Releases: antrea-io/antrea

Release v1.7.0

15 Jun 16:57

Added

  • Add TrafficControl feature to control the transmission of Pod traffic; it allows users to mirror or redirect traffic originating from specific Pods or destined for specific Pods to a local network device or a remote destination via a tunnel of various types. (#3644 #3580 #3487, [@tnqn] [@hongliangl] [@wenqiq])
    • Refer to this document for more information about this feature.
    • Refer to this cookbook for more information about using this feature to provide network-based intrusion detection service to your Pods.
  • Add support for the IPsec Certificate-based Authentication. (#3778, [@xliuxu])
    • Add an Antrea Agent configuration option ipsec.authenticationMode to specify authentication mode. Supported options are "psk" (default) and "cert".
    • Add an Antrea Controller configuration option ipsecCSRSigner.autoApprove to specify the auto-approve policy of Antrea CSR signer for IPsec certificates management. By default, Antrea will auto-approve the CertificateSigningRequest (CSR) if it is verified.
    • Add an Antrea Controller configuration option ipsecCSRSigner.selfSignedCA to specify whether to use auto-generated self-signed CA certificate. By default, Antrea will auto-generate a self-signed CA certificate.
  • Add the following capabilities to Antrea-native policies:
    • Add support for matching ICMP traffic. (#3472, [@GraysonWu])
    • Add support for matching multicast and IGMP traffic. (#3660, [@liu4480])
    • Add support for rule-level statistics for multicast and IGMP traffic. (#3449, [@ceclinux])
  • Add the following capabilities to the Multicast feature:
    • Add antctl get podmulticaststats command to query Pod-level multicast traffic statistics in Agent mode. (#3449, [@ceclinux])
    • Add "MulticastGroup" API to query Pods that have joined multicast groups; kubectl get multicastgroups can generate requests and output responses of the API. (#3354 #3449, [@ceclinux])
    • Add an Antrea Agent configuration option multicast.igmpQueryInterval to specify the interval at which the antrea-agent sends IGMP queries to Pods. (#3819, [@liu4480])
  • Add the following capabilities to the Multi-cluster feature:
    • Add the Multi-cluster Gateway functionality which supports routing Multi-cluster Service traffic across clusters through tunnels between the Gateway Nodes. It enables Multi-cluster Service access across clusters, without requiring direct reachability of Pod IPs between clusters. (#3689 #3463 #3603, [@luolanzone])
    • Add a number of antctl mc subcommands for bootstrapping Multi-cluster; refer to the Multi-cluster antctl document for more information. (#3474, [@hjiajing])
  • Add the following capabilities to secondary network IPAM:
  • Add support for NodePortLocal on Windows. (#3453, [@XinShuYang])
  • Add support for Traceflow on Windows. (#3022, [@gran-vmv])
  • Add support for containerd to antrea-eks-node-init.yml. (#3840, [@antoninbas])
  • Add an Antrea Agent configuration option disableTXChecksumOffload to support cases in which the datapath's TX checksum offloading does not work properly. (#3832, [@tnqn])
  • Add support for InternalTrafficPolicy in AntreaProxy. (#2792, [@hongliangl])
  • Add the following documentation:

