Releases: antrea-io/antrea

Antrea v1.14.3

29 Mar 04:40

Changed

  • Stop using projects.registry.vmware.com for user-facing images. (#6073, @antoninbas)
  • Persist TLS certificate and key of antrea-controller and periodically sync the CA cert to improve robustness. (#5955, @tnqn)
  • Disable cgo for all Antrea binaries. (#5988, @antoninbas)

Fixed

  • Disable libcapng to make logrotate run as root in UBI images to fix an OVS crash issue. (#6052, @xliuxu)
  • Fix nil pointer dereference when ClusterGroup/Group is used in NetworkPolicy controller. (#6077, @tnqn)
  • Fix race condition in agent Traceflow controller when a tag is associated again with a new Traceflow before the old Traceflow deletion event is processed. (#5954, @tnqn)
  • Change the maximum flags from 7 to 255 to fix the wrong TCP flags validation issue in Traceflow CRD. (#6050, @gran-vmv)
  • Update maximum number of buckets to 700 in OVS group add/insert_bucket message. (#5942, @hongliangl)
  • Use 65000 MTU upper bound for interfaces in encap mode in case of large packets being dropped unexpectedly. (#5997, @antoninbas)

Antrea v1.15.1

25 Mar 08:14

Changed

  • Stop using projects.registry.vmware.com for user-facing images. (#6073, @antoninbas)
  • Persist TLS certificate and key of antrea-controller and periodically sync the CA cert to improve robustness. (#5955, @tnqn)
  • Disable cgo for all Antrea binaries. (#5988, @antoninbas)

Fixed

  • Disable libcapng to make logrotate run as root in UBI images to fix an OVS crash issue. (#6052, @xliuxu)
  • Fix nil pointer dereference when ClusterGroup/Group is used in NetworkPolicy controller. (#6077, @tnqn)
  • Fix race condition in agent Traceflow controller when a tag is associated again with a new Traceflow before the old Traceflow deletion event is processed. (#5954, @tnqn)
  • Change the maximum flags from 7 to 255 to fix the wrong TCP flags validation issue in Traceflow CRD. (#6050, @gran-vmv)
  • Update maximum number of buckets to 700 in OVS group add/insert_bucket message. (#5942, @hongliangl)
  • Use 65000 MTU upper bound for interfaces in encap mode in case of large packets being dropped unexpectedly. (#5997, @antoninbas)
  • Skip loading openvswitch kernel module if it's already built-in. (#5979, @antoninbas)

Antrea v1.15.0

27 Jan 01:53

Added

  • Support Egress using IPs from a subnet that is different from the default Node subnet. (#5799, @tnqn)
    • Refer to this document for more information about this feature.
  • Add a migration tool to support migrating from other CNIs to Antrea. (#5677, @hjiajing)
  • Add L7 network flow export support in Antrea that enables exporting network flows with L7 protocol information. (#5218, @tushartathgur)
    • Refer to this document for more information about this feature.
  • Add a new feature NodeNetworkPolicy that allows users to apply ClusterNetworkPolicy to Kubernetes Nodes. (#5658 #5716, @hongliangl @Atish-iaf)
    • Refer to this document for more information about this feature.
  • Add Antrea flexible IPAM support for the Multicast feature. (#4922, @ceclinux)
  • Support Talos clusters to run Antrea as the CNI, and add Talos to the K8s installers document. (#5718 #5766, @antoninbas)
  • Support secondary network when the network configuration in NetworkAttachmentDefinition does not include IPAM configuration. (#5762, @jianjuns)
  • Add instructions to install Antrea in encap mode in AKS. (#5901, @antoninbas)

