Antrea v2.2.0-alpha.2

The main purpose of this pre-release is to validate the updated workflow for building and publishing Antrea images. This release is not meant to be used in production.

Antrea v2.2.0-alpha.1

Release is not usable as image manifests were not published correctly.

The main purpose of this pre-release is to validate the updated workflow for building and publishing Antrea images. This release is not meant to be used in production.

Antrea v2.2.0-alpha.0

Release is not usable as image manifests were not published correctly.

The main purpose of this pre-release is to validate the updated workflow for building and publishing Antrea images. This release is not meant to be used in production.

Antrea v2.1.0

Added

• Add a new feature BGPPolicy that allows users to run a BGP process on selected Kubernetes Nodes and advertise Service IPs, Pod IPs, and Egress IPs to remote BGP peers.
  • Add BGPPolicy API and Controller. (#6009 #6203, @hongliangl)
  • Add BGP datapath interface and implement goBGP integration. (#6447, @hongliangl)
  • Add documentation for the BGPPolicy feature. (#6524, @hongliangl)
  • Refer to this document for more information about this feature.
• Add a new feature NodeLatencyMonitor that allows users to do east/west connectivity monitoring and provides an API to query inter-Node latency. (#6120 #6392 #6479, @IRONICBo)
• Add two new antctl commands to validate a K8s Cluster before Antrea installation, and allow users to validate basic network and security functionalities after Antrea is installed.
  • Add antctl check cluster command to to ensure that a K8s cluster is configured properly before Antrea installation. (#6278, @kanha-gupta)
  • Add antctl check installation command to conduct Pod/Service connectivity checks and verify basic NetworkPolicy rules. (#6133 #6313 #6367, @kanha-gupta)
  • Add documentation for the new antctl check commands. (#6373, @kanha-gupta)
  • Refer to this document for more information about these new commands.

Changed

• Ensure Antrea Proxy handles all Service traffic with proxyAll enabled, even when kube-proxy is present. (#6308, @hongliangl)
• Optimize the containerized OVS installation on Windows, manual installation of the OVS kernel driver is usually not required anymore. (#6383, @wenyingd)
• Add OVS driver installation in initContainer for Antrea Agent on Windows. (#6312, @XinShuYang)
• Use HostProcess container base image and buildx to build the Antrea Agent Windows image, Window Server 2019 and later are now supported with the same image, including Windows Server 2022. (#6325, @wenyingd)
• Support shared LoadBalancerIP for multiple Services by introducing a new annotation service.antrea.io/allow-shared-load-balancer-ip: true. (#6480, @tnqn)
• Promote feature CleanupStaleUDPSvcConntrack from Alpha to Beta. (#6372, @hongliangl)
• Always include Pod labels in FlowAggregator IPFIX template. (#6418, @antoninbas)
• Fix live config updates on IPFIXExporter for FlowAggregator. (#6385, @antoninbas)
• Improve handling of config changes in FlowAggregator to support updating recordContents.podLabels at runtime. (#6378, @antoninbas)
• Add an EndpointResolver to remove Antrea Agent's dependency on proxy to access Antrea Service. (#6361, @antoninbas)
• Replace bincover with built-in Go coverage profiling tool. (#6090, @shikharish)
• Trim unneeded fields stored in informers and Node objects to reduce memory footprint. (#6317 #6351, @tnqn)
• Remove stale multicast routes to improve the readability of multicast routes. (#3242, @ceclinux)
• Add srcPodIP field in Traceflow observations. (#6247, @Atish-iaf)
• Use Helm to generate Antrea Windows manifests. (#6360, @shikharish)
• Upgrade CNI plugins from v1.4.1 to v1.5.1. (#6475, @antoninbas)
• Add documentation for the sameLabels feature in Antrea ClusterNetworkPolicy. (#6280, @Dyanngg)
• Add recommended usage of FQDN policies. (#6389, @Dyanngg)