Changed

  • Optimize generic traffic performance by reducing OVS packet recirculation. (#3858, [@tnqn])
  • Optimize NodePort traffic performance by reducing OVS packet recirculation. (#3862, [@hongliangl])
  • Improve validation for IPPool CRD. (#3570, [@jianjuns])
  • Improve validation for egress.to.namespaces.match of AntreaClusterNetworkPolicy rules. (#3727, [@qiyueyao])
  • Deprecate the Antrea Agent configuration option multicastInterfaces in favor of multicast.multicastInterfaces. (#3898, [@tnqn])
  • Reduce permissions of Antrea Agent ServiceAccount. (#3691, [@xliuxu])
  • Create a Secret in the Antrea manifest for the antctl and antrea-agent ServiceAccount as K8s v1.24 no longer creates a token for each ServiceAccount automatically. (#3730, [@antoninbas])
  • Implement garbage collector for IP Pools to clean up allocations and reservations for which owner no longer exists. (#3672, [@annakhm])
  • Preserve client IP if the selected Endpoint is local regardless of ExternalTrafficPolicy. (#3604, [@hongliangl])
  • Add a Helm chart for Antrea and use the Helm templates to generate the standard Antrea YAML manifests. (#3578, [@antoninbas])
  • Make "Agent mode" antctl work out-of-the-box on Windows. (#3645, [@antoninbas])
  • Truncate SessionAffinity timeout values of Services instead of wrapping around. (#3609, [@antoninbas])
  • Move Antrea Windows log dir from C:\k\antrea\logs\ to C:\var\log\antrea\. (#3416, [@GraysonWu])
  • Limit max number of data values displayed on Grafana panels. (#3812, [@heanlan])
  • Support deploying ClickHouse with Persistent Volume. (#3608, [@yanjunz97])
  • Remove support for ELK Flow Collector. (#3738, [@heanlan])
  • Improve documentation for Antrea-native policies. (#3512, [@Dyanngg])
  • Update OVS version to 2.17.0. (#3591, [@antoninbas])

Fixed

  • Fix Egress not working with kube-proxy IPVS strictARP mode. (#3837, [@xliuxu])
  • Fix intra-Node Pod traffic bypassing Ingress NetworkPolicies in some scenarios. (#3809, [@hongliangl])
  • Fix FQDN policy support for IPv6. (#3869, [@tnqn])
  • Fix multicast not working if the AntreaPolicy feature is disabled. (#3807, [@liu4480])
  • Fix tolerations for Pods running on control-plane for Kubernetes >= 1.24. (#3731, [@xliuxu])
  • Fix DNS resolution error of antrea-agent on AKS by using ClusterFirst dnsPolicy. (#3701, [@tnqn])
  • Clean up stale routes installed by AntreaProxy when ProxyAll is disabled. (#3465, [@hongliangl])
  • Ensure that Service traffic does not bypass NetworkPolicies when ProxyAll is enabled on Windows. (#3510, [@hongliangl])
  • Use IP and MAC to find virtual management adapter to fix Agent crash in some scenarios on Windows. (#3641, [@wenyingd])
  • Fix handling of the "reject" packets generated by the Antrea Agent to avoid infinite looping. (#3569, [@GraysonWu])
  • Fix export/import of Serv...

Release v1.5.3

13 May 15:02
d331eb2

Fixed

  • Fix export/import of Services with named ports when using the Antrea Multi-cluster feature. (#3561, @luolanzone)
  • Fix handling of the "reject" packets generated by the Antrea Agent to avoid infinite looping. (#3569, @GraysonWu)
  • Fix DNS resolution error of Antrea Agent on AKS by using ClusterFirst dnsPolicy. (#3701, @tnqn)
  • Fix tolerations for Pods running on control-plane for Kubernetes >= 1.24. (#3731, @xliuxu)
  • Reduce permissions of Antrea Agent ServiceAccount. (#3691, @xliuxu)

Release v1.6.1

12 May 09:07

Added

Fixed

  • Clean up stale routes installed by AntreaProxy when ProxyAll is disabled. (#3465, @hongliangl)
  • Fix export/import of Services with named ports when using the Antrea Multi-cluster feature. (#3561, @luolanzone)
  • Fix handling of the "reject" packets generated by the Antrea Agent to avoid infinite looping. (#3569, @GraysonWu)
  • Fix DNS resolution error of Antrea Agent on AKS by using ClusterFirst dnsPolicy. (#3701, @tnqn)
  • Fix tolerations for Pods running on control-plane for Kubernetes >= 1.24. (#3731, @xliuxu)
  • Reduce permissions of Antrea Agent ServiceAccount. (#3691, @xliuxu)
  • [Windows] Ensure that Service traffic does not bypass NetworkPolicies when ProxyAll is enabled. (#3510, @hongliangl)
  • Fix Antrea wildcard FQDN NetworkPolicies not working when NodeLocal DNSCache is enabled. (#3510, @hongliangl)

