Releases: antrea-io/antrea
Release v1.0.2
Fixed
- Fix inter-Node ClusterIP Service access when AntreaProxy is disabled. (#2318, @tnqn)
- Fix duplicate group ID allocation in AntreaProxy when using a combination of IPv4 and IPv6 Services in dual-stack clusters; this was causing Service connectivity issues. (#2317, @hongliangl)
- Fix intra-Node ClusterIP Service access when both the AntreaProxy and Egress features are enabled. (#2332, @tnqn)
- Fix invalid clean-up of the HNS Endpoint during Pod deletion, when Docker is used as the container runtime. (#2306, @wenyingd) [Windows]
- Fix race condition on Windows when retrieving the local HNS Network created by Antrea for containers. (#2253, @tnqn) [Windows]
- Fix invalid conversion function between internal and versioned types for controlplane API, which was causing JSON marshalling errors. (#2312, @tnqn)
- Fix implementation of the v1beta1 version of the legacy "controlplane.antrea.tanzu.vmware.com" API: the API was incorrectly using some v1beta2 types and it was missing some field selectors. (#2305, @tnqn)
Release v0.13.3
Fixed
- Fix inter-Node ClusterIP Service access when AntreaProxy is disabled. (#2318, @tnqn)
- Fix duplicate group ID allocation in AntreaProxy when using a combination of IPv4 and IPv6 Services in dual-stack clusters; this was causing Service connectivity issues. (#2317, @hongliangl)
- Fix invalid clean-up of the HNS Endpoint during Pod deletion, when Docker is used as the container runtime. (#2306, @wenyingd) [Windows]
- Fix race condition on Windows when retrieving the local HNS Network created by Antrea for containers. (#2253, @tnqn) [Windows]
- Fix invalid conversion function between internal and versioned types for controlplane API, which was causing JSON marshalling errors. (#2312, @tnqn)
Release v1.1.0
Added
- Enable "noEncap" and "hybrid" traffic modes for clusters which include Windows Nodes. (#2160 #2161, [@lzhecheng] [@tnqn]) [Windows]
  - Each Agent is responsible for annotating its Node resource with the MAC address of the uplink interface, using the "node.antrea.io/mac-address" annotation; the annotation is used to forward Pod traffic
- Add a generic mechanism to define policy rules enforced on all the network endpoints belonging to the same Namespace as the target of the AppliedTo; this makes it very easy to define an Antrea CNP to only allow same-Namespace traffic (Namespace isolation) across all Namespaces in the cluster or a subset of them. (#1961, [@Dyanngg])
- Add support for the "Reject" action of Antrea-native policies in the Traceflow observations. (#2032, [@gran-vmv])
- Add support for the "endPort" field in K8s NetworkPolicies. (#2190, [@GraysonWu])
- Add support for [dual-stack Services], which are enabled by default in K8s v1.21, in AntreaProxy. (#2207, [@xliuxu])
- Export flow records about connections denied by NetworkPolicies from the FlowExporter and the FlowAggregator; the records include information about the policy responsible for denying the connection when applicable. (#2112, [@zyiou])
- Add more NetworkPolicy-related information to IPFIX flow records exported by the FlowAggregator (policy type and rule name). (#2163, [@heanlan])
- Add live-traffic Traceflow support to the Antrea [Octant] plugin, which includes support for displaying the captured packet's headers. (#2124, #2182, [@luolanzone])
- Add crd.antrea.io/v1alpha3/ClusterGroup API resource which removes the deprecated "ipBlock" field; a [conversion webhook] is added to the Controller to convert from the v1alpha2 version to the v1alpha3 version. (#2008, [@Dyanngg])
- Add support for providing an IP address as the source for live-traffic Traceflow; the source can also be omitted altogether in which case any source can be a match. (#2068, [@jianjuns])
- Add ICMP echo ID and sequence number to the captured packet for live-traffic Traceflow. (#2162, [@jianjuns])