Fixed

• Fix NodePortLocal rules being deleted incorrectly due to PodIP recycle. (#6531, @tnqn)
• Fix "Access is denied" error when importing certificates into the trusted publishers store on Windows server 2022. (#6529, @wenyingd)
• Fix the Node network connection breaking when attaching a host interface to the secondary OVS bridge. (#6504, @wenyingd)
• Exclude terminated Pods from group members when calculating AppliedToGroups and EgressGroups to prevent NetworkPolicies or Egresses applying to wrong Pods. (#6508, @tnqn)
• Fix install_cni_chaining script not configuring CNI conf correctly with AKS or CNI chaining, when the CNI conf file is not ready. (#6506, @tnqn)
• Wait for OVS bridge datapath ID to be available after creating br-int to avoid failures when the Antrea Agent tries to query supported OVS datapath features. (#6472, @antoninbas)
• Fix a bug causing Antrea Proxy not to delete stale UDP conntrack entries for the virtual NodePort DNAT IP. (#6379, @hongliangl)
• Fix Antrea Agent crash when enabling proxyAll in networkPolicyOnly mode. (#6259, @hongliangl)
• Improve stale UDP conntrack entries deletion accuracy in Antrea Proxy. (#6193, @hongliangl)
• Remove unexpected altname after renaming interface to avoid failure when moving host interface to OVS bridge. (#6321, @gran-vmv)
• Avoid generating a zombie process when starting Suricata, the L7 ANP engine. (#6366, @hongliangl)
• Fix a single rule deletion bug for NodePortLocal on Linux and improve robustness of NPL rule cleanup. (#6284, @antoninbas)
• Delay removal of flow-restore-wait to fix traffic interruption issue when Antrea Agent restarts. (#6342, @antoninbas)
• Fix antctl mc deploy command usage to make the version parameter optional. (#6287, @roopeshsn)
• Fix inaccuracy in Traceflow user guide. (#6319, @antoninbas)

Antrea v2.1.0-beta.0

Note that this pre-release of v2.1.0 does not include BGPPolicy support, which will be a major feature in the final v2.1.0 release.

Antrea v2.0.1

Changed

• Update CNI binaries version to v1.4.1. (#6334, @antoninbas)
• Add documentation for the sameLabels feature in ACNP. (#6280, @Dyanngg)

Fixed

• Remove unexpected altname after renaming interface to avoid failure when moving host interface to OVS bridge. (#6321, @gran-vmv)
• Fix a single rule deletion bug for NodePortLocal on Linux and improve robustness of NPL rule cleanup. (#6284, @antoninbas)
• Fix a bug causing AntreaProxy not to delete stale UDP conntrack entries for the virtual NodePort DNAT IP. (#6379, @hongliangl)
• Improve stale UDP conntrack entries deletion accuracy in AntreaProxy. (#6193, @hongliangl)
• Fix antrea-agent crash when enabling proxyAll in networkPolicyOnly mode. (#6259, @hongliangl)
• Avoid generating defunct process when starting Suricata, the L7 ANP engine. (#6366, @hongliangl)
• Fix inaccuracy in Traceflow user guide. (#6319, @antoninbas)

Antrea v1.15.2

Fixed

• Remove unexpected altname after renaming interface to avoid failure when moving host interface to OVS bridge. (#6321, @gran-vmv)
• Do not try to update type of Secret in selfSignedCertProvider to avoid self-signed certificate update failure. (#6205, @tnqn)
• Install multicast related iptables rules only on IPv4 chains to fix the antrea-agent initialization failure occurring when the Multicast feature is enabled in dual-stack clusters. (#6123, @wenyingd)
• Fix a single rule deletion bug for NodePortLocal on Linux and improve robustness of NPL rule cleanup. (#6284, @antoninbas)
• Fix a bug causing AntreaProxy not to delete stale UDP conntrack entries for the virtual NodePort DNAT IP. (#6379, @hongliangl)
• Improve stale UDP conntrack entries deletion accuracy in AntreaProxy. (#6193, @hongliangl)
• Fix antrea-agent crash when enabling proxyAll in networkPolicyOnly mode. (#6259, @hongliangl)
• Fix a bug preventing local traffic from being identified in networkPolicyOnly mode. (#6251, @hongliangl)
• Avoid generating defunct process when starting Suricata, the L7 ANP engine. (#6366, @hongliangl)

Antrea v2.0.0

Some deprecated APIs have been removed in Antrea v2.0. Before upgrading, please read these guidelines carefully.