Release v1.2.4

02 May 06:24

Changed

  • Use iptables-wrapper in Antrea container. Now antrea-agent can work with distros that lack the iptables kernel module of "legacy" mode (ip_tables). (#3276, @antoninbas)
  • Reduce permissions of Antrea ServiceAccount for updating annotations. (#3393, @tnqn)
  • [Windows] Use uplink MAC as source MAC when transmitting packets to underlay network from Windows Nodes. Therefore, MAC address spoofing configuration like "Forged transmits" in VMware vSphere doesn't need to be enabled. (#3516, @wenyingd)

Fixed

  • Fix DNS resolution error of antrea-agent on AKS by using ClusterFirst dnsPolicy. (#3701, @tnqn)
  • Fix status report of Antrea-native policies with multiple rules that have different AppliedTo. (#3074, @tnqn)
  • Upgrade Go version to 1.17 to pick up security fix for CVE-2021-44716. (#3189, @antoninbas)
  • Fix NetworkPolicy resources dump for Agent's supportbundle. (#3083, @antoninbas)
  • Fix gateway interface MTU configuration error on Windows. (#3043, @lzhecheng) [Windows]
  • Fix initialization error of antrea-agent on Windows by specifying hostname explicitly in VMSwitch commands. (#3169, @XinShuYang) [Windows]
  • Ensure that the Windows Node name obtained from the environment or from hostname is converted to lower-case. (#2672, @shettyg) [Windows]
  • Fix typos in the example YAML in antrea-network-policy doc. (#3079 #3092, @antoninbas @Jexf)
  • Fix ipBlock referenced in nested ClusterGroup not being processed correctly. (#3383, @Dyanngg)
  • Fix NetworkPolicy possibly not being enforced correctly after restarting a Node. (#3467, @tnqn)
  • Fix antrea-agent crash caused by interface detection in AKS/EKS with NetworkPolicyOnly mode. (#3219, @wenyingd)
  • Fix locally generated packets from the Node net namespace possibly being SNATed by mistake when Egress is enabled. (#3430, @tnqn)

Release v1.6.0

29 Mar 16:43
  • The Egress feature is graduated from Alpha to Beta and is therefore enabled by default.
  • The support for proxying all Service traffic by Antrea Proxy (enabled by antreaProxy.proxyAll) is now Beta.

Added

  • Add the following capabilities to the [Antrea IPAM] feature:
    • Support pre-allocating continuous IPs for StatefulSet. (#3281, [@annakhm])
    • Support specifying VLAN for IPPool. Traffic from Pods whose IPPools are configured with a VLAN ID will be tagged when leaving the Node uplink. (#3247, [@gran-vmv])
  • Add the following capabilities to the [Antrea Multi-cluster] feature:
  • Add the following capabilities to the [AntreaPolicy] feature:
    • Add Node selector in Antrea-native policies to allow matching traffic originating from specific Nodes or destined to specific Nodes. (#3038, [@wenqiq])
    • Add ServiceAccount selector in Antrea-native policies to allow selecting Pods by ServiceAccount. (#3044, [@GraysonWu])
    • Support Pagination for ClusterGroupMembership API. (#3183, [@qiyueyao])
    • Add Port Number to Audit Logging. (#3277, [@qiyueyao])
  • [Flow Visibility] Add Grafana Flow Collector as the new visualization tool for flow records.
  • [Multicast] Support IGMPv3 leave action. (#3389, [@wenyingd])
  • [Windows] Add support for EndpointSlices on Windows Nodes. (#3321, [@XinShuYang])
  • Add SKIP_CNI_BINARIES environment variable to support skipping the installation of specified CNI plugins. (#3454, [@jainpulkit22])
  • Support UBI8-based container image to run Antrea. (#3273, [@ksamoray])
  • Add the following documentation:

Changed

  • Remove all legacy (*.antrea.tanzu.vmware.com) APIs. (#3299, [@antoninbas])
  • Remove Kind-specific manifest and scripts. Antrea now uses OVS kernel datapath for Kind clusters. (#3413, [@antoninbas])
  • [Windows] Use uplink MAC as source MAC when transmitting packets to underlay network from Windows Nodes. Therefore, MAC address spoofing configuration like "Forged transmits" in VMware vSphere doesn't need to be enabled. (#3516, [@wenyingd])
  • Add an agent config parameter "enableBridgingMode" for enabling flexible IPAM (bridging mode). (#3297 #3365, [@jianjuns])
  • Use iptables-wrapper in Antrea container to support distros that run iptables in "nft" mode. (#3276, [@antoninbas])
  • Install CNI configuration files after installing CNI binaries to support container runtime cri-o. (#3154, [@tnqn])
  • Upgrade packaged Whereabouts version to v0.5.1. (#3511, [@antoninbas])
  • Upgrade to go-ipfix v0.5.12. (#3352, [@yanjunz97])
  • Upgrade Kustomize from v3.8.8 to v4.4.1 to fix Cronjob patching bugs. (#3402, [@yanjunz97])
  • Fail in Agent initialization if GRE tunnel type is used with IPv6. (#3156, [@antoninbas])
  • Refactor the OpenFlow pipeline for future extensibility. (#3058, [@hongliangl])
  • Validate IP ranges of IPPool for Antrea IPAM. (#2995, [@ksamoray])
  • Validate protocol in the CRD schema of Antrea-native policies. (#3342, [@KMAnju-2021])
  • Validate labels in the CRD schema of Antrea-native policies and ClusterGroup. (#3331, [@GraysonWu])
  • Reduce permissions of Antrea ServiceAccounts. (#3393, [@tnqn])
  • Remove --k8s-1.15 flag from hack/generate-manifest.sh. (#3350, [@antoninbas])
  • Remove unnecessary CRDs and RBAC rules from Multi-cluster manifest. (#3491, [@luolanzone])
  • Update label and image repo of antrea-mc-controller to be consistent with antrea-controller and antrea-agent. (#3266 #3466, [@luolanzone])
  • Add clusterID annotation to ServiceExport/Import resources. (#3359, [@luolanzone])
  • Do not log error when Service for Endpoints is not found to avoid log spam. (#3256, [@tnqn])
  • Ignore Services of type ExternalName for NodePortLocal feature. (#3114, [@antoninbas])
  • Add PowerShell command replacement in the Antrea Windows documentation. (#3264, [@GraysonWu])

Fixed

  • Add userspace ARP/NDP responders to fix Egress and ServiceExternalIP support for IPv6 clusters. (#3318, [@hty690])
  • Fix incorrect results by antctl get networkpolicy when both Pod and Namespace are specified. (#3499, [@Dyanngg])
  • Fix IP leak issue when AntreaIPAM is enabled. (#3314, [@gran-vmv])
  • Fix error when dumping OVS flows for a NetworkPolicy via antctl get ovsflows. (#3335, [@jainpulkit22])
  • Fix IPsec encryption for IPv6 overlays. (#3155, [@antoninbas])
  • Add ignored interface names when getting interface by IP to fix NetworkPolicyOnly mode in AKE. (#3219, [@wenyingd])
  • Fix duplicate IP case for NetworkPolicy. (#3467, [@tnqn])
  • Don't delete the routes which are added for the peer IPv6 gateways on Agent startup. (#3336 #3490, [@Jexf] [@xliuxu])
  • Fix pkt mark conflict between HostLocalSourceMark and SNATIPMark. (#3430, [@tnqn])
  • Unconditionally sync CA cert for Controller webhooks to fix Egress support when AntreaPolicy is disabled. (#3421, [@antoninbas])
  • Fix inability to access NodePort in particular cases. (#3371, [@hongliangl])
  • Fix ipBlocks referenced in nested ClusterGroup not being processed correctly. (#3383, [@Dyanngg])
  • Realize Egress for a Pod as soon as its network is created. (#3360, [@tnqn])
  • Fix NodePort/LoadBalancer issue when proxyAll is enabled. (#3295, [@hongliangl])
  • Do not panic when processing a PacketIn message for a denied connection. (#3447, [@antoninbas])
  • ...