- Add support for dumping OVS groups with the "antctl get of" command. (#1984, [@jianjuns])
- Add new "antrea_agent_deny_connection_count" Prometheus metric to keep track of the number of connections denied because of NetworkPolicies; if too many connections are denied within a short window of time, the metric may undercount. (#2112, [@zyiou])
- Generate and check-in clientset code for ClusterGroupMembers and GroupAssociation, to facilitate consumption of these APIs by third-party software. (#2130, [@Dyanngg])
- Document requirements for the Node network (how to configure firewalls, security groups, etc.) when running Antrea. (#2098, [@luolanzone])
Changed
- Rename Antrea Go module from github.com/vmware-tanzu/antrea to antrea.io/antrea, using a vanity import path. (#2154, [@antoninbas])
- Enable [Receive Segment Coalescing (RSC)] in the vSwitch on Windows Nodes to reduce host CPU utilization and increase throughput when traffic is not encapsulated. (#2198, [@tnqn])
- Change the export mechanism for the FlowAggregator: instead of exporting all flows periodically with a fixed interval, we introduce an "active timeout" and an "inactive timeout", and flow information is exported differently based on flow activity. (#1949, [@srikartati])
- Periodically verify the local gateway's configuration and the gateway routes on each Node, and correct any discrepancy. (#2091, [@hty690])
- Remove the "enableTLSToFlowAggregator" parameter from the Agent configuration; this information can be provided using the "flowCollectorAddr" parameter. (#2193, [@zyiou])
- Specify antrea-agent as the default container for kubectl commands using the "kubectl.kubernetes.io/default-container" annotation introduced in K8s v1.21. (#2065, [@tnqn])
- Improve the OpenAPI schema for Antrea-native policy CRDs to enable a more comprehensive validation. (#2125, [@wenqiq])
- Bump K8s dependencies (k8s.io/apiserver, k8s.io/client-go, etc.) to v0.21.0 and replace klog with klog/v2. (#1973, [@xliuxu])
- Add nodeSelector for FlowAggregator and ELK Pods in YAML manifests: they must run on amd64 Nodes. (#2087, [@antoninbas])
- Update reference Kibana configuration to decode the flowType field and display a human-friendly string instead of an integer. (#2102, [@zyiou])
- Package [whereabouts] CNI plugin into the Antrea Linux container image and install the binary on each Node. (#2185, [@arunvelayutham])
- Start enabling Antrea end-to-end tests for Windows Nodes. (#2018, [@lzhecheng])
- Parameterize K8s download path in Windows helper scripts. (#2174 #2192, [@jayunit100] [@lzhecheng]) [Windows]
Fixed
- It was discovered that the AntreaProxy implementation has an upper-bound for the number of Endpoints it can support for each Service: we increase this upper-bound from ~500 to 800, log a warning for Services with a number of Endpoints greater than 800, and arbitrarily drop some Endpoints so we can still provide load-balancing for the Service. (#2101, [@hongliangl])
- Fix Antrea-native policy with multiple AppliedTo selectors: some rules were never realized by the Agents as they thought they had only received partial information from the Controller. (#2084, [@tnqn])
- Fix re-installation of the OpenFlow groups when the OVS daemons are restarted to ensure that AntreaProxy keeps functioning. (#2134, [@antoninbas])
- Configure the MTU correctly in Windows containers, or Path MTU Discovery fails and datagrams with the minimum size are transmitted leading to poor performance in overlay mode. (#2133, [@lzhecheng]) [Windows]
- Fix IPFIX flow records exported by the Antrea Agent. (#2089, [@zyiou])
  - If a connection spanned multiple export cycles, it wasn't handled properly and no record was sent for the connection
  - If a connection spanned a single export cycle, a single record was sent but "delta counters" were set to 0 which caused flow visualization to omit the flow in dashboards
