Add an agent config parameter for enabling flexible IPAM (bridging mode)

In the current implementation, enabling the AntreaIPAM feature gate will
enable both AntreaIPAM which allocates IPs from IPPools, and Node side
datapath configurations to support traffic forwarding of AntreaIPAM Pods
whose IPs are allocated from IPPools by AntreaIPAM.
This commit adds a separate config parameter - enableBridgingMode - to
Antrea Agent, to enable/disable support for AntreaIPAM Pods on a Node.
Only when enableBridgingMode is set to true, Antrea Agent connects the
uplink interface to the OVS bridge, requests IP allocation from
AntreaIPAM and implements traffic forwarding for AntreaIPAM (bridging
mode) Pods. This change is also needed to extend AntreaIPAM for other
IPAM use cases, in addition to IPAM for bridging mode Pods.

Signed-off-by: Jianjun Shen <shenj@vmware.com>

build/yamls/antrea-aks.yml

@@ -4030,8 +4030,9 @@ data:
     # Enable controlling SNAT IPs of Pod egress traffic.
     #  Egress: false
 
-    # Enable flexible IPAM mode for Antrea. This mode allows to assign IP Ranges to Namespaces,
-    # Deployments and StatefulSets via IP Pool annotation.
+    # Enable AntreaIPAM. AntreaIPAM is required by the bridging mode, and can assign IPs to bridging
+    # mode Pods from the IPPools configured for Namespaces, Deployments, StatefulSets, or individual
+    # Pods.
     #  AntreaIPAM: false
 
     # Enable multicast traffic. This feature is supported only with noEncap mode.
@@ -4097,6 +4098,15 @@ data:
     # - wireGuard:       Enable WireGuard for tunnel traffic encryption.
     #trafficEncryptionMode: none
 
+    # Eanble bridging mode of Pod network on Nodes, in which the Node's transport interface is connected
+    # to the OVS bridge, and cross-Node/VLAN traffic from AntreaIPAM Pods (Pods whose IP addresses are
+    # allocated by AntreaIPAM from IPPools) is sent to the underlay network via the uplink, and
+    # forwarded/routed by the underlay network.
+    # This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only
+    # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`,
+    # `trafficEncapMode` is `noEncap`, and `noSNAT` is true.
+    #enableBridgingMode: false
+
     # Default MTU to use for the host gateway interface and the network interface of each Pod.
     # If omitted, antrea-agent will discover the MTU of the Node's primary interface and
     # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
@@ -4338,7 +4348,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-7gm92g46hf
+  name: antrea-config-hk6k974fhm
   namespace: kube-system
 ---
 apiVersion: v1
@@ -4409,7 +4419,7 @@ spec:
             fieldRef:
               fieldPath: spec.serviceAccountName
         - name: ANTREA_CONFIG_MAP_NAME
-          value: antrea-config-7gm92g46hf
+          value: antrea-config-hk6k974fhm
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -4460,7 +4470,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-7gm92g46hf
+          name: antrea-config-hk6k974fhm
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4741,7 +4751,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-7gm92g46hf
+          name: antrea-config-hk6k974fhm
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-eks.yml

@@ -4030,8 +4030,9 @@ data:
     # Enable controlling SNAT IPs of Pod egress traffic.
     #  Egress: false
 
-    # Enable flexible IPAM mode for Antrea. This mode allows to assign IP Ranges to Namespaces,
-    # Deployments and StatefulSets via IP Pool annotation.
+    # Enable AntreaIPAM. AntreaIPAM is required by the bridging mode, and can assign IPs to bridging
+    # mode Pods from the IPPools configured for Namespaces, Deployments, StatefulSets, or individual
+    # Pods.
     #  AntreaIPAM: false
 
     # Enable multicast traffic. This feature is supported only with noEncap mode.
@@ -4097,6 +4098,15 @@ data:
     # - wireGuard:       Enable WireGuard for tunnel traffic encryption.
     #trafficEncryptionMode: none
 
+    # Eanble bridging mode of Pod network on Nodes, in which the Node's transport interface is connected
+    # to the OVS bridge, and cross-Node/VLAN traffic from AntreaIPAM Pods (Pods whose IP addresses are
+    # allocated by AntreaIPAM from IPPools) is sent to the underlay network via the uplink, and
+    # forwarded/routed by the underlay network.
+    # This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only
+    # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`,
+    # `trafficEncapMode` is `noEncap`, and `noSNAT` is true.
+    #enableBridgingMode: false
+
     # Default MTU to use for the host gateway interface and the network interface of each Pod.
     # If omitted, antrea-agent will discover the MTU of the Node's primary interface and
     # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
@@ -4338,7 +4348,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-7gm92g46hf
+  name: antrea-config-hk6k974fhm
   namespace: kube-system
 ---
 apiVersion: v1
@@ -4409,7 +4419,7 @@ spec:
             fieldRef:
               fieldPath: spec.serviceAccountName
         - name: ANTREA_CONFIG_MAP_NAME
-          value: antrea-config-7gm92g46hf
+          value: antrea-config-hk6k974fhm
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -4460,7 +4470,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-7gm92g46hf
+          name: antrea-config-hk6k974fhm
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4743,7 +4753,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-7gm92g46hf
+          name: antrea-config-hk6k974fhm
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-gke.yml