Release v1.5.2

21 Mar 16:03

Fixed

  • Fix NetworkPolicy possibly not being enforced correctly after restarting a Node. (#3467, @tnqn)
  • Fix antrea-agent crash caused by interface detection in AKS/EKS with NetworkPolicyOnly mode. (#3219, @wenyingd)
  • Fix locally generated packets from the Node net namespace possibly being SNATed by mistake when Egress is enabled. (#3430, @tnqn)

Release v1.5.1

08 Mar 10:15

Changed

  • Use iptables-wrapper in Antrea container. Now antrea-agent can work with distros that lack the iptables kernel module of "legacy" mode (ip_tables). (#3308, @antoninbas)
  • Reduce permissions of Antrea ServiceAccount for updating annotations. (#3408, @tnqn)

Fixed

  • Fix NodePort/LoadBalancer Service being inaccessible when externalTrafficPolicy is changed from Cluster to Local with proxyAll enabled. (#3330, @hongliangl)
  • Fix initial egress connections from Pods possibly going out with the Node IP rather than the Egress IP. (#3378, @tnqn)
  • Fix NodePort Service access when an Egress selects the same Pod as the NodePort Service. (#3397, @hongliangl)
  • Fix ipBlock referenced in nested ClusterGroup not being processed correctly. (#3405, @Dyanngg)

Release v1.5.0

21 Jan 11:41

Added

  • Add Antrea Multi-cluster feature which allows users to export and import Services and Endpoints across multiple clusters within a ClusterSet, and enables inter-cluster Service communication in the ClusterSet. (#3199, @luolanzone @aravindakidambi @bangqipropel @hjiajing @Dyanngg [@suwang48404] @abhiraut) [Alpha]
  • Add support for multicast that allows forwarding multicast traffic within the cluster network (i.e., between Pods) and between the external network and the cluster network. (#2652 #3142 #2835 #3171 #2986, [@wenyingd] @ceclinux [@XinShuYang]) [Alpha - Feature Gate: Multicast]
    • In this release the feature is only supported on Linux Nodes for IPv4 traffic in noEncap mode
  • Add support for IPPool and IP annotations on Pod and PodTemplate of Deployment and StatefulSet in AntreaIPAM mode. (#3093 #3042 #3141 #3164 #3146, @gran-vmv @annakhm)
    • IPPool annotation on Pod has a higher priority than the IPPool annotation on Namespace
    • A StatefulSet Pod's IP will be kept after Pod restarts when the IP is allocated from IPPool
    • Refer to Antrea IPAM Capabilities for more information
  • Add support for SR-IOV secondary network. Antrea can now create secondary network interfaces for Pods using SR-IOV VFs on bare metal Nodes. (#2651, @arunvelayutham) [Alpha - Feature Gate: SecondaryNetwork]
  • Add support for allocating external IPs for Services of type LoadBalancer from an ExternalIPPool. (#3147, [@Shengkai2000]) [Alpha - Feature Gate: ServiceExternalIP]
  • Add support for antctl in the flow aggregator Pod. (#2878, [@yanjunz97])
    • Support antctl log-level for changing log verbosity level
    • Support antctl get flowrecords [-o json] for dumping flow records
    • Support antctl get recordmetrics for dumping flow records metrics
  • Add support for the "Pass" action in Antrea-native policies to skip evaluation of further Antrea-native policy rules and delegate evaluation to Kubernetes NetworkPolicy. (#2964, @Dyanngg)
  • Add user documentation for using Project Antrea with Fluentd in order to collect audit logs from each Node. (#2853, [@qiyueyao])
  • Add user documentation for deploying Antrea on AKS Engine. (#2963, @jianjuns)
  • Improve NodePortLocal documentation to list supported Service types and add information about existing integrations with external Load Balancers. (#3113, @antoninbas)
  • Document how to run Antrea e2e tests on an existing K8s cluster (#3045, [@xiaoxiaobaba])