Changed

  • Change secondary network Pod controller to subscribe to CNIServer events to support bridging and VLAN network. (#5767, @jianjuns)
  • Use Antrea IPAM for secondary network support. (#5427, @jianjuns)
  • Create different images for antrea-agent and antrea-controller to minimize the overall image size, speeding up the startup of both antrea-agent and antrea-controller. (#5856 #5902 #5903, @jainpulkit22)
  • Don't create tunnel interface (antrea-tun0) when using Wireguard encryption mode. (#5885 #5909, @antoninbas)
  • Record an event when Egress IP assignment changes for better troubleshooting. (#5765, @jainpulkit22)
  • Update Windows documentation with clearer installation guide and instructions. (#5789, @antoninbas)
  • Enable IPv4/IPv6 forwarding on demand automatically to eliminate the need for user intervention or dependencies on other components. (#5833, @tnqn)
  • Add ability to skip loading kernel modules in antrea-agent to support some specialized distributions (e.g.: Talos). (#5754, @antoninbas)
  • Add NetworkPolicy rule name in Traceflow observation. (#5667, @Atish-iaf)
  • Use Traceflow API v1beta1 instead of the deprecated API version in antctl traceflow. (#5689, @Atish-iaf)
  • Replace net.IP with netip.Addr in FlowExporter which optimizes the memory usage and improves the performance of the FlowExporter. (#5532, @antoninbas)
  • Update kubemark from v1.18.4 to v1.29.0 for antrea-agent-simulator. (#5820, @luolanzone)
  • Upgrade CNI plugins to v1.4.0. (#5747 #5813, @antoninbas @luolanzone)
  • Update the document for Egress feature's options and usage on AWS cloud. (#5436, @tnqn)
  • Add Flexible IPAM design details in antrea-ipam.md. (#5339, @gran-vmv)

Fixed

  • Fix incorrect MTU configurations for the WireGuard encryption mode and GRE tunnel mode. (#5880 #5926, @hjiajing @tnqn)
  • Prioritize L7 NetworkPolicy flows over TrafficControl to avoid a potential issue that a TrafficControl CR with a redirect action to the same Pod could bypass the L7 engine. (#5768, @hongliangl)
  • Delete OVS port and flows before releasing Pod IP. (#5788, @tnqn)
  • Store NetworkPolicy in filesystem as fallback data source to let antrea-agent fall back to using the files if it can't connect to antrea-controller on startup. (#5739, @tnqn)
  • Enable Pod network after realizing initial NetworkPolicies to avoid traffic from/to Pods bypassing NetworkPolicy when antrea-agent restarts. (#5777, @tnqn)
  • Fix Clean-AntreaNetwork.ps1 invocation in Prepare-AntreaAgent.ps1 for containerized OVS on Windows. (#5859, @antoninbas)
  • Add missing space to kubelet args in Prepare-Node.ps1 so that kubelet can start successfully on Windows. (#5858, @antoninbas)
  • Fix antctl trace-packet command failure which is caused by missing arguments. (#5838, @luolanzone)
  • Support Local ExternalTrafficPolicy for Services with ExternalIPs when Antrea proxyAll mode is enabled. (#5795, @tnqn)
  • Set net.ipv4.conf.antrea-gw0.arp_announce to 1 to fix an ARP request leak when a Node or hostNetwork Pod accesses a local Pod and AntreaIPAM is enabled. (#5657, @gran-vmv)
  • Skip enforcement of ingress NetworkPolicies rules for hairpinned Service traffic (Pod accessing itself via a Service). (#5687 #5705, @GraysonWu)
  • Add host-local IPAM GC on startup to avoid potential IP leak issue after antrea-agent restart. (#5660, @antoninbas)
  • Fix the CrashLoopBackOff issue when using the UBI-based image. (#5723, @antoninbas)
  • Remove redundant log in fillPodInfo/fillServiceInfo to fix log flood issue, and update DestinationServiceAddress for deny connections. (#5592 #5704, @yuntanghsu)
  • Enhance HNS network initialization on Windows to avoid some corner cases. (#5841, @XinShuYang)
  • Fix endpoint querier rule index in response to improve troubleshooting. (#5783, @qiyueyao)
  • Avoid unnecessary rule reconciliations in FQDN controller. (#5893, @Dyanngg)
  • Update Windows OVS download link to remove the invalid certificate preventing unsigned OVS driver installation. (#5839, @XinShuYang)
  • Fix IP annotation not working on StatefulSets for Antrea FlexibleIPAM. (#5715, @gran-vmv)
  • Add DHCP IP retries in PrepareHNSNetwork to fix potential IP retrieving failure. (#5819, @XinShuYang)
  • Revise antctl mc deploy to support Antrea Multi-cluster deployment update when the manifests are changed. (#5257, @luolanzone)