@@ -4030,8 +4030,9 @@ data:
     # Enable controlling SNAT IPs of Pod egress traffic.
     #  Egress: false
 
-    # Enable flexible IPAM mode for Antrea. This mode allows to assign IP Ranges to Namespaces,
-    # Deployments and StatefulSets via IP Pool annotation.
+    # Enable AntreaIPAM. AntreaIPAM is required by the bridging mode, and can assign IPs to bridging
+    # mode Pods from the IPPools configured for Namespaces, Deployments, StatefulSets, or individual
+    # Pods.
     #  AntreaIPAM: false
 
     # Enable multicast traffic. This feature is supported only with noEncap mode.
@@ -4097,6 +4098,15 @@ data:
     # - wireGuard:       Enable WireGuard for tunnel traffic encryption.
     #trafficEncryptionMode: none
 
+    # Eanble bridging mode of Pod network on Nodes, in which the Node's transport interface is connected
+    # to the OVS bridge, and cross-Node/VLAN traffic from AntreaIPAM Pods (Pods whose IP addresses are
+    # allocated by AntreaIPAM from IPPools) is sent to the underlay network via the uplink, and
+    # forwarded/routed by the underlay network.
+    # This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only
+    # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`,
+    # `trafficEncapMode` is `noEncap`, and `noSNAT` is true.
+    #enableBridgingMode: false
+
     # Default MTU to use for the host gateway interface and the network interface of each Pod.
     # If omitted, antrea-agent will discover the MTU of the Node's primary interface and
     # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
@@ -4338,7 +4348,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-hcg89gk472
+  name: antrea-config-2m5bccmf4m
   namespace: kube-system
 ---
 apiVersion: v1
@@ -4409,7 +4419,7 @@ spec:
             fieldRef:
               fieldPath: spec.serviceAccountName
         - name: ANTREA_CONFIG_MAP_NAME
-          value: antrea-config-hcg89gk472
+          value: antrea-config-2m5bccmf4m
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -4460,7 +4470,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-hcg89gk472
+          name: antrea-config-2m5bccmf4m
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4744,7 +4754,7 @@ spec:
           path: /home/kubernetes/bin
         name: host-cni-bin
       - configMap:
-          name: antrea-config-hcg89gk472
+          name: antrea-config-2m5bccmf4m
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-ipsec.yml

@@ -4030,8 +4030,9 @@ data:
     # Enable controlling SNAT IPs of Pod egress traffic.
     #  Egress: false
 
-    # Enable flexible IPAM mode for Antrea. This mode allows to assign IP Ranges to Namespaces,
-    # Deployments and StatefulSets via IP Pool annotation.
+    # Enable AntreaIPAM. AntreaIPAM is required by the bridging mode, and can assign IPs to bridging
+    # mode Pods from the IPPools configured for Namespaces, Deployments, StatefulSets, or individual
+    # Pods.
     #  AntreaIPAM: false
 
     # Enable multicast traffic. This feature is supported only with noEncap mode.
@@ -4097,6 +4098,15 @@ data:
     # - wireGuard:       Enable WireGuard for tunnel traffic encryption.
     trafficEncryptionMode: ipsec
 
+    # Eanble bridging mode of Pod network on Nodes, in which the Node's transport interface is connected
+    # to the OVS bridge, and cross-Node/VLAN traffic from AntreaIPAM Pods (Pods whose IP addresses are
+    # allocated by AntreaIPAM from IPPools) is sent to the underlay network via the uplink, and
+    # forwarded/routed by the underlay network.
+    # This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only
+    # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`,
+    # `trafficEncapMode` is `noEncap`, and `noSNAT` is true.
+    #enableBridgingMode: false
+
     # Default MTU to use for the host gateway interface and the network interface of each Pod.
     # If omitted, antrea-agent will discover the MTU of the Node's primary interface and
     # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
@@ -4343,7 +4353,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-h7767t7cfh
+  name: antrea-config-8fbkbg6md2
   namespace: kube-system
 ---
 apiVersion: v1
@@ -4423,7 +4433,7 @@ spec:
             fieldRef:
               fieldPath: spec.serviceAccountName
         - name: ANTREA_CONFIG_MAP_NAME
-          value: antrea-config-h7767t7cfh
+          value: antrea-config-8fbkbg6md2
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -4474,7 +4484,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-h7767t7cfh
+          name: antrea-config-8fbkbg6md2
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4790,7 +4800,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-h7767t7cfh
+          name: antrea-config-8fbkbg6md2
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea-kind.yml