Added

• Support LoadBalancerIPMode in AntreaProxy to implement K8s KEP-1860. (#6102, @hongliangl)
• Add sameLabels field support for Antrea ClusterNetworkPolicy peer Namespace selection to allow users to create ACNPs that isolate Namespaces based on their label values. (#4537, @Dyanngg)
• Add multiple physical interfaces support for the secondary network bridge. (#5959, @aroradaman)
• Use a Node's primary NIC as the secondary OVS bridge physical interface. (#6108, @aroradaman)
• Add user documentation for Antrea native secondary network support. (#6015 #6042, @jianjuns @antoninbas)
• Add a new versioned API NetworkPolicyEvaluation and a new antctl sub-command for querying the effective policy rule applied to particular traffic. (#5740 #6112, @qiyueyao)

Changed

• Multiple deprecated APIs, fields and options have been removed from Antrea.
  • Remove deprecated v1alpha1 CRDs Tier, ClusterNetworkPolicy, NetworkPolicy, Traceflow and ExternalEntity. (#6162 #6177 #6238, @luolanzone @hjiajing @antoninbas)
  • Remove deprecated v1alpha2 and v1alpha3 CRDs ClusterGroups, ExternalIPPool, ClusterGroup and Group. (#6049 #6239, @luolanzone @antoninbas)
  • Remove deprecated ServiceAccount field in ClusterSet type for Antrea Multi-cluster. (#6134, @luolanzone)
  • Remove deprecated options enableIPSecTunnel,multicastInterfaces, multicluster.enable and legacyCRDMirroring. (#5158, @luolanzone)
  • Clean up unused code for NodePortLocal and remove the deprecated nplPortRange config. (#5943, @luolanzone)
  • Clean up deprecated APIServices. (#6002, @tnqn)
• Documentation has been updated to reflect recent changes and provide better guidance to users.
  • Add upgrade instructions for Antrea v2.0. (#6261, @antoninbas)
  • Update the OVS pipeline document and workflow diagram to keep them up to date. (#5412, @hongliangl)
  • Clarify documentation for IPPool and ExternalIPPool CRDs. (#6183, @antoninbas)
  • Document Pods using FQDN based policies must respect DNS TTL. (#6230, @tnqn)
  • Document the limitations of Audit Logging for policy rules. (#6225, @antoninbas)
• Optimizing Antrea binaries size.
  • Optimize package organization to reduce antctl binary size. (#6037, @tnqn)
  • Reduce antrea-cni binary size by removing unnecessary import packages. (#6038, @tnqn)
  • Strip all debug symbols from Go binaries by default. (#6035, @antoninbas)
  • Disable cgo for all Antrea binaries. (#5988, @antoninbas)
• Increase the minimum supported Kubernetes version to v1.19. (#6089, @hjiajing)
• Add OVS groups dump information to support bundle to help troubleshooting. (#6195, @shikharish)
• Add egressNodeName in flow records for Antrea Flow Aggregator. (#6012, @Atish-iaf)
• Add EgressNode field in the Traceflow Egress observation to include the name of the Egress Node. (#5949, @Atish-iaf)
• Upgrade IPPool CRD to v1beta1 and make the subnet definition consistent with the one in ExternalIPPool CRD. (#6036, @mengdie-song)
• Request basic memory for antrea-controller to improve its scheduling and reduce its OOM adjustment score, enhancing overall robustness. (#6233, @tnqn)
• Increase default rate limit of antrea-controller to improve performance for batch requests. (#6231, @tnqn)
• Remove Docker support for antrea-agent on Windows, update Windows documentation to remove all Docker-specific instructions, and all mentions of (userspace) kube-proxy. (#6019 #6255, @XinShuYang @antoninbas)
• Stop publishing the legacy unified image. (#6182, @antoninbas)
• Avoid unnecessary DNS queries for FQDN rule of NetworkPolicy in antrea-agent. (#6200, @tnqn)
• Stop using projects.registry.vmware.com for user-facing images. (#6073, @antoninbas)
• Fall back to lenient decoding when strict decoding config fails to tolerate unknown fields and duplicate fields, ensuring forward compatibility of configurations. (#6156, @tnqn)
• Skip loading openvswitch kernel module if it's already built-in. (#5979, @antoninbas)
• Persist TLS certificate and key of antrea-controller and sync the CA cert periodically to improve robustness. (#5955 #6205, @tnqn)
• Add more validations for ExternalIPPool CRD to improve robustness. (#5898, @aroradaman)
• Add Antrea L7 NetworkPolicy logs for allowed HTTP traffic. (#6014, @qiyueyao)
• Update maximum number of buckets to 700 in OVS group add/insert_bucket message. (#5942, @hongliangl)
• Add a flag for antctl to print OVS table names when users run antctl get ovsflows --table-names-only. (#5895 #6100, @luolanzone)
• Improve log message when antrea-agent fails to join a new Node. (#6048, @roopeshsn)
• Remove the prefix rancher-wins when collecting antrea-agent logs on Windows. (#6223, @wenyingd)
• Upgrade K8s libraries to v0.29.2. (#5843, @hjiajing)
• Upgrade base image from UBI8 to UBI9 for Antrea UBI images. (#5737, @xliuxu)