Antrea v1.14.2

26 Jan 16:13

Changed

  • Enable IPv4/IPv6 forwarding on demand automatically to eliminate the need for user intervention or dependencies on other components. (#5833, @tnqn)

Fixed

  • Store NetworkPolicy in filesystem as fallback data source to let antrea-agent fall back to using the files if it can't connect to antrea-controller on startup. (#5739, @tnqn)
  • Support Local ExternalTrafficPolicy for Services with ExternalIPs when Antrea proxyAll mode is enabled. (#5795, @tnqn)
  • Enable Pod network after realizing initial NetworkPolicies to avoid traffic from/to Pods bypassing NetworkPolicy when antrea-agent restarts. (#5777, @tnqn)
  • Fix Clean-AntreaNetwork.ps1 invocation in Prepare-AntreaAgent.ps1 for containerized OVS on Windows. (#5859, @antoninbas)
  • Add missing space to kubelet args in Prepare-Node.ps1 so that kubelet can start successfully on Windows. (#5858, @antoninbas)
  • Update Windows OVS download link to remove the redundant certificate to fix OVS driver installation failure. (#5839, @XinShuYang)
  • Add DHCP IP retries in PrepareHNSNetwork on Windows to fix the potential race condition issue where acquiring a DHCP IP address may fail after CreateHNSNetwork. (#5819, @XinShuYang)
  • Fix antctl trace-packet command failure which is caused by missing arguments. (#5838, @luolanzone)
  • Fix incorrect MTU configurations for the WireGuard encryption mode and GRE tunnel mode. (#5880 #5926, @hjiajing @tnqn)

Antrea v1.13.3

12 Jan 14:47

Fixed

  • Update Install-WindowsCNI-Containerd.ps1 script to make it compatible with containerd 1.7. (#5528, @NamanAg30)
  • Store NetworkPolicy in filesystem as fallback data source to let antrea-agent fall back to using the files if it can't connect to antrea-controller on startup. (#5739, @tnqn)
  • Support Local ExternalTrafficPolicy for Services with ExternalIPs when Antrea proxyAll mode is enabled. (#5795, @tnqn)
  • Enable Pod network after realizing initial NetworkPolicies to avoid traffic from/to Pods bypassing NetworkPolicy when antrea-agent restarts. (#5777, @tnqn)
  • Fix Clean-AntreaNetwork.ps1 invocation in Prepare-AntreaAgent.ps1 for containerized OVS on Windows. (#5859, @antoninbas)
  • Fix antctl trace-packet command failure which is caused by missing arguments. (#5838, @luolanzone)
  • Skip enforcement of ingress NetworkPolicies rules for hairpinned Service traffic (Pod accessing itself via a Service). (#5687 #5705, @GraysonWu)
  • Set net.ipv4.conf.antrea-gw0.arp_announce to 1 to fix an ARP request leak when a Node or hostNetwork Pod accesses a local Pod and AntreaIPAM is enabled. (#5657, @gran-vmv)
  • Add DHCP IP retries in PrepareHNSNetwork on Windows to fix the potential race condition issue where acquiring a DHCP IP address may fail after CreateHNSNetwork. (#5819, @XinShuYang)