- Fix incorrect stats reporting for ingress rules of some NetworkPolicies: some types of traffic were bypassing the OVS table keeping track of statistics once the connection was established, causing packet and byte stats to be incorrect. (#2078, [@ceclinux])
- Fix ability of the FlowExporter to connect to the FlowAggregator on Windows: the "flow-aggregator.flow-aggregator.svc" DNS name cannot be resolved on Windows because the Agent is running as a process. (#2138, [@dreamtalen]) [Windows]
- Fix Traceflow for "hairpinned" Service traffic. (#2167, [@gran-vmv])
- Fix possible crash in the FlowExporter and FlowAggregator when re-establishing a connection for exporting flow records. (#2039, [@srikartati])
- Fix local access (from the K8s Node) to the port of a Pod with NodePortLocal enabled running on the same Node. (#2200, [@antoninbas])
- Add conntrack label parsing in the FlowExporter when using the OVS netdev datapath, so that NetworkPolicy information can be populated correctly in flow records. (#2194, [@dreamtalen])
- Fix the retry logic when enabling the OVS bridge local interface on Windows Nodes. (#2081, [@antoninbas]) [Windows]
- Sleep for a small duration before injecting Traceflow packet even when the destination is local, to ensure that flow installation can complete and avoid transient errors. (#2114, [@gran-vmv])
- Build antrea-cni binary and release binaries without cgo, to avoid dependencies on system libraries. (#2189, [@antoninbas])
- Do not populate hostNetwork Pods into AppliedTo groups sent by the Controller to the Agents to avoid unnecessary logs (NetworkPolicies are not enforced on hostNetwork Pods). (#2093, [@Dyanngg])
- Fix formatting of K8s...
Release v0.11.4
Fixed
- It was discovered that the AntreaProxy implementation has an upper-bound for the number of Endpoints it can support for each Service: we increase this upper-bound from ~500 to 800, log a warning for Services with a number of Endpoints greater than 800, and arbitrarily drop some Endpoints so we can still provide load-balancing for the Service. (#2101, @hongliangl)
- Fix Antrea-native policy with multiple AppliedTo selectors: some rules were never realized by the Agents as they thought they had only received partial information from the Controller. (#2084, @tnqn)
- Fix re-installation of the OpenFlow groups when the OVS daemons are restarted to ensure that AntreaProxy keeps functioning. (#2134, @antoninbas)
- Fix audit logging on Windows Nodes: the log directory was not configured properly, causing Agent initialization to fail on Windows when the AntreaPolicy feature was enabled. (#2052, @antoninbas) [Windows]
- Use correct output format for CNI Add in networkPolicyOnly mode: this was not an issue with Docker but was causing failures with containerd. (#2037, @antoninbas @dantingl)
- Fix audit logging of IPv6 traffic for Antrea-native policies: IPv6 packets were ignored by the Agent instead of being parsed and logged to file. (#1990, @antoninbas)
- Fix Status updates for ClusterNetworkPolicies. (#2036, @Dyanngg)
Release v0.12.3
Fixed
- It was discovered that the AntreaProxy implementation has an upper-bound for the number of Endpoints it can support for each Service: we increase this upper-bound from ~500 to 800, log a warning for Services with a number of Endpoints greater than 800, and arbitrarily drop some Endpoints so we can still provide load-balancing for the Service. (#2101, @hongliangl)
- Fix Antrea-native policy with multiple AppliedTo selectors: some rules were never realized by the Agents as they thought they had only received partial information from the Controller. (#2084, @tnqn)
- Fix re-installation of the OpenFlow groups when the OVS daemons are restarted to ensure that AntreaProxy keeps functioning. (#2134, @antoninbas)