Changed

  • Make LoadBalancer IP proxying configurable for AntreaProxy to support scenarios in which it is desirable to send Pod-to-ExternalIP traffic to the external LoadBalancer. (#3130, @antoninbas)
  • Add startTime to the Traceflow Status to avoid issues caused by clock skew. (#2952, @antoninbas)
  • Add reason field in antctl traceflow command output. (#3175, @Jexf)
  • Validate serviceCIDR configuration only if AntreaProxy is disabled. (#2936, [@wenyingd])
  • Improve configuration parameter validation for NodeIPAM. (#3009, [@tnqn])
  • More comprehensive validation for Antrea-native policies. (#3104 #3109, @GraysonWu [@tnqn])
  • Update Antrea Octant plugin to support Octant 0.24 and to use the Dashboard client to perform CRUD operations on Antrea CRDs. (#2951, @antoninbas)
  • Omit hostNetwork Pods when computing members of ClusterGroup and AddressGroup. (#3080, @Dyanngg)
  • Support for using an env parameter ALLOW_NO_ENCAP_WITHOUT_ANTREA_PROXY to allow running Antrea in noEncap mode without AntreaProxy. (#3116, @Jexf [@WenzelZ])
  • Move throughput calculation for network flow visibility from logstash to flow-aggregator. (#2692, @heanlan)
  • Add Go version information to full version string for Antrea binaries. (#3182, @antoninbas)
  • Improve kind-setup.sh script and Kind documentation. (#2937, @antoninbas)
  • Enable Go benchmark tests in CI. (#3004, [@wenqiq])
  • Upgrade Windows OVS version to 2.15.2 to pick up some recent patches. (#2996, [@lzhecheng]) [Windows]
  • Remove HNSEndpoint only if infra container fails to create. (#2976, [@lzhecheng]) [Windows]
  • Use OVS Port externalIDs instead of HNSEndpoint to cache the externalIDS when using containerd as the runtime on Windows. (#2931, [@wenyingd]) [Windows]
  • Reduce network downtime when starting antrea-agent on Windows Node by using Windows management virtual network adapter as OVS internal port. (#3067, [@wenyingd]) [Windows]

Fixed

  • Fix error handling of the "Reject" action of Antrea-native policies when determining if the packet belongs to Service traffic. (#3010, @GraysonWu)
  • Make the "Reject" action of Antrea-native policies work in AntreaIPAM mode. (#3003, @GraysonWu)
  • Set ClusterGroup with child groups to groupMembersComputed after all its child groups are created and processed. (#3030, @Dyanngg)
  • Fix status report of Antrea-native policies with multiple rules that have different AppliedTo. (#3074, [@tnqn])
  • Fix typos and improve the example YAML in antrea-network-policy doc. (#3079, #3092, #3108 @antoninbas @Jexf [@tnqn])
  • Fix duplicated attempts to delete unreferenced AddressGroups when deleting Antrea-native policies. (#3136, @Jexf)
  • Add retry to update NetworkPolicy status to avoid error logs. (#3134, @Jexf)
  • Fix NetworkPolicy resources dump for Agent's supportbundle. (#3083, @antoninbas)
  • Use go 1.17 to build release assets. (#3007, @antoninbas)
  • Restore the gateway route automatically configured by kernel when configuring IP address if it is missing. (#2835, @antoninbas)
  • Fix incorrect parameter used to check if a container is the infra container, which caused errors when reattaching HNS Endpoint. (#3089, [@XinShuYang]) [Windows]
  • Fix gateway interface MTU configuration error on Windows. (#3043, [@lzhecheng]) [Windows]
  • Fix initialization error of antrea-agent on Windows by specifying hostname explicitly in VMSwitch commands. (#3169, [@XinShuYang]) [Windows]

Release v1.4.0

05 Nov 19:05

The NodePortLocal feature is graduated from Alpha to Beta.