Antrea v1.12.3

12 Jan 08:09

Fixed

  • Update Install-WindowsCNI-Containerd.ps1 script to make it compatible with containerd 1.7. (#5528, @NamanAg30)
  • Store NetworkPolicy in filesystem as fallback data source to let antrea-agent fall back to using the files if it can't connect to antrea-controller on startup. (#5739, @tnqn)
  • Support Local ExternalTrafficPolicy for Services with ExternalIPs when Antrea proxyAll mode is enabled. (#5795, @tnqn)
  • Enable Pod network after realizing initial NetworkPolicies to avoid traffic from/to Pods bypassing NetworkPolicy when antrea-agent restarts. (#5777, @tnqn)
  • Fix a deadlock issue in NetworkPolicy Controller which causes a FQDN resolution failure. (#5566 #5583, @Dyanngg @tnqn)
  • Skip enforcement of ingress NetworkPolicies rules for hairpinned Service traffic (Pod accessing itself via a Service). (#5687 #5705, @GraysonWu)
  • Set net.ipv4.conf.antrea-gw0.arp_announce to 1 to fix an ARP request leak when a Node or hostNetwork Pod accesses a local Pod and AntreaIPAM is enabled. (#5657, @gran-vmv)
  • Fix antctl tf CLI failure when the Traceflow is using an IPv6 address. (#5588, @Atish-iaf)
  • Fix NetworkPolicy span calculation to avoid out-dated data when multiple NetworkPolicies have the same selector. (#5554, @tnqn)
  • Fix SSL library downloading failure in Install-OVS.ps1 on Windows. (#5510, @XinShuYang)
  • Fix rollback invocation after CmdAdd failure in CNI server. (#5548, @antoninbas)
  • Do not apply Egress to traffic destined for ServiceCIDRs to avoid performance issue and unexpected behaviors. (#5495, @tnqn)
  • Do not delete IPv6 link-local route in route reconciler to fix cross-Node Pod traffic or Pod-to-external traffic. (#5483, @wenyingd)

Release v1.14.1

22 Nov 08:07

Fixed

  • Fix the CrashLoopBackOff issue when using the UBI-based image. (#5723, @antoninbas)
  • Skip enforcement of ingress NetworkPolicies rules for hairpinned Service traffic (Pod accessing itself via a Service). (#5687 #5705, @GraysonWu)
  • Set net.ipv4.conf.antrea-gw0.arp_announce to 1 to fix an ARP request leak when a Node or hostNetwork Pod accesses a local Pod and AntreaIPAM is enabled. (#5657, @gran-vmv)

Release v1.13.2

01 Nov 14:28

Fixed

  • Fix antctl tf CLI failure when the Traceflow is using an IPv6 address. (#5588, @Atish-iaf)
  • Fix a deadlock issue in NetworkPolicy Controller which causes a FQDN resolution failure. (#5566 #5583, @Dyanngg @tnqn)
  • Fix NetworkPolicy span calculation to avoid out-dated data when multiple NetworkPolicies have the same selector. (#5554, @tnqn)
  • Fix SSL library downloading failure in Install-OVS.ps1 on Windows. (#5510, @XinShuYang)
  • Fix rollback invocation after CmdAdd failure in CNI server. (#5548, @antoninbas)
  • Do not apply Egress to traffic destined for ServiceCIDRs to avoid performance issue and unexpected behaviors. (#5495, @tnqn)
  • Do not delete IPv6 link-local route in route reconciler to fix cross-Node Pod traffic or Pod-to-external traffic. (#5483, @wenyingd)

Release v1.14.0

30 Oct 05:46

Note for UBI users: The UBI8-based image tags for this release (antrea/antrea-ubi:v1.14.0 and projects.registry.vmware.com/antrea/antrea-ubi:v1.14.0) were unusable (Antrea containers will crash immediately on startup) because of a bug and we have decided to delete them from the registries. Please use the tags for release v1.14.1 instead (antrea/antrea-ubi:v1.14.1 and projects.registry.vmware.com/antrea/antrea-ubi:v1.14.1). Ubuntu-based image tags (antrea/antrea-ubuntu:v1.14.0 and projects.registry.vmware.com/antrea/antrea-ubuntu:v1.14.0) are unaffected and fully functional.