- Fix audit logging on Windows Nodes: the log directory was not configured properly, causing Agent initialization to fail on Windows when the AntreaPolicy feature was enabled. (#2052, @antoninbas) [Windows]
- Use correct output format for CNI Add in networkPolicyOnly mode: this was not an issue with Docker but was causing failures with containerd. (#2037, @antoninbas @dantingl)
- Fix audit logging of IPv6 traffic for Antrea-native policies: IPv6 packets were ignored by the Agent instead of being parsed and logged to file. (#1990, @antoninbas)
- Fix Status updates for ClusterNetworkPolicies. (#2036, @Dyanngg)
Release v1.0.1
Fixed
- It was discovered that the AntreaProxy implementation has an upper-bound for the number of Endpoints it can support for each Service: we increase this upper-bound from ~500 to 800, log a warning for Services with a number of Endpoints greater than 800, and arbitrarily drop some Endpoints so we can still provide load-balancing for the Service. (#2101, @hongliangl)
- Fix Antrea-native policy with multiple AppliedTo selectors: some rules were never realized by the Agents as they thought they had only received partial information from the Controller. (#2084, @tnqn)
- Fix re-installation of the OpenFlow groups when the OVS daemons are restarted to ensure that AntreaProxy keeps functioning. (#2134, @antoninbas)
- Fix IPFIX flow records exported by the Antrea Agent. (#2089, @zyiou)
  - If a connection spanned multiple export cycles, it wasn't handled properly and no record was sent for the connection
  - If a connection spanned a single export cycle, a single record was sent but "delta counters" were set to 0 which caused flow visualization to omit the flow in dashboards
- Fix incorrect stats reporting for ingress rules of some NetworkPolicies: some types of traffic were bypassing the OVS table keeping track of statistics once the connection was established, causing packet and byte stats to be incorrect. (#2078, @ceclinux)
- Fix the retry logic when enabling the OVS bridge local interface on Windows Nodes. (#2081, @antoninbas) [Windows]
Release v0.13.2
Fixed
- It was discovered that the AntreaProxy implementation has an upper-bound for the number of Endpoints it can support for each Service: we increase this upper-bound from ~500 to 800, log a warning for Services with a number of Endpoints greater than 800, and arbitrarily drop some Endpoints so we can still provide load-balancing for the Service. (#2101, @hongliangl)
- Fix Antrea-native policy with multiple AppliedTo selectors: some rules were never realized by the Agents as they thought they had only received partial information from the Controller. (#2084, @tnqn)
- Fix re-installation of the OpenFlow groups when the OVS daemons are restarted to ensure that AntreaProxy keeps functioning. (#2134, @antoninbas)
- Fix the retry logic when enabling the OVS bridge local interface on Windows Nodes. (#2081, @antoninbas) [Windows]
- Fix audit logging on Windows Nodes: the log directory was not configured properly, causing Agent initialization to fail on Windows when the AntreaPolicy feature was enabled. (#2052, @antoninbas) [Windows]
- When selecting the Pods corresponding to a Service for which NodePortLocal has been enabled, Pods should be filtered by Namespace. (#1927, @chauhanshubham)
- Correctly handle Service Type changes for NodePortLocal, and update Pod annotations accordingly. (#1936, @chauhanshubham)
- Use correct output format for CNI Add in networkPolicyOnly mode: this was not an issue with Docker but was causing failures with containerd. (#2037, @antoninbas @dantingl)
- Fix audit logging of IPv6 traffic for Antrea-native policies: IPv6 packets were ignored by the Agent instead of being parsed and logged to file. (#1990, @antoninbas)
- Fix Status updates for ClusterNetworkPolicies. (#2036, @Dyanngg)
Release v1.0.0
Includes all the changes from [0.13.1].
The AntreaPolicy feature is graduated from Alpha to Beta and is therefore enabled by default.
