Release v0.6.0

Added

• Expose Prometheus metrics for Agent and Controller using the "/metrics" apiserver endpoint; "enablePrometheusMetrics" must be set to true in configuration.
• Add documentation for deploying Prometheus and scraping Antrea metrics, along with sample YAML manifest.
• Install portmap CNI by default in order to support Pods with "hostPort" set.
• Support configurable ports for Agent and Controller apiservers.
• Set default CPU resource requests for Antrea components in YAML manifest.
• Add "/ovsflows" API endpoint to Agent to query OVS flows and "antctl get ovsflows" command; flows can be filtered by Pod / NetworkPolicy / OVS Table.
• Improvements to "/networkpolicies" API endpoint and "antctl get networkpolicies" command:
  • namespace and name parameters to filter policies
  • ability to get NetworkPolicies applied to a Pod (Agent API only)
• Add object type aliases to antctl (plural form and short alias).
• Document known issues when deploying Antrea on Photon OS or CoreOS.

Changed

• Add authentication to Agent apiserver to enable external access (from outside of Agent Pod), and generate bearer token for local access instead of delegating authentication to K8s apiserver.
• Send Agent and Controller logs to /var/log/antrea/ on the host as well as stderr.
• Make "table" output format the default for antctl get commands.
• Use custom formatter for logs originating from ofnet / libOpenflow (which use the logrus module) to mimic K8s log format.
• Use Go cross compilation support for "make bin": Antrea Linux binaries can now be built on other OS's.
• Ensure that OVS bridge datapath type is correct when Agent starts.

Fixed

• Acquire xtables.lock before executing iptables-restore in Agent to avoid initialization error when kube-proxy uses iptables concurrently.
• Start ovs-vswitchd with flow-restore-wait config (only for OVS system datapath type) to avoid conntrack issues after antrea-ovs restarts; this could also reduce downtime during upgrades.
• Fix monitoring CRDs update: recover gracefully from transient errors.
• Handle DeletedFinalStateUnknown in NetworkPolicy Controller to avoid crashes when a watch deletion event is missed, e.g. because of a transient connectivity issue to the K8s apiserver.

Release v0.5.1

Changed

• Remove performance bottleneck during NetworkPolicy computation in the Controller: add namespace-based indexers to quickly determine which internal objects need to be updated when a Pod is added / deleted.

Fixed

• Fix implementation of deny-all egress policy (no egress traffic should be allowed for any Pod to which the policy is applied).
• Fix antctl segfault when kubeconfig cannot be resolved and print error instead.

Release v0.5.0-rc.1

This is a release candidate for Antrea v0.5.0.

Its main purpose it to test the updated release process (automatic upload of assets) for Antrea.

Release v0.5.0

Added

• Add "networkPolicyOnly" as a new "encapsulation mode": in this mode Antrea enforces NetworkPolicies with OVS, but is not in charge of forwarding.
• Support for running Antrea in EKS and GKE clusters; refer to the documentation.
• New antctl "get" commands:
  • in "agent mode": addressgroup, agentinfo, appliedtogroup, networkpolicy, podinterface
  • in "controller mode": addressgroup, appliedtogroup, controllerinfo, networkpolicy
• Support for a user-friendly "table" output format for antctl "get" commands.
• Add health checks to Antrea components by leveraging the apiserver /healthz endpoint (both the Antrea Agent and Controller are running an apiserver).
• Add documentation for connecting to the Antrea Agent or Controller apiserver, in order to check the resources created by Antrea.
• Ship antctl binaries as part of each release for different OS / CPU combinations: antctl-linux-x86_64, antctl-linux-arm, antctl-linux-arm64, antctl-windows-x86_64.exe, antctl-darwin-x86_64.
• Add documentation for antctl installation and usage.

Changed

• Refactor antctl: most notable change is that the Antrea Agent now runs its own apiserver which the antctl CLI can connect to.
• Improve NetworkPolicy logging; in particular an Agent now logs (by default) a message when it receives a new NetworkPolicy that needs to be implemented locally.
• Upgrade OVS to version 2.13.0, which comes with userspace datapath improvements useful when running Antrea in Kind.
• Use ipset in iptables to match Pod-to-external traffic, which improves performance.
• Replace "beta.kubernetes.io/os" annotation (no longer supported in K8s 1.18) with "kubernetes.io/os".
• Enable running antctl from within the Antrea Controller Pod (by binding the antctl ClusterRrole to the antrea-controller ServiceAccount).

Fixed

• Cancel ongoing OpenFlow bundle if switch disconnects, to prevent deadlock when replaying flows after a restart of the antrea-ovs container.
• Keep trying to reconnect to OVS switch indefinitely after a disconnection, instead of giving up after 5 seconds.
• Backport post-2.13 patch to OVS to avoid tunnel port deletion when the antrea-ovs container exits gracefully.
• Reduce memory usage of Antrea Controller when an Agent establishes a connection.
• Clean-up the appropriate iptables rules when a Node leaves the cluster.

Release v0.4.1

Fixed

• Fix issues with IPsec support, which was broken in 0.4.0:
  • reduce MTU when IPsec is enabled to accommodate for IPsec overhead
  • add required flows to accept traffic received from IPsec tunnels
• Check and update (if needed) the type of the default tunnel port (tun0) after Agent starts.
• Fix race condition when the same OF port is reused for a new Pod.