Fixed

• Fix nil pointer dereference when ClusterGroup/Group is used in NetworkPolicy controller. (#6077, @tnqn)
• Disable libcapng to make logrotate run as root in UBI images to fix an OVS crash issue. (#6052, @xliuxu)
• Fix a race condition in antrea-agent Traceflow controller when a tag is associated again with a new Traceflow before the old Traceflow deletion event is processed. (#5954, @tnqn)
• Change the maximum flags from 7 to 255 to fix the wrong TCP flags validation issue in Traceflow CRD. (#6050, @gran-vmv)
• Use 65000 MTU upper bound for interfaces in encap mode to account for the MTU automatically configured by OVS on tunnel ports, and avoid packet drops on some clusters. (#5997, @antoninbas)
• Install multicast related iptables rules only on IPv4 chains to fix the antrea-agent initialization failure occurred when the Multicast feature is enabled in dual-stack clusters. (#6123, @wenyingd)
• Remove incorrect AntreaProxy warning on Windows when proxyAll is disabled. (#6242, @antoninbas)
• Explicitly set kubelet's log files in Prepare-Node.ps1 on Windows, to ensure that they are included in support bundle collections. (#6221, @wenyingd)
• Add validation on antrea-agent options to fail immediately when encryption is requested and the Multicast feature enabled. (#5920, @wenyingd)
• Don't print the incorrect warning message when users run antrea-controller --version outside of K8s. (#5993, @prakrit55)
• Record event when EgressIP is uninstalled from a Node and remains unassigned. (#6011, @jainpulkit22)
• Fix a bug that the local traffic cannot be identified on networkPolicyOnly mode. (#6251, @HongLia...

Antrea v1.13.4

Added

• Enable Windows OVS container to run on pristine host environment, without requiring some dependencies to be installed manually ahead of time. (#5440, @NamanAg30)

Changed

• Stop using projects.registry.vmware.com for user-facing images. (#6073, @antoninbas)
• Persist TLS certificate and key of antrea-controller and periodically sync the CA cert to improve robustness. (#5955, @tnqn)
• Disable cgo for all Antrea binaries. (#5988, @antoninbas)

Fixed

• Disable libcapng to make logrotate run as root in UBI images to fix an OVS crash issue. (#6052, @xliuxu)
• Fix nil pointer dereference when ClusterGroup/Group is used in NetworkPolicy controller. (#6077, @tnqn)
• Fix race condition in agent Traceflow controller when a tag is associated again with a new Traceflow before the old Traceflow deletion event is processed. (#5954, @tnqn)
• Change the maximum flags from 7 to 255 to fix the wrong TCP flags validation issue in Traceflow CRD. (#6050, @gran-vmv)
• Fix incorrect MTU configurations for the WireGuard encryption mode and GRE tunnel mode. (#5880 #5926, @hjiajing @tnqn)
• Use 65000 MTU upper bound for interfaces in encap mode in case of large packets being dropped unexpectedly. (#5997, @antoninbas)
• Install Multicast related iptables rules only on IPv4 chains to fix the Antrea agent initialization failure occurred when Multicast feature is enabled in dual-stack clusters. (#6123, @wenyingd)

Antrea v1.14.3

Changed

• Stop using projects.registry.vmware.com for user-facing images. (#6073, @antoninbas)
• Persist TLS certificate and key of antrea-controller and periodically sync the CA cert to improve robustness. (#5955, @tnqn)
• Disable cgo for all Antrea binaries. (#5988, @antoninbas)

Fixed

• Disable libcapng to make logrotate run as root in UBI images to fix an OVS crash issue. (#6052, @xliuxu)
• Fix nil pointer dereference when ClusterGroup/Group is used in NetworkPolicy controller. (#6077, @tnqn)
• Fix race condition in agent Traceflow controller when a tag is associated again with a new Traceflow before the old Traceflow deletion event is processed. (#5954, @tnqn)
• Change the maximum flags from 7 to 255 to fix the wrong TCP flags validation issue in Traceflow CRD. (#6050, @gran-vmv)
• Update maximum number of buckets to 700 in OVS group add/insert_bucket message. (#5942, @hongliangl)
• Use 65000 MTU upper bound for interfaces in encap mode in case of large packets being dropped unexpectedly. (#5997, @antoninbas)