Added

  • Support for proxying all Service traffic by Antrea Proxy, including NodePort, LoadBalancer, and ClusterIP traffic. Therefore, running kube-proxy is no longer required. (#2599 #2235 #2897 #2863, @hongliangl @lzhecheng)
    • The feature works for both Linux and Windows
    • The feature is experimental and therefore disabled by default. Use the antreaProxy.proxyAll configuration parameter for the Antrea Agent to enable it
    • If kube-proxy is removed, the kubeAPIServerOverride configuration parameter for the Antrea Agent must be set to access kube-apiserver directly
  • Add AntreaIPAM feature that allows flexible control over Pod IP Addressing by assigning pools of IP addresses to specific Namespaces. (#2956, @gran-vmv @annakhm)
    • Add new IPPool API to define ranges of IP addresses which can be used as Pod IPs; the IPs in the IPPools must be in the same "underlay" subnet as the Node IP
    • A Pod's IP will be allocated from the IPPool specified by the ipam.antrea.io/ippools annotation of the Pod's Namespace if there is one
    • When the feature is enabled, the Node's network interface will be connected to the OVS bridge, in order to forward cross-Node traffic of AntreaIPAM Pods through the underlay network
    • Refer to the feature documentation for more information
  • Add NodeIPAM feature to handle the per-Node PodCIDR allocation for clusters where kube-controller-manager does not run NodeIPAMController. (#1561, @ksamoray)
  • Support for configurable transport interface CIDRs for Pod traffic. (#2704, @Jexf)
    • Use the transportInterfaceCIDRs configuration parameter for the Antrea Agent to choose an interface by network CIDRs
  • Add UDP support for NodePortLocal. (#2448, @chauhanshubham)
  • Add the nodePortLocal.enable configuration parameter for the Antrea Agent to enable NodePortLocal. (#2924, @antoninbas)
  • Add more visibility metrics to report the connection status of the Antrea Agent to the Flow Aggregator. (#2668, @zyiou)
  • Add the antreaProxy.skipServices configuration parameter for the Antrea Agent to specify Services which should be ignored by AntreaProxy. (#2882, @luolanzone)
    • A typical use case is setting antreaProxy.skipServices to ["kube-system/kube-dns"] to make NodeLocal DNSCache work when AntreaProxy is enabled
  • Add support for ToServices in the rules of Antrea-native policies to allow matching traffic intended for Services. (#2755, @GraysonWu)
  • Add the egress.exceptCIDRs configuration parameter for the Antrea Agent, to specify IP destinations for which SNAT should not be performed on outgoing traffic. (#2749, @leonstack)
  • Add user documentation for WireGuard encryption. (#2902, @jianjuns)
  • Add user documentation for encap mode installation for EKS. (#2929, @jianjuns)