Release v0.4.0

Added

• Add support for new encapsulation modes: noEncap (inter-Node Pod traffic is never encapsulated) and hybrid (inter-Node Pod traffic is only encapsulated if Nodes are not on the same subnet).
• Add support for "named ports" to Network Policy implementation.
• Add user documentation for IPsec support.
• Add antctl "agent-info" command: command must be run from within the Agent container and will display information about the Agent (Node subnet, OVS bridge information, ...).
• Add support for new "table" output mode to antctl.

Changed

• Changes in OpenFlow client:
  • use OpenFlow "bundle" to install related Network Policy flows as part of the same transaction
  • use flow-based tunnelling even when IPsec encryption is enabled
• Use patched OVS version in Antrea Docker image to avoid cleaning-up datapath flows on graceful antrea-ovs container exit.
• Reduce amount of Antrea Controller logs when computing Network Policies.

Fixed

• Fix bug in the Agent that caused some Network Policies not to be enforced properly: for some flows the agent would overwrite existing conjunctive actions instead of adding new actions to the existing flow. This can notably happen when using a /32 ipBlock CIDR to select sources / destinations.
• Install loopback plugin on Nodes if missing, from the Agent's initContainer.
• Remove unnecessary periodical resync in Antrea K8s controllers to avoid overhead at scale.

Release v0.3.0

Added

• Add support for the IPsec ESP protocol for GRE tunnels only; it can be enabled by applying antrea-ipsec.yml instead of antrea.yml.
• Add framework to develop CLI commands for Antrea; the antctl binary only supports the "version" command at the moment.
• Add octant/octant-antrea-ubuntu Docker image to dockerhub for easier deployment of Octant with the Antrea plugin.
• Add OpenFlow and OVSDB connection health information to the Agent's monitoring CRD.
• Add Network Policy information to monitoring CRDs for both the Agent and the Controller.
• Add documentation for OVS pipeline.

Changed

• Change API group namings (for CRDs and Network Policies) from "crd.antrea.io" to "antrea.tanzu.vmware.com" and from "networkpolicy.antrea.io" to "networking.antrea.tanzu.vmware.com".
• Changes in OpenFlow client:
  • use OpenFlow "bundle" to install related flows as part of the same transaction (except for Network Policy flows)
  • all flows now have a cookie indicating their purpose (e.g. Pod flow) and encoding the Agent round number (which is incremented with every antrea-agent restart and persisted in OVSDB)
• Update to "Antrea on Kind" documentation to indicate that macOS hosts are also supported.

Fixed

• Support NodePort services with externalTrafficPolicy set to Local.
• Mount xtables lock file to antrea-agent container to prevent concurrent iptables access by Antrea and kube-proxy.
• Replay flows to OVS switch after an OpenFlow reconnection (as it may indicate that vswitchd restarted and existing flows were deleted).
• Cleanup stale gateway routes (in host routing table) and tunnel ports (in OVSDB) on Agent startup.
• Cleanup stale flows in OVS switch on Agent startup.
• Improve the robustness of CNI DEL processing: cleanup resources even if provided container netns is no longer valid.
• Fix distribution of Network Polcies at scale: buffer size of the watchers channel is increased and unresponsive watchers (i.e. Agents) are terminated.

Release v0.2.0

The Monitoring CRDs feature is graduated from Alpha to Beta.

Added

• Add "Last Hearbeat Time" to Octant plugin to visualize the last time the Agent / Controller reported its status.
• Add OVS version to Agent's monitoring CRD.
• Add instructions to run Octant and the Antrea plugin either in a Pod or as a process. A Dockerfile and YAML manifest are included for deploying Octant as a Pod.
• Support for GRE and STT tunnels for the Pod overlay network.

Changed

• Use libOpenflow Go library to manage OVS flows instead of ovs-ofctl binary.
• Minor changes to the OVS pipeline, in particular to fix issues when using the netdev OVS datapath type.
• Officially-supported Go version is no longer 1.12 but 1.13.

Fixed

• Allow the Node to reach all local Pods to support liveness probes even in the presence of Network Policies.
• Network Policy fixes:
  • fix implementation of Network Policies with multiple ingress / egress rules
  • support "except" field for "ipBlock" selectors
  • fix support for default policies
  • faster Network Policy enforcement by letting the CNI server notify the Agent's Network Policy controller when Pods are created
  • fix race condition that sometimes caused Network Policy span not to be updated properly and the Network Policy not to be disseminated to Nodes properly
  • ignore policy rules using named ports instead of allowing all traffic
• Remove stale Agent CRDs from the Controller: the Controller watches the Node list and removes the appropriate Agent CRD when a Node is deleted from the cluster.

Release v0.1.1

Fixed

• Find host-local IPAM plugin even when kubelet is started with custom cni-bin-dir.
• Ensure that the Gratuitous ARP sent after adding container interface is not dropped. This ensures we can pass Kubernetes conformance tests reliably.
• Fix Kind support on Linux hosts.

Release v0.1.0-rc.2

This is a release candidate for Antrea v0.1.0.

Its main purpose it to test the release process for Antrea.