm-release.sh
@@ -0,0 +1,93 @@
+#!/usr/bin/env bash
+
+# Copyright 2022 Antrea Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -eo pipefail
+
+function echoerr {
+ >&2 echo "$@"
+}
+
+_usage="Usage: $0 [--mode (dev|release)] --out
+Package the Antrea chart into a chart archive.
+Environment variable VERSION must be set.
+ --out Output path for chart archive
+ --help, -h Print this message and exit
+
+You can set the HELM environment variable to the path of the helm binary you want us to
+use. Otherwise we will download the appropriate version of the helm binary and use it."
+
+function print_usage {
+ echoerr "$_usage"
+}
+
+function print_help {
+ echoerr "Try '$0 --help' for more information."
+}
+
+MODE="dev"
+OUT=""
+
+while [[ $# -gt 0 ]]
+do
+key="$1"
+
+case $key in
+ --mode)
+ MODE="$2"
+ shift 2
+ ;;
+ --out)
+ OUT="$2"
+ shift 2
+ ;;
+ -h|--help)
+ print_usage
+ exit 0
+ ;;
+ *) # unknown option
+ echoerr "Unknown option $1"
+ exit 1
+ ;;
+esac
+done
+
+if [ -z "$VERSION" ]; then
+ echoerr "Environment variable VERSION must be set"
+ print_help
+ exit 1
+fi
+
+if [ "$OUT" == "" ]; then
+ echoerr "--out is required to provide output path"
+ print_help
+ exit 1
+fi
+
+THIS_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+
+source $THIS_DIR/verify-helm.sh
+
+if [ -z "$HELM" ]; then
+ HELM="$(verify_helm)"
+elif !
$HELM version > /dev/null 2>&1; then
+ echoerr "$HELM does not appear to be a valid helm binary"
+ print_help
+ exit 1
+fi
+
+ANTREA_CHART="$THIS_DIR/../build/charts/antrea"
+$HELM package --app-version $VERSION --version $VERSION $ANTREA_CHART
+mv "antrea-$VERSION.tgz" $OUT
diff --git a/hack/generate-manifest.sh b/hack/generate-manifest.sh
index e42924f3056..96362b0a0b3 100755
--- a/hack/generate-manifest.sh
+++ b/hack/generate-manifest.sh
@@ -430,7 +430,7 @@ done
 ANTREA_CHART="$THIS_DIR/../build/charts/antrea"
 # Suppress potential Helm warnings about invalid permissions for Kubeconfig file
 # by throwing away related warnings.
-$HELM template \
+$HELM template --include-crds \
 --namespace kube-system \
 $HELM_VALUES_OPTION \
 $HELM_VALUES_FILES_OPTION \
diff --git a/hack/generate-standard-manifests.sh b/hack/generate-standard-manifests.sh
index b9270c33a26..8fc80e0d3a3 100755
--- a/hack/generate-standard-manifests.sh
+++ b/hack/generate-standard-manifests.sh
@@ -23,7 +23,7 @@ function echoerr {
 _usage="Usage: $0 [--mode (dev|release)] --out Generate standard YAML manifests for Antrea using Helm and writes them to output directory. --mode (dev|release) Choose the configuration variant that you need (default is 'dev')
- --out Output directory for generated manifetss
+ --out Output directory for generated manifests
 --help, -h Print this message and exit In 'release' mode, environment variables IMG_NAME and IMG_TAG must be set.
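Review bot: `--mode` is parsed into `MODE` in the new script but `MODE` is never read afterwards, and the usage string advertises `[--mode (dev|release)]` without describing it, so the option is dead; either drop the `--mode)` case and the bracketed text, or make the package step depend on it. The last two lines expand `$VERSION`, `$ANTREA_CHART` and `$OUT` unquoted, so a path containing whitespace would be word-split; `$HELM package --app-version "$VERSION" --version "$VERSION" "$ANTREA_CHART"` and `mv "antrea-$VERSION.tgz" "$OUT"` avoid that. `helm package` writes `antrea-$VERSION.tgz` into the caller's working directory before the `mv`, so passing `--destination` with a temporary directory would keep the script from overwriting an unrelated file of that name. `verify_helm` comes from `verify-helm.sh`, which is not in this diff, so whether the helm binary it downloads is integrity-checked before being used to build a release asset cannot be confirmed from here.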
@@ -35,7 +35,7 @@ are the manifests that are checked-in into the Antrea source tree, and that are assets for each new Antrea release. This script looks for all the Helm values YAML files under /build/yamls/chart-values/, and generates the corresponding manifest for each one.
-You can set the HELM environment variable to the path of the helm binary you wan t us to
+You can set the HELM environment variable to the path of the helm binary you want us to
 use. Otherwise we will download the appropriate version of the helm binary and use it (this is the recommended approach since different versions of helm may create different output YAMLs)."
@@ -117,11 +117,11 @@ fi
 ANTREA_CHART="$THIS_DIR/../build/charts/antrea"
 VALUES_DIR="$THIS_DIR/../build/yamls/chart-values"
-VALUES_FILES=$(cd $VALUES_DIR && find * -type f -name "*.yml" )
+VALUES_FILES=$(cd $VALUES_DIR && find * -type f -name "*.yml")
 # Suppress potential Helm warnings about invalid permissions for Kubeconfig file
 # by throwing away related warnings.
 for values in $VALUES_FILES; do
- $HELM template \
+ $HELM template --include-crds \
 --namespace kube-system \
 -f "$VALUES_DIR/$values" \
 $EXTRA_VALUES \
@@ -129,3 +129,13 @@ for values in $VALUES_FILES; do
 > "$OUTPUT_DIR/$values" \
 2> >(grep -v 'This is insecure' >&2)
 done
+
+# We also generate a manifest which only includes CRD resources (all of them).
+# This is useful for Antrea upgrades when using Helm.
+CRD_FILES=$(cd $ANTREA_CHART/crds && find * -type f -name "*.yaml" | sort)
+CRD_OUTPUT_FILE="$OUTPUT_DIR/antrea-crds.yml"
+rm -f "$CRD_OUTPUT_FILE"
+for crd in $CRD_FILES; do
+ echo "---" >> "$CRD_OUTPUT_FILE"
+ cat "$ANTREA_CHART/crds/$crd" >> "$CRD_OUTPUT_FILE"
+done
diff --git a/hack/release/prepare-assets.sh b/hack/release/prepare-assets.sh
index eec9ab6249b..91480e4facb 100755
--- a/hack/release/prepare-assets.sh
+++ b/hack/release/prepare-assets.sh
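Review bot: The CRD concatenation loop in the last hunk assumes every file under `crds/` ends with a newline; if one does not, the next `echo "---"` is appended to that file's last line and the document separator is lost. Adding `echo >> "$CRD_OUTPUT_FILE"` after the `cat` line makes the separator independent of the input files. `cd $ANTREA_CHART/crds` is unquoted and `find *` errors out on an empty directory instead of yielding an empty list; `CRD_FILES=$(cd "$ANTREA_CHART/crds" && find . -type f -name "*.yaml" | sort)` handles both, and the later `cat` path still resolves with the `./` prefix.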
@@ -90,5 +90,11 @@ cd multicluster
 ./hack/generate-manifest.sh -g > "$OUTPUT_DIR"/antrea-multicluster-leader-global.yml
 ./hack/generate-manifest.sh -r -l antrea-multicluster > "$OUTPUT_DIR"/antrea-multicluster-leader-namespaced.yml
 ./hack/generate-manifest.sh -r -m > "$OUTPUT_DIR"/antrea-multicluster-member.yml
+cd -
+
+# Package the Antrea chart
+# We need to strip the leading "v" from the version string to ensure that we use
+# a valid SemVer 2 version.
+VERSION=${VERSION:1} ./hack/generate-helm-release.sh --out "$OUTPUT_DIR/antrea-chart.tgz"
 ls "$OUTPUT_DIR" | cat
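Review bot: `VERSION=${VERSION:1}` removes the first character whatever it is, so if `VERSION` ever arrives without the leading `v` the comment describes, the chart is packaged with a truncated version; `VERSION=${VERSION#v}` strips the prefix only when present and states the intent in code. `cd -` prints the directory it returns to on stdout, which will interleave with the `ls "$OUTPUT_DIR" | cat` output at the end of the script; `cd - > /dev/null` keeps the output clean. Where `VERSION` is set is outside this hunk, so I can't tell whether the `v` prefix is already guaranteed upstream.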