@@ -4030,8 +4030,9 @@ data:
     # Enable controlling SNAT IPs of Pod egress traffic.
     #  Egress: false
 
-    # Enable flexible IPAM mode for Antrea. This mode allows to assign IP Ranges to Namespaces,
-    # Deployments and StatefulSets via IP Pool annotation.
+    # Enable AntreaIPAM. AntreaIPAM is required by the bridging mode, and can assign IPs to bridging
+    # mode Pods from the IPPools configured for Namespaces, Deployments, StatefulSets, or individual
+    # Pods.
     #  AntreaIPAM: false
 
     # Enable multicast traffic. This feature is supported only with noEncap mode.
@@ -4097,6 +4098,15 @@ data:
     # - wireGuard:       Enable WireGuard for tunnel traffic encryption.
     #trafficEncryptionMode: none
 
+    # Eanble bridging mode of Pod network on Nodes, in which the Node's transport interface is connected
+    # to the OVS bridge, and cross-Node/VLAN traffic from AntreaIPAM Pods (Pods whose IP addresses are
+    # allocated by AntreaIPAM from IPPools) is sent to the underlay network via the uplink, and
+    # forwarded/routed by the underlay network.
+    # This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only
+    # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`,
+    # `trafficEncapMode` is `noEncap`, and `noSNAT` is true.
+    #enableBridgingMode: false
+
     # Default MTU to use for the host gateway interface and the network interface of each Pod.
     # If omitted, antrea-agent will discover the MTU of the Node's primary interface and
     # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
@@ -4343,7 +4353,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-kkmb8ft29d
+  name: antrea-config-9dbd7466c6
   namespace: kube-system
 ---
 apiVersion: v1
@@ -4414,7 +4424,7 @@ spec:
             fieldRef:
               fieldPath: spec.serviceAccountName
         - name: ANTREA_CONFIG_MAP_NAME
-          value: antrea-config-kkmb8ft29d
+          value: antrea-config-9dbd7466c6
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -4465,7 +4475,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-kkmb8ft29d
+          name: antrea-config-9dbd7466c6
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4742,7 +4752,7 @@ spec:
           type: CharDevice
         name: dev-tun
       - configMap:
-          name: antrea-config-kkmb8ft29d
+          name: antrea-config-9dbd7466c6
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d

build/yamls/antrea.yml

@@ -4030,8 +4030,9 @@ data:
     # Enable controlling SNAT IPs of Pod egress traffic.
     #  Egress: false
 
-    # Enable flexible IPAM mode for Antrea. This mode allows to assign IP Ranges to Namespaces,
-    # Deployments and StatefulSets via IP Pool annotation.
+    # Enable AntreaIPAM. AntreaIPAM is required by the bridging mode, and can assign IPs to bridging
+    # mode Pods from the IPPools configured for Namespaces, Deployments, StatefulSets, or individual
+    # Pods.
     #  AntreaIPAM: false
 
     # Enable multicast traffic. This feature is supported only with noEncap mode.
@@ -4097,6 +4098,15 @@ data:
     # - wireGuard:       Enable WireGuard for tunnel traffic encryption.
     #trafficEncryptionMode: none
 
+    # Eanble bridging mode of Pod network on Nodes, in which the Node's transport interface is connected
+    # to the OVS bridge, and cross-Node/VLAN traffic from AntreaIPAM Pods (Pods whose IP addresses are
+    # allocated by AntreaIPAM from IPPools) is sent to the underlay network via the uplink, and
+    # forwarded/routed by the underlay network.
+    # This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only
+    # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`,
+    # `trafficEncapMode` is `noEncap`, and `noSNAT` is true.
+    #enableBridgingMode: false
+
     # Default MTU to use for the host gateway interface and the network interface of each Pod.
     # If omitted, antrea-agent will discover the MTU of the Node's primary interface and
     # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable).
@@ -4343,7 +4353,7 @@ metadata:
   annotations: {}
   labels:
     app: antrea
-  name: antrea-config-k7tg4t4t8h
+  name: antrea-config-kh8tf5k4t6
   namespace: kube-system
 ---
 apiVersion: v1
@@ -4414,7 +4424,7 @@ spec:
             fieldRef:
               fieldPath: spec.serviceAccountName
         - name: ANTREA_CONFIG_MAP_NAME
-          value: antrea-config-k7tg4t4t8h
+          value: antrea-config-kh8tf5k4t6
         image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -4465,7 +4475,7 @@ spec:
         key: node-role.kubernetes.io/master
       volumes:
       - configMap:
-          name: antrea-config-k7tg4t4t8h
+          name: antrea-config-kh8tf5k4t6
         name: antrea-config
       - name: antrea-controller-tls
         secret:
@@ -4746,7 +4756,7 @@ spec:
         operator: Exists
       volumes:
       - configMap:
-          name: antrea-config-k7tg4t4t8h
+          name: antrea-config-kh8tf5k4t6
         name: antrea-config
       - hostPath:
           path: /etc/cni/net.d