Added
- Add [Egress] feature to configure SNAT policies for Pod-to-external traffic. [Alpha - Feature Gate: Egress]
  - A new Egress CRD is introduced to define SNAT policies (#1433, [@jianjuns])
  - Update the datapath to implement Egress: on Windows Nodes, everything is implemented in OVS, while on Linux Nodes, OVS marks packets and sends them to the host network namespace, where iptables handles SNAT (#1892 #1969 #1998, [@jianjuns], [@tnqn])
  - A new EgressGroup control plane API is introduced: the Controller computes group membership for each policy and sends this information to the Agents (#1965, [@tnqn])
  - Implement the EgressGroup control plane API in the Agent (#2026, [@tnqn] [@ceclinux])
  - Document the Egress feature and its datapath implementation (#2041 #2044, [@jianjuns] [@tnqn])
- Add support for the "Reject" action in Antrea-native policies as an alternative to "Drop" (which silently drops packets). (#1888, [@GraysonWu])
  - For rejected TCP connections, the Agent will send a TCP RST packet
  - For UDP and SCTP, the Agent will send an ICMP message with Type 3 (Destination Unreachable) and Code 10 (Host administratively prohibited)
- Add support for nesting in the [ClusterGroup CRD]: a ClusterGroup can now reference a list of ClusterGroups, but only one level of nesting is supported. (#1920, [@Dyanngg])
- Add ability to specify multiple IPBlocks when defining a ClusterGroup. (#1993, [@Dyanngg])
- Support for IPv6 (IPv6-only and dual-stack clusters) in the FlowAggregator and in the reference ELK stack. (#1819 #1962, [@dreamtalen])
- Add support for arm/v7 and arm64 to the main Antrea Docker image for Linux (antrea/antrea-ubuntu) instead of using a separate image. (#1994, [@antoninbas])
- Add support for live-traffic tracing in Traceflow: rather than injecting a Traceflow packet, we can monitor real traffic and update the Traceflow Status when a matching packet is observed. (#2005 #2029, [@jianjuns])
  - The captured packet is reported as part of the Traceflow request Status
  - Live-traffic tracing supports a "Dropped-Only" filter which will only capture packets dropped by the datapath
- Introduce a new optional mutating webhook to automatically label all Namespaces and Services with their name (antrea.io/metadata.name: <resourceName>); this allows NetworkPolicies and ClusterGroup to easily select these resources by name. (#1690, [@abhiraut] [@Dyanngg])
- Add support for rule-level statistics for Antrea-native policies, when the NetworkPolicyStats feature is enabled: rules are identified by their name, which can be user-provided or auto-generated. (#1780, [@ceclinux])
- Add TCP connection state information to the IPFIX records sent by the FlowExporter, and improve handling of "dying" connections. (#1904, [@zyiou])
- Add information about the flow type (intra-Node, inter-Node, Pod-to-external) to the IPFIX records sent by the FlowExporter. (#2000, [@dreamtalen])
- Add support for dumping OVS flows related to a Service with the "antctl get of" command. (#1877, [@jianjuns])
- Randomly generate a cluster UUID in the Antrea Controller and make it persistent by storing it to a ConfigMap ("antrea-cluster-identity"). (#1805, [@antoninbas])
- Add support for IPv6 to "antctl traceflow". (#1995, [@luolanzone])
Changed
- Rename all Antrea API groups from *.antrea.tanzu.vmware.com to *.antrea.io. (#1799, [@hongliangl])
  - All legacy groups will be supported until December 2021
  - See the [API documentation] for more details and information on how to upgrade client applications which use the Antrea API (#2031, [@antoninbas])
- Change the export mechanism for the FlowExporter in the Antrea Agent: instead of exporting all flows periodically with a fixed interval, we introduce an "active timeout" and an "idle timeout", and flow information is exported differently based on flow activity. (#1714, [@srikartati])
- Add rate-limiting in the Agent for PacketIn messages sent by the OVS datapath: this can help limit the CPU usage when too many messages are sent by OVS. (#2015, [@GraysonWu])
- Output partial result when a Traceflow request initiated by antctl fails or times out, as it can still provide useful information. (#1879, [@jianjuns])
- Ensure that "antctl version" always outputs the client version, even when antctl cannot connect to the Antrea apiserver. (#1876, [@antoninbas])
