From ea462ac59ef10d827df856ec55a8f19f7f6a79c1 Mon Sep 17 00:00:00 2001 From: Hang Yan Date: Thu, 23 Mar 2023 14:48:41 +0800 Subject: [PATCH] Add antrea 1.9.0 version (#4481) Signed-off-by: Hang Yan --- .../controllers/antrea/antreaconfig_util.go | 12 + .../controllers/testdata/antrea-test-1.yaml | 3 + .../cni/v1alpha2/antreaconfig_types.go | 15 + providers/config_default.yaml | 3 + .../param_models/cluster_optional.model | 3 + providers/vendir.yml | 1 - .../cni/antrea/antrea_addon_data.lib.yaml | 3 + .../bundle/config/kapp-config.yaml | 0 .../bundle/config/overlay/antrea-overlay.yaml | 17 + .../overlay/update-strategy-overlay.yaml | 0 .../bundle/config/schema.yaml | 6 + .../bundle/config/upstream/antrea.yaml | 5105 +++++++++-------- .../bundle/config/values.star | 0 .../bundle/config/values.yaml | 3 + providers/ytt/vendir/cni/cni.lib.yaml | 2 +- providers/yttcb/clusterbootstrap.yaml | 6 + 16 files changed, 2875 insertions(+), 2304 deletions(-) rename providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/{1.7.2 => 1.9.0}/bundle/config/kapp-config.yaml (100%) rename providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/{1.7.2 => 1.9.0}/bundle/config/overlay/antrea-overlay.yaml (95%) rename providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/{1.7.2 => 1.9.0}/bundle/config/overlay/update-strategy-overlay.yaml (100%) rename providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/{1.7.2 => 1.9.0}/bundle/config/schema.yaml (94%) rename providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/{1.7.2 => 1.9.0}/bundle/config/upstream/antrea.yaml (89%) rename providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/{1.7.2 => 1.9.0}/bundle/config/values.star (100%) rename providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/{1.7.2 => 1.9.0}/bundle/config/values.yaml (96%) diff --git a/addons/controllers/antrea/antreaconfig_util.go b/addons/controllers/antrea/antreaconfig_util.go index fd52ea8f04..645d1a4200 100644 
--- a/addons/controllers/antrea/antreaconfig_util.go
+++ b/addons/controllers/antrea/antreaconfig_util.go
@@ -121,6 +121,8 @@ type antreaConfigDataValue struct {
 TransportInterfaceCIDRs []string `yaml:"transportInterfaceCIDRs,omitempty"`
 MulticastInterfaces []string `yaml:"multicastInterfaces,omitempty"`
 TunnelType string `yaml:"tunnelType,omitempty"`
+ TunnelPort int `yaml:"tunnelPort,omitempty"`
+ TunnelCsum bool `yaml:"tunnelCsum,omitempty"`
 TrafficEncryptionMode string `yaml:"trafficEncryptionMode,omitempty"`
 EnableUsageReporting bool `yaml:"enableUsageReporting,omitempty"`
 WireGuard antreaWireGuard `yaml:"wireGuard,omitempty"`
@@ -152,6 +154,7 @@ type antreaFeatureGates struct {
 MultiCluster *bool `yaml:"Multicluster,omitempty"`
 SecondaryNetwork *bool `yaml:"SecondaryNetwork,omitempty"`
 TrafficControl *bool `yaml:"TrafficControl,omitempty"`
+ TopologyAwareHints *bool `yaml:"TopologyAwareHints,omitempty"`
 }
 
 // ClusterToAntreaConfig returns a list of Requests with AntreaConfig ObjectKey
@@ -265,6 +268,11 @@ func mapAntreaConfigSpec(cluster *clusterv1beta1.Cluster, config *cniv1alpha2.An
 configSpec.Antrea.AntreaConfigDataValue.Multicast.IGMPQueryInterval = config.Spec.Antrea.AntreaConfigDataValue.Multicast.IGMPQueryInterval
 }
 
+ if semver.Compare(version, "v1.9.0") >= 0 {
+ configSpec.Antrea.AntreaConfigDataValue.TunnelPort = config.Spec.Antrea.AntreaConfigDataValue.TunnelPort
+ configSpec.Antrea.AntreaConfigDataValue.TunnelCsum = config.Spec.Antrea.AntreaConfigDataValue.TunnelCsum
+ }
+
 // FeatureGates
 configSpec.Antrea.AntreaConfigDataValue.FeatureGates.AntreaProxy = config.Spec.Antrea.AntreaConfigDataValue.FeatureGates.AntreaProxy
 configSpec.Antrea.AntreaConfigDataValue.FeatureGates.EndpointSlice = config.Spec.Antrea.AntreaConfigDataValue.FeatureGates.EndpointSlice
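Review bot: The `semver.Compare(version, "v1.9.0") >= 0` guard added before the `// FeatureGates` block is repeated verbatim in the next hunk of this file (`@@ -284,5 +292,9`) for TopologyAwareHints, and neither occurrence says what the gate is for; computing it once as `atLeast190 := semver.Compare(version, "v1.9.0") >= 0 // tunnelPort/tunnelCsum and the TopologyAwareHints gate only exist from Antrea v1.9.0` and reusing it in both places keeps the two gates from drifting apart. The new `TunnelPort` is copied straight through without a range check, and since the CRD type in this commit carries no Minimum/Maximum marker either, a port outside 0-65535 reaches the rendered agent config untouched; a bounds check here or a validation marker on the API type would catch that early. `mapAntreaConfigSpec` begins outside this hunk, and `version` is defined there, so I cannot see how it is derived.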
@@ -284,5 +292,9 @@ func mapAntreaConfigSpec(cluster *clusterv1beta1.Cluster, config *cniv1alpha2.An
 configSpec.Antrea.AntreaConfigDataValue.FeatureGates.MultiCluster = &config.Spec.Antrea.AntreaConfigDataValue.FeatureGates.MultiCluster
 }
 
+ if semver.Compare(version, "v1.9.0") >= 0 {
+ configSpec.Antrea.AntreaConfigDataValue.FeatureGates.TopologyAwareHints = &config.Spec.Antrea.AntreaConfigDataValue.FeatureGates.TopologyAwareHints
+ }
+
 return configSpec, nil
 }
diff --git a/addons/controllers/testdata/antrea-test-1.yaml b/addons/controllers/testdata/antrea-test-1.yaml
index 0f72f58b24..495b1596a2 100644
--- a/addons/controllers/testdata/antrea-test-1.yaml
+++ b/addons/controllers/testdata/antrea-test-1.yaml
@@ -62,6 +62,8 @@ spec:
 transportInterfaceCIDRs: []
 multicastInterfaces: []
 tunnelType: geneve
+ tunnelPort: 0
+ tunnelCsum: false
 trafficEncryptionMode: none
 wireGuard:
 port: 51820
@@ -91,3 +93,4 @@ spec:
 Multicluster: false
 SecondaryNetwork: false
 TrafficControl: false
+ TopologyAwareHints: false
diff --git a/apis/addonconfigs/cni/v1alpha2/antreaconfig_types.go b/apis/addonconfigs/cni/v1alpha2/antreaconfig_types.go
index 9754354b47..67dd09bcb0 100644
--- a/apis/addonconfigs/cni/v1alpha2/antreaconfig_types.go
+++ b/apis/addonconfigs/cni/v1alpha2/antreaconfig_types.go
@@ -123,6 +123,16 @@ type AntreaConfigDataValue struct {
 // +kubebuilder:validation:Optional
 TunnelType string `json:"tunnelType,omitempty"`
 
+ // TunnelPort is the destination port for UDP and TCP based tunnel protocols (Geneve, VXLAN, and STT).If zero, it will use the assigned IANA port for the protocol.
+ // +kubebuilder:validation:Optional
+ // +kubebuilder:default:=0
+ TunnelPort int `json:"tunnelPort,omitempty"`
+
+ // TunnelCsum determines whether to compute UDP encapsulation header (Geneve or VXLAN) checksums on outgoing packets
+ // +kubebuilder:validation:Optional
+ // +kubebuilder:default:=false
+ TunnelCsum bool `json:"tunnelCsum,omitempty"`
+
 // Determines how tunnel traffic is encrypted. One of the following options =:> none, ipsec, wireguard
 // +kubebuilder:validation:Optional
 TrafficEncryptionMode string `json:"trafficEncryptionMode,omitempty"`
@@ -256,6 +266,11 @@ type AntreaFeatureGates struct {
 // +kubebuilder:validation:Optional
 // +kubebuilder:default:=false
 TrafficControl bool `json:"TrafficControl,omitempty"`
+
+ // Enable TopologyAwareHints in AntreaProxy. This requires AntreaProxy and EndpointSlice to be enabled, otherwise this flag will not take effect.
+ // +kubebuilder:validation:Optional
+ // +kubebuilder:default:=false
+ TopologyAwareHints bool `json:"TopologyAwareHints,omitempty"`
 }
 
 // AntreaConfigStatus defines the observed state of AntreaConfig
diff --git a/providers/config_default.yaml b/providers/config_default.yaml
index f988acaa78..31384c0d7d 100644
--- a/providers/config_default.yaml
+++ b/providers/config_default.yaml
@@ -734,6 +734,8 @@ ANTREA_TRANSPORT_INTERFACE_CIDRS: ""
 ANTREA_MULTICAST_INTERFACES: ""
 ANTREA_MULTICAST_IGMPQUERY_INTERVAL: "125s"
 ANTREA_TUNNEL_TYPE: geneve
+ANTREA_TUNNEL_PORT: 0
+ANTREA_TUNNEL_CSUM: false
 ANTREA_TRAFFIC_ENCRYPTION_MODE: none
 ANTREA_WIREGUARD_PORT: 51820
 ANTREA_ENABLE_USAGE_REPORTING: false
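Review bot: `TunnelPort int` is declared with only `+kubebuilder:validation:Optional` and `+kubebuilder:default:=0`, so the generated CRD accepts any integer, negative or above 65535, and the controller copies it into the agent config unchanged; adding `// +kubebuilder:validation:Minimum=0` and `// +kubebuilder:validation:Maximum=65535` above the field rejects such values at admission, where the user sees the error. The TunnelPort doc comment is missing a space in `(Geneve, VXLAN, and STT).If zero`, and it would help API users to state the IANA defaults that the overlay comment in this same commit lists (6081 for Geneve, 4789 for VXLAN, 7471 for STT) rather than leaving them to look those up. The TopologyAwareHints comment could be tightened to `// Enable TopologyAwareHints in AntreaProxy. Requires the AntreaProxy and EndpointSlice feature gates; ignored otherwise.` since it is what the CRD description will render. Both structs begin outside this hunk.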
@@ -758,6 +760,7 @@ ANTREA_MULTICAST: false
 ANTREA_MULTICLUSTER: false
 ANTREA_SECONDARY_NETWORK: false
 ANTREA_TRAFFIC_CONTROL: false
+ANTREA_TOPOLOGY_AWARE_HINTS: false
diff --git a/providers/tests/clustergen/param_models/cluster_optional.model b/providers/tests/clustergen/param_models/cluster_optional.model
index 5288dc1bed..aca615a756 100644
--- a/providers/tests/clustergen/param_models/cluster_optional.model
+++ b/providers/tests/clustergen/param_models/cluster_optional.model
@@ -144,6 +144,7 @@ ANTREA_MULTICAST: "false", "true"
 ANTREA_MULTICLUSTER: "false", "true"
 ANTREA_SECONDARY_NETWORK: "false", "true"
 ANTREA_TRAFFIC_CONTROL: "false", "true"
+ANTREA_TOPOLOGY_AWARE_HINTS: "false", "true"
 ANTREA_EGRESS_EXCEPT_CIDRS: "10.0.0.0/6,10.0.0.0/12", ""
@@ -165,6 +166,8 @@ ANTREA_MULTICAST_IGMPQUERY_INTERVAL: "125s"
 ANTREA_MULTICLUSTER_NAMESPACE: ""
 ANTREA_MULTICLUSTER_ENABLE: "false", "true"
 ANTREA_TUNNEL_TYPE: "geneve"
+ANTREA_TUNNEL_PORT: 0
+ANTREA_TUNNEL_CSUM: "false", "true"
 ANTREA_TRAFFIC_ENCRYPTION_MODE: "none", "wireGuard"
 ANTREA_WIREGUARD_PORT: 51820
 ANTREA_ENABLE_USAGE_REPORTING: "true", "false"
diff --git a/providers/vendir.yml b/providers/vendir.yml
index 6fcf663530..eef637a938 100644
--- a/providers/vendir.yml
+++ b/providers/vendir.yml
@@ -16,7 +16,6 @@ directories:
 url: git@github.com:vmware-tanzu/community-edition.git
 ref: 71dd9381be1a4f075a64f404ca262f860e769a68
 includePaths:
- - addons/packages/antrea/1.7.2/bundle/config/**/*
 - addons/packages/calico/3.24.1/bundle/config/**/*
 - path: ytt/vendir/kapp-controller/_ytt_lib
 contents:
diff --git a/providers/ytt/02_addons/cni/antrea/antrea_addon_data.lib.yaml b/providers/ytt/02_addons/cni/antrea/antrea_addon_data.lib.yaml
index 557e85bc91..3d14efc392 100644
--- a/providers/ytt/02_addons/cni/antrea/antrea_addon_data.lib.yaml
+++ b/providers/ytt/02_addons/cni/antrea/antrea_addon_data.lib.yaml
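Review bot: Dropping the `addons/packages/antrea/1.7.2/bundle/config/**/*` include path leaves the Antrea bundle with no vendir source, while the files this commit renames to `providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/1.9.0/...` still live inside the vendir output tree, so a reader of vendir.yml will assume Antrea is still synced from community-edition. A one-line comment next to the remaining calico include, `# antrea is maintained in-tree under ytt/vendir/cni/_ytt_lib/addons/packages/antrea/<version>; it is not synced from this source`, would record that; if the repository keeps a vendir lock file, it presumably needs the matching entry removed as well, which this diff does not show.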
@@ -62,6 +62,8 @@ antrea:
 transportInterfaceCIDRs: #@ split_comma_values(data.values.ANTREA_TRANSPORT_INTERFACE_CIDRS)
 multicastInterfaces: #@ split_comma_values(data.values.ANTREA_MULTICAST_INTERFACES)
 tunnelType: #@ data.values.ANTREA_TUNNEL_TYPE
+ tunnelPort: #@ data.values.ANTREA_TUNNEL_PORT
+ tunnelCsum: #@ data.values.ANTREA_TUNNEL_CSUM
 trafficEncryptionMode: #@ data.values.ANTREA_TRAFFIC_ENCRYPTION_MODE
 enableUsageReporting: #@ data.values.ANTREA_ENABLE_USAGE_REPORTING
 wireGuard:
@@ -109,6 +111,7 @@ antrea:
 Multicluster: #@ data.values.ANTREA_MULTICLUSTER
 SecondaryNetwork: #@ data.values.ANTREA_SECONDARY_NETWORK
 TrafficControl: #@ data.values.ANTREA_TRAFFIC_CONTROL
+ TopologyAwareHints: #@ data.values.ANTREA_TOPOLOGY_AWARE_HINTS
diff --git a/providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/1.7.2/bundle/config/kapp-config.yaml b/providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/1.9.0/bundle/config/kapp-config.yaml
similarity index 100%
rename from providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/1.7.2/bundle/config/kapp-config.yaml
rename to providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/1.9.0/bundle/config/kapp-config.yaml
diff --git a/providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/1.7.2/bundle/config/overlay/antrea-overlay.yaml b/providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/1.9.0/bundle/config/overlay/antrea-overlay.yaml
similarity index 95%
rename from providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/1.7.2/bundle/config/overlay/antrea-overlay.yaml
rename to providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/1.9.0/bundle/config/overlay/antrea-overlay.yaml
index 1615f74840..dfd68baab1 100644
--- a/providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/1.7.2/bundle/config/overlay/antrea-overlay.yaml
+++ b/providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/1.9.0/bundle/config/overlay/antrea-overlay.yaml
@@ -18,6 +18,10 @@ featureGates:
 #! this flag will not take effect.
 EndpointSlice: #@ values.antrea.config.featureGates.EndpointSlice
 
+ #! Enable TopologyAwareHints in AntreaProxy. This requires AntreaProxy and EndpointSlice to be
+ #! enabled, otherwise this flag will not take effect.
+ TopologyAwareHints: #@ values.antrea.config.featureGates.TopologyAwareHints
+
 #! Enable traceflow which provides packet tracing feature to diagnose network issue.
 Traceflow: #@ values.antrea.config.featureGates.AntreaTraceflow
@@ -103,6 +107,19 @@ noSNAT: #@ values.antrea.config.noSNAT
 #! - stt
 tunnelType: #@ values.antrea.config.tunnelType
 
+#! TunnelPort is the destination port for UDP and TCP based tunnel protocols (Geneve, VXLAN, and STT).
+#! If zero, it will use the assigned IANA port for the protocol, i.e. 6081 for Geneve, 4789 for VXLAN,
+#! and 7471 for STT.
+tunnelPort: #@ values.antrea.config.tunnelPort
+
+#! TunnelCsum determines whether to compute UDP encapsulation header (Geneve or VXLAN) checksums on outgoing
+#! packets. For Linux kernel before Mar 2021, UDP checksum must be present to trigger GRO on the receiver for better
+#! performance of Geneve and VXLAN tunnels. The issue has been fixed by
+#! https://github.com/torvalds/linux/commit/89e5c58fc1e2857ccdaae506fb8bc5fed57ee063, thus computing UDP checksum is
+#! no longer necessary.
+#! It should only be set to true when you are using an unpatched Linux kernel and observing poor transfer performance.
+tunnelCsum: #@ values.antrea.config.tunnelCsum
+
 #! Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode.
 #! It has the following options:
 #! - none (default): Inter-node Pod traffic will not be encrypted.
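Review bot: `TopologyAwareHints` is rendered from `values.antrea.config.featureGates.TopologyAwareHints` under a comment saying it only takes effect when AntreaProxy and EndpointSlice are enabled, but nothing in the bundle enforces that combination, so a user can enable it alone and get a silently inert gate. The bundle's `values.star`, which this commit renames unchanged, is the natural place for a check that fails the render when TopologyAwareHints is true while AntreaProxy or EndpointSlice is false, provided it already validates similar dependencies between values. Separately, in the second hunk `tunnelPort` and `tunnelCsum` are emitted for every `tunnelType`, although the copied comment says they apply to Geneve, VXLAN and STT only; that is harmless if the agent ignores them for gre, but a short `#! ignored for tunnelType gre` note would save readers the question.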
diff --git a/providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/1.7.2/bundle/config/overlay/update-strategy-overlay.yaml b/providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/1.9.0/bundle/config/overlay/update-strategy-overlay.yaml
similarity index 100%
rename from providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/1.7.2/bundle/config/overlay/update-strategy-overlay.yaml
rename to providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/1.9.0/bundle/config/overlay/update-strategy-overlay.yaml
diff --git a/providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/1.7.2/bundle/config/schema.yaml b/providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/1.9.0/bundle/config/schema.yaml
similarity index 94%
rename from providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/1.7.2/bundle/config/schema.yaml
rename to providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/1.9.0/bundle/config/schema.yaml
index d1f6959da4..5c3982f3e3 100644
--- a/providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/1.7.2/bundle/config/schema.yaml
+++ b/providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/1.9.0/bundle/config/schema.yaml
@@ -69,6 +69,10 @@ antrea:
 - ""
 #@schema/desc "Tunnel protocols used for encapsulating traffic across Nodes. One of the following options => geneve, vxlan, gre, stt"
 tunnelType: none
+ #@schema/desc "TunnelPort is the destination port for UDP and TCP based tunnel protocols (Geneve, VXLAN, and STT)."
+ tunnelPort: 0
+ #@schema/desc "TunnelCsum determines whether to compute UDP encapsulation header (Geneve or VXLAN) checksums on outgoing packets."
+ tunnelCsum: false
 #@schema/desc "Determines how tunnel traffic is encrypted. One of the following options => none, ipsec, wireGuard"
 trafficEncryptionMode: none
 #@schema/desc "WireGuard related configurations."
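Review bot: The `#@schema/desc` for `tunnelPort` omits the one fact users need, that 0 means the IANA-assigned port for the selected protocol, which the overlay comment in this same commit spells out; `#@schema/desc "Destination port for UDP/TCP based tunnel protocols (Geneve, VXLAN, STT). 0 selects the IANA-assigned port for the protocol."` would carry it into the rendered schema. The `0` default types the field as an integer but does not bound it, so if the ytt version in use supports `#@schema/validation`, a `#@schema/validation min=0, max=65535` annotation on `tunnelPort` would reject an invalid port at render time instead of at the agent. Likewise the `tunnelCsum` description could say it is intended only for unpatched kernels with poor tunnel throughput, as the overlay comment does, so that nobody enables it by default.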
@@ -145,6 +149,8 @@ antrea:
 SecondaryNetwork: false
 #@schema/desc "Enable mirroring or redirecting the traffic Pods send or receive."
 TrafficControl: false
+ #@schema/desc "Enable TopologyAwareHints in AntreaProxy. This requires AntreaProxy and EndpointSlice to be enabled."
+ TopologyAwareHints: false
 #! Deprecated. Kept for backward compatibility
 image:
 #@schema/desc "The repository of antrea image"
diff --git a/providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/1.7.2/bundle/config/upstream/antrea.yaml b/providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/1.9.0/bundle/config/upstream/antrea.yaml
similarity index 89%
rename from providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/1.7.2/bundle/config/upstream/antrea.yaml
rename to providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/1.9.0/bundle/config/upstream/antrea.yaml
index 792afa70a8..a87da7f066 100644
--- a/providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/1.7.2/bundle/config/upstream/antrea.yaml
+++ b/providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/1.9.0/bundle/config/upstream/antrea.yaml
@@ -1,591 +1,879 @@ --- -# Source: antrea/templates/agent/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: antrea-agent - namespace: kube-system - labels: - app: antrea ---- -# Source: antrea/templates/antctl/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: antctl - namespace: kube-system - labels: - app: antrea ---- -# Source: antrea/templates/controller/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount +# Source: crds/antreaagentinfo.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: antrea-controller - namespace: kube-system + name: antreaagentinfos.crd.antrea.io labels: app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of this Agent + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of this Agent + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Node on which this Agent is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of local Pods managed by this Agent + jsonPath: ".localPodNum" + name: Num Pods + type: integer + priority: 2 + - description: Subnets used by this Agent for Pod IPAM + jsonPath: ".nodeSubnets" + name: Subnets + type: string + priority: 2 + scope: Cluster + names: + plural: antreaagentinfos + singular: antreaagentinfo + kind: AntreaAgentInfo + shortNames: + - aai + --- -# Source: antrea/templates/agent/secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: antrea-agent-service-account-token - namespace: 
kube-system - annotations: - kubernetes.io/service-account.name: antrea-agent -type: kubernetes.io/service-account-token ---- -# Source: antrea/templates/antctl/secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: antctl-service-account-token - namespace: kube-system - annotations: - kubernetes.io/service-account.name: antctl -type: kubernetes.io/service-account-token ---- -# Source: antrea/templates/agent/tweakerconfigmap.yaml -apiVersion: v1 -kind: ConfigMap +# Source: crds/antreacontrollerinfo.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: antrea-agent-tweaker - namespace: kube-system + name: antreacontrollerinfos.crd.antrea.io labels: app: antrea -data: - antrea-agent-tweaker.conf: |- - # Enable disableUdpTunnelOffload will disable udp tunnel offloading feature on kubernetes node's default interface. - # By default, no actions will be taken. - disableUdpTunnelOffload: false +spec: + group: crd.antrea.io + versions: + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + additionalPrinterColumns: + - description: Health status of the Controller + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status" + name: Healthy + type: string + - description: Last time the Healthy Condition was updated + jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime" + name: Last Heartbeat + type: date + - description: Version of the Controller + jsonPath: ".version" + name: Version + type: string + priority: 1 + - description: Number of Agents connected to the Controller + jsonPath: ".connectedAgentNum" + name: Connected Agents + type: integer + priority: 1 + - description: Node on which the Controller is running + jsonPath: ".nodeRef.name" + name: Node + type: string + priority: 1 + - description: Number of Network Policies computed by Controller + jsonPath: 
".networkPolicyControllerInfo.networkPolicyNum" + name: Num Network Policies + type: integer + priority: 2 + scope: Cluster + names: + plural: antreacontrollerinfos + singular: antreacontrollerinfo + kind: AntreaControllerInfo + shortNames: + - aci + --- -# Source: antrea/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap +# Source: crds/clusternetworkpolicy.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: - name: antrea-config - namespace: kube-system - labels: - app: antrea -data: - antrea-agent.conf: | - # FeatureGates is a map of feature names to bools that enable or disable experimental features. - featureGates: - # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. - # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on - # Service traffic. - # AntreaProxy: true - - # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice - # API version v1beta1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, - # this flag will not take effect. - # EndpointSlice: false - - # Enable traceflow which provides packet tracing feature to diagnose network issue. - # Traceflow: true - - # Enable NodePortLocal feature to make the Pods reachable externally through NodePort - # NodePortLocal: true - - # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins - # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy - # feature that supports priorities, rule actions and externalEntities in the future. - # AntreaPolicy: true - - # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each - # agent to a configured collector. - # FlowExporter: false - - # Enable collecting and exposing NetworkPolicy statistics. - # NetworkPolicyStats: true - - # Enable controlling SNAT IPs of Pod egress traffic. 
- # Egress: true - - # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the - # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for - # IPAM when configuring secondary network interfaces with Multus. - # AntreaIPAM: false - - # Enable multicast traffic. This feature is supported only with noEncap mode. - # Multicast: false - - # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. - # This feature is supported only with encap mode. - # Multicluster: false - - # Enable support for provisioning secondary network interfaces for Pods (using - # Pod annotations). At the moment, Antrea can only create secondary network - # interfaces using SR-IOV VFs on baremetal Nodes. - # SecondaryNetwork: false - - # Enable managing external IPs of Services of LoadBalancer type. - # ServiceExternalIP: false - - # Enable mirroring or redirecting the traffic Pods send or receive. - # TrafficControl: false - - # Enable certificated-based authentication for IPsec. - # IPsecCertAuth: false - - # Name of the OpenVSwitch bridge antrea-agent will create and use. - # Make sure it doesn't conflict with your existing OpenVSwitch bridges. - ovsBridge: "br-int" - - # Datapath type to use for the OpenVSwitch bridge created by Antrea. Supported values are: - # - system - # - netdev - # 'system' is the default value and corresponds to the kernel datapath. Use 'netdev' to run - # OVS in userspace mode. Userspace mode requires the tun device driver to be available. - #ovsDatapathType: system - - # Name of the interface antrea-agent will create and use for host <--> pod communication. - # Make sure it doesn't conflict with your existing interfaces. - hostGateway: "antrea-gw0" - - # Determines how traffic is encapsulated. It has the following options: - # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network - # traffic is SNAT'd. 
- # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is - # SNAT'd if noSNAT is not set to true. Underlying network must be capable of - # supporting Pod traffic across IP subnets. - # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. - # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod - # IPAM and connectivity to the primary CNI. - # - trafficEncapMode: "encap" - - # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. - # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap - # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to - # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never - # performs SNAT and this option will be ignored; for other modes it must be set to false. - noSNAT: false - - # Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode, - # this option will not take effect. Supported values: - # - geneve (default) - # - vxlan - # - gre - # - stt - # Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters). - tunnelType: "geneve" - - # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode. - # It has the following options: - # - none (default): Inter-node Pod traffic will not be encrypted. - # - ipsec: Enable IPsec (ESP) encryption for Pod traffic across Nodes. Antrea uses - # Preshared Key (PSK) for IKE authentication. When IPsec tunnel is enabled, - # the PSK value must be passed to Antrea Agent through an environment - # variable: ANTREA_IPSEC_PSK. - # - wireGuard: Enable WireGuard for tunnel traffic encryption. 
- trafficEncryptionMode: "none" - - # Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected - # to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are - # allocated by AntreaIPAM from IPPools) is sent to the underlay network, and forwarded/routed by the - # underlay network. - # This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only - # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`, - # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. - enableBridgingMode: false - - # Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the - # datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. - # It affects Pods running on Linux Nodes only. - disableTXChecksumOffload: false - - # Default MTU to use for the host gateway interface and the network interface of each Pod. - # If omitted, antrea-agent will discover the MTU of the Node's primary interface and - # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). - defaultMTU: 0 - - # wireGuard specifies WireGuard related configurations. - wireGuard: - # The port for WireGuard to receive traffic. - port: 51820 - - egress: - # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. - exceptCIDRs: - - # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be - # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When - # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. - serviceCIDR: "" - - # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack - # cluster or an IPv6 only cluster. 
The value should be the same as the configuration for kube-apiserver specified by - # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. - # No default value for this field. - serviceCIDRv6: "" - - # The port for the antrea-agent APIServer to serve on. - # Note that if it's set to another value, the `containerPort` of the `api` port of the - # `antrea-agent` container must be set to the same value. - apiPort: 10350 - - # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. - enablePrometheusMetrics: true - - # Provide the IPFIX collector address as a string with format :[][:]. - # HOST can either be the DNS name or the IP of the Flow Collector. For example, - # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect - # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. - # However, IPv6 address should be wrapped with []. - # If PORT is empty, we default to 4739, the standard IPFIX port. - # If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and - # "udp" protocols. "tls" is used for securing communication between flow exporter and - # flow aggregator. - flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" - - # Provide flow poll interval as a duration string. This determines how often the - # flow exporter dumps connections from the conntrack module. Flow poll interval - # should be greater than or equal to 1s (one second). - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - flowPollInterval: "5s" - - # Provide the active flow export timeout, which is the timeout after which a flow - # record is sent to the collector for active flows. Thus, for flows with a continuous - # stream of packets, a flow record will be exported to the collector once the elapsed - # time since the last export event is equal to the value of this timeout. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
- activeFlowExportTimeout: "5s" - - # Provide the idle flow export timeout, which is the timeout after which a flow - # record is sent to the collector for idle flows. A flow is considered idle if no - # packet matching this flow has been observed since the last export event. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - idleFlowExportTimeout: "15s" - - nodePortLocal: - # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To - # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature - # gate is also enabled (which is the default). - enable: true - # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port - # from that range will be assigned whenever a Pod's container defines a specific port to be exposed - # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic - # directed to that port will be forwarded to the Pod. - portRange: "61000-62000" - - # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. - # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. - kubeAPIServerOverride: "" - - # Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy. - # Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53, - # [fd00:10:96::a]:53). - dnsServerOverride: "" - - # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. - # https://golang.org/pkg/crypto/tls/#pkg-constants - # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always - # prefer TLS1.3 Cipher Suites whenever possible. 
- tlsCipherSuites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384" - - # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - tlsMinVersion: "" - - # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes. - # If there are multiple IP addresses configured on the interface, the first one is used. The IP - # address used for tunneling or routing traffic to remote Nodes is decided in the following order of - # preference (from highest to lowest): - # 1. transportInterface - # 2. transportInterfaceCIDRs - # 3. The Node IP - transportInterface: "" - - multicast: - # The names of the interfaces on Nodes that are used to forward multicast traffic. - # Defaults to transport interface if not set. - multicastInterfaces: - - # The interval at which the antrea-agent sends IGMP queries to Pods. - # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". - igmpQueryInterval: "125s" - - # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across - # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The - # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of - # preference (from highest to lowest): - # 1. transportInterface - # 2. transportInterfaceCIDRs - # 3. The Node IP - transportInterfaceCIDRs: - - # Option antreaProxy contains AntreaProxy related configuration options. - antreaProxy: - # ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic, - # regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy - # feature to be enabled. - # Note that this option is experimental. 
If kube-proxy is removed, option kubeAPIServerOverride must be used to access - # apiserver directly. - proxyAll: false - # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks. - # (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses. - # Note that the option is only valid when proxyAll is true. - nodePortAddresses: - # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these - # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name - # with Namespace (e.g. kube-system/kube-dns) - skipServices: - # When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the - # External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional - # capabilities (e.g. TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the - # external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy. - # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and - # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic. - proxyLoadBalancerIPs: true - - # IPsec tunnel related configurations. - ipsec: - # The authentication mode of IPsec tunnel. It has the following options: - # - psk (default): Use pre-shared key (PSK) for IKE authentication. - # - cert: Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth` - # feature gate to be enabled. - authenticationMode: "psk" - - multicluster: - # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. - # This feature is supported only with encap mode. - enable: false - # The Namespace where Antrea Multi-cluster Controller is running. 
- # The default is antrea-agent's Namespace. - namespace: "" - antrea-cni.conflist: | - { - "cniVersion":"0.3.0", - "name": "antrea", - "plugins": [ - { - "type": "antrea", - "ipam": { - "type": "host-local" - } - } - , - { - "type": "portmap", - "capabilities": {"portMappings": true} - } - , - { - "type": "bandwidth", - "capabilities": {"bandwidth": true} - } - ] - } - antrea-controller.conf: | - # FeatureGates is a map of feature names to bools that enable or disable experimental features. - featureGates: - # Enable traceflow which provides packet tracing feature to diagnose network issue. - # Traceflow: true - - # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins - # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy - # feature that supports priorities, rule actions and externalEntities in the future. - # AntreaPolicy: true - - # Enable collecting and exposing NetworkPolicy statistics. - # NetworkPolicyStats: true - - # Enable multicast traffic. This feature is supported only with noEncap mode. - # Multicast: false - - # Enable controlling SNAT IPs of Pod egress traffic. - # Egress: true - - # Run Kubernetes NodeIPAMController with Antrea. - # NodeIPAM: false - - # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the - # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for - # IPAM when configuring secondary network interfaces with Multus. - # AntreaIPAM: false - - # Enable managing external IPs of Services of LoadBalancer type. - # ServiceExternalIP: false - - # Enable certificated-based authentication for IPsec. - # IPsecCertAuth: false - - # The port for the antrea-controller APIServer to serve on. - # Note that if it's set to another value, the `containerPort` of the `api` port of the - # `antrea-controller` container must be set to the same value. 
- apiPort: 10349 - - # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. - enablePrometheusMetrics: true - - # Indicates whether to use auto-generated self-signed TLS certificate. - # If false, a Secret named "antrea-controller-tls" must be provided with the following keys: - # ca.crt: - # tls.crt: - # tls.key: - selfSignedCert: true - - # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. - # https://golang.org/pkg/crypto/tls/#pkg-constants - # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always - # prefer TLS1.3 Cipher Suites whenever possible. - tlsCipherSuites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384" - - # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. - tlsMinVersion: "" - - nodeIPAM: - # Enable the integrated Node IPAM controller within the Antrea controller. - enableNodeIPAM: false - # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. - # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. - # Value ignored when enableNodeIPAM is false. - clusterCIDRs: - # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. - # Value ignored when enableNodeIPAM is false. - serviceCIDR: "" - serviceCIDRv6: "" - # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false - # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. - nodeCIDRMaskSizeIPv4: 24 - # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false - # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. 
- nodeCIDRMaskSizeIPv6: 64 - - ipsecCSRSigner: - # Determines the auto-approve policy of Antrea CSR signer for IPsec certificates management. - # If enabled, Antrea will auto-approve the CertificateSingingRequest (CSR) if its subject and x509 extensions - # are permitted, and the requestor can be validated. If K8s `BoundServiceAccountTokenVolume` feature is enabled, - # the Pod identity will also be validated to provide maximum security. - # If set to false, Antrea will not auto-approve CertificateSingingRequests and they need to be approved - # manually by `kubectl certificate approve`. - autoApprove: true - # Indicates whether to use auto-generated self-signed CA certificate. - # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys: - # tls.crt: - # tls.key: - selfSignedCA: true - - # Indicates whether to enable usage reporting or not. - enableUsageReporting: false - - # Indicates whether to enable Antrea advanced features or not. - enterpriseAntrea: true ---- -# Source: antrea/templates/crds/antreaagentinfo.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: antreaagentinfos.crd.antrea.io + name: clusternetworkpolicies.crd.antrea.io labels: app: antrea spec: group: crd.antrea.io versions: - - name: v1beta1 + - name: v1alpha1 served: true storage: true - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true additionalPrinterColumns: - - description: Health status of this Agent - jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].status" - name: Healthy - type: string - - description: Last time the Healthy Condition was updated - jsonPath: ".agentConditions[?(@.type=='AgentHealthy')].lastHeartbeatTime" - name: Last Heartbeat - type: date - - description: Version of this Agent - jsonPath: ".version" - name: Version - type: string - priority: 1 - - description: Node on which this Agent is running - jsonPath: ".nodeRef.name" - name: Node - type: string - 
priority: 1 - - description: Number of local Pods managed by this Agent - jsonPath: ".localPodNum" - name: Num Pods - type: integer - priority: 2 - - description: Subnets used by this Agent for Pod IPAM - jsonPath: ".nodeSubnets" - name: Subnets + - name: Tier type: string - priority: 2 + description: The Tier to which this ClusterNetworkPolicy belongs to. + jsonPath: .spec.tier + - name: Priority + type: number + format: float + description: The Priority of this ClusterNetworkPolicy relative to other policies. + jsonPath: .spec.priority + - name: Desired Nodes + type: number + format: int32 + description: The total number of Nodes that should realize the NetworkPolicy. + jsonPath: .status.desiredNodesRealized + - name: Current Nodes + type: number + format: int32 + description: The number of Nodes that have realized the NetworkPolicy. + jsonPath: .status.currentNodesRealized + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + # Ensure that Spec.Priority field is set + required: + - priority + type: object + properties: + tier: + type: string + priority: + type: number + format: float + # Ensure that Spec.Priority field is between 1 and 10000 + minimum: 1.0 + maximum: 10000.0 + appliedTo: + type: array + items: + type: object + # Ensure that Spec.AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + 
type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + service: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + ingress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + service: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + 
port: + x-kubernetes-int-or-string: true + endPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [icmp] + - required: [igmp] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP query (0x11) is valid igmpType in ingress rules. + enum: [ 0x11 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + from: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaces: + type: object + properties: + match: + enum: + - Self + type: string + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: 
array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + name: + type: string + enableLogging: + type: boolean + egress: + type: array + items: + type: object + required: + - action + properties: + appliedTo: + type: array + items: + type: object + # Ensure that rule AppliedTo does not allow IPBlock field + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values + action: + type: string + enum: ['Allow', 'Drop', 'Reject', 'Pass'] + ports: + type: array + items: + type: object + properties: + protocol: + type: string + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + endPort: + type: integer + protocols: + type: array + items: + type: object + oneOf: + - required: [icmp] + - required: [igmp] + properties: + icmp: + type: object + properties: + icmpType: + type: integer + minimum: 0 + maximum: 255 + icmpCode: + type: integer + minimum: 0 + maximum: 255 + igmp: + type: object + properties: + igmpType: + type: integer + # Only IGMP reports are igmpType in 
egress rules, + # 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3. + # It will match all IGMP report types if igmpType is not set. + enum: [ 0x12, 0x16, 0x22 ] + groupAddress: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + to: + type: array + items: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaces: + type: object + properties: + match: + enum: + - Self + type: string + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + group: + type: string + fqdn: + type: string + serviceAccount: + type: object + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + toServices: + type: array + items: + type: object + required: + - name + - namespace + properties: + name: + type: string + namespace: + type: string + name: + type: string + 
enableLogging: + type: boolean + status: + type: object + properties: + phase: + type: string + observedGeneration: + type: integer + currentNodesRealized: + type: integer + desiredNodesRealized: + type: integer + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + reason: + type: string + message: + type: string + subresources: + status: {} scope: Cluster names: - plural: antreaagentinfos - singular: antreaagentinfo - kind: AntreaAgentInfo + plural: clusternetworkpolicies + singular: clusternetworkpolicy + kind: ClusterNetworkPolicy shortNames: - - aai + - acnp + --- -# Source: antrea/templates/crds/antreacontrollerinfo.yaml +# Source: crds/egress.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - name: antreacontrollerinfos.crd.antrea.io + name: egresses.crd.antrea.io labels: app: antrea spec: group: crd.antrea.io versions: - - name: v1beta1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - additionalPrinterColumns: - - description: Health status of the Controller - jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].status" - name: Healthy - type: string - - description: Last time the Healthy Condition was updated - jsonPath: ".controllerConditions[?(@.type=='ControllerHealthy')].lastHeartbeatTime" - name: Last Heartbeat - type: date - - description: Version of the Controller - jsonPath: ".version" - name: Version - type: string - priority: 1 - - description: Number of Agents connected to the Controller - jsonPath: ".connectedAgentNum" - name: Connected Agents - type: integer - priority: 1 - - description: Node on which the Controller is running - jsonPath: ".nodeRef.name" - name: Node - type: string - priority: 1 - - description: Number of Network Policies computed by Controller - jsonPath: ".networkPolicyControllerInfo.networkPolicyNum" - name: 
Num Network Policies - type: integer - priority: 2 + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - appliedTo + anyOf: + - required: + - egressIP + - required: + - externalIPPool + properties: + appliedTo: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + egressIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + externalIPPool: + type: string + status: + type: object + properties: + egressNode: + type: string + additionalPrinterColumns: + - description: Specifies the SNAT IP address for the selected workloads. 
+ jsonPath: .spec.egressIP + name: EgressIP + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The Owner Node of egress IP + jsonPath: .status.egressNode + name: Node + type: string + subresources: + status: {} scope: Cluster names: - plural: antreacontrollerinfos - singular: antreacontrollerinfo - kind: AntreaControllerInfo + plural: egresses + singular: egress + kind: Egress shortNames: - - aci + - eg + --- -# Source: antrea/templates/crds/clustergroup.yaml +# Source: crds/externalentity.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - name: clustergroups.crd.antrea.io + name: externalentities.crd.antrea.io labels: app: antrea spec: @@ -593,7 +881,7 @@ spec: versions: - name: v1alpha2 served: true - storage: false + storage: true schema: openAPIV3Schema: type: object 
@@ -601,138 +889,101 @@ spec: spec: type: object properties: - childGroups: - type: array - items: - type: string - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - externalEntitySelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - ipBlock: - type: object - properties: - cidr: - type: string - format: cidr - ipBlocks: + endpoints: type: array items: type: object properties: - cidr: + ip: type: string - format: cidr - serviceReference: - type: object - properties: - name: - type: string - namespace: - type: string - status: - type: object - properties: - conditions: + oneOf: + - format: ipv4 + - format: ipv6 + name: + type: string + ports: type: array items: type: object properties: - type: - type: string - status: + protocol: type: string - lastTransitionTime: + enum: ['TCP', 'UDP', 'SCTP'] + port: + x-kubernetes-int-or-string: true + name: type: string - - name: v1alpha3 + externalNode: + type: string + - name: v1alpha1 + 
served: false + storage: false + schema: + openAPIV3Schema: + type: object + scope: Namespaced + names: + plural: externalentities + singular: externalentity + kind: ExternalEntity + shortNames: + - ee + +--- +# Source: crds/externalippool.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: externalippools.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 served: true storage: true schema: openAPIV3Schema: type: object + required: + - spec properties: spec: type: object + required: + - ipRanges + - nodeSelector properties: - childGroups: + ipRanges: type: array items: - type: string - podSelector: + type: object + oneOf: + - required: + - cidr + - required: + - start + - end + properties: + cidr: + type: string + format: cidr + start: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + end: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + nodeSelector: type: object properties: matchExpressions: - type: array items: - type: object properties: key: type: string 
@@ -744,113 +995,237 @@ spec: - DoesNotExist type: string values: - type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: object + type: array matchLabels: x-kubernetes-preserve-unknown-fields: true - externalEntitySelector: + status: + type: object + properties: + usage: type: object properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - ipBlocks: + total: + type: integer + used: + type: integer + additionalPrinterColumns: + - description: The number of total IPs + jsonPath: .status.usage.total + name: Total + type: integer + - description: The number of allocated IPs + jsonPath: .status.usage.used + name: Used + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: {} + scope: Cluster + names: + plural: externalippools + singular: externalippool + kind: ExternalIPPool + shortNames: + - eip + +--- +# Source: crds/externalnode.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: antrea + name: externalnodes.crd.antrea.io +spec: + group: crd.antrea.io + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + required: + - interfaces + properties: + interfaces: type: array 
+ minItems: 1 + maxItems: 1 + required: + - ips items: type: object properties: - cidr: + ips: + type: array + minItems: 1 + items: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + name: type: string - format: cidr - serviceReference: - type: object - properties: - name: - type: string - namespace: - type: string - status: + served: true + storage: true + scope: Namespaced + names: + kind: ExternalNode + plural: externalnodes + shortNames: + - en + singular: externalnode +--- +# Source: crds/ippool.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ippools.crd.antrea.io + labels: + app: antrea +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + required: + - ipVersion + - ipRanges type: object properties: - conditions: - type: array + ipVersion: + type: integer + enum: [ 4, 6 ] + ipRanges: items: - type: object + oneOf: + - required: + - cidr + - gateway + - prefixLength + - required: + - start + - end + - gateway + - prefixLength properties: - type: + cidr: + format: cidr type: string - status: + start: + oneOf: + - format: ipv4 + - format: ipv6 type: string - lastTransitionTime: + end: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + gateway: + oneOf: + - format: ipv4 + - format: ipv6 + type: string + prefixLength: + type: integer + minimum: 1 + maximum: 128 + vlan: + type: integer + minimum: 0 + maximum: 4094 + type: object + type: array + status: + properties: + ipAddresses: + items: + properties: + ipAddress: + type: string + owner: + properties: + pod: + properties: + name: + type: string + namespace: + type: string + containerID: + type: string + ifName: + type: string + type: object + statefulSet: + properties: + name: + type: string + namespace: + type: string + index: + type: integer + type: object + type: object + phase: type: string + type: object + type: array + 
usage: + properties: + used: + type: integer + total: + type: integer + type: object + type: object + additionalPrinterColumns: + - description: The number of total IPs + jsonPath: .status.usage.total + name: Total + type: integer + - description: The number of allocated IPs + jsonPath: .status.usage.used + name: Used + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date subresources: status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: ["v1", "v1beta1"] - clientConfig: - service: - name: "antrea" - namespace: "kube-system" - path: "/convert/clustergroup" scope: Cluster names: - plural: clustergroups - singular: clustergroup - kind: ClusterGroup + plural: ippools + singular: ippool + kind: IPPool shortNames: - - cg + - ipp + --- -# Source: antrea/templates/crds/clusternetworkpolicy.yaml +# Source: crds/networkpolicy.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - name: clusternetworkpolicies.crd.antrea.io + name: networkpolicies.crd.antrea.io labels: app: antrea spec: @@ -862,12 +1237,12 @@ spec: additionalPrinterColumns: - name: Tier type: string - description: The Tier to which this ClusterNetworkPolicy belongs to. + description: The Tier to which this Antrea NetworkPolicy belongs to. jsonPath: .spec.tier - name: Priority type: number format: float - description: The Priority of this ClusterNetworkPolicy relative to other policies. + description: The Priority of this Antrea NetworkPolicy relative to other policies. jsonPath: .spec.priority - name: Desired Nodes type: number @@ -904,9 +1279,9 @@ spec: type: array items: type: object - # Ensure that Spec.AppliedTo does not allow IPBlock field + # Ensure that Spec.AppliedTo does not allow NamespaceSelector/IPBlock field properties: - podSelector: + externalEntitySelector: type: object properties: matchExpressions: 
@@ -930,7 +1305,7 @@ spec: pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: x-kubernetes-preserve-unknown-fields: true - namespaceSelector: + podSelector: type: object properties: matchExpressions: @@ -956,16 +1331,6 @@ spec: x-kubernetes-preserve-unknown-fields: true group: type: string - serviceAccount: - type: object - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace ingress: type: array items: @@ -977,7 +1342,7 @@ spec: type: array items: type: object - # Ensure that rule AppliedTo does not allow IPBlock field + # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field properties: podSelector: type: object @@ -1003,42 +1368,8 @@ spec: pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: x-kubernetes-preserve-unknown-fields: true - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true group: type: string - serviceAccount: - type: object - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values action: type: string 
@@ -1139,31 +1470,36 @@ spec: pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: x-kubernetes-preserve-unknown-fields: true - namespaces: + externalEntitySelector: type: object properties: - match: - enum: - - Self - type: string + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true ipBlock: type: object properties: cidr: type: string format: cidr - group: - type: string - serviceAccount: - type: object - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace nodeSelector: type: object properties: @@ -1188,6 +1524,8 @@ spec: type: array matchLabels: x-kubernetes-preserve-unknown-fields: true + group: + type: string name: type: string enableLogging: @@ -1203,7 +1541,7 @@ spec: type: array items: type: object - # Ensure that rule AppliedTo does not allow IPBlock field + # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field properties: podSelector: type: object 
@@ -1229,42 +1567,8 @@ spec: pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: x-kubernetes-preserve-unknown-fields: true - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true group: type: string - serviceAccount: - type: object - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values action: type: string @@ -1367,38 +1671,13 @@ spec: pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" matchLabels: x-kubernetes-preserve-unknown-fields: true - namespaces: - type: object - properties: - match: - enum: - - Self - type: string - ipBlock: - type: object - properties: - cidr: - type: string - format: cidr - group: - type: string - fqdn: - type: string - serviceAccount: - type: object - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - nodeSelector: + externalEntitySelector: type: object properties: matchExpressions: + type: array items: + type: object properties: key: type: string 
@@ -1410,446 +1689,252 @@ spec: - DoesNotExist type: string values: + type: array items: type: string pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - type: array - type: object - type: array matchLabels: x-kubernetes-preserve-unknown-fields: true - toServices: - type: array - items: - type: object - required: - - name - - namespace - properties: - name: - type: string - namespace: - type: string - name: - type: string - enableLogging: - type: boolean - status: - type: object - properties: - phase: - type: string - observedGeneration: - type: integer - currentNodesRealized: - type: integer - desiredNodesRealized: - type: integer - subresources: - status: {} - scope: Cluster - names: - plural: clusternetworkpolicies - singular: clusternetworkpolicy - kind: ClusterNetworkPolicy - shortNames: - - acnp ---- -# Source: antrea/templates/crds/egress.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: egresses.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1alpha2 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - type: object - required: - - appliedTo - anyOf: - - required: - - egressIP - - required: - - externalIPPool - properties: - appliedTo: - type: object - properties: - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: 
string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - egressIP: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - externalIPPool: - type: string - status: - type: object - properties: - egressNode: - type: string - additionalPrinterColumns: - - description: Specifies the SNAT IP address for the selected workloads. - jsonPath: .spec.egressIP - name: EgressIP - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: The Owner Node of egress IP - jsonPath: .status.egressNode - name: Node - type: string - subresources: - status: {} - scope: Cluster - names: - plural: egresses - singular: egress - kind: Egress - shortNames: - - eg ---- -# Source: antrea/templates/crds/externalentity.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: externalentities.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1alpha2 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: + ipBlock: + type: object + properties: + cidr: + type: string + format: cidr + fqdn: + type: string + nodeSelector: + type: object + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array + type: object + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + group: + type: string + toServices: + type: array + items: + type: object + required: + - name + properties: + name: + type: string + namespace: + type: string + name: + type: string + enableLogging: + type: boolean + status: type: object properties: - endpoints: + phase: + type: string + observedGeneration: + type: integer + currentNodesRealized: + type: integer + desiredNodesRealized: + 
type: integer + conditions: type: array items: type: object properties: - ip: + type: type: string - oneOf: - - format: ipv4 - - format: ipv6 - name: + status: type: string - ports: - type: array - items: - type: object - properties: - protocol: + lastTransitionTime: type: string - enum: ['TCP', 'UDP', 'SCTP'] - port: - x-kubernetes-int-or-string: true - name: + reason: type: string - externalNode: - type: string - - name: v1alpha1 - served: false - storage: false - schema: - openAPIV3Schema: - type: object + message: + type: string + subresources: + status: {} scope: Namespaced names: - plural: externalentities - singular: externalentity - kind: ExternalEntity + plural: networkpolicies + singular: networkpolicy + kind: NetworkPolicy shortNames: - - ee + - anp + --- -# Source: antrea/templates/crds/externalippool.yaml +# Source: crds/supportbundlecollection.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - name: externalippools.crd.antrea.io - labels: - app: antrea + name: supportbundlecollections.crd.antrea.io spec: group: crd.antrea.io versions: - - name: v1alpha2 + - name: v1alpha1 served: true storage: true schema: openAPIV3Schema: type: object - required: - - spec properties: spec: type: object required: - - ipRanges - - nodeSelector + - fileServer + - authentication + anyOf: + - required: + - nodes + - required: + - externalNodes properties: - ipRanges: - type: array - items: - type: object - oneOf: - - required: - - cidr - - required: - - start - - end - properties: - cidr: - type: string - format: cidr - start: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - end: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - nodeSelector: + nodes: type: object properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - type: 
array - type: object + nodeNames: type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - status: - type: object - properties: - usage: - type: object - properties: - total: - type: integer - used: - type: integer - additionalPrinterColumns: - - description: The number of total IPs - jsonPath: .status.usage.total - name: Total - type: integer - - description: The number of allocated IPs - jsonPath: .status.usage.used - name: Used - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - subresources: - status: {} - scope: Cluster - names: - plural: externalippools - singular: externalippool - kind: ExternalIPPool - shortNames: - - eip ---- -# Source: antrea/templates/crds/ippool.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ippools.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1alpha2 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - required: - - ipVersion - - ipRanges - type: object - properties: - ipVersion: - type: integer - ipRanges: - items: - oneOf: - - required: - - cidr - - gateway - - prefixLength - - required: - - start - - end - - gateway - - prefixLength - properties: - cidr: - format: cidr - type: string - start: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - end: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - gateway: - oneOf: - - format: ipv4 - - format: ipv6 - type: string - prefixLength: - type: integer - vlan: - type: integer - minimum: 0 - maximum: 4094 - type: object - type: array - status: - properties: - ipAddresses: - items: - properties: - ipAddress: + items: type: string - owner: - properties: - pod: + nodeSelector: + type: object + properties: + matchExpressions: + items: properties: - name: - type: string - namespace: - type: string - containerID: + key: type: string - ifName: + operator: + enum: + - In + - 
NotIn + - Exists + - DoesNotExist type: string + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array type: object - statefulSet: + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalNodes: + type: object + required: + - namespace + properties: + namespace: + type: string + nodeNames: + type: array + items: + type: string + nodeSelector: + type: object + properties: + matchExpressions: + items: properties: - name: + key: type: string - namespace: + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist type: string - index: - type: integer + values: + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + type: array type: object - type: object - phase: - type: string - type: object - type: array + type: array + matchLabels: + x-kubernetes-preserve-unknown-fields: true + expirationMinutes: + type: integer + default: 60 + sinceTime: + type: string + format: duration + fileServer: + type: object + properties: + url: + type: string + authentication: + type: object + properties: + authType: + type: string + enum: ["BearerToken", "APIKey"] + authSecret: + type: object + properties: + name: + type: string + namespace: + type: string + status: type: object + properties: + collectedNodes: + type: integer + desiredNodes: + type: integer + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string + reason: + type: string + message: + type: string subresources: status: {} scope: Cluster names: - plural: ippools - singular: ippool - kind: IPPool + plural: supportbundlecollections + singular: supportbundlecollection + kind: SupportBundleCollection shortNames: - - ipp + - sbc + --- -# Source: antrea/templates/crds/networkpolicy.yaml +# Source: crds/tier.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - name: networkpolicies.crd.antrea.io + 
name: tiers.crd.antrea.io labels: app: antrea spec: @@ -1859,25 +1944,10 @@ spec: served: true storage: true additionalPrinterColumns: - - name: Tier - type: string - description: The Tier to which this Antrea NetworkPolicy belongs to. - jsonPath: .spec.tier - name: Priority - type: number - format: float - description: The Priority of this Antrea NetworkPolicy relative to other policies. + type: integer + description: The Priority of this Tier relative to other Tiers. jsonPath: .spec.priority - - name: Desired Nodes - type: number - format: int32 - description: The total number of Nodes that should realize the NetworkPolicy. - jsonPath: .status.desiredNodesRealized - - name: Current Nodes - type: number - format: int32 - description: The number of Nodes that have realized the NetworkPolicy. - jsonPath: .status.currentNodesRealized - name: Age type: date jsonPath: .metadata.creationTimestamp 
@@ -1886,1142 +1956,1548 @@ spec: type: object properties: spec: - # Ensure that Spec.Priority field is set required: - priority type: object properties: - tier: - type: string priority: - type: number - format: float - # Ensure that Spec.Priority field is between 1 and 10000 - minimum: 1.0 - maximum: 10000.0 - appliedTo: - type: array - items: - type: object - # Ensure that Spec.AppliedTo does not allow NamespaceSelector/IPBlock field - properties: - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - ingress: - type: array - items: - type: object - required: - - action - properties: - appliedTo: - type: array - items: - type: object - # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field - properties: - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values - action: - type: string - enum: ['Allow', 'Drop', 'Reject', 'Pass'] - ports: - type: array - items: + type: integer + minimum: 0 + maximum: 255 + description: + type: string + scope: Cluster + names: + plural: tiers + singular: tier + kind: Tier + shortNames: + - tr + +--- +# Source: crds/traceflow.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: traceflows.crd.antrea.io + labels: + app: antrea +spec: + group: 
crd.antrea.io + versions: + - name: v1alpha1 + served: true + storage: true + additionalPrinterColumns: + - jsonPath: .status.phase + description: The phase of the Traceflow. + name: Phase + type: string + - jsonPath: .spec.source.pod + description: The name of the source Pod. + name: Source-Pod + type: string + priority: 10 + - jsonPath: .spec.destination.pod + description: The name of the destination Pod. + name: Destination-Pod + type: string + priority: 10 + - jsonPath: .spec.destination.ip + description: The IP address of the destination. + name: Destination-IP + type: string + priority: 10 + - jsonPath: .spec.liveTraffic + description: Trace live traffic. + name: Live-Traffic + type: boolean + priority: 10 + - jsonPath: .spec.droppedOnly + description: Capture only the dropped packet. + name: Dropped-Only + type: boolean + priority: 10 + - jsonPath: .spec.timeout + description: Timeout in seconds. + name: Timeout + type: integer + priority: 10 + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: + type: object + properties: + source: + type: object + properties: + pod: + type: string + namespace: + type: string + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + destination: + type: object + properties: + pod: + type: string + service: + type: string + namespace: + type: string + ip: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + packet: + type: object + properties: + ipHeader: + type: object + properties: + srcIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + protocol: + type: integer + ttl: + type: integer + flags: + type: integer + ipv6Header: + type: object + properties: + srcIP: + type: string + format: ipv6 + nextHeader: + type: integer + hopLimit: + type: integer + transportHeader: + type: object + properties: + icmp: type: object properties: - protocol: - type: string - enum: ['TCP', 'UDP', 'SCTP'] - port: - 
x-kubernetes-int-or-string: true - endPort: + id: type: integer - protocols: - type: array - items: + sequence: + type: integer + udp: type: object - oneOf: - - required: [icmp] - - required: [igmp] properties: - icmp: - type: object - properties: - icmpType: - type: integer - minimum: 0 - maximum: 255 - icmpCode: - type: integer - minimum: 0 - maximum: 255 - igmp: - type: object - properties: - igmpType: - type: integer - # Only IGMP query (0x11) is valid igmpType in ingress rules. - enum: [ 0x11 ] - groupAddress: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - from: - type: array - items: + srcPort: + type: integer + dstPort: + type: integer + tcp: type: object properties: - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - externalEntitySelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - ipBlock: - type: object - properties: - cidr: - type: string - format: cidr - nodeSelector: - type: object - properties: - 
matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - name: - type: string - enableLogging: - type: boolean - egress: + srcPort: + type: integer + dstPort: + type: integer + flags: + type: integer + liveTraffic: + type: boolean + droppedOnly: + type: boolean + timeout: + type: integer + status: + type: object + properties: + reason: + type: string + dataplaneTag: + type: integer + phase: + type: string + startTime: + type: string + results: type: array items: type: object - required: - - action properties: - appliedTo: - type: array - items: - type: object - # Ensure that rule AppliedTo does not allow NamespaceSelector/IPBlock field - properties: - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - # Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values - action: + node: type: string - enum: ['Allow', 'Drop', 'Reject', 'Pass'] - ports: + role: + type: string + timestamp: + type: integer + observations: type: array items: type: object properties: - protocol: + component: type: string - enum: ['TCP', 'UDP', 'SCTP'] - port: - x-kubernetes-int-or-string: true - endPort: + componentInfo: + type: string + action: + type: string + pod: + type: string + dstMAC: + type: string + networkPolicy: + type: string + ttl: type: integer - protocols: - type: array - items: - type: object - oneOf: - - required: [icmp] - - required: [igmp] + 
translatedSrcIP: + type: string + translatedDstIP: + type: string + tunnelDstIP: + type: string + capturedPacket: + properties: + srcIP: + type: string + dstIP: + type: string + length: + type: integer + ipHeader: + properties: + flags: + type: integer + protocol: + type: integer + ttl: + type: integer + type: object + ipv6Header: + properties: + hopLimit: + type: integer + nextHeader: + type: integer + type: object + transportHeader: + properties: + tcp: properties: - icmp: - type: object - properties: - icmpType: - type: integer - minimum: 0 - maximum: 255 - icmpCode: - type: integer - minimum: 0 - maximum: 255 - igmp: - type: object - properties: - igmpType: - type: integer - # Only IGMP reports are igmpType in egress rules, - # 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3. - # It will match all IGMP report types if igmpType is not set. - enum: [ 0x12, 0x16, 0x22 ] - groupAddress: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - to: - type: array - items: + dstPort: + type: integer + srcPort: + type: integer + flags: + type: integer type: object + udp: properties: - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - externalEntitySelector: - type: object - properties: - matchExpressions: - type: array - items: - 
type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - ipBlock: - type: object - properties: - cidr: - type: string - format: cidr - fqdn: - type: string - nodeSelector: - type: object - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - type: array - type: object - type: array - matchLabels: - x-kubernetes-preserve-unknown-fields: true - toServices: - type: array - items: + dstPort: + type: integer + srcPort: + type: integer type: object - required: - - name + icmp: properties: - name: - type: string - namespace: - type: string - name: - type: string - enableLogging: - type: boolean - status: + id: + type: integer + sequence: + type: integer + type: object + type: object + type: object + subresources: + status: {} + scope: Cluster + names: + plural: traceflows + singular: traceflow + kind: Traceflow + shortNames: + - tf + +--- +# Source: crds/trafficcontrol.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: trafficcontrols.crd.antrea.io +spec: + group: crd.antrea.io + versions: + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: + - spec + properties: + spec: type: object + required: + - appliedTo + - direction + - action + - targetPort properties: - phase: + appliedTo: + type: object + properties: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: 
array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + direction: type: string - observedGeneration: - type: integer - currentNodesRealized: - type: integer - desiredNodesRealized: - type: integer + enum: + - Ingress + - Egress + - Both + action: + type: string + enum: + - Mirror + - Redirect + targetPort: + type: object + oneOf: + - required: [ovsInternal] + - required: [device] + - required: [geneve] + - required: [vxlan] + - required: [gre] + - required: [erspan] + properties: + ovsInternal: + type: object + required: + - name + properties: + name: + type: string + device: + type: object + required: + - name + properties: + name: + type: string + geneve: + type: object + required: + - remoteIP + properties: + remoteIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + vni: + type: integer + minimum: 0 + maximum: 16777215 + destinationPort: + type: integer + minimum: 1 + maximum: 65535 + vxlan: + type: object + required: + - remoteIP + properties: + remoteIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + vni: + type: integer + minimum: 0 + maximum: 16777215 + destinationPort: + type: integer + minimum: 1 + maximum: 65535 + gre: + type: object + required: + - remoteIP + properties: + remoteIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + key: + type: integer + minimum: 0 + maximum: 4294967295 + erspan: + type: object + required: + - remoteIP + - version + properties: + remoteIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + sessionID: 
+ type: integer + minimum: 0 + maximum: 1023 + version: + type: integer + enum: + - 1 + - 2 + index: + type: integer + dir: + type: integer + enum: + - 0 + - 1 + hardwareID: + type: integer + returnPort: + type: object + oneOf: + - required: [ovsInternal] + - required: [device] + - required: [geneve] + - required: [vxlan] + - required: [gre] + properties: + ovsInternal: + type: object + required: + - name + properties: + name: + type: string + device: + type: object + required: + - name + properties: + name: + type: string + geneve: + type: object + required: + - remoteIP + properties: + remoteIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + vni: + type: integer + minimum: 0 + maximum: 16777215 + destinationPort: + type: integer + minimum: 1 + maximum: 65535 + vxlan: + type: object + required: + - remoteIP + properties: + remoteIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + vni: + type: integer + minimum: 0 + maximum: 16777215 + destinationPort: + type: integer + minimum: 1 + maximum: 65535 + gre: + type: object + required: + - remoteIP + properties: + remoteIP: + type: string + oneOf: + - format: ipv4 + - format: ipv6 + key: + type: integer + minimum: 0 + maximum: 4294967295 + additionalPrinterColumns: + - description: Specifies the direction of traffic that should be matched. + jsonPath: .spec.direction + name: Direction + type: string + - description: Specifies the action that should be taken for the traffic. 
+ jsonPath: .spec.action + name: Action + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date subresources: status: {} - scope: Namespaced + scope: Cluster names: - plural: networkpolicies - singular: networkpolicy - kind: NetworkPolicy + plural: trafficcontrols + singular: trafficcontrol + kind: TrafficControl shortNames: - - anp + - tc + +--- +# Source: antrea/templates/agent/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antrea-agent + namespace: kube-system + labels: + app: antrea +--- +# Source: antrea/templates/antctl/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antctl + namespace: kube-system + labels: + app: antrea +--- +# Source: antrea/templates/controller/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: antrea-controller + namespace: kube-system + labels: + app: antrea +--- +# Source: antrea/templates/agent/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: antrea-agent-service-account-token + namespace: kube-system + annotations: + kubernetes.io/service-account.name: antrea-agent +type: kubernetes.io/service-account-token +--- +# Source: antrea/templates/antctl/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: antctl-service-account-token + namespace: kube-system + annotations: + kubernetes.io/service-account.name: antctl +type: kubernetes.io/service-account-token +--- +# Source: antrea/templates/agent/tweakerconfigmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: antrea-agent-tweaker + namespace: kube-system + labels: + app: antrea +data: + antrea-agent-tweaker.conf: |- + # Enable disableUdpTunnelOffload will disable udp tunnel offloading feature on kubernetes node's default interface. + # By default, no actions will be taken. 
+ disableUdpTunnelOffload: false +--- +# Source: antrea/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: antrea-config + namespace: kube-system + labels: + app: antrea +data: + antrea-agent.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # AllAlpha is a global toggle for alpha features. Per-feature key values override the default set by AllAlpha. + # AllAlpha: false + + # AllBeta is a global toggle for beta features. Per-feature key values override the default set by AllBeta. + # AllBeta: false + + # Enable AntreaProxy which provides ServiceLB for in-cluster Services in antrea-agent. + # It should be enabled on Windows, otherwise NetworkPolicy will not take effect on + # Service traffic. + # AntreaProxy: true + + # Enable EndpointSlice support in AntreaProxy. Don't enable this feature unless that EndpointSlice + # API version v1 is supported and set as enabled in Kubernetes. If AntreaProxy is not enabled, + # this flag will not take effect. + # EndpointSlice: false + + # Enable TopologyAwareHints in AntreaProxy. This requires AntreaProxy and EndpointSlice to be + # enabled, otherwise this flag will not take effect. + # TopologyAwareHints: false + + # Enable traceflow which provides packet tracing feature to diagnose network issue. + # Traceflow: true + + # Enable NodePortLocal feature to make the Pods reachable externally through NodePort + # NodePortLocal: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each + # agent to a configured collector. 
+ # FlowExporter: false + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: true + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: true + + # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the + # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for + # IPAM when configuring secondary network interfaces with Multus. + # AntreaIPAM: false + + # Enable multicast traffic. + # Multicast: false + + # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. + # This feature is supported only with encap mode. + # Multicluster: false + + # Enable support for provisioning secondary network interfaces for Pods (using + # Pod annotations). At the moment, Antrea can only create secondary network + # interfaces using SR-IOV VFs on baremetal Nodes. + # SecondaryNetwork: false + + # Enable managing external IPs of Services of LoadBalancer type. + # ServiceExternalIP: false + + # Enable mirroring or redirecting the traffic Pods send or receive. + # TrafficControl: false + + # Enable certificated-based authentication for IPsec. + # IPsecCertAuth: false + + # Name of the OpenVSwitch bridge antrea-agent will create and use. + # Make sure it doesn't conflict with your existing OpenVSwitch bridges. + ovsBridge: "br-int" + + # Datapath type to use for the OpenVSwitch bridge created by Antrea. At the moment, the only + # supported value is 'system', which corresponds to the kernel datapath. + #ovsDatapathType: system + + # Name of the interface antrea-agent will create and use for host <--> pod communication. + # Make sure it doesn't conflict with your existing interfaces. + hostGateway: "antrea-gw0" + + # Determines how traffic is encapsulated. It has the following options: + # encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network + # traffic is SNAT'd. 
+ # noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is + # SNAT'd if noSNAT is not set to true. Underlying network must be capable of + # supporting Pod traffic across IP subnets. + # hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap. + # networkPolicyOnly: Antrea enforces NetworkPolicy only, and utilizes CNI chaining and delegates Pod + # IPAM and connectivity to the primary CNI. + # + trafficEncapMode: "encap" + + # Whether or not to SNAT (using the Node IP) the egress traffic from a Pod to the external network. + # This option is for the noEncap traffic mode only, and the default value is false. In the noEncap + # mode, if the cluster's Pod CIDR is reachable from the external network, then the Pod traffic to + # the external network needs not be SNAT'd. In the networkPolicyOnly mode, antrea-agent never + # performs SNAT and this option will be ignored; for other modes it must be set to false. + noSNAT: false + + # Tunnel protocols used for encapsulating traffic across Nodes. If WireGuard is enabled in trafficEncryptionMode, + # this option will not take effect. Supported values: + # - geneve (default) + # - vxlan + # - gre + # - stt + # Note that "gre" is not supported for IPv6 clusters (IPv6-only or dual-stack clusters). + tunnelType: "geneve" + + # TunnelPort is the destination port for UDP and TCP based tunnel protocols (Geneve, VXLAN, and STT). + # If zero, it will use the assigned IANA port for the protocol, i.e. 6081 for Geneve, 4789 for VXLAN, + # and 7471 for STT. + tunnelPort: 0 + + # TunnelCsum determines whether to compute UDP encapsulation header (Geneve or VXLAN) checksums on outgoing + # packets. For Linux kernel before Mar 2021, UDP checksum must be present to trigger GRO on the receiver for better + # performance of Geneve and VXLAN tunnels. 
The issue has been fixed by + # https://github.com/torvalds/linux/commit/89e5c58fc1e2857ccdaae506fb8bc5fed57ee063, thus computing UDP checksum is + # no longer necessary. + # It should only be set to true when you are using an unpatched Linux kernel and observing poor transfer performance. + tunnelCsum: false + + # Determines how tunnel traffic is encrypted. Currently encryption only works with encap mode. + # It has the following options: + # - none (default): Inter-node Pod traffic will not be encrypted. + # - ipsec: Enable IPsec (ESP) encryption for Pod traffic across Nodes. Antrea uses + # Preshared Key (PSK) for IKE authentication. When IPsec tunnel is enabled, + # the PSK value must be passed to Antrea Agent through an environment + # variable: ANTREA_IPSEC_PSK. + # - wireGuard: Enable WireGuard for tunnel traffic encryption. + trafficEncryptionMode: "none" + + # Enable bridging mode of Pod network on Nodes, in which the Node's transport interface is connected + # to the OVS bridge, and cross-Node/VLAN traffic of AntreaIPAM Pods (Pods whose IP addresses are + # allocated by AntreaIPAM from IPPools) is sent to the underlay network, and forwarded/routed by the + # underlay network. + # This option requires the `AntreaIPAM` feature gate to be enabled. At this moment, it supports only + # IPv4 and Linux Nodes, and can be enabled only when `ovsDatapathType` is `system`, + # `trafficEncapMode` is `noEncap`, and `noSNAT` is true. + enableBridgingMode: false + + # Disable TX checksum offloading for container network interfaces. It's supposed to be set to true when the + # datapath doesn't support TX checksum offloading, which causes packets to be dropped due to bad checksum. + # It affects Pods running on Linux Nodes only. + disableTXChecksumOffload: false + + # Default MTU to use for the host gateway interface and the network interface of each Pod. 
+ # If omitted, antrea-agent will discover the MTU of the Node's primary interface and + # also adjust MTU to accommodate for tunnel encapsulation overhead (if applicable). + defaultMTU: 0 + + # wireGuard specifies WireGuard related configurations. + wireGuard: + # The port for WireGuard to receive traffic. + port: 51820 + + egress: + # exceptCIDRs is the CIDR ranges to which outbound Pod traffic will not be SNAT'd by Egresses. + exceptCIDRs: + + # ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be + # set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When + # AntreaProxy is enabled, this parameter is not needed and will be ignored if provided. + serviceCIDR: "" + + # ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack + # cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by + # --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed. + # No default value for this field. + serviceCIDRv6: "" + + # The port for the antrea-agent APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-agent` container must be set to the same value. + apiPort: 10350 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + enablePrometheusMetrics: true + + # Provide the IPFIX collector address as a string with format :[][:]. + # HOST can either be the DNS name or the IP of the Flow Collector. For example, + # "flow-aggregator.flow-aggregator.svc" can be provided as DNS name to connect + # to the Antrea Flow Aggregator service. If IP, it can be either IPv4 or IPv6. + # However, IPv6 address should be wrapped with []. + # If PORT is empty, we default to 4739, the standard IPFIX port. + # If no PROTO is given, we consider "tls" as default. 
We support "tls", "tcp" and + # "udp" protocols. "tls" is used for securing communication between flow exporter and + # flow aggregator. + flowCollectorAddr: "flow-aggregator.flow-aggregator.svc:4739:tls" + + # Provide flow poll interval as a duration string. This determines how often the + # flow exporter dumps connections from the conntrack module. Flow poll interval + # should be greater than or equal to 1s (one second). + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + flowPollInterval: "5s" + + # Provide the active flow export timeout, which is the timeout after which a flow + # record is sent to the collector for active flows. Thus, for flows with a continuous + # stream of packets, a flow record will be exported to the collector once the elapsed + # time since the last export event is equal to the value of this timeout. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + activeFlowExportTimeout: "5s" + + # Provide the idle flow export timeout, which is the timeout after which a flow + # record is sent to the collector for idle flows. A flow is considered idle if no + # packet matching this flow has been observed since the last export event. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + idleFlowExportTimeout: "15s" + + nodePortLocal: + # Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To + # enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature + # gate is also enabled (which is the default). + enable: true + # Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port + # from that range will be assigned whenever a Pod's container defines a specific port to be exposed + # (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic + # directed to that port will be forwarded to the Pod. 
+ portRange: "61000-62000" + + # Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig. + # Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver. + kubeAPIServerOverride: "" + + # Provide the address of DNS server, to override the kube-dns service. It's used to resolve hostname in FQDN policy. + # Defaults to "". It must be a host string or a host:port pair of the DNS server (e.g. 10.96.0.10, 10.96.0.10:53, + # [fd00:10:96::a]:53). + dnsServerOverride: "" + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + tlsCipherSuites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384" + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + tlsMinVersion: "" + + # The name of the interface on Node which is used for tunneling or routing the traffic across Nodes. + # If there are multiple IP addresses configured on the interface, the first one is used. The IP + # address used for tunneling or routing traffic to remote Nodes is decided in the following order of + # preference (from highest to lowest): + # 1. transportInterface + # 2. transportInterfaceCIDRs + # 3. The Node IP + transportInterface: "" + + multicast: + # The names of the interfaces on Nodes that are used to forward multicast traffic. + # Defaults to transport interface if not set. + multicastInterfaces: + + # The interval at which the antrea-agent sends IGMP queries to Pods. + # Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
+ igmpQueryInterval: "125s" + + # The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across + # Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The + # IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of + # preference (from highest to lowest): + # 1. transportInterface + # 2. transportInterfaceCIDRs + # 3. The Node IP + transportInterfaceCIDRs: + + # Option antreaProxy contains AntreaProxy related configuration options. + antreaProxy: + # ProxyAll tells antrea-agent to proxy all Service traffic, including NodePort, LoadBalancer, and ClusterIP traffic, + # regardless of where they come from. Therefore, running kube-proxy is no longer required. This requires the AntreaProxy + # feature to be enabled. + # Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access + # apiserver directly. + proxyAll: false + # A string array of values which specifies the host IPv4/IPv6 addresses for NodePort. Values can be valid IP blocks. + # (e.g. 1.2.3.0/24, 1.2.3.4/32). An empty string slice is meant to select all host IPv4/IPv6 addresses. + # Note that the option is only valid when proxyAll is true. + nodePortAddresses: + # An array of string values to specify a list of Services which should be ignored by AntreaProxy (traffic to these + # Services will not be load-balanced). Values can be a valid ClusterIP (e.g. 10.11.1.2) or a Service name + # with Namespace (e.g. kube-system/kube-dns) + skipServices: + # When ProxyLoadBalancerIPs is set to false, AntreaProxy no longer load-balances traffic destined to the + # External IPs of LoadBalancer Services. This is useful when the external LoadBalancer provides additional + # capabilities (e.g. 
TLS termination) and it is desirable for Pod-to-ExternalIP traffic to be sent to the + # external LoadBalancer instead of being load-balanced to an Endpoint directly by AntreaProxy. + # Note that setting ProxyLoadBalancerIPs to false usually only makes sense when ProxyAll is set to true and + # kube-proxy is removed from the cluser, otherwise kube-proxy will still load-balance this traffic. + proxyLoadBalancerIPs: true + + # IPsec tunnel related configurations. + ipsec: + # The authentication mode of IPsec tunnel. It has the following options: + # - psk (default): Use pre-shared key (PSK) for IKE authentication. + # - cert: Use CA-signed certificates for IKE authentication. This option requires the `IPsecCertAuth` + # feature gate to be enabled. + authenticationMode: "psk" + + multicluster: + # Enable Antrea Multi-cluster Gateway to support cross-cluster traffic. + # This feature is supported only with encap mode. + enable: false + # The Namespace where Antrea Multi-cluster Controller is running. + # The default is antrea-agent's Namespace. + namespace: "" + antrea-cni.conflist: | + { + "cniVersion":"0.3.0", + "name": "antrea", + "plugins": [ + { + "type": "antrea", + "ipam": { + "type": "host-local" + } + } + , + { + "type": "portmap", + "capabilities": {"portMappings": true} + } + , + { + "type": "bandwidth", + "capabilities": {"bandwidth": true} + } + ] + } + antrea-controller.conf: | + # FeatureGates is a map of feature names to bools that enable or disable experimental features. + featureGates: + # AllAlpha is a global toggle for alpha features. Per-feature key values override the default set by AllAlpha. + # AllAlpha: false + + # AllBeta is a global toggle for beta features. Per-feature key values override the default set by AllBeta. + # AllBeta: false + + # Enable traceflow which provides packet tracing feature to diagnose network issue. 
+ # Traceflow: true + + # Enable Antrea ClusterNetworkPolicy feature to complement K8s NetworkPolicy for cluster admins + # to define security policies which apply to the entire cluster, and Antrea NetworkPolicy + # feature that supports priorities, rule actions and externalEntities in the future. + # AntreaPolicy: true + + # Enable collecting and exposing NetworkPolicy statistics. + # NetworkPolicyStats: true + + # Enable multicast traffic. + # Multicast: false + + # Enable controlling SNAT IPs of Pod egress traffic. + # Egress: true + + # Run Kubernetes NodeIPAMController with Antrea. + # NodeIPAM: false + + # Enable AntreaIPAM, which can allocate IP addresses from IPPools. AntreaIPAM is required by the + # bridging mode and allocates IPs to Pods in bridging mode. It is also required to use Antrea for + # IPAM when configuring secondary network interfaces with Multus. + # AntreaIPAM: false + + # Enable managing external IPs of Services of LoadBalancer type. + # ServiceExternalIP: false + + # Enable certificated-based authentication for IPsec. + # IPsecCertAuth: false + + # Enable managing ExternalNode for unmanaged VM/BM. + # ExternalNode: false + + # The port for the antrea-controller APIServer to serve on. + # Note that if it's set to another value, the `containerPort` of the `api` port of the + # `antrea-controller` container must be set to the same value. + apiPort: 10349 + + # Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener. + enablePrometheusMetrics: true + + # Indicates whether to use auto-generated self-signed TLS certificate. + # If false, a Secret named "antrea-controller-tls" must be provided with the following keys: + # ca.crt: + # tls.crt: + # tls.key: + selfSignedCert: true + + # Comma-separated list of Cipher Suites. If omitted, the default Go Cipher Suites will be used. + # https://golang.org/pkg/crypto/tls/#pkg-constants + # Note that TLS1.3 Cipher Suites cannot be added to the list. 
But the apiserver will always + # prefer TLS1.3 Cipher Suites whenever possible. + tlsCipherSuites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384" + + # TLS min version from: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. + tlsMinVersion: "" + + nodeIPAM: + # Enable the integrated Node IPAM controller within the Antrea controller. + enableNodeIPAM: false + # CIDR ranges for Pods in cluster. String array containing single CIDR range, or multiple ranges. + # The CIDRs could be either IPv4 or IPv6. At most one CIDR may be specified for each IP family. + # Value ignored when enableNodeIPAM is false. + clusterCIDRs: + # CIDR ranges for Services in cluster. It is not necessary to specify it when there is no overlap with clusterCIDRs. + # Value ignored when enableNodeIPAM is false. + serviceCIDR: "" + serviceCIDRv6: "" + # Mask size for IPv4 Node CIDR in IPv4 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv4 Pod CIDR is not configured. Valid range is 16 to 30. + nodeCIDRMaskSizeIPv4: 24 + # Mask size for IPv6 Node CIDR in IPv6 or dual-stack cluster. Value ignored when enableNodeIPAM is false + # or when IPv6 Pod CIDR is not configured. Valid range is 64 to 126. + nodeCIDRMaskSizeIPv6: 64 + + ipsecCSRSigner: + # Determines the auto-approve policy of Antrea CSR signer for IPsec certificates management. + # If enabled, Antrea will auto-approve the CertificateSingingRequest (CSR) if its subject and x509 extensions + # are permitted, and the requestor can be validated. If K8s `BoundServiceAccountTokenVolume` feature is enabled, + # the Pod identity will also be validated to provide maximum security. + # If set to false, Antrea will not auto-approve CertificateSingingRequests and they need to be approved + # manually by `kubectl certificate approve`. 
+ autoApprove: true + # Indicates whether to use auto-generated self-signed CA certificate. + # If false, a Secret named "antrea-ipsec-ca" must be provided with the following keys: + # tls.crt: + # tls.key: + selfSignedCA: true + + # Indicates whether to enable usage reporting or not. + enableUsageReporting: false + + # Indicates whether to enable Antrea advanced features or not. + enterpriseAntrea: true --- -# Source: antrea/templates/crds/tier.yaml +# Source: antrea/templates/crds/clustergroup.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - name: tiers.crd.antrea.io + name: clustergroups.crd.antrea.io labels: app: antrea spec: group: crd.antrea.io versions: - - name: v1alpha1 - served: true - storage: true - additionalPrinterColumns: - - name: Priority - type: integer - description: The Priority of this Tier relative to other Tiers. - jsonPath: .spec.priority - - name: Age - type: date - jsonPath: .metadata.creationTimestamp - schema: - openAPIV3Schema: - type: object - properties: - spec: - required: - - priority - type: object - properties: - priority: - type: integer - minimum: 0 - maximum: 255 - description: - type: string - scope: Cluster - names: - plural: tiers - singular: tier - kind: Tier - shortNames: - - tr ---- -# Source: antrea/templates/crds/tierentitlement.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: tierentitlements.crd.antrea.tanzu.vmware.com - labels: - app: antrea -spec: - group: crd.antrea.tanzu.vmware.com - versions: - - name: v1alpha1 + - name: v1alpha2 served: true - storage: true + storage: false schema: openAPIV3Schema: type: object properties: spec: - required: - - permission - - tiers type: object properties: - permission: - type: string - enum: ['edit'] - tiers: + childGroups: type: array items: type: string - scope: Cluster - names: - plural: tierentitlements - singular: tierentitlement - kind: TierEntitlement - shortNames: - - te ---- -# Source: 
antrea/templates/crds/tierentitlementbinding.yml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: tierentitlementbindings.crd.antrea.tanzu.vmware.com - labels: - app: antrea -spec: - group: crd.antrea.tanzu.vmware.com - versions: - - name: v1alpha1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: - required: - - tierEntitlement - - subjects - type: object - properties: - tierEntitlement: - type: string - subjects: - type: array - items: - type: object - properties: - kind: - type: string - enum: ['User', 'Group', 'ServiceAccount'] - apiGroup: - type: string - enum: ['rbac.authorization.k8s.io'] - name: - type: string - namespace: - type: string - scope: Cluster - names: - plural: tierentitlementbindings - singular: tierentitlementbinding - kind: TierEntitlementBinding - shortNames: - - teb ---- -# Source: antrea/templates/crds/traceflow.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: traceflows.crd.antrea.io - labels: - app: antrea -spec: - group: crd.antrea.io - versions: - - name: v1alpha1 - served: true - storage: true - additionalPrinterColumns: - - jsonPath: .status.phase - description: The phase of the Traceflow. - name: Phase - type: string - - jsonPath: .spec.source.pod - description: The name of the source Pod. - name: Source-Pod - type: string - priority: 10 - - jsonPath: .spec.destination.pod - description: The name of the destination Pod. - name: Destination-Pod - type: string - priority: 10 - - jsonPath: .spec.destination.ip - description: The IP address of the destination. - name: Destination-IP - type: string - priority: 10 - - jsonPath: .spec.liveTraffic - description: Trace live traffic. - name: Live-Traffic - type: boolean - priority: 10 - - jsonPath: .spec.droppedOnly - description: Capture only the dropped packet. 
- name: Dropped-Only - type: boolean - priority: 10 - - jsonPath: .spec.timeout - description: Timeout in seconds. - name: Timeout - type: integer - priority: 10 - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - schema: - openAPIV3Schema: - type: object - required: - - spec - properties: - spec: - type: object - properties: - source: + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlock: type: object properties: - pod: - type: string - namespace: - type: string - ip: + cidr: type: string - oneOf: - - format: ipv4 - - format: ipv6 - destination: + format: cidr + ipBlocks: + type: array + items: + type: object + properties: + cidr: + type: string + format: cidr + serviceReference: type: object properties: - pod: - type: string - service: + name: type: string namespace: type: string - ip: - type: string - oneOf: - - format: ipv4 - - format: 
ipv6 - packet: - type: object - properties: - ipHeader: - type: object - properties: - srcIP: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - protocol: - type: integer - ttl: - type: integer - flags: - type: integer - ipv6Header: - type: object - properties: - srcIP: - type: string - format: ipv6 - nextHeader: - type: integer - hopLimit: - type: integer - transportHeader: - type: object - properties: - icmp: - type: object - properties: - id: - type: integer - sequence: - type: integer - udp: - type: object - properties: - srcPort: - type: integer - dstPort: - type: integer - tcp: - type: object - properties: - srcPort: - type: integer - dstPort: - type: integer - flags: - type: integer - liveTraffic: - type: boolean - droppedOnly: - type: boolean - timeout: - type: integer status: type: object properties: - reason: - type: string - dataplaneTag: - type: integer - phase: - type: string - startTime: - type: string - results: + conditions: type: array items: type: object properties: - node: + type: type: string - role: + status: type: string - timestamp: - type: integer - observations: - type: array - items: - type: object - properties: - component: - type: string - componentInfo: - type: string - action: - type: string - pod: - type: string - dstMAC: - type: string - networkPolicy: - type: string - ttl: - type: integer - translatedSrcIP: - type: string - translatedDstIP: + lastTransitionTime: + type: string + - name: v1alpha3 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + childGroups: + type: array + items: + type: string + podSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: type: string - tunnelDstIP: + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + 
x-kubernetes-preserve-unknown-fields: true + namespaceSelector: + type: object + properties: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: type: string - capturedPacket: + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: + type: object properties: - srcIP: - type: string - dstIP: - type: string - length: - type: integer - ipHeader: - properties: - flags: - type: integer - protocol: - type: integer - ttl: - type: integer - type: object - ipv6Header: - properties: - hopLimit: - type: integer - nextHeader: - type: integer - type: object - transportHeader: - properties: - tcp: - properties: - dstPort: - type: integer - srcPort: - type: integer - flags: - type: integer - type: object - udp: - properties: - dstPort: - type: integer - srcPort: - type: integer - type: object - icmp: - properties: - id: - type: integer - sequence: - type: integer - type: object - type: object + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlocks: + type: array + items: + type: object + properties: + cidr: + type: string + format: cidr + serviceReference: type: object + properties: + name: + type: string + namespace: + type: string + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string subresources: status: {} + conversion: + strategy: Webhook + webhook: + conversionReviewVersions: ["v1", "v1beta1"] + clientConfig: + 
service: + name: "antrea" + namespace: "kube-system" + path: "/convert/clustergroup" scope: Cluster names: - plural: traceflows - singular: traceflow - kind: Traceflow + plural: clustergroups + singular: clustergroup + kind: ClusterGroup shortNames: - - tf + - cg --- -# Source: antrea/templates/crds/trafficcontrol.yaml +# Source: antrea/templates/crds/group.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - name: trafficcontrols.crd.antrea.io + name: groups.crd.antrea.io spec: group: crd.antrea.io versions: - - name: v1alpha2 + - name: v1alpha3 served: true storage: true schema: openAPIV3Schema: type: object - required: - - spec properties: spec: type: object - required: - - appliedTo - - direction - - action - - targetPort properties: - appliedTo: + childGroups: + type: array + items: + type: string + podSelector: type: object properties: - podSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - namespaceSelector: - type: object - properties: - matchExpressions: - type: array - items: - type: object - properties: - key: - type: string - operator: - enum: - - In - - NotIn - - Exists - - DoesNotExist - type: string - values: - type: array - items: - type: string - pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$" - matchLabels: - x-kubernetes-preserve-unknown-fields: true - direction: - type: string - enum: - - Ingress - - Egress - - Both - action: - type: string - enum: - - Mirror - - Redirect - targetPort: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + 
items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + namespaceSelector: type: object - oneOf: - - required: [ovsInternal] - - required: [device] - - required: [geneve] - - required: [vxlan] - - required: [gre] - - required: [erspan] properties: - ovsInternal: - type: object - required: - - name - properties: - name: - type: string - device: - type: object - required: - - name - properties: - name: - type: string - geneve: - type: object - required: - - remoteIP - properties: - remoteIP: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - vni: - type: integer - minimum: 0 - maximum: 16777215 - destinationPort: - type: integer - minimum: 1 - maximum: 65535 - vxlan: - type: object - required: - - remoteIP - properties: - remoteIP: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - vni: - type: integer - minimum: 0 - maximum: 16777215 - destinationPort: - type: integer - minimum: 1 - maximum: 65535 - gre: - type: object - required: - - remoteIP - properties: - remoteIP: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - key: - type: integer - minimum: 0 - maximum: 4294967295 - erspan: - type: object - required: - - remoteIP - - version - properties: - remoteIP: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - sessionID: - type: integer - minimum: 0 - maximum: 1023 - version: - type: integer - enum: - - 1 - - 2 - index: - type: integer - dir: - type: integer - enum: - - 0 - - 1 - hardwareID: - type: integer - returnPort: + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + externalEntitySelector: type: object - oneOf: - - required: [ovsInternal] - - required: [device] - - required: [geneve] - - required: [vxlan] - - required: [gre] properties: - ovsInternal: - type: object - 
required: - - name - properties: - name: - type: string - device: - type: object - required: - - name - properties: - name: - type: string - geneve: - type: object - required: - - remoteIP - properties: - remoteIP: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - vni: - type: integer - minimum: 0 - maximum: 16777215 - destinationPort: - type: integer - minimum: 1 - maximum: 65535 - vxlan: - type: object - required: - - remoteIP - properties: - remoteIP: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - vni: - type: integer - minimum: 0 - maximum: 16777215 - destinationPort: - type: integer - minimum: 1 - maximum: 65535 - gre: - type: object - required: - - remoteIP - properties: - remoteIP: - type: string - oneOf: - - format: ipv4 - - format: ipv6 - key: - type: integer - minimum: 0 - maximum: 4294967295 - additionalPrinterColumns: - - description: Specifies the direction of traffic that should be matched. - jsonPath: .spec.direction - name: Direction - type: string - - description: Specifies the action that should be taken for the traffic. 
- jsonPath: .spec.action - name: Action - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date + matchExpressions: + type: array + items: + type: object + properties: + key: + type: string + operator: + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + type: array + items: + type: string + matchLabels: + x-kubernetes-preserve-unknown-fields: true + ipBlocks: + type: array + items: + type: object + properties: + cidr: + type: string + format: cidr + serviceReference: + type: object + properties: + name: + type: string + namespace: + type: string + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + type: + type: string + status: + type: string + lastTransitionTime: + type: string subresources: status: {} + scope: Namespaced + names: + plural: groups + singular: group + kind: Group + shortNames: + - grp +--- +# Source: antrea/templates/crds/tierentitlement.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: tierentitlements.crd.antrea.tanzu.vmware.com + labels: + app: antrea +spec: + group: crd.antrea.tanzu.vmware.com + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + required: + - permission + - tiers + type: object + properties: + permission: + type: string + enum: ['edit'] + tiers: + type: array + items: + type: string scope: Cluster names: - plural: trafficcontrols - singular: trafficcontrol - kind: TrafficControl + plural: tierentitlements + singular: tierentitlement + kind: TierEntitlement shortNames: - - tc + - te +--- +# Source: antrea/templates/crds/tierentitlementbinding.yml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: tierentitlementbindings.crd.antrea.tanzu.vmware.com + labels: + app: antrea +spec: + group: crd.antrea.tanzu.vmware.com + versions: + - name: v1alpha1 + served: true + 
storage: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ required:
+ - tierEntitlement
+ - subjects
+ type: object
+ properties:
+ tierEntitlement:
+ type: string
+ subjects:
+ type: array
+ items:
+ type: object
+ properties:
+ kind:
+ type: string
+ enum: ['User', 'Group', 'ServiceAccount']
+ apiGroup:
+ type: string
+ enum: ['rbac.authorization.k8s.io']
+ name:
+ type: string
+ namespace:
+ type: string
+ scope: Cluster
+ names:
+ plural: tierentitlementbindings
+ singular: tierentitlementbinding
+ kind: TierEntitlementBinding
+ shortNames:
+ - teb
---
# Source: antrea/templates/agent/clusterrole.yaml
kind: ClusterRole
@@ -3083,9 +3559,7 @@ rules:
- antreaagentinfos
verbs:
- get
- - create
- update
- - delete
- apiGroups:
- controlplane.antrea.io
resources:
@@ -3499,6 +3973,7 @@ rules:
- antreaagentinfos
verbs:
- list
+ - create
- delete
- apiGroups:
- crd.antrea.io
@@ -3550,6 +4025,7 @@ rules:
resources:
- externalentities
- clustergroups
+ - groups
verbs:
- get
- watch
@@ -3562,6 +4038,7 @@ rules:
- crd.antrea.io
resources:
- clustergroups/status
+ - groups/status
verbs:
- update
- apiGroups:
@@ -3590,6 +4067,15 @@ rules:
- ippools/status
verbs:
- update
+ - patch
+ - apiGroups:
+ - crd.antrea.io
+ resources:
+ - externalnodes
+ verbs:
+ - get
+ - watch
+ - list
- apiGroups:
- apps
resources:
@@ -3784,7 +4270,7 @@ spec:
kubectl.kubernetes.io/default-container: antrea-agent
# Automatically restart Pods with a RollingUpdate if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
- checksum/config: ea61360cc22dff22cc94fba060568c110d5bac03638203b7f0ec04282129d6e5
+ checksum/config: ee2e9a832afaaf5f44ea0095d47e03dfcb1dbf8d9a879784244a078fd501b21d
checksum/tweaker-config: 2d2c4693a82ee4f18de916ab3a50276d064eb8058a673f7e6b7719b9e5c21190
labels:
app: antrea
@@ -3805,7 +4291,7 @@ spec:
serviceAccountName: antrea-agent
initContainers:
- name: antrea-agent-tweaker
- image: "antrea/antrea-ubuntu:v1.7.2"
+ image: "antrea/antrea-ubuntu:v1.9.0"
imagePullPolicy: IfNotPresent
resources:
requests:
@@ -3826,7 +4312,7 @@ spec:
mountPath: /etc/antrea/antrea-agent-tweaker.conf
subPath: antrea-agent-tweaker.conf
- name: install-cni
- image: "antrea/antrea-ubuntu:v1.7.2"
+ image: "antrea/antrea-ubuntu:v1.9.0"
imagePullPolicy: IfNotPresent
resources:
requests:
@@ -3860,7 +4346,7 @@ spec:
mountPath: /var/run/antrea
containers:
- name: antrea-agent
- image: "antrea/antrea-ubuntu:v1.7.2"
+ image: "antrea/antrea-ubuntu:v1.9.0"
imagePullPolicy: IfNotPresent
command: ["antrea-agent"]
# Log to both "/var/log/antrea/" and stderr (so "kubectl logs" can work).-
@@ -3952,7 +4438,7 @@ spec:
- name: xtables-lock
mountPath: /run/xtables.lock
- name: antrea-ovs
- image: "antrea/antrea-ubuntu:v1.7.2"
+ image: "antrea/antrea-ubuntu:v1.9.0"
imagePullPolicy: IfNotPresent
resources:
requests:
@@ -4049,7 +4535,7 @@ spec:
annotations:
# Automatically restart Pod if the ConfigMap changes
# See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
- checksum/config: ea61360cc22dff22cc94fba060568c110d5bac03638203b7f0ec04282129d6e5
+ checksum/config: ee2e9a832afaaf5f44ea0095d47e03dfcb1dbf8d9a879784244a078fd501b21d
labels:
app: antrea
component: antrea-controller
@@ -4068,7 +4554,7 @@ spec:
serviceAccountName: antrea-controller
containers:
- name: antrea-controller
- image: "antrea/antrea-ubuntu:v1.7.2"
+ image: "antrea/antrea-ubuntu:v1.9.0"
imagePullPolicy: IfNotPresent
resources:
requests:
@@ -4305,6 +4791,21 @@ webhooks:
admissionReviewVersions: ["v1", "v1beta1"]
sideEffects: None
timeoutSeconds: 5
+ - name: "groupvalidator.antrea.io"
+ clientConfig:
+ service:
+ name: "antrea"
+ namespace: "kube-system"
+ path: "/validate/group"
+ rules:
+ - operations: [ "CREATE", "UPDATE" ]
+ apiGroups: [ "crd.antrea.io" ]
+ apiVersions: [ "v1alpha3" ]
+ resources: [ "groups" ]
+ scope: "Namespaced"
+ admissionReviewVersions: [ "v1", "v1beta1" ]
+ sideEffects: None
+ timeoutSeconds: 5
- name: "externalippoolvalidator.antrea.io"
clientConfig:
service:
diff --git a/providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/1.7.2/bundle/config/values.star b/providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/1.9.0/bundle/config/values.star
similarity index 100%
rename from providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/1.7.2/bundle/config/values.star
rename to providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/1.9.0/bundle/config/values.star
diff --git a/providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/1.7.2/bundle/config/values.yaml b/providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/1.9.0/bundle/config/values.yaml
similarity index 96%
rename from providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/1.7.2/bundle/config/values.yaml
rename to providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/1.9.0/bundle/config/values.yaml
index 55d7896fd8..a975a84db4 100644
--- a/providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/1.7.2/bundle/config/values.yaml
+++ b/providers/ytt/vendir/cni/_ytt_lib/addons/packages/antrea/1.9.0/bundle/config/values.yaml
@@ -33,6 +33,8 @@ antrea:
transportInterface: null
transportInterfaceCIDRs: []
tunnelType: geneve
+ tunnelPort: 0
+ tunnelCsum: false
trafficEncryptionMode: none
wireGuard:
port: 51820
@@ -70,3 +72,4 @@ antrea:
Multicluster: false
SecondaryNetwork: false
TrafficControl: false
+ TopologyAwareHints: false
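Review bot: The new `tunnelPort: 0` and `tunnelCsum: false` defaults in values.yaml say nothing about what the zero value means, and this file is the first thing a package consumer reads when overriding them. If 0 stands for "use the default UDP port of the configured tunnelType", as the `!= 0` test added in clusterbootstrap.yaml suggests, write it down: `tunnelPort: 0  # 0 = default UDP port for tunnelType; a custom port must also be allowed by node firewalls / security groups`. Likewise a one-line comment on `tunnelCsum` stating what the flag enables (I read it as UDP checksum on tunnel packets, but that should be confirmed against the 1.9.0 agent config) would save the next reader a trip to the upstream docs.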
diff --git a/providers/ytt/vendir/cni/cni.lib.yaml b/providers/ytt/vendir/cni/cni.lib.yaml
index e6287847d2..67fb0c3265 100644
--- a/providers/ytt/vendir/cni/cni.lib.yaml
+++ b/providers/ytt/vendir/cni/cni.lib.yaml
@@ -1,4 +1,4 @@
#@ load("@ytt:library", "library")
-#@ cni_antrea_lib = library.get("addons/packages/antrea/1.7.2/bundle/config")
+#@ cni_antrea_lib = library.get("addons/packages/antrea/1.9.0/bundle/config")
#@ cni_calico_lib = library.get("addons/packages/calico/3.24.1/bundle/config")
diff --git a/providers/yttcb/clusterbootstrap.yaml b/providers/yttcb/clusterbootstrap.yaml
index cf886c4360..35f527f9a2 100644
--- a/providers/yttcb/clusterbootstrap.yaml
+++ b/providers/yttcb/clusterbootstrap.yaml
@@ -45,6 +45,7 @@
#@ data.values.ANTREA_MULTICLUSTER or
#@ data.values.ANTREA_SECONDARY_NETWORK or
#@ data.values.ANTREA_TRAFFIC_CONTROL or
+#@ data.values.ANTREA_TOPOLOGY_AWARE_HINTS or
#@ data.values.ANTREA_MULTICAST or
#@ data.values.ANTREA_NO_SNAT or
#@ data.values.ANTREA_DISABLE_UDP_TUNNEL_OFFLOAD or
@@ -66,6 +67,8 @@
#@ data.values.ANTREA_MULTICAST_INTERFACES != "" or
#@ data.values.ANTREA_MULTICAST_IGMPQUERY_INTERVAL != "125s" or
#@ data.values.ANTREA_TUNNEL_TYPE != "geneve" or
+#@ data.values.ANTREA_TUNNEL_PORT != 0 or
+#@ data.values.ANTREA_TUNNEL_CSUM or
#@ data.values.ANTREA_TRAFFIC_ENCRYPTION_MODE != "none" or
#@ data.values.ANTREA_WIREGUARD_PORT != 51820 or
#@ data.values.ANTREA_ENABLE_USAGE_REPORTING or
@@ -185,6 +188,8 @@ spec:
transportInterfaceCIDRs: #@ split_comma_values(data.values.ANTREA_TRANSPORT_INTERFACE_CIDRS)
multicastInterfaces: #@ split_comma_values(data.values.ANTREA_MULTICAST_INTERFACES)
tunnelType: #@ data.values.ANTREA_TUNNEL_TYPE
+ tunnelPort: #@ data.values.ANTREA_TUNNEL_PORT
+ tunnelCsum: #@ data.values.ANTREA_TUNNEL_CSUM
trafficEncryptionMode: #@ data.values.ANTREA_TRAFFIC_ENCRYPTION_MODE
enableUsageReporting: #@ data.values.ANTREA_ENABLE_USAGE_REPORTING
wireGuard:
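Review bot: `#@ data.values.ANTREA_TUNNEL_PORT != 0 or` in the clusterbootstrap.yaml hunk at -66 only behaves as a "non-default value was set" test if ANTREA_TUNNEL_PORT is declared with the integer default 0; Starlark compares values of different types as unequal, so a string default such as "0" would make this term true for every cluster and the surrounding `#@ if` chain would fire unconditionally. The defaults file (config_default.yaml) and the parameter model are in the diffstat but not in this view, so please confirm the declared type is an int, matching the existing `ANTREA_WIREGUARD_PORT != 51820` term two lines below. The `#@ if` expression this hunk sits in begins and ends outside the hunk.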
@@ -225,6 +230,7 @@ spec:
Multicluster: #@ data.values.ANTREA_MULTICLUSTER
SecondaryNetwork: #@ data.values.ANTREA_SECONDARY_NETWORK
TrafficControl: #@ data.values.ANTREA_TRAFFIC_CONTROL
+ TopologyAwareHints: #@ data.values.ANTREA_TOPOLOGY_AWARE_HINTS
#@ end
---