Added

  • Add rate-limit config to Egress to specify the rate limit of north-south egress traffic of this Egress. (#5425, @GraysonWu)
  • Add IPAllocated and IPAssigned conditions to Egress status to improve Egress visibility. (#5282, @AJPL88 @tnqn)
  • Add goroutine stack dump in SupportBundle for both Antrea Agent and Antrea Controller. (#5538, @aniketraj1947)
  • Add "X-Load-Balancing-Endpoint-Weight" header to AntreaProxy Service healthcheck. (#5299, @hongliangl)
  • Add log rotation configuration in Antrea Agent config for audit logs. (#5337 #5366, @antoninbas @mengdie-song)
  • Add GroupMembers API Pagination support to Antrea Go clientset. (#5533, @qiyueyao)
  • Add Namespaced Group Membership API for Antrea Controller. (#5380, @qiyueyao)
  • Support Pod secondary interfaces on VLAN network. (#5341 #5365 #5279, @jianjuns)
  • Enable Windows OVS container to run on pristine host environment, without requiring some dependencies to be installed manually ahead of time. (#5440, @NamanAg30)
  • Update Install-WindowsCNI-Containerd.ps1 script to make it compatible with containerd 1.7. (#5528, @NamanAg30)
  • Add a new all-in-one manifest for the Multi-cluster leader cluster, and update the Multi-cluster user guide. (#5389 #5531, @luolanzone)
  • Clean up auto-generated resources in leader and member clusters when a ClusterSet is deleted, and recreate resources when a member cluster rejoins the ClusterSet. (#5351 #5410, @luolanzone)

Changed

  • Multiple APIs are promoted from beta to GA. The corresponding feature gates are removed from Antrea config files.
    • Promote feature gate EndpointSlice to GA. (#5393, @hongliangl)
    • Promote feature gate NodePortLocal to GA. (#5491, @hjiajing)
    • Promote feature gate AntreaProxy to GA, and add an option antreaProxy.enable to allow users to disable this feature. (#5401, @hongliangl)
  • Make antrea-controller not tolerate Node unreachable to speed up the failover process. (#5521, @tnqn)
  • Improve antctl get featuregates output. (#5314, @cr7258)
  • Increase the rate limit setting of PacketInMeter and the size of PacketInQueue. (#5460, @GraysonWu)
  • Add hostAliases to Helm values for Flow Aggregator. (#5386, @yuntanghsu)
  • Decouple Audit logging from AntreaPolicy feature gate to enable logging for NetworkPolicy when AntreaPolicy is disabled. (#5352, @qiyueyao)
  • Change Traceflow CRD validation to webhook validation. (#5230, @shi0rik0)
  • Stop using /bin/sh and invoke the binary directly for OVS commands in Antrea Agent. (#5364, @antoninbas)
  • Install flows for nested Services in EndpointDNAT only when Antrea Multi-cluster is enabled. (#5411, @hongliangl)
  • Make rate-limiting of PacketIn messages configurable; the same rate-limit value applies to each feature that is dependent on PacketIn messages (e.g., Traceflow) but the limit is enforced independently for each feature. (#5450, @GraysonWu)
  • Change the default flow's action to drop in ARPSpoofGuardTable to effectively prevent ARP spoofing. (#5378, @hongliangl)
  • Remove auto-generated suffix from ConfigMap names, and add config checksums as Deployment annotations in Windows manifests, to avoid stale ConfigMaps when updating Antrea while preserving automatic rolling of Pods. (#5545, @Atish-iaf)
  • Add a ClusterSet deletion webhook for the leader cluster to reject ClusterSet deletion if there is any MemberClusterAnnounce. (#5475, @luolanzone)
  • Update Go version to v1.21. (#5377, @antoninbas)