- Extract the group member calculation for the NetworkPolicy implementation in the Controller to its own module, so it can be reused for different features which need to calculate groups of endpoints based on a given selection criteria; performance (CPU and memory usage) is also improved. (#1937, [@tnqn])
- Optimize the computation of unions of sets when processing NetworkPolicies in the Controller. (#1938, [@tnqn])
- Optimize the computation of symmetric differences of sets in the Agent (NodePortLocal) and in the Controller (NetworkPolicy processing). (#1944, [@tnqn])
- Move mutable ConfigMap resources out of the deployment YAML and create them programmatically instead; this facilitates integration with other projects such as kapp. (#1983, [@hty690])
- Improve error logs when the Antrea Agent's connection to the Controller times out, and introduce a dedicated health check in the Agent to report the connection status. (#1946, [@hty690])
- Support user-provided signed OVS binaries in Windows installation script. (#1963, [@lzhecheng]) [Windows]
- When NodePortLocal is enabled on a Pod, do not allocate new ports on the host for Pod containers with HostPort enabled. (#2024, [@annakhm])
- Use "distroless" Docker image for the FlowAggregator to reduce its size. (#2004 #2016, [@hanlins] [@dreamtalen])
- Improve reference Kibana dashboards for flow visualization and update the documentation for flow visualization with more up-to-date Kibana screenshots. (#1933, [@zyiou])
- Reject unsupported positional arguments in antctl commands. (#2011, [@hty690])
- Reduce log verbosity for PacketIn messages received by the Agent. (#2046, [@jianjuns])
- Improve Windows documentation to cover running Antrea as a Windows service, which is required when using containerd as the container runtime. (#1874, [@lzhecheng] [@jayunit100]) [Windows]
- Update the documentation for hardware offload support. (#1943, [@Mmduh-483])
- Document IPv6 support for Traceflow. (#1996, [@gran-vmv])
- Remove old references to Ubuntu 18.04 from the documentation. (#1960, [@shadowlan])
Fixed
- Fix audit logging on Windows Nodes: the log directory was not configured properly, causing Agent initialization to fail on Windows when the AntreaPolicy feature was enabled. (#2052, [@antoninbas]) [Windows]
- When selecting the Pods corresponding to a Service for which NodePortLocal has been enabled, Pods should be filtered by Namespace. (#1927, [@chauhanshubham])
- Correctly handle Service Type changes for NodePortLocal, and update Pod annotations accordingly. (#1936, [@chauhanshubham])
- Use correct output format for CNI Add in networkPolicyOnly mode: this was not an issue with Docker but was causing failures with containerd. (#2037, [@antoninbas] [@dantingl])
- Fix ...
Release v0.13.1
Fixed
- Clean up stale IP addresses on Antrea host gateway interface. (#1900, @antoninbas)
  - If a Node leaves and later rejoins a cluster, a new Pod CIDR may be allocated to the Node for each supported IP family and the gateway receives a new IP address (first address in the CIDR)
  - If the previous addresses are not removed from the gateway, we observe connectivity issues across Nodes
- Update libOpenflow to avoid crash in Antrea Agent for certain Traceflow requests. (#1833, @antoninbas)
- Fix the deletion of stale port forwarding iptables rules installed for NodePortLocal, occurring when the Antrea Agent restarts. (#1887, @monotosh-avi)
- Fix output formatting for the "antctl trace-packet" command: the result was displayed as a Go struct variable and newline characters were not rendered, making it hard to read. (#1897, @jianjuns)
Release v0.12.2
Fixed
- Ensure that NodePort traffic does not bypass NetworkPolicies. (#1816, @tnqn)
  - NodePort traffic for which ExternalTrafficPolicy is set to Cluster goes through SNAT before NetworkPolicies are enforced; after SNAT the source IP is the IP of the local gateway interface (antrea-gw0)
  - Users will need to define the appropriate NetworkPolicies to allow ingress access to isolated Pods for NodePort traffic
  - This new behavior only applies to Linux Nodes using the OVS system datapath (default)
- Clean up stale IP addresses on Antrea host gateway interface. (#1900, @antoninbas)
  - If a Node leaves and later rejoins a cluster, a new Pod CIDR may be allocated to the Node for each supported IP family and the gateway receives a new IP address (first address in the CIDR)
  - If the previous addresses are not removed from the gateway, we observe connectivity issues across Nodes