Changed

  • Remove chmod for OVSDB file from start_ovs, as the permissions are set correctly by OVS 2.15.1. (#2803, @antoninbas)
  • Reduce memory usage of antctl when collecting supportbundle. (#2813, @tnqn)
  • Do not perform SNAT for egress traffic to Kubernetes Node IPs. (#2762, @leonstack)
  • Send gratuitous ARP for EgressIP via the transport interface, as opposed to the interface with Node IP (if they are different). (#2845, @Jexf)
  • Ignore hostNetwork Pods selected by Egress, as they are not supported. (#2851, @Jexf)
  • Avoid duplicate processing of Egress. (#2884, @Jexf)
  • Ignore the IPs of kube-ipvs0 for Egress as they cannot be used for SNAT. (#2930, @Jexf)
  • Change flow exporter export expiry mechanism to priority queue based, to reduce CPU usage and memory footprint. (#2360, @heanlan)
  • Make Pod labels optional in the flow records. By default, they will not be included in the flow records. Use the recordContents.podLabels configuration parameter for the Flow Aggregator to include them. (#2739, @yanjunz97)
  • Wait for AntreaProxy to be ready before accessing any K8s Service if antreaProxy.proxyAll is enabled, to avoid connection issues on Agent startup. (#2858, @tnqn)
  • Update OVS pipeline documentation to include information about AntreaProxy. (#2725, @hongliangl)
  • Remove offensive words from scripts and documentation. (#2799, @xiaoxiaobaba)
  • Use readable names for OpenFlow tables. (#2585, @wenyingd)
  • Improve the OpenAPI schema for CRDs to validate the matchExpressions field. (#2887, @wenqiq)
  • Fail fast if the source Pod for non-live-traffic Traceflow is invalid. (#2736, @gran-vmv)
  • Use the RenewIPConfig parameter to indicate whether to renew ipconfig on the host for Clean-AntreaNetwork.ps1. It defaults to false. (#2955, @wenyingd) [Windows]
  • Add Windows task delay up to 30s to improve job resiliency of Prepare-AntreaAgent.ps1, to avoid a failure in initialization after Windows startup. (#2864, @perithompson) [Windows]

Fixed

  • Fix nil pointer error when antrea-agent updates OpenFlow priorities of Antrea-native policies without Service ports. (#2730, @wenyingd)
  • Fix panic in the Antrea Controller when it processes ClusterGroups that are used by multiple ClusterNetworkPolicies. (#2768, @tnqn)
  • Fix an issue with NodePortLocal when a given Pod port needs to be exposed for both TCP and UDP. (#2903, @antoninbas)
  • Fix handling of the "Reject" action of Antrea-native policies when the traffic is intended for Services. (#2772, @GraysonWu)
  • Fix Agent crash when removing the existing NetNat on Windows Nodes. (#2751, @wenyingd) [Windows]
  • Fix container network interface MTU configuration error when using containerd as the runtime on Windows. (#2778, @wenyingd) [Windows]
  • Fix path to Prepare-AntreaAgent.ps1 in Windows docs. (#2840, @perithompson) [Windows]
  • Fix NetNeighbor PowerShell error handling. (#2905, @lzhecheng) [Windows]

Release v1.2.3

24 Sep 10:15

Changed

  • Support returning partial supportbundle results when some Nodes fail to respond. (#2788, @hangyan)
  • Remove restriction that only GRE tunnels can be used when enabling IPsec: VXLAN can also be used, and so can Geneve (if the Linux kernel version for the Nodes is recent enough). (#2764, @luolanzone)
  • Reduce memory usage of antctl when collecting supportbundle. (#2821, @tnqn)

Fixed

  • Fix nil pointer error when collecting a supportbundle on a Node for which the antrea-agent container image does not include "iproute2"; this does not affect the standard antrea/antrea-ubuntu container image. (#2789, @liu4480)
  • When creating an IPsec OVS tunnel port to a remote Node, handle the case where the port already exists but with a stale config gracefully: delete the existing port first, then recreate it. (#2765, @luolanzone)
  • Fix panic in the Antrea Controller when it processes ClusterGroups that are used by multiple ClusterNetworkPolicies. (#2768, @tnqn)
  • Fix nil pointer error when antrea-agent updates OpenFlow priorities of Antrea-native policies without Service ports. (#2758, @wenyingd)
  • Fix Pod-to-Service access on Windows when the Endpoints are not non-hostNetwork Pods (e.g. the kubernetes Service). (#2702, @wenyingd) [Windows]
  • Fix container network interface MTU configuration error when using containerd as the runtime on Windows. (#2773, @wenyingd) [Windows]