Releases: antrea-io/antrea
Release v0.9.3
Changed
- Rename internal API group from "networking.antrea.tanzu.vmware.com" to "controlplane.antrea.tanzu.vmware.com". (#1147, @jianjuns)
- This API is served by the Antrea Controller and consumed by Agents (directly) and antctl (through the K8s apiserver using an APIService)
- Antrea Controller deletes the previous APIService on startup to avoid issues (e.g. with Namespace deletion)
- During upgrade from a previous version, NetworkPolicy enforcement will be disrupted until the upgrade is complete: NetworkPolicy changes may not take effect and NetworkPolicies may not be applied to new Pods, until all components have been updated
Fixed
- Fix IPsec support which was broken after updating the base distribution to Ubuntu 20.04 for the Antrea Docker image, as this update introduced a more recent version of strongSwan. (#1184 #1191, @jianjuns)
- Fix deadlock in the NetworkPolicy implementation in the Antrea Agent: this issue could only be observed when using ClusterNetworkPolicies but was affecting the enforcement of all NetworkPolicies. (#1186, @Dyanngg @yktsubo @tnqn)
- Fix unbound variable error in "start_ovs" Bash script, which was causing the antrea-ovs container to crash if one OVS daemon stopped for any reason. (#1190, @antoninbas @alex-vmw)
Release v0.9.2
Fixed
- Fix incorrect conversion from unsigned integer to string when indexing the flows responsible for the implementation of a NetworkPolicy rule by their conjunction ID / rule ID; this issue could have caused incorrect NetworkPolicy enforcement when a large number of rules are applied to a Node. (#1161, @weiqiangt)
- Fix self-signed certificate rotation in the Antrea Controller: after rotation (at half the expiration time), the new certificate was distributed to clients while the Controller apiserver kept using the old certificate. (#1154, @MatthewHinton56)
- Support setting TCP flags when initiating a Traceflow request from antctl; for Pod-to-Service trace packets, the SYN flag must be set. (#1128, @lzhecheng)
- Generate correct filename for support bundle archive temporary file: on Windows the name included an asterisk which is invalid. (#1150, @weiqiangt) [Windows]
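The first v0.9.2 fix above (#1161) is about the string key derived from a rule's conjunction ID / rule ID. The following is an added example and not Antrea's own code: it assumes the faulty conversion was Go's integer-to-string conversion, `string(n)`, which is a common cause of exactly this symptom (the page does not say which conversion was wrong), and shows why distinct IDs can collide under it and why rendering the ID as decimal text removes the collision. The rule IDs are constructed values.

```go
package main

import (
	"fmt"
	"strconv"
)

// Constructed conjunction / rule IDs (not taken from the project): three values
// that are not valid Unicode code points, plus one that is.
var sampleRuleIDs = []uint32{0xD800, 0xD801, 0x110000, 65}

// ruleKeyBuggy mirrors the assumed defect class: string(n) on an integer does
// not produce the decimal digits of n, it produces the UTF-8 encoding of code
// point n. Every value that is not a valid code point (surrogates, anything
// above 0x10FFFF) becomes "\uFFFD", so distinct IDs share one key.
// Written as string(rune(id)) because go vet now rejects string(id) outright;
// both spellings perform the same conversion.
func ruleKeyBuggy(id uint32) string {
	return string(rune(id))
}

// ruleKeyFixed renders the ID as decimal text, so the mapping is injective.
func ruleKeyFixed(id uint32) string {
	return strconv.FormatUint(uint64(id), 10)
}

// indexFlows groups rule IDs under the key the given function derives for
// them, the way an agent would index the flows implementing each rule.
func indexFlows(ids []uint32, key func(uint32) string) map[string][]uint32 {
	idx := make(map[string][]uint32, len(ids))
	for _, id := range ids {
		k := key(id)
		idx[k] = append(idx[k], id)
	}
	return idx
}

// collisions counts how many IDs ended up sharing a key with another ID;
// any non-zero value means a lookup by key can return another rule's flows.
func collisions(ids []uint32, key func(uint32) string) int {
	return len(ids) - len(indexFlows(ids, key))
}

func main() {
	keyFuncs := map[string]func(uint32) string{"buggy": ruleKeyBuggy, "fixed": ruleKeyFixed}
	for _, name := range []string{"buggy", "fixed"} {
		key := keyFuncs[name]
		fmt.Printf("%s: %d distinct keys for %d rule IDs, %d collisions\n",
			name, len(indexFlows(sampleRuleIDs, key)), len(sampleRuleIDs), collisions(sampleRuleIDs, key))
	}
}
```

With small IDs the buggy key still looks unique (65 becomes "A"), which is why this kind of defect tends to surface only once a Node carries enough rules for IDs to reach values that are not valid code points; checking the key function with such values, as the test below does, catches it before deployment.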
Release v0.9.1
Changed
- Rotate self-signed certificate generated by the Antrea Controller at half the expiration time, instead of one day before expiration. (#1115, @andrewsykim)
- Collect heap profile data in Antrea support bundle to help troubleshoot issues related to memory usage. (#1110, @weiqiangt)
Fixed
- Optimize processing of egress policy rules that do not include any named port by avoiding the creation and distribution of a "global" AddressGroup - which includes all the Pods - when unnecessary. (#1100, @tnqn)
- Avoid duplicate processing of Traceflow requests in the Antrea Controller and fix data-plane tag allocation. (#1094, @jianjuns)
- Work around race condition in github.com/containernetworking/plugins when determining the network namespace of the caller which was responsible for errors when configuring Pod networking at scale. (#1131, @tnqn)
- Fail the CNI ADD request if the OF port value returned by OVS is -1, which indicates an error during interface creation. (#1112, @tnqn)
- Resubmit traffic for which Antrea Proxy has performed DNAT to the correct table so that ClusterNetworkPolicies can be enforced correctly. (#1119, @weiqiangt @yktsubo)
- Update Windows OVS package so that the dependency on Microsoft Visual C++ can be resolved during installation. (#1099, @ruicao93) [Windows]
- Temporarily ignore sanity checks when issuing a Traceflow request from the Octant UI since the current version of Octant does not support reporting the errors to the user; instead the Traceflow CRD is created and its "Status" field can be used to troubleshoot. (#1097, @ZhangYW18)
- Revert all priority updates to policy flows if flow installation / modification fails on OVS. (#1095, @Dyanngg)
- Fix the Antrea manifest for EKS (antrea-eks.yml) published for each release. (#1090, @antoninbas)
Release v0.9.0
Added
- Add flow exporter feature. [Alpha - Feature Gate: FlowExporter]
- Support sending network flow records using the IPFIX protocol from each Agent (#825 #984, @srikartati)
- Add reference cookbook to visualize exported flows using Elastic Stack (#836, @zyiou)
- Support OVS hardware offload for Pod networking: Pods can now be assigned an SR-IOV Virtual Function. (#786, @moshe010)
- Add new CI job to validate the hardware offload functionality (@AbdYsn)
- Support Node MTU auto-discovery in the Antrea Agent; the user can still override this value in the Agent configuration if desired. (#909, @reachjainrahul)
- Enable Antrea support for the AKS managed K8s service, using CNI chaining and the "networkPolicyOnly" traffic mode. (#998, @reachjainrahul)
- Support for NetworkPolicy tiering (ClusterNetworkPolicy only). (#956 #986, @abhiraut @Dyanngg)
- The ClusterNetworkPolicy Feature Gate must now be enabled for the Agent (in addition to the Controller) to activate the feature
- The
- Support executing Traceflow requests with antctl. (#932, @lzhecheng)
- Support automatic rotation for the self-signed certificate generated by Antrea when no certificate is provided by the user. (#1024, @MatthewHinton56)
- Add new Agent Prometheus metrics for OVS flow operations. (#866, @yktsubo)
- Provide a DaemonSet to automatically restart Pods on new Nodes in EKS when Antrea becomes ready: this ensures that NetworkPolicies are enforced correctly for all Pods. (#1057, @reachjainrahul)
- Add scripts to run the Antrea Agent directly without using a Pod to manage the lifecycle of the process. (#1013, @ruicao93) [Windows]
Changed
- Restrict all traffic modes except for "encap" to use "Antrea Proxy" for Pod-to-Service traffic, as this greatly simplifies the datapath implementation. (#1015, @suwang48404)
- Improve Antrea Octant plugin. (#913, @ZhangYW18)
- Merge the two existing plugins (Agent / Controller Info, Traceflow) into a single plugin / binary
- Enhance Traceflow graph color theme
- Improve layout of the "Overview" page for the plugin: all CRDs are shown on the same page
- Update Octant plugin installation guide (#914, @mengdie-song)
- Use Ubuntu 20.04 (instead of Ubuntu 18.04) as the base distribution for the Antrea Docker image. (#1022, @antoninbas)
- Enable outer UDP checksum for Geneve and VXLAN tunnels to benefit from Generic Receive Offload (GRO) on the receiver's side. (#1049, @tnqn)
- Support Services as destinations for Traceflow. (#979, @gran-vmv)
- Provide additional printer columns in the Traceflow CRD definition, so that more information is included in the "kubectl get" output. (#958, @abhiraut)
- More comprehensive OpenAPI schema for Traceflow CRD validation. (#918, @abhiraut)
- Optimize OVS flow updates for NetworkPolicies when the Agent restarts, by using batching. (#844, @Dyanngg)
- Increase watch timeout for the Antrea apiserver to reduce reconnection frequency; reduce log verbosity when a legitimate reconnection happens. (#1055, @antoninbas)
- Update OVS pipeline documentation to account for the new tables used for ClusterNetworkPolicy and tiering support. (#921 #1073, @abhiraut)
Fixed
- Fix implementation of NodePort Service on Windows for traffic for which the destination Pod (Service backend) is on the same Node as the source Pod. (#948, @wenyingd) [Windows]
- Fix IPsec support, which was broken because of Python3 error in an upstream OVS script. (#1046, @lzhecheng)
- Support Pod-to-LoadBalancer Service traffic in "Antrea Proxy". (#943, @ruicao93)
- Support incoming LoadBalancer Service traffic on Windows, by relying on kube-proxy. (#943, @ruicao93) [Windows]
- Avoid OpenFlow bundle timeout issues when using Traceflow: if PacketIn messages are not consumed fast enough, all inbound messages from OVS are blocked, including bundle reply messages. (#951, @gran-vmv)
- Move host routes from the uplink interface to the OVS bridge during Agent initialization on Windows. (#959, @ruicao93) [Windows]
- Optimize handling of very large AddressGroups (introduced by NetworkPolicies which select a large number of Pods in to/from rules) in the Antrea Agent. (#1031, @tnqn)
- Modify "List" apiserver requests in the Agent to use "resourceVersion=0", which forces requests to be served from the cache (instead of etcd persistent storage) and removes performance issues when many agents are restarted simultaneously. (#1045, @wenyingd)
- Fix OVS deadlock caused by glibc bug, by upgrading base distribution to Ubuntu 20.04 in Antrea Docker image. (#1022, @antoninbas @alex-vmw)
- Set the "no-flood" configuration option on the uplink bridge port in Windows, so that ARP broadcast traffic is not sent out to the underlay network. (#922, @wenyingd) [Windows]
- Avoid inaccurate warnings in the logs about "POD_NAMESPACE" not set. (#925, @antoninbas)
- Fix format of tracing packets for Traceflow:
- Set protocol version to the correct value in the IP header (#946, @lzhecheng)
- Add correct L3/L4 checksum values (#967, @gran-vmv)
- Set destination MAC address correctly when the provided destination IP address matches a local Pod. (#981, @ZhangYW18)
- In "hybrid" traffic mode, reject Traceflow requests if the source and destination Nodes are not connected by a tunnel. (#944, @gran-vmv)
- Log human-readable messages when the ofnet library returns an error. (#1065, @wenyingd)
- Wait for the Antrea client in the Agent to be ready before starting watches to avoid error log messages. (#1042, @tnqn)
Release v0.8.2
Fixed
- Fix Agent logic in charge of sending Gratuitous ARP messages when networking is configured for a Pod: the previous code was not thread-safe and causing file descriptor leaks for concurrent CNI ADD requests. (#933, @tnqn)
- Clean up some internal state in the Agent's NetworkPolicy implementation when a rule is updated. (#929, @jianjuns)
Release v0.8.1
Do not use this release; use v0.8.2 instead.
Release v0.8.0
Added
- Add "Antrea Proxy" implementation to provide Pod-to-Service load-balancing (for ClusterIP Services) directly in the OVS pipeline. (#772, @weiqiangt) [Alpha - Feature Gate: AntreaProxy]
- This feature is enabled by default for Windows Nodes, as it is required for correct NetworkPolicy implementation for Pod-to-Service traffic
- Add ClusterNetworkPolicy CRD API, which enables cluster admins to define security policies which apply to the entire cluster (not just one Namespace). (#810 #872 #724, @abhiraut @Dyanngg) [Alpha - Feature Gate: ClusterNetworkPolicy]
- Add Traceflow CRD API, which supports generating tracing requests for traffic going through the Antrea-managed Pod network. (#660 #731, @gran-vmv @lzhecheng) [Alpha - Feature Gate: Traceflow]
- Add Traceflow Octant plugin: requests can be generated from the Web dashboard (by filling out a form) and responses are displayed in graph format. (#841, @ZhangYW18)
- Wrap klog so that one can specify a maximum number of log files to be kept for each verbosity level (using "--log_file_max_num"), while enforcing the size limit for each file (as specified with "--log_file_max_size"). (#879, @jianjuns @alex-vmw)
- Support executing Agent API requests which depend on OVS command-line utilities (e.g., ovs-ofctl, ovs-appctl) on Windows Nodes; this enables using the "antctl get ovsflows" and "antctl trace-packet" commands for Windows Nodes. (#794, @wenyingd)
- Support "antctl supportbundle" command for Windows Nodes. (#820, @weiqiangt)
- Add "--controller-only" flag to "antctl supportbundle" command to only collect information from the Controller, without the Agents. (#791, @weiqiangt)
- Add new Agent Prometheus metrics for NetworkPolicies:
- Additional documentation:
- Windows design document (#751, @wenyingd @ruicao93)
- information about "supportbundle" command in antctl documentation (#812, @antoninbas)
- Feature gates documentation (#892, @antoninbas)
Changed
- Change default tunnel type from VXLAN to Geneve. (#858 #903, @jianjuns @antoninbas @abhiraut)
- this may cause some disruption during upgrade, as inter-Node Pod communications between Nodes running Antrea pre-v0.8 and Nodes running Antrea post-v0.8 will be broken; edit the manifest if you want to stick to VXLAN
- Move Octant plugin to a new "plugins/" folder and make it its own Go module. (#838, @mengdie-song)
- Update antrea-cni to support CNI version 0.4.0. (#784, @moshe010)
- Change gateway and tunnel interface names to antrea-gw0 and antrea-tun0 respectively. (#854, @jianjuns)
- Make antrea-agent Pod tolerant of "NoExecute" taints to prevent unwanted evictions. (#815, @tnqn)
- Use "Feature Gates" to control enabling / disabling experimental features instead of introducing separate temporary configuration parameters. (#847, @tnqn)
- Upgrade K8s API version used by Antrea to 1.18. (#838, @mengdie-song)
- Create controller-ca ConfigMap in the same Namespace as the Controller Deployment, instead of hard-coding it to "kube-system". (#876, @jianjuns)
- Log error when "iptables-restore" command fails. (#839, @tnqn)
- Update OVS version to 2.13.1 on Windows because of some issues, notably with the connection tracking implementation. (#856, @ruicao93)
- Update behavior of "antctl supportbundle" command so that the Controller logs are not collected when a Node name or a Node filter is provided. (#857, @jianjuns)
Fixed
- Fix runtime crash in the Agent when processing NetworkPolicy rules for which a Protocol has been provided, but no Port. (#882, @wenyingd @abhiraut)
- Clean up stale OVS PID files to avoid failure loops in antrea-ovs startup. (#880, @jianjuns)
- When using CNI chaining in a cloud-managed service, ensure that the initContainer blocks until the "primary CNI"'s conf file is found. (#864, @reachjainrahul)
- Update version of go-iptables library to avoid deadlock when invoking iptables commands. (#873, @antoninbas)
- Improve robustness of the liveness probe for the antrea-ovs container. (#861, @tnqn)
Release v0.7.2
Fixed
- Fix handling of StatefulSet Pod rescheduling on the same Node: a fast rescheduling can cause unexpected ordering of CNI ADD and DELETE commands, which means Antrea cannot use the Pod Namespace+Name as the unique identifier for a Pod's network configuration. #827
- Fix IP address leak in IPAM caused by Antrea in-memory cache being out-of-sync with IPAM store. #828
- Increase timeout to 5 seconds when waiting for ovs-vswitchd to report the allocated of_port number. #830
- Fix CNI CHECK command implementation: the CNI server was always returning success even in case of failure. #821
- Update ofnet library version to avoid a goroutine leak. #813
- Exclude /healthz from authorization to avoid unnecessary calls to K8s API in readiness probes. #816
Release v0.7.1
Fixed
- Fix Agent logic in charge of sending Gratuitous ARP messages when networking is configured for a Pod; stale ARP cache entries may otherwise cause connectivity issues. #796
- Fix Agent crash when running in "networkPolicyOnly" mode, and in particular when running Antrea in EKS. #793, #795
- Replace usage of 'resubmit' with 'goto_table' action in new Windows-specific OVS flows. #759
Release v0.7.0
Added
- Support for worker Nodes running Windows Server 2019 or higher. [Alpha]
- Refer to Antrea Windows documentation for usage
- A known limitation is that K8s NetworkPolicies are not enforced correctly for Service traffic, due to our reliance on userspace kube-proxy; this will be addressed in a future release
- Support server certificate verification for Controller APIs; users can provide their own certificates (TLS certificate and corresponding CA certificate) or let the Controller generate them.
- Add ability to collect Antrea support bundles (all the relevant information useful for providing support for Antrea) using new "antctl supportbundle" command, along with corresponding Antrea API resources at the Controller and Agent.
- Support local packet tracing in a Node by leveraging 'ovs-appctl ofproto/trace'.
- Add Antrea API port to the AgentInfo and ControllerInfo CRDs.
- Additional documentation:
- user-facing documentation for antctl commands
- information about non-default "encapsulation" modes ("hybrid", "noEncap", "networkPolicyOnly") in architecture document
- design document for "networkPolicyOnly" mode (in particular, this mode is used for Antrea support in EKS)
Changed
- Bump up K8s libraries to v0.17.6.
- Replace usage of 'resubmit' with 'goto_table' action in OVS pipeline: pipeline functionality is unaffected.
- Only include necessary Antrea binaries in Docker image to reduce its size.
- Support getting kubeconfig path from KUBECONFIG env variable for antctl.
Fixed
- Fix implementation of K8s NetworkPolicies with overlapping ipBlock CIDRs; in particular, the issue manifested itself when there was overlap between a 'cidr' field in one rule and an 'except' field in another rule.
- Clean up stale NetworkPolicies in the Agent after a reconnection to the Controller; this ensures that the corresponding stale flows are removed from the OVS bridge.
- Fix usage of iptables-restore in Antrea Agent to support iptables >= 1.6.2.
- Fix return path for NodePort Service traffic in EKS: an additional iptables rule is required in the mangle table, to ensure a correct reverse path through eth0 for traffic load-balanced to a Pod attached to a secondary ENI.
- Register "antrea_agent_local_pod_count" metric, which was defined without being registered properly.