Fixed

  • Remove the dependency of the MulticastGroup API on the NetworkPolicyStats feature gate, to fix the empty list issue when users run kubectl get multicastgroups even when the Multicast is enabled. (#5367, @ceclinux)
  • Fix antctl tf CLI failure when the Traceflow is using an IPv6 address. (#5588, @Atish-iaf)
  • Fix a deadlock issue in NetworkPolicy Controller which causes a FQDN resolution failure. (#5566 #5583, @Dyanngg @tnqn)
  • Fix NetworkPolicy span calculation to avoid out-dated data when multiple NetworkPolicies have the same selector. (#5554, @tnqn)
  • Use the first matching address when getting Node address to find the correct transport interface. (#5529, @xliuxu)
  • Fix rollback invocation after CmdAdd failure in CNI server and improve logging. (#5548, @antoninbas)
  • Add error log when Antrea network's MTU exceeds Suricata's maximum supported value. (#5408, @hongliangl)
  • Do not delete IPv6 link-local route in route reconciler to fix cross-Node Pod traffic or Pod-to-external traffic. (#5483, @wenyingd)
  • Do not apply Egress to traffic destined for ServiceCIDRs to avoid performance issue and unexpected behaviors. (#5495, @tnqn)
  • Unify TCP and UDP DNS interception flows to fix invalid flow matching for DNS responses. (#5392, @GraysonWu)
  • Fix the burst setting of the PacketInQueue to reduce the DNS response delay when a Pod has any FQDN policy applied. (#5456, @tnqn)
  • Fix SSL library downloading failure in Install-OVS.ps1 on Windows. (#5510, @XinShuYang)
  • Do not attempt to join Windows antrea-agents to the memberlist cluster to avoid misleading error logs. (#5434, @tnqn)
  • Fix an issue that antctl proxy is not using the user specified port. (#5435, @tnqn)
  • Enable IPv6 on OVS internal port if needed in bridging mode to fix agent crash issue when IPAM is enabled. (#5409, @antoninbas)
  • Fix missing protocol in Service when processing ANP named ports to ensure rule can be enforced correctly in OVS. (#5370, @Dyanngg)
  • Fix error log when agent fails to connect to K8s API. (#5353, @tnqn)
  • Fix a bug that ClusterSet status is not updated in Antrea Multi-cluster. (#5338, @luolanzone)
  • Fix an Antrea Controller crash issue in handling empty Pod labels for LabelIdentity when the config enableStretchedNetworkPolicy is enabled for Antrea Multi-cluster. (#5404 #5449, @Dyanngg)
  • Always initialize ovs_meter_packet_dropped_count metrics to fix a bug that the metrics are not showing up if OVS Meter is not supported on the system. (#5413, @tnqn)
  • Skip starting modules which are not required by VM Agent to fix logs flood due to RBAC warning. (#5391, @mengdie-song)

Release v1.11.4

18 Oct 10:14

Fixed

  • Fix a deadlock issue in NetworkPolicy Controller which causes a FQDN resolution failure. (#5566 #5583, @Dyanngg @tnqn)
  • Fix NetworkPolicy span calculation to avoid out-dated data when multiple NetworkPolicies have the same selector. (#5554, @tnqn)
  • Fix SSL library downloading failure in Install-OVS.ps1 on Windows. (#5510, @XinShuYang)
  • Fix rollback invocation after CmdAdd failure in CNI server and improve logging. (#5548, @antoninbas)
  • Do not apply Egress to traffic destined for ServiceCIDRs to avoid performance issue and unexpected behaviors. (#5495, @tnqn)
  • Do not delete IPv6 link-local route in route reconciler to fix cross-Node Pod traffic or Pod-to-external traffic. (#5483, @wenyingd)
  • Fix discovered Service CIDR flapping on Agent start. (#5017, @tnqn)